A web server behind two gateways?

Eugene Grosbein eugen at grosbein.net
Mon Jul 17 18:19:20 UTC 2017


18.07.2017 0:48, Alan Somers wrote:

> I think what you meant to say is "this will work for a server directly
> connected to two external gateways (whether or not NAT is involved),
> but won't work if the server is not on the same subnet as the
> gateways".  That's true.  But judging by the OP, I think they're all
> on the same subnet.

Yes. Anyway, as long as there is NAT involved, one already has a stateful engine
and the simplest and universal solution for this situation is PBR after NAT for outgoing packets.

It works no matter whether gateways are directly connected or not
and does not require multiple routing tables or complex FIB or VNET configurations:

# remove "default" NAT rule
ipfw delete 50

# translate incoming traffic and create NAT states
ipfw add 40 nat 123 ip from any to any in recv $iface1
ipfw add 50 nat 124 ip from any to any in recv $iface2

# insert normal filtering here
...
# translate outgoing replies using existing NAT states
ipfw add 50020 nat global ip from $LAN to any out xmit $iface1
ipfw add 50030 nat global ip from $LAN to any out xmit $iface2

# translate new outgoing connections not having a state yet
ipfw add 50040 nat 123 ip from any to any out xmit $iface1
ipfw add 50050 nat 124 ip from any to any out xmit $iface2

# perform Policy Based Routing for packets going to "wrong" route
ipfw add 50140 fwd $gateway2 ip from $extip2 to any out xmit $iface1
ipfw add 50150 fwd $gateway1 ip from $extip1 to any out xmit $iface2

# that's all, folks!

This works no matter where default route points to ($gateway1 or $gateway2).
All you need is a working default route and net.inet.ip.fw.one_pass=0.

This can be extended to any number of external channels/interfaces
and optimized with ipfw tables, but for two channels I prefer to write it this way
for readability. I use this for many installations and it just works.
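As an added example (not part of Eugene's message), the following POSIX sh script prints the "NAT first, then policy-route the replies" rule set above for any number of uplinks, the way the message says it can be extended. It only prints; nothing is applied, so the output can be reviewed before loading. Each uplink is passed as "iface:gateway:extip:natid". The `ipfw nat N config if <iface>` lines and the per-uplink rule-number steps beyond two uplinks are assumptions of this example (the message starts from an existing NAT setup and shows numbers for two channels only); the interface names and RFC 5737 addresses in the demo call are constructed.

```shell
#!/bin/sh
# Added example, not code from the freebsd-net message.
# Prints the "nat in -> filter -> nat global out -> nat out -> fwd" ipfw layout
# for N uplinks. Review the output, then load it with e.g. `ipfw -q /dev/stdin`.
# Assumptions: the NAT instances are created here with `nat N config if`, which
# the original message does not show; rule numbers match the message for two
# uplinks and extend in steps of 10 for more.

# field <1..4> <iface:gateway:extip:natid> -> one component of an uplink spec
field() {
    echo "$2" | cut -d: -f"$1"
}

# gen_multiwan_rules LAN_PREFIX uplink... -> rule set on stdout
gen_multiwan_rules() {
    lan=$1; shift
    n=$#
    echo "# packets must continue through the ruleset after nat/fwd"
    echo "sysctl net.inet.ip.fw.one_pass=0"
    for up in "$@"; do
        echo "ipfw nat $(field 4 "$up") config if $(field 1 "$up")"
    done
    echo "# translate incoming traffic and create NAT states"
    i=0
    for up in "$@"; do
        echo "ipfw add $((40 + 10 * i)) nat $(field 4 "$up") ip from any to any in recv $(field 1 "$up")"
        i=$((i + 1))
    done
    echo "# insert normal filtering here"
    echo "# translate outgoing replies using existing NAT states"
    i=0
    for up in "$@"; do
        echo "ipfw add $((50020 + 10 * i)) nat global ip from $lan to any out xmit $(field 1 "$up")"
        i=$((i + 1))
    done
    echo "# translate new outgoing connections not having a state yet"
    i=0
    for up in "$@"; do
        echo "ipfw add $((50020 + 10 * (n + i))) nat $(field 4 "$up") ip from any to any out xmit $(field 1 "$up")"
        i=$((i + 1))
    done
    echo "# policy-route packets that carry uplink A's address but were routed out uplink B"
    k=0
    for up in "$@"; do
        for other in "$@"; do
            if [ "$up" = "$other" ]; then
                continue
            fi
            echo "ipfw add $((50140 + 10 * k)) fwd $(field 2 "$up") ip from $(field 3 "$up") to any out xmit $(field 1 "$other")"
            k=$((k + 1))
        done
    done
}

# Constructed demo: LAN 10.0.0.0/24 behind two uplinks (RFC 5737 test addresses)
gen_multiwan_rules 10.0.0.0/24 \
    em0:198.51.100.1:198.51.100.10:123 \
    em1:203.0.113.1:203.0.113.10:124
```

The fwd section is the part that grows fastest: with N uplinks it emits N*(N-1) rules, one for every (source address, wrong interface) pair, which is where the message's suggestion to switch to ipfw tables becomes worthwhile.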
