A web server behind two gateways?

Eugene Grosbein eugen at grosbein.net
Mon Jul 17 18:22:14 UTC 2017 

18.07.2017 1:19, Eugene Grosbein пишет:
> 18.07.2017 0:48, Alan Somers wrote:
> 
>> I think what you meant to say is "this will work for a server directly
>> connected to two external gateways (whether or not NAT is involved),
>> but won't work if the server is not on the same subnet as the
>> gateways".  That's true.  But judging by the OP, I think they're all
>> on the same subnet.
> 
> Yes. Anyway, as long as there is NAT involved, one already has stateful engine
> and simpliest and universal solution for this situation is PBR after NAT for outgoing packets.
> 
> It works no matter whether gateways are directly connecter or not
> and does not require multiple routing tables nor complex FIB or VNET configurations:
> 
> # remove "default" NAT rule
> ipfw delete 50
> 
> # translate incoming traffic and create NAT states
> ipfw add 40 nat 123 ip from any to any in recv $iface1
> ipfw add 50 nat 124 ip from any to any in recv $iface2
> 
> # insert normal filtering here
> ...
> # translate outgoing replies using existing NAT states
> ipfw add 50020 nat global ip from $LAN to any out xmit $iface1
> ipfw add 50030 nat global ip from $LAN to any out xmit $iface2
> 
> # translate new outgoing connections not having a state yet
> ipfw add 50040 nat 123 ip from any to any out xmit $iface1
> ipfw add 50050 nat 124 ip from any to any out xmit $iface2

bugfix:

ipfw add 50040 nat 123 ip from $LAN to any out xmit $iface1
ipfw add 50050 nat 124 ip from $LAN to any out xmit $iface2

> # perform Policy Based Routing for packets going to "wrong" route
> ipfw add 50140 fwd $gateway2 ip from $extip2 to any out xmit $iface1
> ipfw add 50150 fwd $gateway1 ip from $extip1 to any out xmit $iface2
> 
> # that's all, folks!
> 
> This works no matter where default route points to ($gateway1 or $gateway2).
> All you need is working default route and net.inet.ip.fw.one_pass=0.
> 
> This can be extended to any number of external channels/interfaces
> and optimized with ipfw tables but for two channels I prefer write it so
> for readability. I use this for many installations and it just works.

More information about the freebsd-net mailing list