sshd on two fibs
Grzegorz Junka
list1 at gjunka.com
Tue Sep 22 08:07:09 UTC 2020
On 21/09/2020 07:35, Eugene Grosbein wrote:
> 21.09.2020 14:21, Grzegorz Junka wrote:
>
>>> All you need is telling the kernel to use the right gateway based on the source IP address despite the default route;
>>> this is called policy-based routing and you can achieve that with a single ipfw rule:
>>>
>>> ipfw add 2000 fwd $gateway2 ip from $wan2ip to any out xmit $wan1
>>>
>>> That is: redirect IP packets with the source address of the second WAN interface ($wan2ip) to the right gateway of that WAN ($gateway2)
>>> if they are going out using the (wrong) route to WAN1. That's all.
>> Thanks Eugene. I am reluctant to add firewall rules because the second interface is configured as being in fib 1.
> Existence of the fib 1 does not matter for your case, at all.
>
>> This is so that jails, which are also started with fib 1, can use the proper routing table.
> Exactly.
>
>> I don't want to add complexity where it isn't necessary, unless there is no other option.
> Me too. And a single ipfw rule is the minimal possible addition; all other solutions are more complex.
>
>> Is it possible to somehow configure sshd to use the proper routing table?
> It is possible but it won't help you because every routing table contains routes that do NOT depend
> on the source IP address of the packet, and you need such policy-based routing. Standard routing tables
> do not offer policy-based routing, so they are useless for you.
>
> You could read the rc.conf(5) manual page to learn about the <name>_fib knob (e.g. sshd_fib="1")
> but it won't solve your problem. You could also add your own startup script to run a second copy of sshd
> with its own PID file, listening IP address and FIB, but that would be a much more complex solution.
>
> Just tell the kernel you need policy-based routing with ipfw. This just works.
> No need to utilize a second FIB just because you already have it.
>
OK, yeah, sounds reasonable. Thanks for explaining!
GrzegorzJ
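The rule form Eugene posted, turned into a small dual-WAN script as an added example (this is not code from the thread or from FreeBSD itself). It generalizes the single rule to one fwd rule per WAN, so replies sourced from either WAN address go back through that WAN's own gateway regardless of which interface holds the default route. Interface names, addresses, gateways and rule numbers are constructed placeholders; the script assumes ipfw is enabled (firewall_enable="YES" in rc.conf) and only loads rules when run as root with --apply, otherwise it prints the ipfw commands it would run.

```shell
#!/bin/sh
# Added example: source-address policy-based routing for a dual-WAN host with ipfw fwd.
# All interface names, addresses and rule numbers below are constructed placeholders.

wan1="em0";  wan1ip="203.0.113.10";  gateway1="203.0.113.1"   # WAN1: the default route points here
wan2="em1";  wan2ip="198.51.100.10"; gateway2="198.51.100.1"  # WAN2: no default route, only its own subnet

# Build one fwd rule: packets sourced from a WAN address that the kernel is about to
# send out of the *other* WAN interface are redirected to the correct gateway instead.
#   $1 rule number   $2 gateway to forward to   $3 source IP   $4 interface the packet is (wrongly) leaving on
pbr_rule() {
    printf 'add %s fwd %s ip from %s to any out xmit %s\n' "$1" "$2" "$3" "$4"
}

# One rule per WAN, so the setup keeps working if the default route is ever moved to WAN2.
rules() {
    pbr_rule 2000 "$gateway2" "$wan2ip" "$wan1"
    pbr_rule 2001 "$gateway1" "$wan1ip" "$wan2"
}

apply_rules() {
    if command -v ipfw >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        # Load the rules quietly, then show them: the packet counters confirm traffic
        # from each WAN address is actually being redirected.
        rules | while read -r line; do ipfw -q $line; done
        ipfw show 2000 2001
    else
        # Dry run: print the commands that would be executed.
        rules | sed 's/^/ipfw /'
    fi
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

The rule numbers (2000, 2001) must sort before any terminal allow rule in the ruleset (the stock "open" firewall type ends with rule 65000), otherwise the fwd action is never reached. After loading, a connection made to the WAN2 address from outside should show the packet counter on rule 2000 increasing in ipfw show.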