Re: Two Networks on one System
On 6/20/11 5:07 PM, Martin McCormick wrote:

We are moving a primary name server from network A to
network B on one of our branch campuses. If the secondary
interface was reachable from the world, we can change the whois
information and not worry about the exact second the change goes
in to effect.

Can networks A and B talk to each other? I suspect not, otherwise things would be just working even if all traffic went to the primary's gateway, but I just wanted to check that there wasn't something else bad happening.

On the assumption that A and B are completely disconnected, then the only solution for this problem that I know of is to do policy-based routing using the source address or interface to make routing decisions, rather than using solely the destination address.

This is actually relatively trivial to do using PF.

pass in on $nic_a reply-to ($nic_a $gw_a)
pass in on $nic_b reply-to ($nic_b $gw_b)

with the various interfaces named appropriately and variables set to match should get you much of the way there. If you're using a slightly older version of PF, where keeping state on connections is not the default, you'll have to add state maintenance options to the lines. If you want packets to local machines to not go to the gateways and do u-turns there, you'll have to add a bit of filtering based on addresses, etc., etc.

The explanation for the first line is more or less:

For any new "connection" that comes in on NIC A, add an entry to the state table indicating that any reply packets should physically go out NIC A and should be passed to the next hop at address $gw_a.

WARNING: I use PF primarily on OpenBSD so sometimes get caught out on the subtle differences to the FreeBSD version.

--Jon Radel
jon@xxxxxxxxx
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
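A fuller pf.conf fragment built around the two reply-to lines in the reply above, added here as an example and not taken from the original post. Interface names, gateway addresses and subnets are placeholders to be replaced with the real ones; it states keep state explicitly (harmless on newer PF, required on older versions) and exempts the locally attached subnets from reply-to so replies to neighbours are not bounced off the gateways, and it limits inbound traffic to the name-server ports since that is the host being moved.

```pf
# --- macros: placeholder values, replace with your own ---
nic_a = "em0"               # interface on network A
nic_b = "em1"               # interface on network B
gw_a  = "192.0.2.1"         # default router on network A
gw_b  = "198.51.100.1"      # default router on network B
net_a = "192.0.2.0/24"      # subnet attached to nic_a
net_b = "198.51.100.0/24"   # subnet attached to nic_b
dns_ports = "{ 53 }"

set skip on lo0

# Default deny inbound; replies to our own outbound traffic are
# allowed by the state entries created below.
block in all

# Hosts on the directly attached subnets get their replies sent
# straight back on the same interface, with no reply-to, so the
# packets do not make a U-turn through the gateway.
pass in quick on $nic_a proto { tcp udp } from $net_a to port $dns_ports keep state
pass in quick on $nic_b proto { tcp udp } from $net_b to port $dns_ports keep state

# Everything else arriving on a NIC: the state entry records that
# replies leave on that same NIC and are handed to that NIC's gateway,
# whichever interface holds the system default route.
pass in on $nic_a proto { tcp udp } to port $dns_ports reply-to ($nic_a $gw_a) keep state
pass in on $nic_b proto { tcp udp } to port $dns_ports reply-to ($nic_b $gw_b) keep state

# Locally originated traffic (outbound queries, zone transfers, etc.)
pass out keep state
```

Run pfctl -nf /etc/pf.conf to parse the ruleset without loading it, then pfctl -ss after loading to confirm that inbound sessions on each NIC show the expected route-to/reply-to entry.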
