Re: network routing with dual interfaces.
From: Triffid (triffid_at_nebula.net)
Date: 12/08/04
- Next message: Neil W Rickert: "Re: network routing with dual interfaces."
- Previous message: Dan Espen: "Re: "Torn between two OS" - Solaris vs Linux"
- In reply to: Neil W Rickert: "Re: network routing with dual interfaces."
- Next in thread: Neil W Rickert: "Re: network routing with dual interfaces."
- Reply: Neil W Rickert: "Re: network routing with dual interfaces."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Tue, 07 Dec 2004 22:30:16 -0500
Neil W Rickert wrote:
> Darren Dunham <ddunham@redwood.taos.com> writes:
>
>> Neil W Rickert <rickert+nn@cs.niu.edu> wrote:
>>
>>> Darren Dunham <ddunham@redwood.taos.com> writes:
>>>
>>>> Solaris does not do any form of source routing out of the box.
>>>>
>>>> The only way I'm aware of to make it do so is to install IPFilter (now
>>>> included in the Solaris 10 OS, but installable on older versions).
>>
>> While ipfilter is most often used to simply block or pass traffic, it
>> does have a syntax to allow the traffic to be passed, but only via a
>> specific interface. So you don't stop the packets, you deliver the
>> packets via the "right" subnet.
>
> This is not working.
I asked the same question a few weeks ago, and Darren gave me the same
advice. It works for me.
My ipf.conf looks like this:
pass out quick on qfe0 to qfe1:<qfe1-dr> from <qfe1-ip>/32 to any
pass out quick on qfe1 to qfe0:<qfe0-dr> from <qfe0-ip>/32 to any
Where:
<qfeN-dr> is the IP of the default router for the qfeN subnet
<qfeN-ip> is the IP assigned to the qfeN interface
It may not be intuitive, but this effectively says "if a packet tries to
leave qfe0 with qfe1's source address, re-route it to qfe1 - and vice versa".
One caveat: re-routed packets don't go out on the wire unless the
destination MAC address is *already* in the ARP table. An init script
that pings all the default routers takes care of that minor problem.
>
> It is preventing the packets from going out on the "wrong"
> interface. But they are not being sent out at all. In effect, these
> packets are dropped.
>
> According to the man pages for ipf(5), the "to interface" is a
> synonym for "fastroute interface". However, if I try "fastroute", I
> get an error that it is only allowed on input rules. I'm taking that
> as a hint as to what is going wrong.
>
> I may try a newer ipfilter. But I don't hold out much hope. The
> HISTORY file doesn't mention anything that looks promising.
>
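As an added example (not code from anyone in this thread), a small POSIX sh script that generalises the two ipf.conf rules above to any number of interfaces and primes the ARP table the way the init script mentioned above does. The interface names, addresses and routers are constructed, and the ping call assumes the Solaris "ping host timeout" form.

```shell
#!/bin/sh
# Added example, not from the thread. Generalises the two ipf.conf
# rules above to N interfaces and primes the ARP table (the caveat
# above: re-routed packets are dropped until the router's MAC is
# known). Inputs are "iface ip default-router" triples; the values
# in the demo block at the bottom are constructed.

# For every ordered pair of interfaces (X, Y), X != Y, emit:
#   pass out quick on X to Y:<Y-dr> from <Y-ip>/32 to any
# i.e. a packet leaving X with Y's address is re-routed via Y's router.
gen_ipf_rules() {
    for x in "$@"; do
        x_if=${x%% *}
        for y in "$@"; do
            [ "$x" = "$y" ] && continue
            y_if=${y%% *}
            rest=${y#* }
            y_ip=${rest%% *}
            y_dr=${rest#* }
            echo "pass out quick on $x_if to $y_if:$y_dr from $y_ip/32 to any"
        done
    done
}

# Ping each default router once so its MAC lands in the ARP table
# before any re-routed packet needs it. Assumes the Solaris ping form
# "ping host timeout"; on Linux use "ping -c 1 host" instead.
prime_arp() {
    for t in "$@"; do
        rest=${t#* }
        dr=${rest#* }
        ping "$dr" 2 >/dev/null 2>&1 || echo "warning: $dr not reachable" >&2
    done
}

# Demo (constructed addresses): print the rules, then prime ARP.
if [ "${1:-}" = "--demo" ]; then
    ifs0="qfe0 192.0.2.10 192.0.2.1"
    ifs1="qfe1 198.51.100.10 198.51.100.1"
    gen_ipf_rules "$ifs0" "$ifs1"
    prime_arp "$ifs0" "$ifs1"
fi
```

Run with `--demo` to see the generated rules; redirect the output into ipf.conf once the addresses are filled in for the host.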