Subject: Re: Selective routing ? (IE: "two default gateways")
To: Laine Stump <lainestump@rcn.com>
From: sudog <sudog@sudog.com>
List: netbsd-help
Date: 03/04/2002 16:50:25
> > He has 3 networks cards, one to the internal network, another to
> > an ADSL router and the third to a leased line internet link.
I have both ADSL and Cable modems running at home. I was trying to get a
single NetBSD firewall to be able to simply and easily handle both
interfaces, but it was just too much manual labour, and now and again I
would bump into a problem where tearing down the default routes and
re-setting them wouldn't "stick".
Instead, I set up a second firewall and attached it to the other pipe. Now
when I want to use one or the other, it's trivial to reprogram the
internal machines' gateways and voila.
I ran into another problem shortly thereafter... I have redirects on each
firewall to send in traffic to various services inside my LAN. But NetBSD
does NOT know enough to respond on the same interface it received the
traffic on. Instead it blindly follows the outgoing routing tables.
Thus, a connection like this:
CABLE->firewall->10.0.0.9/Firewall/64.1.2.3
Where traffic comes in on one interface, through a firewall, to hit the
internal IP of the other firewall, would cause the second firewall to
forward traffic out its external interface -- BUT WITH THE INTERNAL SOURCE
ADDRESS INTACT. Neither behaviour is desirable.
I requested information in the mailing lists--unfortunately I learned
NetBSD needs patching. The best idea I found so far is a source-routing
patch that... was it der Mouse? Greywolf? I forget... one of those guys
had a great idea and had some patches that allowed command-line
source-based routing.
I track -current mostly, so patching would mean a lot of extra work.
My solution: It turns out IPFilter can do something called "fastrouting"
where you match a rule and short-circuit the routing tables. A fastroute
looks like this:
pass out quick on fxp1 to fxp0:10.0.0.100 from 10.0.0.99/32 to any
Shortly after adding this rule in a prominent place, the outgoing packets
destined for the internet that came through the "other" firewall were
properly re-routed, and in my logs I get to keep the "correct" IP of the
remote machine--which I wouldn't have if I had used an application proxy.
One more solution to the problem was a patch done by Paul Vixie a while
back that allowed multiple default routes--basically a quick patch that
allowed you to set multiple default routes and (I think) kludge in a minor
form of der Mouse's source-routing patch. (Greywolf? Argh! Which one of
you did the src-routing patch? I forgot!)
-sudog
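As an added illustration (not sudog's actual ruleset), here is how the fastroute rule quoted in the message would sit in /etc/ipf.conf on the ADSL firewall. The addresses come from the message (10.0.0.100 as the cable firewall's LAN address, 10.0.0.99 as the pinned source, 64.1.2.3 as the ADSL-side address); fxp0 as the LAN interface and fxp1 as the ADSL interface are assumptions.

```conf
# /etc/ipf.conf on the ADSL firewall -- added example, not the poster's config.
# Assumed: fxp0 = LAN (10.0.0.0/24), fxp1 = ADSL link (64.1.2.3).

# Default deny, logged, so anything not matched below shows up in ipmon.
block in log all
block out log all

# LAN side: let inside hosts reach the firewall and be forwarded through it.
pass in quick on fxp0 all
pass out quick on fxp0 all

# Policy route: any packet from 10.0.0.99 that the routing table would send
# out the ADSL interface is instead handed straight to the cable firewall
# (10.0.0.100) on the LAN side, bypassing the routing table. It must appear
# BEFORE the general "pass out" rules for fxp1 and carry "quick", otherwise
# a later rule matches first and the routing table decides.
# Caveat: this pins ALL traffic from 10.0.0.99 to the cable firewall, not
# only replies to connections that arrived through it.
pass out quick on fxp1 to fxp0:10.0.0.100 from 10.0.0.99/32 to any

# Everything else from the LAN leaves over ADSL normally, with state kept
# so the replies are let back in without separate "pass in" rules.
pass out quick on fxp1 proto tcp from 10.0.0.0/24 to any flags S keep state
pass out quick on fxp1 proto udp from 10.0.0.0/24 to any keep state
pass out quick on fxp1 proto icmp from 10.0.0.0/24 to any keep state

# Inbound service offered on the ADSL address (the matching rdr entry that
# forwards it to an internal host lives in /etc/ipnat.conf).
pass in quick on fxp1 proto tcp from any to 64.1.2.3/32 port = 80 flags S keep state
```

Load it with `ipf -Fa -f /etc/ipf.conf` and confirm with `ipfstat -io` that the `to fxp0:10.0.0.100` rule is listed ahead of the other fxp1 "pass out" rules; ipmon's log of blocked packets then shows whether anything from 10.0.0.99 is still escaping via the routing table.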