Subject: Re: Multiple default routes through different network interfaces?
To: None <sudog@sudog.com>
From: Alicia da Conceicao <alicia@cyberstation.ca>
List: port-i386
Date: 10/23/2001 08:58:11
> But with IPFilter, you can use a rule like this:
> pass out quick on fxp1 to int0:next.hop.ip from int0.ip.address/32 to any
> in my case this would be:
> pass out quick on fxp1 to int0:10.0.0.5 from 10.0.0.9/32 to any
> This solves the problem in a very kludgy way. In my case, my 10.0.0.9 is 
> the internal interface for an adsl gateway, and 10.0.0.5 is the internal 
> interface for a cable gateway. it just answers as normal if connections 
> come in from the adsl link. (the other side of the netbsd machine.)

Hi Marc:

Thank you, those fastrouting route sets in IPF worked, they allow
my NetBSD server to respond to connections sent to either external
interface.  However, they do not work with the keep state rules in
my existing ipf configuration.

Below is a copy of my existing IPF configuration.  Note that:

lo0  - loop back            interface (IP 127.0.0.1)
int0 - internal lan         interface (IP 192.168.0.1)
eth0 - external cable modem interface (IP 123.123.123.123 Gateway 123.123.123.1)
eth1 - external ADSL  modem interface (IP 231.231.231.231 Gateway 231.231.231.1)

All interfaces have *STATIC* IP numbers.  I added your fastrouting
route sets to the beginning, so that regardless of which external
interface (eth0 or eth1) has the default route, the other interface
can still respond to connections sent to it.

Also, this NetBSD server is also providing DNS, e-mail (SMTP), POP3,
web (HTTP+HTTPS), and FTP (active mode only) services.  It is also a
gateway to an internal lan with non-routable IP numbers, using IPNAT,
and it also redirects incoming requests from the outside to port 5511,
to an internal server at 192.168.0.133.

===== /etc/ipf.conf ===================================================================================

pass out quick on eth0 to eth1:123.123.123.123 proto tcp from 231.231.231.231/32 to any
pass out quick on eth1 to eth0:231.231.231.231 proto tcp from 123.123.123.123/32 to any

block in quick all head 1

    block in quick all with frag group 1
    block in quick proto tcp all with short group 1
    block in quick all with ipopts group 1

    block return-rst in quick proto tcp from any to any port = 113 flags S group 1
    block return-rst in quick proto tcp from any port = 113 to any flags S group 1

    pass in quick on lo0  all group 1
    pass in quick on int0 all group 1

    block in quick from 192.0.2.0/24    to any group 1
    block in quick from 204.152.64.0/23 to any group 1
    block in quick from 169.254.0.0/16  to any group 1
    block in quick from 192.168.0.0/16  to any group 1
    block in quick from 172.16.0.0/12   to any group 1
    block in quick from 127.0.0.0/8     to any group 1
    block in quick from 10.0.0.0/8      to any group 1
    block in quick from 0.0.0.0/8       to any group 1
    block in quick from 224.0.0.0/3     to any group 1

    block in quick on eth0 all head 11 group 1

        block in quick proto tcp from any port > 1023 to 123.123.123.123/32 flags S head 111 group 11

            pass in quick proto tcp from any to any port =   21 keep state group 111
            pass in quick proto tcp from any to any port =   22 keep state group 111
            pass in quick proto tcp from any to any port =   25 keep state group 111
            pass in quick proto tcp from any to any port =   53 keep state group 111
            pass in quick proto tcp from any to any port =   80 keep state group 111
            pass in quick proto tcp from any to any port =  110 keep state group 111
            pass in quick proto tcp from any to any port =  443 keep state group 111
            pass in quick proto tcp from any to any port = 5511 keep state group 111

        block in quick proto udp from any             to 123.123.123.123/32         head 112 group 11

            pass in quick proto udp from any              to any port =   53 keep state group 112

        block in quick proto tcp from any port > 1023 to 192.168.0.133/32 flags S head 113 group 11

            pass in quick proto tcp from any to any port = 5511 keep state group 113

    block in log quick on eth1 all head 12 group 1

        block in quick proto tcp from any port > 1023 to 231.231.231.231/32 flags S head 121 group 12

            pass in quick proto tcp from any to any port =   21 keep state group 121
            pass in quick proto tcp from any to any port =   22 keep state group 121
            pass in quick proto tcp from any to any port =   25 keep state group 121
            pass in quick proto tcp from any to any port =   53 keep state group 121
            pass in quick proto tcp from any to any port =   80 keep state group 121
            pass in quick proto tcp from any to any port =  110 keep state group 121
            pass in quick proto tcp from any to any port =  443 keep state group 121
            pass in quick proto tcp from any to any port = 5511 keep state group 121

        block in quick proto udp from any             to 231.231.231.231/32         head 122 group 12

            pass in quick proto udp from any              to any port =   53 keep state group 122

        block in quick proto tcp from any port > 1023 to 192.168.0.133/32 flags S head 123 group 12

            pass in quick proto tcp from any to any port = 5511 keep state group 123

block out quick all head 2

    block out quick all with frag group 2
    block out quick proto tcp all with short group 2
    block out quick all with ipopts group 2

    pass out quick on lo0  all group 2
    pass out quick on int0 all group 2

    block out quick from any to 192.0.2.0/24    group 2
    block out quick from any to 204.152.64.0/23 group 2
    block out quick from any to 169.254.0.0/16  group 2
    block out quick from any to 192.168.0.0/16  group 2
    block out quick from any to 172.16.0.0/12   group 2
    block out quick from any to 127.0.0.0/8     group 2
    block out quick from any to 10.0.0.0/8      group 2
    block out quick from any to 0.0.0.0/8       group 2
    block out quick from any to 224.0.0.0/3     group 2

    block out quick on eth0 all head 21 group 2

        block out quick from 123.123.123.123/32 to any head 211 group 21

            pass out quick proto tcp  from any port > 1023 to any flags S      keep state group 211
            pass out quick proto udp  from any port > 1023 to any              keep state group 211
            pass out quick proto icmp from any             to any icmp-type  8 keep state group 211
            pass out quick proto icmp from any             to any icmp-type 11 keep state group 211

        block out quick from 192.168.0.0/24 to any head 212 group 21

            pass out quick proto tcp  from any port > 1023 to any flags S      keep state group 212
            pass out quick proto udp  from any port > 1023 to any              keep state group 212
            pass out quick proto icmp from any             to any icmp-type  8 keep state group 212
            pass out quick proto icmp from any             to any icmp-type 11 keep state group 212

    block out quick on eth1 all head 22 group 2

        block out quick from 231.231.231.231/32 to any head 221 group 22

            pass out quick proto tcp  from any port > 1023 to any flags S      keep state group 221
            pass out quick proto udp  from any port > 1023 to any              keep state group 221
            pass out quick proto icmp from any             to any icmp-type  8 keep state group 221
            pass out quick proto icmp from any             to any icmp-type 11 keep state group 221

        block out quick from 192.168.0.0/24 to any head 222 group 22

            pass out quick proto tcp  from any port > 1023 to any flags S      keep state group 222
            pass out quick proto udp  from any port > 1023 to any              keep state group 222
            pass out quick proto icmp from any             to any icmp-type  8 keep state group 222
            pass out quick proto icmp from any             to any icmp-type 11 keep state group 222

=======================================================================================================

Yes, this is a big configuration file, although I try to make use of
grouping to reduce the overhead.  Without the fastroute rules you
provided, this ipf configuration works great, although it has the
routing issues discussed previously.  Unfortunately, those fastroute
rules are needed to allow both external interfaces to respond to
incoming connections, and yet these fastroute rules conflict with the
keep state rules above.  :-(

I would greatly appreciate any additional advice you have.

> Paul Vixie wrote a set of "default route" patches that fixed this 
> behaviour. I believe these patches also might've fixed the annoying arp 
> publishing problem, where, if you publish an arp entry NetBSD answers on 
> all interfaces whether it already knows about the machine in its arp cache 
> or not. So you have to use "real" routing from routing equipment and not 
> just a simulated arp proxy-type thingy like you can with Linux.

These patches are very dated, and are for a very old NetBSD release.
Unfortunately it will take a lot of work to update them to work with
the NetBSD-1.52 release.  :-(

> Hope this helps--even a little. Check the ipfilter lists for "load 
> balancing" and also the netbsd mailing list archives for "default route" 
> and "load balancing" and "dual".

I am very grateful to you for showing me the fastroute tip for ipf.  :-)
Hopefully I can find a way to get it to co-exist with my existing
firewall rulesets.
 
If I come across any other solutions, I will let you know.

Thanks again, and thank you in advance.
Sincerely,
Alicia.
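Rulesets structured with head/group nesting like the one above are easy to mis-number when a block is copied from one interface to the other (the eth1 FTP rule in the posted file originally said group 111 under head 121). The following checker is an added example written for this page, not code from the thread or from IPFilter; it parses an ipf.conf excerpt (constructed here, modelled on the eth0/eth1 inbound heads above) and reports any rule whose `group N` does not match the head that encloses it by indentation, or that names a head not defined earlier.

```python
import re
from typing import List, Optional, Tuple

# Constructed excerpt modelled on the inbound heads of the ruleset above;
# line 7 deliberately carries the copy-and-paste mistake (group 111 under head 121).
SAMPLE_RULES = """\
block in quick all head 1
    block in quick on eth0 all head 11 group 1
        block in quick proto tcp from any port > 1023 to 123.123.123.123/32 flags S head 111 group 11
            pass in quick proto tcp from any to any port = 21 keep state group 111
    block in log quick on eth1 all head 12 group 1
        block in quick proto tcp from any port > 1023 to 231.231.231.231/32 flags S head 121 group 12
            pass in quick proto tcp from any to any port = 21 keep state group 111
            pass in quick proto tcp from any to any port = 22 keep state group 121
"""

HEAD_RE = re.compile(r"\bhead\s+(\d+)\b")
GROUP_RE = re.compile(r"\bgroup\s+(\d+)\b")


def check_groups(text: str) -> List[Tuple[int, str]]:
    """Return (line number, message) pairs for rules whose 'group N' disagrees
    with the nearest less-indented 'head' rule, or names an undefined head.
    Indentation is taken as the author's own nesting cue, as in the file above."""
    problems: List[Tuple[int, str]] = []
    defined_heads = set()
    stack: List[Tuple[int, int]] = []  # (indent, head number) of currently open heads
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        # Close every head that is indented at least as deep as this rule.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        expected: Optional[int] = stack[-1][1] if stack else None
        g = GROUP_RE.search(line)
        claimed: Optional[int] = int(g.group(1)) if g else None
        if claimed is not None and claimed not in defined_heads:
            problems.append((lineno, f"group {claimed} has no earlier head"))
        elif claimed != expected:
            problems.append((lineno, f"group {claimed} but enclosing head is {expected}"))
        h = HEAD_RE.search(line)
        if h:  # this rule opens a new head for the more-indented rules that follow
            head = int(h.group(1))
            defined_heads.add(head)
            stack.append((indent, head))
    return problems


if __name__ == "__main__":
    for lineno, msg in check_groups(SAMPLE_RULES):
        print(f"line {lineno}: {msg}")
```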