Dual gateways

perkypork · Nov 20, 2014

I am currently trying to switch from Linux to FreeBSD for my server requirements. I am a newbie when it comes to FreeBSD.

In our current server infrastructure, each server has two network interfaces. One interface is the WAN interface and responds to port 80 and 443 requests. The second interface is connected to a private LAN and responds to port 22. Each interface responds via a different gateway.

To get this working in Centos I essentially did what is in this guide - http://kindlund.wordpress.com/2007/11/19/configuring-multiple-default-routes-in-linux/

I have done a heap of reading about multiple default routes in FreeBSD but I seem to be mixing up terminology and unable to find the right documentation on what I am trying to achieve.

I found this guide - http://forum.ivorde.ro/freebsd-multiple-routing-tables-t15241.html

Is this guide detailing the steps I need to do to achieve what I want?

ondra_knezour · Nov 22, 2014

Looks like nobody knows the right answer or your question is too generic, I for example can't get if your private LAN is a stub (no connection to other networks or the internet), or if there can appear also packets with a source address from anywhere in the universe. In the first scenario you would probably find static routes good enough.

Some links which can be useful:
http://wiki.stocksy.co.uk/wiki/Multiple_default_routes_in_FreeBSD_without_BGP_or_similar
http://daemonforums.org/showthread.php?t=4610
http://blog.gonyeo.com/posts/2014-05-12-multiple-routes-freebsd.html

perkypork · Nov 23, 2014

Thanks ondra_knezour. I will elaborate further. I have two network interfaces. One has a public IP address and serves a website, the other is connected to a private LAN. When connectsions come in the WAN interface, I want the machine to respond via that interfaces gateway. When requests come in the LAN interface, I want the machine to respond via that interfaces gateway.

My firewall is set[]up to only allow port 80 and port 443 (and responses) in via the WAN interface and port 22 (and responses) only over the LAN interface. With a single gateway (say the WAN gateway) the LAN interface is useless as the incoming connection to port 22 is allowed but the response goes out the WAN gateway. I do not need any internal routing between the two interfaces (i.e. a bridge).

Hopefully this is enough information.

ondra_knezour · Nov 23, 2014

It depends. Consider following scenario - You have one WAN interface with a default gateway set, everything got sent there, except:
- packets to local segment addresses - if LAN interface has i.e. 192.168.0.2/24, everything in the 192.168.0.x network will go out using LAN interface
- packets to targets to which routes are known - if you have only couple of networks behind the LAN interface, you can set static routes for all of them and you are done.

Otherwise, you can use multiple routing tables, start sshd using setfib command et voila

I just found this article which describes exactly what you are looking for, I think. https://www.mmacleod.ca/blog/2011/06/source-based-routing-with-freebsd-using-multiple-routing-table/

Also see this thread for some glue https://lists.freebsd.org/pipermail/freebsd-net/2012-September/033325.html

perkypork · Nov 24, 2014

Thank you, ondra_knezour. I had read all the articles you linked (before I posted my question) but the lingo for FreeBSD is much more technical than the Linux world - it takes some getting used to. Appreciate you spending the time to help me out and will report back with my findings in case someone else has the same issue or question.

rmoe · Nov 24, 2014

From what I see there is no problem at all and your situation is by no means exotic. You simply assign (or have assigned via DHCP) the IP adresses to the interfaces and FreeBSD will take care of the rest regarding routing.

So, what you want is something like this in your /etc/rc.conf (here assuming an Intel Gb and a Via Rhine card)

Code:

# public interface, IP as given by your provider/hoster
ifconfig_em0="inet 123.123.123.123 netmask 255.255.255.0"
defaultrouter="123.123.123.1"

# private LAN interface
ifconfig_vr0="inet 192.168.1.10 netmask 255.255.255.0"

Finding out about your network cards (the "em0" and "vr0" part in the lines above) is easy, too. Usually dmesg | grep net is all that's needed to see what you have to fill in.

Next, you tell your daemons, e.g. nginx and openssh, in their respective configuration files on what address(es) to listen. In your case that would be the public IP for the HTTP(S) server and the private IP for the openssh daemon. Finally, you might want to use/configure a firewall.

Note that the basic logic is the same as in every unixoid. In FreeBSD network settings (like pretty all basic config) happen to be (very elegantly) handled centrally in /etc/rc.conf.

usdmatt · Nov 24, 2014

From the Linux article:

By default, administrators can define a single, default route (on eth0). However, if you receive traffic (i.e., ICMP pings) on eth1, the return traffic will go out eth0 by default.

That's not completely true. Let's say you have a configuration like the following:

WAN: 1.2.3.4 with a 255.255.255.0 netmask (so part of the 1.2.3.x network)
LAN: 10.0.0.1 with same netmask.
Default Gateway: 1.2.3.254

Your routing table will look something like this:

Code:

1.2.3.x -> reachable by WAN interface
10.0.0.x -> reachable by LAN interface
*everything else -> reachable through 1.2.3.254 (via the WAN interface)

If you ping, or send any network traffic to that machine from a computer on a 10.0.0.x address, connected to the LAN interface, the server will reply via the LAN interface. These are called connected networks. If the server sees traffic from an IP address that's part of the same network as one of its interfaces, it will respond directly via that interface. So basically, as long as you only SSH to that server from another computer that has a 10.0.0.x address, it will all work correctly and you don't need multiple gateways. I have a similar set up for some servers, and in my case, if I need remote access I VPN into my work network, giving me an IP address on my work LAN, then I can access the servers directly via their LAN interface. However, the default gateway of the servers is over the public Internet.

You'll get a problem if you have a router on both the WAN and LAN sides, and you want to be able to forward SSH traffic through the LAN router to the server. In this case, the server will see the connection coming from an address not on its LAN, and will try and reply through the default gateway. For this you'll probably have to look into the setfib command.

I personally would suggest trying to use a single gateway and SSH to the box via a computer on the LAN, or via a VPN if you really need remote SSH access and don't want to allow it through the WAN (firewalled of course). Running multiple gateways on a system is more hassle, and much rarer that a lot of people seem to think. Even complex border routers running BGP or OSPF on redundant feeds don't really work by having multiple default routes. They have many "static" routes to specific networks, but those static routes are continually managed and updated by daemons running in the background.

perkypork · Dec 3, 2014

Update:

I went without the dual gateway setup. I set up the WAN gateway as the default gateway. I SSHed in from the local network. I set up IPFW to allow SSH from local and HTTPS from WAN. All seems to be working well. Sadly my VPN doesn't give me an IP on the local network (as we are short on local address space), so I will need to change that configuration or try out the dual gateways.

Thank you everyone for your help! I am really enjoying FreeBSD!