How to change default source address

W

wazigster

I have the following situation:

A freebsd 7.2 server, at colocation site.

Code: 
ifconfig_fxp0="inet 95.xxx.xxx.41 netmask 255.255.255.128"
ifconfig_fxp0_alias0="95.xxx.xxx.42 netmask 255.255.255.128"
ifconfig_fxp0_alias1="95.xxx.xxx.43 netmask 255.255.255.128"
ifconfig_fxp0_alias2="95.xxx.xxx.44 netmask 255.255.255.128"
ifconfig_fxp0_alias3="95.xxx.xxx.45 netmask 255.255.255.128"
ifconfig_fxp0_alias4="95.xxx.xxx.46 netmask 255.255.255.128"
ifconfig_fxp0_alias5="95.xxx.xxx.47 netmask 255.255.255.128"
defaultrouter="95.xxx.xxx.1"

With 'ping -S' I can select any of the source addresses I have at my disposal. I have confirmed that the correct source address sends the ICMP packets.

I need the ability to select the source address for a particular destination through the routing table (or any other means, that doesn't involve recompiling the kernel, or extra devices at the colocation site).

For instance on a Cisco router with an interface with multiple ip addresses I can manipulate the default route like this:

Code: 
ip route 213.239.152.0 255.255.248.0 95.xxx.xxx.43

and let all traffic destined for 213.239.152.0/21 source from 95.xxx.xxx.43 instead of 95.xxx.xxx.41

I want to do the same on the fbsd box. Any help is highly appreciated.

PS I have tried route add 213.239.152.0/21 95.xxx.xxx.42 and it doesn't work (since it selects gateway and not outgoing interface or ip).
 
I would try to configure NAT in packet filter. Add:

Code: 
nat on fxp0 inet proto icmp from { 192.168.0.0/24 } to { 213.239.152.0/21 } -> 95.xxx.xxx.43

to [font="Courier New"]/etc/pf.conf[/font] and change [font="Courier New"]192.168.0.0/24[/font] to whatever your internal network address is. Eventually remove "[font="Fixedsys"]proto icmp[/font]" if you would all traffic and not just ICMP. Then check syntax and load it:

Code: 
pfctl -nf /etc/pf.conf
pfctl -f /etc/pf.conf
 
Though I appreciate the suggestion, I don't think NAT would solve my problem. Since I'm running all kinds of server applications, some of them listening to all IP addresses, while others listen to only a particular IP. Plus I want this feature of selecting source addresses to be flexible.

I was thinking of using something like Quagga to build static routes (in a more Cisco like manner) like so:

Code: 
route-map hopeitworks permit 10
set src 95.xxx.xxx.43 (does the attribute src exist?)
!
ip protocol static route-map hopeitworks 
!
ip route 213.239.152.0/21 95.xxx.xxx.1 

(I'm only guessing syntax here...based on the manual of Quagga.)

Though I'm only guessing this sort of setup would work since I have no experience what-so-ever with Quagga.

This way only the static routes build would have the source address I assigned, with no interference on other traffic or server application configuration.

Can someone who has experience with Quagga confirm that such a setup works?
 
I meant does the attribute src exist on freebsd? I have only seen references to Linux?

I couldn't find a way to edit my previous post....
 
New members can edit their posts after 10 days of membership and 10 posts.
 
You'll want to do searches on vimage, multiple fib support, and policy routing. All of these will be possible with FreeBSD 8.0, and allow you to do what you want.
 
wazigster said:
Though I appreciate the suggestion, I don't think NAT would solve my problem.
Click to expand...
It will and is your only option. There is no way to manipulate source IP address other than to use NAT to rewrite it or modify your process to set it. (as ping can do)
 
phoenix said:
You'll want to do searches on vimage, multiple fib support, and policy routing. All of these will be possible with FreeBSD 8.0, and allow you to do what you want.
Click to expand...

If that is so, that would be superb. As I understand it, FreeBSD 8.0 will be release ready somewhere next month. I did do some google searches on those key words and could only find source address selection in combination with jails. If it only applies to particular jails having particular source addresses, it absolutely isn't the feature I'm looking for.

aragon said:
It will and is your only option. There is no way to manipulate source IP address other than to use NAT to rewrite it or modify your process to set it. (as ping can do)
Click to expand...

Mmm, that would mean writing a shitload of forwarding rules for all the services that are exposed to the internet. Can you or someone else give an indication of the performance impact (MEM/CPU) on server. Plus I wander how flexible this method would be, per configuration change a restart or pf. Does that mean that all existing session will be dropped?

Do you (or anyone else) for a fact know that Quagga on FreeBSD can't do what I described above? Please don't get me wrong, I do highly appreciate the feedback that all of you have given me so far.
 
wazigster said:
Mmm, that would mean writing a shitload of forwarding rules for all the services that are exposed to the internet.
Click to expand...

Why? I think you need to write the same number of NAT rules as routes in cisco you spoke about.

wazigster said:
Can you or someone else give an indication of the performance impact (MEM/CPU) on server.
Click to expand...

Not exactly. As written in PF: performance, it depends on your environment. However, for my personal experience, we used NAT on servers with tens of Gb/s traffic and tens of thousands concurrent connections without any significant performance impact.
 
You must log in or register to reply here.
Back
Top