Solved Multiple IPs in different subnets - default routing

CallumA

New Member

Reaction score: 2
Messages: 17

Hello!
I have a weird setup here whereby I have two IP addresses available, say:
22.33.44.187, netmask 255.255.255.128, default gateway 22.33.44.129
13.33.44.92, netmask 255.255.255.0, default gateway 13.33.44.1

I'd like to set up the two IPs so that one (22.33.44.187 in this example) is used mainly for a VPN (both routing out (using IPNAT currently), and listening for VPN connections) and the other (13.33.44.92) for other things (as a primary IP address).

My problem is I can set one default route. Ideally I would like to set a different default route for outgoing packets for each IP rather than a default route for the whole system.

How can this be done?

Thanks in advance!
 

ondra_knezour

Aspiring Daemon

Reaction score: 196
Messages: 761

You can have multiple routing tables and thus default gateways for different processes; see setfib(1). I am not sure if you need them, but it may be the case if you want to send traffic originating from VPN clients via a different interface than the default for local traffic, etc.
 

CallumA

New Member

Reaction score: 2
Messages: 17

> You can have multiple routing tables and thus default gateways for different processes; see setfib(1). I am not sure if you need them, but it may be the case if you want to send traffic originating from VPN clients via a different interface than the default for local traffic, etc.

How would I do this with a NAT for the routing within the VPN? It sounds a bit awkward to set up.
 

ondra_knezour

Aspiring Daemon

Reaction score: 196
Messages: 761

I have never had reason to try such a configuration, but I linked some articles here: Dual gateways. You can also search for setfib here on the forum; I think there were several threads about it.
 

junovitch@

Daemon
Developer

Reaction score: 616
Messages: 1,773

If I understand your requirements right, I would explore something along the lines of this. I haven't tried anything quite like this so I would be glad to hear what you come up with and if this is helpful:

- 13.33.44.92, netmask 255.255.255.0, default gateway 13.33.44.1
Leave this in the default FIB since it's the primary IP.

- 22.33.44.187, netmask 255.255.255.128, default gateway 22.33.44.129
Make this in an alternate FIB. You do need to reboot the system after setting this since multiple routing tables can only be set at boot.
Code:
echo 'net.fibs=2' >> /boot/loader.conf

Set a default route on the FIB.
/etc/rc.conf
Code:
static_routes="fibdefault"
route_fibdefault="default 22.33.44.129 -fib 1"

For the VPN, I believe this would be the correct syntax for something like OpenVPN. Hypothetically this would result in OpenVPN's tunnel being created in the same FIB the process runs in and this should just work. What I'm not sure of here is the firewall. I'm thinking since you aren't using the firewall to shift packets from one FIB to another then it may not matter.
Code:
openvpn_fib='1'
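
A check for the setup described in the post above, as an added example that is not part of the original thread: it parses `setfib 1 netstat -rn` output and confirms that FIB 1's default route is the expected gateway and is on-link for the /25 address, so VPN traffic does not silently leave via the wrong address. The sample routing table, the `em1` interface name and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example; sample netstat text and the em1 interface name are constructed.

# ip_to_int A.B.C.D: print the address as a 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# on_link IP MASK GW: succeed when GW lies in the same subnet as IP
on_link() {
    a=$(ip_to_int "$1"); m=$(ip_to_int "$2"); g=$(ip_to_int "$3")
    [ $(( a & m )) -eq $(( g & m )) ]
}

# default_gw: read `netstat -rn` text on stdin, print the IPv4 default gateway
default_gw() {
    awk '$1 == "Internet:"  { v4 = 1; next }
         $1 == "Internet6:" { v4 = 0 }
         v4 && $1 == "default" { print $2; exit }'
}

# check_fib IP MASK EXPECTED_GW: netstat text on stdin, verdict on stdout
check_fib() {
    found=$(default_gw)
    [ -n "$found" ] || { echo "no-default"; return 1; }
    [ "$found" = "$3" ] || { echo "wrong-gateway:$found"; return 1; }
    on_link "$1" "$2" "$found" || { echo "off-link:$found"; return 1; }
    echo "ok:$found"
}

# Constructed sample of `setfib 1 netstat -rn` after the rc.conf change above
FIB1_SAMPLE='Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags     Netif Expire
default            22.33.44.129       UGS         em1
22.33.44.128/25    link#2             U           em1
22.33.44.187       link#2             UHS         lo0'

# On the host itself:
#   setfib 1 netstat -rn | check_fib 22.33.44.187 255.255.255.128 22.33.44.129
printf '%s\n' "$FIB1_SAMPLE" | check_fib 22.33.44.187 255.255.255.128 22.33.44.129
```
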
 

CallumA

New Member

Reaction score: 2
Messages: 17

> If I understand your requirements right, I would explore something along the lines of this. I haven't tried anything quite like this so I would be glad to hear what you come up with and if this is helpful:
>
> - 13.33.44.92, netmask 255.255.255.0, default gateway 13.33.44.1
> Leave this in the default FIB since it's the primary IP.
>
> - 22.33.44.187, netmask 255.255.255.128, default gateway 22.33.44.129
> Make this in an alternate FIB. You do need to reboot the system after setting this since multiple routing tables can only be set at boot.
> Code:
> echo 'net.fibs=2' >> /boot/loader.conf
>
> Set a default route on the FIB.
> /etc/rc.conf
> Code:
> static_routes="fibdefault"
> route_fibdefault="default 22.33.44.129 -fib 1"
>
> For the VPN, I believe this would be the correct syntax for something like OpenVPN. Hypothetically this would result in OpenVPN's tunnel being created in the same FIB the process runs in and this should just work. What I'm not sure of here is the firewall. I'm thinking since you aren't using the firewall to shift packets from one FIB to another then it may not matter.
> Code:
> openvpn_fib='1'

It's been a long time since I posted this...
Anyway, I just tried it out and it works perfectly! Surprisingly easy to use too. I found once I had the fibs enabled I could simply manipulate them by placing setfib 1 in front of a command (like setfib 1 netstat -rn) which is really nice.

This is something I was going crazy trying to work out on a Linux box a while back and ended up having to use additional IPs at the other end so I could set static routes. This FIB solution on FreeBSD is just incredible!

Thank you very much :)
 

junovitch@

Daemon
Developer

Reaction score: 616
Messages: 1,773

> ...
> This is something I was going crazy trying to work out on a Linux box a while back and ended up having to use additional IPs at the other end so I could set static routes. This FIB solution on FreeBSD is just incredible!
> ...

The Linux and FreeBSD solutions both have their merits and sometimes the extra complexity of the Linux way has helped me solve problems in the past. At the same time for the simple stuff the FreeBSD FIBs just work and in my opinion are easier to understand and configure.

Thanks for the update by the way! It's good to hear months later that everything worked out so I went ahead and tagged this thread as solved for you.
 