Routing 2 external interfaces to one internal host

Contributed by jose on 2003-11-14 from the dual-homed dept.

Kevin asks: "K, heres the question:
I have a firewall/router that has two external interfaces on the internet, and one internal host attached to a third interface on the router. I really want both interfaces to route to the one internal host, and only a few select ports at that. Should I use rdr, nat, or binat? Ideally clients machines accessing one of the external, static should believe that they are connected to a single host computer.

Thanks a lot in advance, Kevin"

(Comments are closed)

Comments

By Anonymous Coward () on 2003-11-14 08:29

Hmm. If I understand you have an OBSD machine with three NICs, two of which go out to the net, and one that goes to an internal machine. You can easily use rdr to redirect select services from either or both external addresses to that single host.
By Andreas () davos@puffy.nu on 2003-11-14 09:21 mailto:davos@puffy.nu

I believe you could this to use both the external cards:

nat on $external_1 inet from ($internal)/24 to any -> ($external_1)
nat on $external_2 from ($internal)/24 to any -> ($external_2)
pass in on $internal route-to { ($external_1 $gateway_first), ($external_2 $gateway_second) } round-robin from ($internal)/24 to any keep state

Where $gateway_first and $gateway_second is the gateway of each interface. This could easily be extended with a few simple block quick or anything like that. I haven't actually tested this configuration but hopefully it will work for you.
Comments
1. By Anonymous Coward () on 2003-11-15 00:29
  
  This is for outgoing traffic (connection initiated from internal). What about incoming traffic? Will the following work?
  
  rdr on $ext_if1 proto tcp from any to any port 80 -> $webserver
  rdr on $ext_if2 proto tcp from any to any port 80 -> $webserver
  
  pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
  pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
  Comments
  1. By Anonymous Hero () on 2003-11-17 00:45
    
    Nope, because it doesn't NAT traffic _from_ $webserver _to_ an address which would like to access it. You'll have to use NAT, or BiNAT.
By hellsh0k () on 2003-11-14 10:14

I believe what you are looking for is http://www.openbsd.org/faq/pf/pools.html

Pretty much deals with all multi-card and load balancing issues.
By Luca Cristelli () luca.cristelli@ies.it on 2003-11-15 00:10 mailto:luca.cristelli@ies.it

you may be interested in route-to keyword:

1. redirect (rdr) required ports to internal host

2. you need to route traffic between the two external nics:

http://www.benzedrine.cx/pf/msg02717.html

Hope it helps.

Luca.
By Anonymous Coward () on 2003-11-14 13:20

Why not just binat both external NICs to the internal, and firewall all but the few select ports you want?

OR

Same, but alias the internal NIC.
By Kevin () on 2003-11-14 13:59

Thanks a lot for all of the ideas/tips. They really helped out a lot!

Thanks again,
Kevin
Comments
1. By Anonymous Coward () on 2003-11-14 18:27
  
  Which option did you choose in the end?
By djm () on 2003-11-15 08:25

I had a setup like this for a while. Two external interfaces connected to different IPs with a firewalled host that was accessible from each. As I had routable addresses from each ISP I didn't need to do any NAT, but I did need to use "reply-to ($if $nexthop)" heavily to ensure the traffic went back out the interface it came in on. Once I got my head around reply-to, it worked beautifully.

Latest Articles

Thu, Apr 18
- 05:05 Coming soon to a -current system near you: parallel raw IP input (0)
Wed, Apr 17
- 05:33 In -current, default write format for tar(1) changed to "pax" (10)
Wed, Apr 10
- 18:50 OpenSMTPD 7.5.0p0 Released (2)
Tue, Apr 09
- 04:49 20 years since "and we're just starting": undeadly.org turns 20 (2024-04-09) (13)
Fri, Apr 05
- 06:16 OpenBSD 7.5 released (3)
Thu, Mar 28
- 18:18 LibreSSL 3.8.4 and 3.9.1 released (0)
Tue, Mar 12
- 06:53 OpenSSH 9.7/9.7p1 released! (0)
Mon, Mar 11
- 11:28 Game of Trees 0.97 released (0)
Sun, Mar 10
- 09:06 LibreSSL versions 3.8.3 and 3.9.0 released (0)

Credits

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]