source-based-routing

Inbound traffic
---------------

Let's assume the above includes DNS and name servers. What happens quite frequently is that at some place in the world routing is screwed up, and the folks affected by that can't reach your DNS/mail server through ISP1 anymore, but they can reach it via ISP2. The problem here is that your servers will send their answers back via the default route (e.g. ISP1), and due to the routing problem somewhere in the distance those answers don't reach their target.

So what is needed for the above scenario is that requests coming in through ISP1 are answered via ISP1, and requests coming in via ISP2 are answered via ISP2. For this to work, your DNS/mail servers need to be either on or outside the firewall, so they can identify where the packets come from.

Let us assume you have a machine set to IP A (via ISP1) and aliased to IP B (via ISP2); the default route points to the gateway to ISP1. Thankfully services like named etc. bind their responses to the address the request came in on (A if the request came via ISP1, and B if the request came in via ISP2). We can now use ipfw to 'bend' packets that originate on address B to be directed to the gateway to ISP2, using a ruleset like this:

    add 1000 allow all from A to any
    add 1010 allow all from any to BN
    add 1020 allow all from any to AN
    add 1030 fwd BGW all from B to any

A and B are the IP addresses (see above), AN and BN are the network addresses, and BGW is the IP address of the gateway to ISP2. The first rule is just a shortcut to speed up the bulk of the packets. The second and third rules let traffic in from either ISP1 or ISP2. The last rule is the one that does the trick: if the 'from' address is B, forward the packet to the gateway to ISP2.

Now you can have primary and secondary DNS/mail servers on separate addresses and networks, but the same physical machine.
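Because ipfw evaluates rules first-match, the order of the four rules above matters: rules 1010/1020 catch traffic towards the local networks before rule 1030 ever sees it, so only replies from B that leave the site get handed to BGW. The following is an added example, not code from the original post or from FreeBSD: a small Python model of that first-match evaluation over the post's four rules, with constructed documentation-range addresses standing in for A, B, AN, BN and BGW (the post names no real addresses). It models only what these rules need (host/"any"/CIDR matching, "allow" deferring to a two-entry routing table, "fwd" overriding the next hop) and does not assume any default policy for unmatched packets.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample addressing for the post's A/B/AN/BN/BGW (assumption; the
# post gives no real addresses). RFC 5737 documentation ranges are used.
A = "192.0.2.10"            # primary address, reached via ISP1
B = "198.51.100.10"         # alias address, reached via ISP2
AN = "192.0.2.0/24"         # network behind ISP1
BN = "198.51.100.0/24"      # network behind ISP2
BGW = "198.51.100.1"        # gateway to ISP2
DEFAULT_GW = "192.0.2.1"    # default route: gateway to ISP1


@dataclass
class Rule:
    number: int
    action: str        # "allow" or "fwd"
    src: str           # "any", a host address, or a network in CIDR form
    dst: str
    target: str = ""   # next hop for "fwd" rules


def matches(spec: str, addr: str) -> bool:
    """True if addr is covered by spec ("any", a single host, or a CIDR network)."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def build_ruleset() -> List[Rule]:
    """The four rules from the post, in the order ipfw evaluates them."""
    return [
        Rule(1000, "allow", A, "any"),      # shortcut for the bulk: traffic sourced from A
        Rule(1010, "allow", "any", BN),     # inbound (or local) traffic towards ISP2's network
        Rule(1020, "allow", "any", AN),     # inbound (or local) traffic towards ISP1's network
        Rule(1030, "fwd", B, "any", BGW),   # replies sourced from B: hand them to ISP2's gateway
    ]


def routing_table_next_hop(dst: str) -> str:
    """Simplified kernel routing table: AN and BN are directly connected,
    everything else follows the default route to ISP1's gateway."""
    if matches(AN, dst) or matches(BN, dst):
        return "direct"
    return DEFAULT_GW


def next_hop(src: str, dst: str, rules: Optional[List[Rule]] = None) -> Tuple[Optional[int], str]:
    """First-match evaluation: returns (matched rule number, next hop).

    'allow' leaves the next hop to the routing table; 'fwd' overrides it with
    the rule's target. No match returns (None, "no-match"): the firewall's
    configured default policy would decide, which this model does not assume.
    """
    for rule in rules if rules is not None else build_ruleset():
        if matches(rule.src, src) and matches(rule.dst, dst):
            if rule.action == "fwd":
                return rule.number, rule.target
            return rule.number, routing_table_next_hop(dst)
    return None, "no-match"


def dns_exchange(client: str, server_addr: str):
    """Model a request to server_addr and the reply that named sends from that
    same address (the property the post relies on)."""
    request = next_hop(client, server_addr)
    reply = next_hop(server_addr, client)
    return request, reply


if __name__ == "__main__":
    client = "203.0.113.7"   # constructed remote resolver
    for addr in (A, B):
        req, rep = dns_exchange(client, addr)
        print(f"request {client} -> {addr}: rule {req[0]}, next hop {req[1]}")
        print(f"reply   {addr} -> {client}: rule {rep[0]}, next hop {rep[1]}")
```

Running it shows the two paths side by side: a request to A is answered from A and leaves via the default route, while a request to B is answered from B and is forwarded to BGW by rule 1030. It also shows the edge case the ordering protects: a packet from B to a host inside AN or BN matches rule 1010 or 1020 first and is delivered locally rather than being pushed out to ISP2's gateway.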
LINK: http://www.freebsd.org/cgi/getmsg.cgi?fetch=1937792+1943014+/usr/local/www/db/text/2001/freebsd-questions/20010114.freebsd-questions