# multiple gateways



## gjpc (Apr 13, 2012)

I have a FreeBSD 6.4 machine that I have been using as a router for a few years. It has an inside interface 10.25/16 and an outside interface 10.100.0/24.

I added a node on the outside interface IP 10.100.0.5. I wish to have a single node on the inside 10.25 network use this node as its gateway, all the others on 10.25 should use the router's default gateway 10.100.0.4.

Is this possible?


----------



## DutchDaemon (Apr 13, 2012)

FreeBSD 6.4 has been End-of-Life since *November 30, 2010*. We advise against keeping it deployed any longer, because it is highly insecure (and "safe LANs" are a myth), and there are no updates of any kind available for it. We also don't want to offer support on the forums for these outdated versions, because that would only encourage further use. Please switch to a supported FreeBSD version, e.g. 7.4, a.s.a.p.

Other than that: yes, this is possible with e.g. static route statements and/or PF. Which is also *very* outdated on FreeBSD 6.4, and has undergone syntax changes that may render any advice unusable. Upgrade.


----------



## gjpc (Apr 13, 2012)

DutchDaemon said:

> Upgrade.



I am now running FreeBSD 8.2-RELEASE-p3 #0: Tue Sep 27 18:07:27 UTC 2011 on the router.

May I get some guidance on how to setup the static route?

Thanks


----------



## ecazamir (Apr 13, 2012)

Please provide full IP addresses and a network diagram to avoid confusion.
- 10.25/16 translates to 10.0.0.25/16, which IMO means the 10.0.0.0/16 network
- 10.100.0/24 translates to 10.100.0.0/24, which is usually a network address, not recommended to be bound on an interface.

Most IP-enabled machines use the 'default gateway' to reach non-directly-connected networks; perhaps you need to check this on the machine which needs a different gateway.


----------



## gjpc (Apr 13, 2012)

ecazamir said:

> Please provide full IP addresses and a network diagram to avoid confusion.
> - 10.25/16 translates to 10.0.0.25/16, which IMO means the 10.0.0.0/16 network
> - 10.100.0/24 translates to 10.100.0.0/24, which is usually a network address, not recommended to be bound on an interface.
>
> Most IP-enabled machines use the 'default gateway' to reach non-directly-connected networks; perhaps you need to check this on the machine which needs a different gateway.



- Internet gateways: 10.100.0.4 and 10.100.0.5
- Interface fxp0: router external IP 10.100.0.1, netmask 255.255.255.0 (NATD interface)
- Interface rl0: router internal IP 10.25.0.2, netmask 255.255.0.0, and 10.0.0.2, netmask 255.255.255.0

The router is running DHCPD and NATD servers; ipfw and ipdivert are enabled.

rc.conf:

```
defaultrouter="10.100.0.4"

gateway_enable="YES"
hostname="valcora.ob1net.net"
linux_enable="YES"
local_startup="/usr/local/etc/rc.d"
sshd_enable="YES"
usbd_enable="YES"
apache22_enable="YES"
inetd_enable="YES"

#firewall & NAT
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="fxp0"
#natd_interface="rl0"
natd_flags="-m -s"
```

I wish to have IP 10.25.0.209 use the gateway 10.100.0.5. All others should use 100.100.0.4.

current route map:

```
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.100.0.4         UGS        23   218515   fxp0
10.0.0.0           link#1             U           1    32760    rl0
10.0.0.2           link#1             UHS         0        0    lo0
10.25.0.0          link#1             U           1    83719    rl0
10.25.0.1          link#1             UHS         0        0    lo0
valcora            link#1             UHS         0        0    lo0
10.25.0.5          link#1             UHS         0        0    lo0
10.100.0.0         link#2             U           2    68541   fxp0
10.100.0.1         link#2             UHS         0        0    lo0
localhost          link#5             UH          0     8145    lo0
```

ipfw rule list:

```
00050 divert 8668 ip4 from any to any via fxp0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65000 allow ip from any to any
65535 allow ip from any to any
```

Thanks for any advice.


----------



## ecazamir (Apr 14, 2012)

An ipfw forward rule should do what you require. From ipfw(8): 

```
fwd | forward ipaddr | tablearg[,port]
             Change the next-hop on matching packets to ipaddr, which can be
             an IP address or a host name.  The next hop can also be supplied
             by the last table looked up for the packet by using the tablearg
             keyword instead of an explicit address.  The search terminates if
             this rule matches.
             ....
             If ipaddr is not a local address, then the port number (if speci-
             fied) is ignored, and the packet will be forwarded to the remote
             address, using the route as found in the local routing table for
             that IP.
             ....
             To enable fwd a custom kernel needs to be compiled with the
             option options IPFIREWALL_FORWARD.
```
ip forwarding will interfere with natd/ip divert, you will need explicit rules for inbound/outbound traffic diverted to natd. Moving NAT task to other machine may help making rules easier to read, write and diagnose.


----------



## gjpc (Apr 15, 2012)

ecazamir said:

> ip forwarding will interfere with natd/ip divert, you will need explicit rules for inbound/outbound traffic diverted to natd. Moving NAT task to other machine may help making rules easier to read, write and diagnose.



I think you are saying this cannot be done on the NAT machine. Probably due to the double dip that every NAT packet takes through the rule set. I am still not convinced it is impossible to perform the task on the NAT machine, but I have unhappily replugged wires on the switches to achieve the means to the end.

Does anyone have a clear idea on how this can be done on the NAT router itself? A suggestion of what ecazamir's hinted rule set may look like?


----------



## ecazamir (Apr 16, 2012)

pf(4) can solve your problem more easily; it does not need to divert all traffic to natd and back.
It has the 'route-to' option, which is very similar to ipfw fwd.
If you move your NAT/ipfw ruleset to pf, it would look like:

```
ext_if="fxp0"
int_if="rl0"
gw2="10.100.0.5"
# inside networks that get NAT: the 10.25/16 LAN and the 10.0.0/24 alias on rl0
table <nat_networks> { 10.25.0.0/16, 10.0.0.0/24 }
# hosts that should leave through the second gateway
table <gw2_clients> { 10.25.0.209/32 }

# options must come before the translation and filter rules
set skip on lo0

# NAT is performed for all hosts, using the IP address of $ext_if
nat on $ext_if inet from <nat_networks> -> ($ext_if)

block log all
antispoof for lo0
pass inet6 all
pass inet all
# Bypass the kernel route mechanism for packets coming from <gw2_clients>.
# pf is last-match, so this rule must stay below the general pass rules.
pass in on $int_if inet from <gw2_clients> to any route-to ($ext_if $gw2)
```
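As an added example (not code from the thread, nor from the pf/pfctl project), the script below is a small linter for a hand-written pf.conf of the kind shown above. It catches the three things that most often stop such a ruleset from loading at all, which matters because a firewall that refuses its config is a firewall running whatever was loaded before: a `$macro` or `<table>` referenced before it is defined, a `set` option placed after translation or filter rules (the pfctl of the FreeBSD 8 era enforced the order options, normalization, queueing, translation, filter), and a `route-to` target written as `($if, $gw)` instead of the `(interface address)` form pf.conf(5) specifies. The two rulesets embedded in it are constructed for the example; `pfctl -nf /etc/pf.conf` on the router itself remains the authoritative check.

```python
"""Lint a pf.conf fragment for mistakes that stop pfctl from loading it.

Added example for this thread; not code from the thread or from pf/pfctl.
Checks: macros/tables defined before use, section ordering, route-to syntax.
"""
import re

# Section order the FreeBSD 8.x pfctl enforces when parsing pf.conf.
SECTION_ORDER = ["options", "normalization", "queueing", "translation", "filter"]

MACRO_DEF = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"')
TABLE_DEF = re.compile(r'^table\s+<([^>]+)>')
MACRO_REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')
TABLE_REF = re.compile(r'<([^>]+)>')
ROUTE_OPT = re.compile(r'(route-to|reply-to|dup-to)\s*\(([^)]*)\)')


def classify(line):
    """Map a rule's first keyword to its pf.conf section; None for non-rules."""
    first = line.split()[0]
    if first == "set":
        return "options"
    if first == "scrub":
        return "normalization"
    if first in ("altq", "queue"):
        return "queueing"
    if first in ("nat", "rdr", "binat", "nat-anchor", "rdr-anchor", "binat-anchor"):
        return "translation"
    if first in ("pass", "block", "antispoof", "anchor"):
        return "filter"
    return None


def lint_pf(conf):
    """Return a list of human-readable problems; an empty list means clean."""
    problems = []
    macros, tables = set(), set()
    highest = -1  # highest section rank seen so far
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = MACRO_DEF.match(line)
        if m:
            macros.add(m.group(1))
            continue
        m = TABLE_DEF.match(line)
        if m:
            tables.add(m.group(1))
            continue
        for ref in MACRO_REF.findall(line):
            if ref not in macros:
                problems.append(f"line {lineno}: undefined macro ${ref}")
        for ref in TABLE_REF.findall(line):
            if ref not in tables:
                problems.append(f"line {lineno}: undefined table <{ref}>")
        section = classify(line)
        if section is not None:
            rank = SECTION_ORDER.index(section)
            if rank < highest:
                problems.append(
                    f"line {lineno}: {section} rule after {SECTION_ORDER[highest]} rules "
                    f"(pfctl wants {', '.join(SECTION_ORDER)} in that order)")
            highest = max(highest, rank)
        for opt, inner in ROUTE_OPT.findall(line):
            if "," in inner:
                problems.append(
                    f"line {lineno}: {opt} target '({inner})' has a comma; "
                    f"pf expects '(interface address)'")
    return problems


# Constructed ruleset with three mistakes planted: the macro is defined as
# gw_2 but referenced as $gw2, 'set skip' sits after nat/block rules, and the
# route-to target carries a comma.
BROKEN_RULESET = """\
ext_if="fxp0"
int_if="rl0"
gw_2="10.100.0.5"
table <nat_networks> { 10.25.0.0/16, 10.0.0.0/24 }
table <gw2_clients> { 10.25.0.209/32 }
nat on $ext_if inet from <nat_networks> -> ($ext_if)
block log all
set skip on lo0
antispoof for lo0
pass inet all
pass inet from <gw2_clients> to any route-to ($ext_if, $gw2)
"""

# Same policy with the three mistakes corrected (also constructed).
FIXED_RULESET = """\
ext_if="fxp0"
int_if="rl0"
gw2="10.100.0.5"
table <nat_networks> { 10.25.0.0/16, 10.0.0.0/24 }
table <gw2_clients> { 10.25.0.209/32 }
set skip on lo0
nat on $ext_if inet from <nat_networks> -> ($ext_if)
block log all
antispoof for lo0
pass inet all
pass in on $int_if inet from <gw2_clients> to any route-to ($ext_if $gw2)
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_RULESET), ("fixed", FIXED_RULESET)):
        print(f"{name}: {lint_pf(conf) or 'no problems found'}")
```

The checks are deliberately textual: the linter does not understand pf semantics, only the lexical mistakes that pfctl rejects outright, so a clean result means "worth feeding to `pfctl -nf`", not "the policy is right".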


----------



## gjpc (Apr 17, 2012)

ecazamir said:

> pf(4) can solve your problem more easily; it does not need to divert all traffic to natd and back.
> It has the 'route-to' option, which is very similar to ipfw fwd.



Thank you ecazamir. I shall try your suggestion before the end of the week and report back to this thread.


----------

