# Best way to make an application use alternate routing?



## mickey (Aug 26, 2015)

Due to recent hardware failure of my CPE, I decided to turn my FreeBSD router/firewall into a VoIP gateway/PBX to hook up VoIP phones to. My ISP uses two separate PVCs, one for internet access and another for VoIP. So far I managed to map each PVC onto a different VLAN, so I can run two ppp processes doing PPPoE over one physical ethernet link simultaneously, which leaves me with two separate tun interfaces, each with its own public IP address.

From my understanding, this leaves me with two problems:

1. The VoIP PBX software needs to use a different default route for outgoing traffic.
2. The peer address on both WAN interfaces is the same.

So far my research into that matter has turned up that the FreeBSD kernel supports multiple routing tables - if compiled with the right options - via the setfib(1) command and corresponding commandline options in tools like route(8). Also there seems to be support in pf(4) for handling that kind of stuff. So this could possibly be a solution.

But I still wonder if there are other options, like running the VoIP PBX software within a jail, that are maybe a bit more elegant?


----------



## junovitch@ (Aug 27, 2015)

Hello,
Does the PBX software just need to use the second WAN link?  Not using both for load balancing?

If so, this should be straightforward.  You don't need to compile any special options to use setfib(1) as it's been a boot time tunable in /boot/loader.conf for several years now.  You can use a Jail bound to a FIB or set the process to a FIB.  Some examples on how to do it are in a previous post here.
https://forums.FreeBSD.org/threads/using-same-ip-address-on-different-fibs.52565/#post-295037


----------



## mickey (Aug 27, 2015)

junovitch@ said:


> Does the PBX software just need to use the second WAN link?  Not using both for load balancing?
> 
> If so, this should be straightforward.  You don't need to compile any special options to use setfib(1) as it's been a boot time tunable in /boot/loader.conf for several years now.  You can use a Jail bound to a FIB or set the process to a FIB.  Some examples on how to do it are in a previous post here.
> https://forums.FreeBSD.org/threads/using-same-ip-address-on-different-fibs.52565/#post-295037



Thanks for your reply.
Load balancing will not be necessary. From the technical side of things, the scenario is this. My ISP (o2 Telefonica Germany) provides standard internet access via PVC 1/32 and telephony services (access to o2 SIP servers) via PVC 1/35. Both PVCs use PPPoE and get a separate IPv4 address, but the peer's address is the same for both. Normally all this is handled by a CPE device (originally ZyXEL P-2602HWN-D7A) with integrated ATA.

As long as I do not want to use third-party SIP servers, I assume all SIP/RTP traffic has to go over PVC 1/35. Should I decide to use other SIP services (no plans yet), it might become necessary to pass traffic to/from those via PVC 1/32. I really have no idea yet, as to what level of internet service is provided on PVC 1/35 (i.e. whether ISP has filters in place only allowing access to their own SIP servers, allowance of other protocols i.e. http etc).

Assuming I would accept incoming SIP/RTP on both interfaces, would it be possible to route traffic back through the interface it came in on?
I'm using PF for my firewall.


----------



## junovitch@ (Sep 1, 2015)

Sorry for the delay.  I haven't had to use PF or another firewall to handle traffic across different FIBs so I can't offer any advice on that path.  Normally I've just bound a jail or application to a FIB and that has served my requirement.  Things are simple going that route but if you do go the firewall route a follow-up post for the archives on how you went about things would be excellent.


----------



## mickey (Sep 3, 2015)

junovitch@ said:


> Sorry for the delay.  I haven't had to use PF or another firewall to handle traffic across different FIBs so I can't offer any advice on that path.  Normally I've just bound a jail or application to a FIB and that has served my requirement.  Things are simple going that route but if you do go the firewall route a follow-up post for the archives on how you went about things would be excellent.


I have had limited success in setting up a second routing table manually that has an alternate default route on the tun1 interface. Unfortunately that only seems possible when using `net.add_addr_allfibs=0` in /boot/loader.conf, as otherwise the second FIB will contain an interface route for the tun0 interface pointing to the same peer, that cannot be deleted as it is marked as PINNED. So that essentially means you would have to set up each and every route within the second FIB yourself.

For the moment I have put the second FIB thing on ice as a whole, as I found out that my ISP seems to allow SIP registrations coming via the data PVC also. This not only saves a lot of headaches configuration-wise (second PVC, multiple VLANs, dual PPPoE sessions, dual routing, etc), but also the link-sharing happens in PF, not on PVC level, so that the upstream bandwidth is actually known and constant and can be distributed by means of PF/ALTQ. Personally I think that is the easier and better solution, at least as long as no other problems arise.


----------
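Added example, not posted by anyone in this thread: a sketch of the manual second-FIB setup discussed above, where `net.add_addr_allfibs=0` leaves FIB 1 empty and every route the PBX needs has to be added by hand before the process is started with setfib(1). The LAN network, `em0` and the PBX path are constructed placeholders; `tun1` and the tunable come from the thread, and `net.fibs=2` is the loader tunable assumed to create the second table.

```shell
#!/bin/sh
# Populate FIB 1 by hand and start a daemon confined to it (IPv4 only).
# Assumed /boot/loader.conf entries (reboot required):
#   net.fibs=2               # FIB 0 (default) plus FIB 1
#   net.add_addr_allfibs=0   # interface routes stay out of the other FIB
# Jail alternative: set "exec.fib = 1;" for the jail in jail.conf.

FIB=1
VOIP_IF=tun1                         # second PPPoE session, as in the thread
LOCAL_ROUTES="192.168.1.0/24:em0"    # constructed: net:interface pairs for the phones' LAN
PBX_CMD="/usr/local/sbin/pbx-daemon" # hypothetical PBX binary
DRY_RUN=${DRY_RUN:-1}                # 1 = print the commands, 0 = execute them

# Print or execute one command line.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Validate a "net:iface" pair and add it as an interface route inside the FIB.
add_iface_route() {
    net=${1%%:*}; ifc=${1#*:}
    if [ -z "$net" ] || [ -z "$ifc" ] || [ "$net" = "$1" ]; then
        echo "bad route spec: $1" >&2
        return 1
    fi
    case $net in
        */*) run setfib "$FIB" route add -net "$net" -iface "$ifc" ;;
        *)   run setfib "$FIB" route add -host "$net" -iface "$ifc" ;;
    esac
}

# FIB 1 starts empty, so local routes go in first, then the default route.
# Pointing the default at the interface avoids naming the shared peer address.
populate_fib() {
    for spec in $LOCAL_ROUTES; do
        add_iface_route "$spec" || return 1
    done
    run setfib "$FIB" route add default -iface "$VOIP_IF"
}

# Show the resulting table so a missing route is caught before the PBX starts.
show_fib() { run setfib "$FIB" netstat -rn -f inet; }

# The PBX inherits FIB 1, so its sockets only ever see the VoIP routes.
start_pbx() { run setfib "$FIB" $PBX_CMD; }

populate_fib && show_fib && start_pbx
```

Run as is, it only prints the commands; with `DRY_RUN=0` on the router it applies them as root.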

