# Network/Routing problem with two providers



## vermaden (Apr 8, 2010)

Hi,

this is the topology:


```
NETWORK PROVIDER 0            NETWORK PROVIDER 1
         \                            /
          \                          /
           \                        /
            \                      /
             \                    /
          ROUTER 0            ROUTER 1
          20.0.0.1            40.0.0.1
              \                  /
        +------\----------------/------+
        |       \              /       |
        |       em0          em1       |
        |    20.0.0.10    40.0.0.10    |
        |                              |
        |         FREEBSD BOX          |
        |                              |
        +------------------------------+
```

Now when I set defaultrouter="20.0.0.1" in /etc/rc.conf, the FreeBSD BOX responds to PING/ICMP on the 20.0.0.0 network but not on 40.0.0.0; the opposite happens with defaultrouter="40.0.0.1": PING/ICMP works on 40.0.0.0 but not on 20.0.0.0. I (obviously) cannot set two default routes.

My question is what to set to have PING/ICMP response on BOTH interfaces at the same time.


----------



## knarf (Apr 8, 2010)

There are a lot of solutions for your problem. But I'm pretty sure you also have em2 and this is just a part of your configuration, right? At least, correct responses to an icmp echo request won't be your main goal.

Maybe you should give vimage a try. With vimage you can have two default routes on one FreeBSD machine (a jail that has its own routing table).

Some sort of policy based routing will be needed. I've tried ipfw fwd rules without success.

The professional solution would be to get an AS and run BGP.


----------



## phoenix (Apr 8, 2010)

Either use lagg(4) to create a single virtual interface that fails over between the two.

Or, use setfib(1) to create two separate routing tables, with two separate "default" routes, and use IPFW rules to classify data into each FIB according to which interface it came in on.

For example:
/etc/rc.local

```
# Set the correct default routes in each table
setfib 0 route delete default
setfib 0 route add default 172.20.0.10
setfib 1 route delete default
setfib 1 route add default 10.172.20.1


# IPFW rules to set the correct FIB on incoming packets
ipfw -f flush
ipfw add allow ip from any to any via lo0
ipfw add setfib 1 ip from any to any via xl0
ipfw add setfib 0 ip from any to any via sk0
ipfw add allow ip from any to any
```
/etc/rc.conf

```
# Network settings
defaultrouter="10.172.20.1"
ifconfig_sk0="inet 172.20.0.2/24"
ifconfig_xl0="inet 10.172.20.2/24"
```


----------



## SirDice (Apr 8, 2010)

Assuming network provider 0 and 1 are internet providers it should actually work, regardless of the default gateway on the box.

If your gateway is ISP0 and you send a ping to your box from ISP1, the reply will make a little detour though.
It will get sent to ISP0, and they in turn send it to ISP1. So the route the reply takes is different compared to the request.
But that's the beauty of the internet and/or IP in general because it still works.


----------



## knarf (Apr 8, 2010)

SirDice said:

> Assuming network provider 0 and 1 are internet providers it should actually work, regardless of the default gateway on the box.



Did you never see one of them using ipfw verrevpath or equivalent?


----------



## SirDice (Apr 8, 2010)

knarf said:

> Did you never see one of them using ipfw verrevpath or equivalent?



True, it'll probably get blocked somewhere along the way as a malware defence.

Doesn't change the fact that it _should_ work.


----------



## knarf (Apr 9, 2010)

SirDice said:

> Doesn't change the fact that it _should_ work.



I'd never rely on it. There are so many ways of getting "connectivity" and most of these are not known to allow you to use an IP address as source other than the one provided to you.

And this is the reason why both OP scenarios probably don't work. On both paths (which may be different) there is at least one router blocking the packets because they do not belong to the originating IP address. Either because the source is coming from outside and belongs to inside or the source is coming from inside and belongs to outside.


----------
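
The failure knarf describes and the per-interface FIB fix phoenix posted, as an added example that is not part of the thread: a simplified Python model in which each provider router drops packets whose source address lies outside its own prefix. The data is constructed; the /24 prefixes follow the netmask in vermaden's Debian snippet, and the em0/em1-to-FIB mapping is an assumption mirroring phoenix's rules.

```python
import ipaddress

# Constructed model of the thread's topology: each provider router only
# forwards packets whose source lies in the prefix it assigned (/24 assumed).
ROUTERS = {
    "20.0.0.1": ipaddress.ip_network("20.0.0.0/24"),
    "40.0.0.1": ipaddress.ip_network("40.0.0.0/24"),
}
IFACE_ADDR = {"em0": "20.0.0.10", "em1": "40.0.0.10"}
# Assumed mapping in the style of phoenix's rules: ingress interface -> FIB,
# and each FIB carries its own default route.
IFACE_FIB = {"em0": 0, "em1": 1}
FIB_DEFAULT = {0: "20.0.0.1", 1: "40.0.0.1"}


def provider_accepts(router, src):
    """Source-address validation, the verrevpath-style check on the provider side."""
    return ipaddress.ip_address(src) in ROUTERS[router]


def echo_reply(in_iface, defaultrouter=None):
    """Return (next_hop, delivered) for the reply to a ping received on in_iface.

    With defaultrouter set, every reply leaves via that single gateway
    (the rc.conf-only setup). With defaultrouter=None, the reply uses the
    FIB selected by the interface the request arrived on.
    """
    src = IFACE_ADDR[in_iface]  # the reply is sourced from the pinged address
    next_hop = defaultrouter or FIB_DEFAULT[IFACE_FIB[in_iface]]
    return next_hop, provider_accepts(next_hop, src)


def reachable_interfaces(defaultrouter=None):
    """Interfaces whose echo replies survive the provider's source check."""
    return sorted(i for i in IFACE_ADDR if echo_reply(i, defaultrouter)[1])


if __name__ == "__main__":
    for gw in ("20.0.0.1", "40.0.0.1", None):
        label = gw or "per-interface FIB"
        print(f"{label:>18}: ping answered on {reachable_interfaces(gw)}")
```
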



## vermaden (Apr 9, 2010)

Thank You for all the responses, I just thought that I will be able to set a gateway per network just like that, like in Debian for example:

/etc/network/interfaces

```
iface eth0 inet static
    address 20.0.0.10
    netmask 255.255.255.0
    gateway 20.0.0.1

iface eth1 inet static
    address 40.0.0.10
    netmask 255.255.255.0
    gateway 40.0.0.1
```

I really liked the *phoenix* ipfw/setfib solution (which I probably choose here as a solution) but BGP using OpenBGPd should also do the job.

Thanks and regards mates.


----------



## vermaden (Apr 13, 2010)

I went the *phoenix* way and it worked like a charm, just to sum things up, these are also needed for a complete setup:

Recompile the kernel with options ROUTETABLES=16 and put these into the /boot/loader.conf file:

```
ipfw_load="YES"
net.fibs=16
```

You can of course use 2 instead of 16, but it will prevent another kernel recompile if You would need 3 instead of 2 for example.


----------



## overmind (Feb 6, 2011)

What is the best way in this example to configure a firewall if the FREEBSD BOX from the previous diagram would be a router and we want all traffic from the LAN behind that router to go to ROUTER 0 or ROUTER 1, but not round robin, so that connections from a machine on the LAN use the same ROUTER?


----------

