# WAN/LAN Gateway having one extra non-routed public IP



## Anonymous (Jul 18, 2013)

I thought this was easy, but it didn't work as expected.

PRESENT SITUATION (working)

A WAN/LAN gateway utilizing ipfw/NAT over two interfaces, em0 connected to the LAN, having an internal IP, and em1 connected to the WAN, having a public IP, by ISP1. The NAT interface is em1, and the default gateway as reported by netstat -nr is set to the router IP of the WAN interface.

NEW SETUP (not working)

I added another NIC em2 to the gateway having another static public IP attributed by another ISP2. I can make em2 the NAT interface, and the router of ISP2 the default route, and the WAN/LAN gateway is effectively switched over to the new ISP2 - and this part is working so far.

However, for the time being (until DNS/rDNS is transferred to the new ISP), I need to keep the old link over em1 from/to the internet by the old ISP1 active for web and mail services (80/443, 25,587, 110/995, 143/993) which are running directly on the gateway machine. The problem is, that em1 via ISP1 is no more accessible from the internet when switching the WAN/LAN gateway to em2 via the new ISP2.

Is this kind of setup possible at all, if yes how?


----------



## throAU (Jul 19, 2013)

I'm not sure if it can be done using pf, but I am pretty sure it CAN be done...

You can fix half of the problem by setting up another internal IP for 1:1 NAT inbound, e.g.:

ISP1-IP -> internal IP 1
ISP2-IP -> internal IP 2

But on the way out, you'll have problems making sure packets go back out through the correct path (it will pick your default route.  If you were to have two default routes, it would simply round-robin, and this will break the TCP connection).

To get this to work, I suspect you'll need to do some policy-based routing using pf (or your choice of firewall), but I've not dealt with pf in that respect before.

Essentially you will want to inspect traffic as it hits your FreeBSD router on the way out, and IF the source IP matches internal IP 2 (pre-NAT), forward it to ISP 2 for delivery, doing 1:1 NAT to the external IP of ISP2 on the way out.

How to accomplish this is left as an exercise for the reader


----------

