Friday, May 22, 2009

Setting up a multi-gateway FreeBSD firewall/Router

Keywords: Multi-homed, source based routing, FreeBSD, ADSL gateways.

The reason for this article is that due to strange and sometimes entertaining DSL solutions in South Africa, we must use a bit of technical ability to provide proper services for small to medium enterprises, where the prohibitive cost of true leased lines would sink such a small company.

Basic Premise: 2 x 1Mbps Uncapped Fibre ADSL Lines from ISP1, plus a bonded ADSL solution (bonding 3 x 4mbps ADSL Lines into a 12Mbps line). Problem is that on a standard Linux router, you get ONE gateway, meaning that all traffic coming in on interface1 does not return to sender through interface1, but rather interface2 if it is the default gateway.

The solution here will allow Incoming traffic to be routed correctly back through the orginating link, making multi-homing a reality.

Refer to the Network Diagram:

em0 - 1mbps Uncapped through ISP1
em1 - 1mbps Uncapped through ISP1
em2 - 12Mbps Capped through ISP2
fxp0 - interface to local LAN

First, we'll need to add some kernel compilation options (I'll do a followup article on creating custom FreeBSD Kernels).

In your kernel config, add:

# Firewalling and NAT
options IPFIREWALL (IPFW firewalling, better than IPTables IMHO)
options IPDIVERT (The Divert class in IPFW)
options IPFIREWALL_FORWARD (The Forward class in IPFW)
options IPFIREWALL_DEFAULT_TO_ACCEPT (create a default allow all rule)
options IPFIREWALL_VERBOSE (Verbose logging to stdout)

you'll need to compile your kernel, install it. Add the following line to /etc/sysctl.conf:


This will activate source based routing. Now reboot the box. IP information for the system is as follows:

em0: em0 gateway: (default gateway for server)
em1: em1 gateway:
em2: em2 gateway:
fxp0: fxp0 gateway: none (self)

NAT Deamons are setup as follows:

em0: port 8668
em1: port 8669
em2: port 8670

You need to activate the source based forward rules in your firewall, so add the following lines to IPFW:

ipfw add 00059 divert 8668 ip from any to any recv em0
ipfw add 00060 fwd ip from to not out recv em0

Rule 59 does not END traffic, but rule 60 does, so further processing of packets is not needed.

ipfw add 00061 divert 8669 ip from any to any recv em1
ipfw add 00062 fwd ip from to not out recv em1

ipfw add 00063 divert 8670 ip from any to any recv em2
ipfw add 00064 fwd ip from to not out recv em2

This will activate source based routing, so if you have a NAT rule on em1 saying redirect all port 25 traffic to internal IP, then it will return traffic back to the source over em1, instead of em0 (the default gateway).

Thus ends the horrible congestion of one line, as well as allowing incoming static NAT for multiple interfaces, really expanding possibilities for your business.

No comments:

Post a Comment