Best approach for a FreeBSD router / Internet gateway with backup link?
I am using a FreeBSD box as my main internet gateway and firewall. It is
connected (via ethernet) to a DSL modem.
I am using ipfw as my firewall, together with natd.
Currently, if the DSL link goes down, I have no backup link to the Internet.
Recently, HSDPA subscription plans here in Norway have dropped to a
level where they are an affordable option (at least outside of business
hours).
And the usb-based HSDPA modems they offer actually do work under
FreeBSD. They use ppp (PPPoE).
So I was thinking about using a HSDPA modem as a backup internet link
for my firewall / internet gateway.
I googled a bit, but couldn't find any good articles on the subject. Are
there any howto's on this?
I think I will need to activate the ppp link manually (or via a script)
- I can live with that.
Some points that need attention:
- routing; the firewall needs a default route to the currently active
gateway (DSL or ppp). That's easy enough - ppp adds a default route when
the link goes active, and I can simply restore the old default route
when the ppp link deactivates.
- nat: should I use natd for the ppp link also? And how would I best set
it up? Or should I use ppp's built-in nat for the ppp link?
- firewall: should I extend my ipfw firewall script to also cover the
ppp link? Or should I use ppp built-in filtering?
Any pointers welcome.
--
Torfinn Ingolfsen,
Norway
Re: Best approach for a FreeBSD router / Internet gateway with backup link?
A small update.
Torfinn Ingolfsen wrote:
> I think I will need to activate the ppp link manually (or via a script)
> - I can live with that.
For now I just do 'ppp -nat 3g'.
> - routing; the firewall needs a default route to the currently active
> gateway (DSL or ppp). That's easy enough - ppp adds a default route when
> the link goes active, and I can simply restore the old default route
> when the ppp link deactivates.
It seems ppp can only do "route add default", but my machine complains
about that.
If I do a 'route change default' after the ppp link is up, everything works.
This needs to be fixed.
> - nat: should I use natd for the ppp link also? And how would I best set
> it up? Or should I use ppp's built-in nat for the ppp link?
It seems I have to use the '-nat' option on ppp to get a working connection.
> - firewall: should I extend my ipfw firewall script to also cover the
> ppp link? Or should I use ppp built-in filtering?
I have modified my ipfw firewall script to include the backup link. Not
perfect, but it works.
Other things:
- dns: I run bind as a local dns, and use my ISP's dns servers as
forwarders. Currently I have just changed named.conf to include the dns
servers for the HSDPA ISP as well. But perhaps there is a better approach?
- mail: getting mail from my ISP works (via pop3). Sending mail (smtp)
via my ISP's smtp server does not work. I need to find out if they
support a way to do it (authentication + encryption?)
--
Torfinn Ingolfsen,
Norway
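As an added example (not configuration from the thread or from Torfinn), here is how the two problems in the update above map onto user ppp's own configuration: "add!" updates the existing default route instead of failing the way "add default" does while the DSL route is present, "nat enable yes" in the profile replaces the "-nat" command-line flag, and ppp.linkdown puts the DSL default route back after ppp tears down the route it installed. The device path, phone number, placeholder credentials, the reuse of the profile name "3g" from the post, and the DSL gateway address 192.0.2.1 are all assumptions.

```conf
# /etc/ppp/ppp.conf  (added example; device, phone number, credentials
# and addresses are assumptions, not values from the thread)
default:
 set log Phase Chat LCP IPCP CCP tun command
 # assumed: the USB HSDPA modem shows up as /dev/cuaU0
 set device /dev/cuaU0
 set speed 115200
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"

3g:
 # assumed: the operator's packet-data dial string
 set phone "*99#"
 # placeholder credentials
 set authname "user"
 set authkey "pass"
 # a backup uplink should not idle-disconnect by itself
 set timeout 0
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 # "add default HISADDR" is refused while the DSL default route exists;
 # "add!" updates the existing route instead, like "route change default"
 add! default HISADDR
 # NAT inside ppp for everything leaving on tun0, the same as "ppp -nat 3g";
 # the DSL interface keeps using natd as before
 nat enable yes

# /etc/ppp/ppp.linkdown
# ppp removes the default route it installed when the 3g link drops, so
# point the default route back at the DSL gateway (assumed 192.0.2.1)
3g:
 !bg /sbin/route add default 192.0.2.1
```

With NAT in the profile the link is started with plain "ppp 3g" (or "ppp -ddial 3g" to have it redial on its own). The ipfw rules need no divert for tun0, since translation has already happened inside ppp before the packet reaches the interface; the natd divert rule for the DSL interface stays as it is. One caveat a practitioner should keep in mind: while the 3g default route is active, anything not covered by a more specific route, including the DSL modem's own management address if it is only reachable via the default route, goes out over the metered link.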
Re: Best approach for a FreeBSD router / Internet gateway with backup link?
On Fri, 24 Oct 2008 17:37:58 +0200
Torfinn Ingolfsen <tingo@start.no> wrote:
> A small update.
I've been pondering if this would be a task for netgraph/ng_one2many.
This does not set up your DNS and assumes 2 ppp links for the sake of
simplicity:
ng_one2many will send traffic for interface ``one'' over the links
``many0'' ``many1'' etc, in a round-robin alteration per packet.
So you could set up your routing and firewall for ``one'', likely being
a virtual interface;
configure ppp0 and ppp1 as ``many0'' and ``many1'';
sort-of abusing ng_one2many, only ever have _one_ of the many links up,
so traffic sent to ``one'' goes to your ISP of choice.
Using NG_ONE2MANY_FAIL_NOTIFY would have netgraph automatically
en-/disable the ``many''-hook once the ppp link goes up/down, so your
routing would be transparently changed once you change the active ppp
link.
This is totally untested, maybe stupid and might not work at all.
It just happens to be a method I recently thought about trying for
myself, just out of curiosity.
Michael
Re: Best approach for a FreeBSD router / Internet gateway with backup link?
Michael Ross wrote:
> On Fri, 24 Oct 2008 17:37:58 +0200
> Torfinn Ingolfsen <tingo@start.no> wrote:
>
>> A small update.
>
> I've been pondering if this would be a task for netgraph/ng_one2many.
Very interesting. I haven't looked closely at netgraph, maybe now is the
time.
Thanks for the idea.
--
Torfinn Ingolfsen,
Norway