Best approach for a FreeBSD router / Internet gateway with backup link? - BSD



Thread: Best approach for a FreeBSD router / Internet gateway with backup link?

  1. Best approach for a FreeBSD router / Internet gateway with backup link?


    I am using a FreeBSD box as my main internet gateway and firewall. It is
    connected (via ethernet) to a DSL modem.
    I am using ipfw as my firewall, together with natd.
    Currently, if the DSL link goes down, I have no backup link to the Internet.

    Recently, HSDPA subscription plans here in Norway have dropped to a
    level where they are an affordable option (at least outside of business
    hours).

    And the usb-based HSDPA modems they offer actually do work under
    FreeBSD. They use ppp (PPPoE).

    So I was thinking about using a HSDPA modem as a backup internet link
    for my firewall / internet gateway.
    I googled a bit, but couldn't find any good articles on the subject. Are
    there any howto's on this?


    I think I will need to activate the ppp link manually (or via a script)
    - I can live with that.

    Some points that need attention:

    - routing; the firewall needs a default route to the currently active
    gateway (DSL or ppp). That's easy enough - ppp adds a default route when
    the link goes active, and I can simply restore the old default route
    when the ppp link deactivates.

    - nat: should I use natd for the ppp link also? And how would I best set
    it up? Or should I use ppp built-in nat for the ppp link?
    - firewall: should I extend my ipfw firewall script to also cover the
    ppp link? Or should I use ppp built-in filtering?

    Any pointers welcome.
    --
    Torfinn Ingolfsen,
    Norway

  2. Re: Best approach for a FreeBSD router / Internet gateway with backup link?

    A small update.

    Torfinn Ingolfsen wrote:
    > I think I will need to activate the ppp link manually (or via a script)
    > - I can live with that.


    For now I just do 'ppp -nat 3g'.

    > - routing; the firewall needs a default route to the currently active
    > gateway (DSL or ppp). That's easy enough - ppp adds a default route when
    > the link goes active, and I can simply restore the old default route
    > when the ppp link deactivates.


    It seems ppp only can do "route add default", but my machine complains
    about that.
    If I do a 'route change default' after the ppp link is up, everything works.
    This needs to be fixed.

    > - nat: should I use natd for the ppp link also? And how would I best set
    > it up? Or should I use ppp built-in nat for the ppp link?


    It seems I have to use the '-nat' option on ppp to get a working connection.

    > - firewall: should I extend my ipfw firewall script to also cover the
    > ppp link? Or should I use ppp built-in filtering?


    I have modified my ipfw firewall script to include the backup link. Not
    perfect, but it works.

    Other things:

    - dns: I run bind as a local dns, and use my ISP's dns servers as
    forwarders. Currently I have just changed named.conf to include the dns
    servers for the HSDPA ISP as well. But perhaps there is a better approach?

    - mail: getting mail from my ISP works (via pop3). sending mail (smtp)
    via my ISP's smtp server does not work. I need to find out if they
    support a way to do it (authentication + encryption?)

    --
    Torfinn Ingolfsen,
    Norway
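
Added example (not part of the thread or either poster's setup): a small sh helper for the routing problem in post 2, where `route add default` is refused while `route change default` works. It assumes the complaint comes from the DSL default route still being installed; the addresses, the sample routing table and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: pick "route add" or "route change"
# for the default route depending on what is already in the table.

# Constructed sample of `netstat -rn -f inet` output while the DSL default
# route is still installed (addresses are from documentation ranges).
SAMPLE_TABLE='Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.0.2.1          UGS         0     1234    em0
127.0.0.1          link#3             UH          0       10    lo0
192.0.2.0/24       link#1             U           0      100    em0
10.0.0.0/24        link#2             U           0      500    em1'

# current_default TABLE -> prints the gateway of the default route, if any.
current_default() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $2; exit }'
}

# route_cmd TABLE WANTED_GW -> prints the route(8) command needed, if any.
route_cmd() {
    have=$(current_default "$1")
    if [ -z "$have" ]; then
        # No default route yet: a plain add succeeds.
        echo "route add default $2"
    elif [ "$have" != "$2" ]; then
        # A default route exists: add would be refused, so change it.
        echo "route change default $2"
    fi
    # Wanted gateway already installed: print nothing.
}

# apply_route WANTED_GW -> run the command on the live table (FreeBSD, root).
apply_route() {
    cmd=$(route_cmd "$(netstat -rn -f inet)" "$1")
    [ -z "$cmd" ] || $cmd
}

# Demonstration on the constructed table only; no route is touched here.
# 198.51.100.1 stands in for the backup link's peer address (assumed).
route_cmd "$SAMPLE_TABLE" 198.51.100.1   # -> route change default 198.51.100.1
```

On the gateway, `apply_route <gateway>` would be called from whatever script brings the backup link up or down. ppp(8) also documents an `add!` form of its own route command that updates an existing route instead of failing.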

  3. Re: Best approach for a FreeBSD router / Internet gateway with backup link?

    On Fri, 24 Oct 2008 17:37:58 +0200
    Torfinn Ingolfsen wrote:

    > A small update.


    I've been pondering if this would be a task for netgraph/ng_one2many.

    This does not set up your DNS and assumes 2 ppp links for the sake of
    simplicity:

    ng_one2many will send traffic for interface ``one'' over the links
    ``many0'' ``many1'' etc, in a round-robin alteration per packet.

    So you could set up your routing and firewall for ``one'', likely being
    a virtual interface;
    configure ppp0 and ppp1 as ``many0'' and ``many1'';
    sort-of abusing ng_one2many to only ever have _one_ of the many links up,
    so traffic sent to ``one'' goes to your ISP of choice.
    Using NG_ONE2MANY_FAIL_NOTIFY would have netgraph automatically
    en-/disable the ``many''-hook, once the ppp link goes up/down, so your
    routing would be transparently changed once you change the active ppp
    link.

    This is totally untested, maybe stupid and might not work at all.
    It just happens to be a method I recently thought about trying for
    myself, just out of curiosity.


    Michael

  4. Re: Best approach for a FreeBSD router / Internet gateway with backup link?

    Michael Ross wrote:
    > On Fri, 24 Oct 2008 17:37:58 +0200
    > Torfinn Ingolfsen wrote:
    >
    >> A small update.

    >
    > I've been pondering if this would be a task for netgraph/ng_one2many.


    Very interesting. I haven't looked closely at netgraph, maybe now is the
    time.
    Thanks for the idea.
    --
    Torfinn Ingolfsen,
    Norway
