Old 03-16-2005, 06:29 AM   #1
mxk
LQ Newbie
 
Registered: Jun 2004
Location: Rockville, MD
Posts: 18

Rep: Reputation: 0
Multiple WAN interfaces (FreeBSD Firewall)


Hi guys, have a question here regarding if this is possible or not. I'm setting up a FreeBSD 5.3 firewall and I need to have two separate WAN interfaces, with each being able to receive a dynamic IP from my ISP upon start up. Is this possible, and if so, how do I go about doing this?
 
Old 03-16-2005, 06:52 AM   #2
n0sr
Member
 
Registered: Sep 2004
Location: 127.0.0.1
Distribution: Slackware 13; Ubuntu Raspberry Pi OS
Posts: 255

Rep: Reputation: 34
Quote:
Hi guys, have a question here regarding if this is possible or not. I'm setting up a FreeBSD 5.3 firewall and I need to have two separate WAN interfaces, with each being able to receive a dynamic IP from my ISP upon start up. Is this possible, and if so, how do I go about doing this?
I'm not 100% up to speed with FreeBSD, so I won't be able to help with the specifics of the system; however, I do have a couple of questions:

Are you connecting these interfaces to different ISPs?

Are these connections to the Internet? or used for point to point connections with remote locations?

If you are connecting the WAN interfaces to the same ISP, it is possible, but they will need to allow you to have more than one IP address and they must be on different networks.
 
Old 03-16-2005, 07:02 AM   #3
mxk
LQ Newbie
 
Registered: Jun 2004
Location: Rockville, MD
Posts: 18

Original Poster
Rep: Reputation: 0
Well, regarding number one - it's kinda hard to answer since this is actually for the development of a firewall that is used by many people in many different environments. Ideally, we'd like to be able to connect to multiple ISPs. Though in my own case, I would like to connect to the same ISP (Comcast) that issues IPs based on the MAC address. So if I have two separate NICs, each with its own MAC, then as long as each one asks for an IP, Comcast will issue one.

For number two, in most cases it will be connection to the internet, though I'm sure some people might have other ideas for it.

Basically what we'd like to do is have the ability to set up port forwarding based on the IP address, even if the port is the same. For example, if I have two different machines each running a web server on my LAN, I would like to say that connections that came in on WAN1:80 go to something like 192.168.1.2, and connections on WAN2:80 go to 192.168.1.3. That's the general idea. We can already do this with static IPs and one dynamic IP, but since most people don't have static from their ISP, we'd like to be able to work with multiple dynamic IPs and base our rules on the interface.

Hope that helps a bit.
 
Old 03-17-2005, 05:26 AM   #4
n0sr
Member
 
Registered: Sep 2004
Location: 127.0.0.1
Distribution: Slackware 13; Ubuntu Raspberry Pi OS
Posts: 255

Rep: Reputation: 34
Yes, that does help a bit.
I do have one other question: will there be two fully qualified domain names associated with the interfaces? (wan1.domain.com and wan2.domain.com for example) Or will someone put in www.domain.com and hit either wan1 or wan2? If you have one fqdn, then you'll be doing load balancing between the two interfaces and I've not directly played with that, although the only thing I know of that will do it is fairly expensive commercial high-availability/load balancing type software.

Otherwise, I would approach this remembering you will have two different issues, incoming traffic and outgoing traffic.

Incoming traffic will be straightforward, as the request will come in on an interface and can be sent to a webserver specific to that interface or to a single webserver that can handle requests from either port.

The biggest issue will be the outgoing information.

If you are able to get two different IP addresses from the same ISP, then effectively you are doing the same as using two different ISPs with one big difference: One ISP will most likely give you IP addresses from the same network (just like in your example: 192.168.1.2 and 192.168.1.3). Two different ISPs will give you IP addresses from *DIFFERENT* networks (i.e. 192.168.1.2 and 10.1.1.3).

This will cause you routing issues as the system will need to know how to route outgoing data. Either interface would work the same; you will want the data to go out on the same port the request came in from. In a static IP environment, this would be much simpler as you can plug the IP addresses into the routing table and firewall config. It can be done with dynamically assigned IPs just the same; however, by the nature of that beast, you would most likely have to write a script to read the addresses after they're assigned and then handle the routing and firewall config within that script.

Hope that is a little bit clearer than mud!!
 
Old 03-17-2005, 11:21 AM   #5
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Rep: Reputation: 47
Quote:
Originally posted by n0xvb
If you have one fqdn, then you'll be doing load balancing between the two interfaces and I've not directly played with that, although the only thing I know of that will do it is fairly expensive commercial high-availability/load balancing type software.
BIND is free

Quote:
Originally posted by n0xvb
Otherwise, I would approach this remembering you will have two different issues, incoming traffic and outgoing traffic.

-{Snip}-

Hope that is a little bit clearer than mud!!
Barely

Assuming the NAT/PAT is designed correctly there will not be a routing problem at all.
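
The script suggested in post #4, sketched for the WAN1:80 / WAN2:80 case from post #3 as an added example that was not posted by anyone in this thread: it reads each WAN interface's leased address, validates it, and emits one redirect rule per interface. The choice of pf `rdr` syntax, the interface names `fxp0`/`fxp1` and the sample `ifconfig` output are assumptions.

```shell
# Added example: pf, fxp0/fxp1 and the sample output below are assumptions.
WAN1=fxp0 WAN2=fxp1

# Constructed sample of FreeBSD ifconfig output after both NICs got a lease.
SAMPLE_IFCONFIG='fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet6 fe80::211:22ff:fe33:4466%fxp1 prefixlen 64 scopeid 0x2
    inet 198.51.100.77 netmask 0xffffff00 broadcast 198.51.100.255'

# Print the first IPv4 address of interface $1 from ifconfig text on stdin.
wan_addr() {
    awk -v ifn="$1:" '
        /^[a-z0-9]+:/ { cur = $1 }
        cur == ifn && $1 == "inet" { print $2; exit }'
}

# Accept only a dotted quad, so nothing else can end up inside a rule.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# Emit one pf redirect: TCP port $3 arriving on address $2 of $1 goes to $4.
rdr_rule() {
    printf 'rdr on %s proto tcp from any to %s port %s -> %s port %s\n' \
        "$1" "$2" "$3" "$4" "$3"
}

# Build the rules for the thread's example (WAN1:80 -> .2, WAN2:80 -> .3).
build_rules() {
    rules=''
    for pair in "$WAN1=192.168.1.2" "$WAN2=192.168.1.3"; do
        ifn=${pair%%=*}; host=${pair#*=}
        addr=$(printf '%s\n' "$1" | wan_addr "$ifn")
        # Fail closed: a missing or malformed lease yields no ruleset at all.
        is_ipv4 "$addr" || { echo "no usable address on $ifn" >&2; return 1; }
        rules="$rules$(rdr_rule "$ifn" "$addr" 80 "$host")
"
    done
    printf '%s' "$rules"
}

build_rules "$SAMPLE_IFCONFIG"   # on the firewall: build_rules "$(ifconfig)"
```

pf can also follow a changing address by itself when the interface name is written in parentheses in a rule, for example `to (fxp0)`, which removes the need to substitute the literal address.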
 
  

