Hi guys, I have a question here regarding whether this is possible or not. I'm setting up a FreeBSD 5.3 firewall and I need to have two separate WAN interfaces, with each being able to receive a dynamic IP from my ISP upon start-up. Is this possible, and if so, how do I go about doing this?
I'm not 100% up to speed with FreeBSD, so I won't be able to help with the specifics of the system; however, I do have a couple of questions:
Are you connecting these interfaces to different ISPs?
Are these connections to the Internet, or are they used for point-to-point connections with remote locations?
If you are connecting the WAN interfaces to the same ISP, it is possible, but they will need to allow you to have more than one IP address, and they must be on different networks.
Well, regarding number one, it's kinda hard to answer, since this is actually for the development of a firewall that is used by many people in many different environments. Ideally, we'd like to be able to connect to multiple ISPs. Though in my own case, I would like to connect to the same ISP (Comcast), which issues IPs based on the MAC address. So if I have two separate NICs, each with its own MAC, then as long as each one asks for an IP, Comcast will issue one.
For number two, in most cases it will be a connection to the Internet, though I'm sure some people might have other ideas for it.
Basically, what we'd like to do is have the ability to set up port forwarding based on the IP address, even if the port is the same. For example, if I have two different machines each running a web server on my LAN, I would like to say that connections that came in on WAN1:80 go to something like 192.168.1.2, and connections on WAN2:80 go to 192.168.1.3. That's the general idea. We can already do this with static IPs and one dynamic IP, but since most people don't have static IPs from their ISP, we'd like to be able to work with multiple dynamic IPs and base our rules on the interface.
Yes, that does help a bit.
I do have one other question: will there be two fully qualified domain names associated with the interfaces? (wan1.domain.com and wan2.domain.com, for example.) Or will someone put in www.domain.com and hit either wan1 or wan2? If you have one FQDN, then you'll be doing load balancing between the two interfaces, and I've not directly played with that, although the only thing I know of that will do it is fairly expensive commercial high-availability/load-balancing type software.
Otherwise, I would approach this remembering that you will have two different issues: incoming traffic and outgoing traffic.
Incoming traffic will be straightforward, as the request will come in on an interface and can be sent to a web server specific to that interface or to a single web server that can handle requests from either port.
The biggest issue will be the outgoing information.
If you are able to get two different IP addresses from the same ISP, then effectively you are doing the same as using two different ISPs, with one big difference: one ISP will most likely give you IP addresses from the same network (just like in your example: 192.168.1.2 and 192.168.1.3). Two different ISPs will give you IP addresses from *DIFFERENT* networks (i.e. 192.168.1.2 and 10.1.1.3).
This will cause you routing issues, as the system will need to know how to route outgoing data. Either interface would work the same; you will want the data to go out on the same port the request came in from. In a static IP environment, this would be much simpler, as you can plug the IP addresses into the routing table and firewall config. It can be done with dynamically assigned IPs just the same; however, by the nature of that beast, you would most likely have to write a script to read the addresses after they're assigned and then handle the routing and firewall config within that script.
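An added example, not posted by anyone in this thread, of the script n0xvb describes, applied to the per-WAN port 80 forwarding from the earlier post: a dhclient exit hook that records each WAN's leased gateway and regenerates pf rules (FreeBSD 5.3 ships pf) whose reply-to clause sends replies back out the WAN they arrived on. The interface names rl0/rl1, the LAN hosts and subnet, and the file paths are constructed assumptions; the generated file is loaded as the whole ruleset for brevity.

```shell
# Added example, not from this thread: a dhclient exit hook that regenerates pf
# rules for every WAN whenever a WAN interface gets a lease. ISC dhclient sources
# /etc/dhclient-exit-hooks with $reason, $interface, $new_routers set (dhclient-script(8)).
# rl0/rl1, the LAN hosts/subnet and the file paths are constructed placeholders.
STATE=/var/run/wan-gw   # constructed: one file per WAN holding its current gateway
RULES=/etc/pf.wan.conf  # constructed: generated file loaded as the pf ruleset

# LAN web server each WAN's port 80 is forwarded to (the thread's own example).
lan_target() {
    case "$1" in
        rl0) echo 192.168.1.2 ;;
        rl1) echo 192.168.1.3 ;;
        *)   return 1 ;;
    esac
}
# Translation rules: per-WAN rdr of port 80, plus NAT of LAN traffic leaving each
# WAN to that WAN's current address; "($wan)" makes pf track a dynamic address.
emit_translation() {
    while [ $# -ge 3 ]; do
        printf 'rdr on %s inet proto tcp from any to (%s) port 80 -> %s port 80\n' "$1" "$1" "$3"
        printf 'nat on %s inet from 192.168.1.0/24 to any -> (%s)\n' "$1" "$1"
        shift 3
    done
}
# Filter rules: pf filters on the post-rdr destination, and reply-to sends replies
# back out the WAN they arrived on via that WAN's gateway, whatever the default route.
emit_filter() {
    while [ $# -ge 3 ]; do
        printf 'pass in on %s reply-to (%s %s) inet proto tcp from any to %s port 80 keep state\n' "$1" "$1" "$2" "$3"
        shift 3
    done
}
# Ruleset for "if gw target" triples; pf wants all translation rules before filter rules.
gen_pf_rules() {
    emit_translation "$@"
    emit_filter "$@"
}

# Hook body: record this WAN's first router, then rebuild rules for all known WANs.
case "$reason" in
    BOUND|RENEW|REBIND|REBOOT)
        if [ -n "$new_routers" ] && lan_target "$interface" >/dev/null; then
            echo "${new_routers%% *}" > "$STATE.$interface"
            triples=""
            for f in "$STATE".*; do
                wan=${f##*.}; triples="$triples $wan $(cat "$f") $(lan_target "$wan")"
            done
            gen_pf_rules $triples > "$RULES" && pfctl -f "$RULES"
        fi ;;
esac
```

Running gen_pf_rules by hand with two "interface gateway target" triples prints the six rules it would load, which is a quick way to eyeball the output before wiring the hook into dhclient.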
Originally posted by n0xvb: If you have one FQDN, then you'll be doing load balancing between the two interfaces, and I've not directly played with that, although the only thing I know of that will do it is fairly expensive commercial high-availability/load-balancing type software.
BIND is free
Quote:
Originally posted by n0xvb: Otherwise, I would approach this remembering that you will have two different issues: incoming traffic and outgoing traffic.
-{Snip}-
Hope that is a little bit clearer than mud!!
Barely
Assuming the NAT/PAT is designed correctly there will not be a routing problem at all.