How to do source based routing in OS X Server

I have an OS X Server which has 2 NICs with two ISP DSL accounts. There is one default route. I would like to have inbound traffic for the non-default interface to go via a separate router.

e.g.

en0: 192.168.1.10/24 router 192.168.1.1 - NATs to 1.2.3.4
en1: 192.168.2.10/24 router 192.168.2.1 - NATs to 4.3.2.1

Default route is 192.168.1.1

I would like to set up source based routing such that any inbound packet to 4.3.2.1 is replied to via the router 192.168.2.1

To do this, I have tried using the command

ipfw add fwd 192.168.2.1 ip from 192.168.2.10 to not 192.168.2.0/24

which gives me an ipfw table of

00001 allow udp from any 626 to any dst-port 626
00010 divert 8668 ip from any to any via en1
00099 fwd 192.168.2.1 ip from 192.168.2.10 to not 192.168.2.0/24
01000 allow log ip from any to any via lo0
01010 deny ip from any to 127.0.0.0/8
01020 deny ip from 224.0.0.0/4 to any in
01030 deny tcp from any to 224.0.0.0/4 in
12300 allow log ip from any to any
65534 deny ip from any to any
65535 allow ip from any to any
When I try to ping to the external IP address from outside, I can see the packets reaching the server on the correct interface, but they do not seem to get any reply on either interface. If I remove the rule, then the reply packets can be seen going out through the default interface.

Cheers,

Joel


dalesitAsked:
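Added here as an illustration, not code from the thread: a small Python model of the rule walk ipfw performs over the listing in the question, used to show which rule a given packet hits first (a reply from 192.168.2.10 to an outside address reaches 00099 only after passing the en1 divert rule, while a reply from 192.168.1.10 falls through to 12300). It assumes the `ipfw list` layout shown above, omits rule 00001's port syntax, and deliberately does not model natd rewriting addresses after the divert.

```python
import ipaddress

# Constructed sample input: the ipfw listing from the question above
# (rules 00001 and 65535 omitted to keep the block short).
IPFW_LIST = """\
00010 divert 8668 ip from any to any via en1
00099 fwd 192.168.2.1 ip from 192.168.2.10 to not 192.168.2.0/24
01000 allow log ip from any to any via lo0
01010 deny ip from any to 127.0.0.0/8
01020 deny ip from 224.0.0.0/4 to any in
12300 allow log ip from any to any
65534 deny ip from any to any
"""

def parse_rule(line):
    """Parse one line of `ipfw list` output into its match fields."""
    t = line.split()
    r = {"num": int(t[0]), "action": t[1], "arg": None, "dst_not": False}
    i = 2
    if r["action"] in ("divert", "fwd"):      # actions that carry an argument
        r["arg"], i = t[i], i + 1
    if t[i] == "log":
        i += 1
    r["proto"], i = t[i], i + 1               # ip / tcp / udp
    r["src"], i = t[i + 1], i + 3             # skip the "from" and "to" keywords
    if t[i] == "not":
        r["dst_not"], i = True, i + 1
    r["dst"], rest = t[i], t[i + 1:]          # trailing options: via <if>, in, out
    r["via"] = rest[rest.index("via") + 1] if "via" in rest else None
    r["dir"] = next((o for o in rest if o in ("in", "out")), None)
    return r

def addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def first_action(rules, src, dst, iface, direction, proto="ip"):
    """Return (number, action, arg) of the first terminal rule a packet hits.
    A divert rule hands the packet to natd, which re-injects it at the next
    rule, so the walk continues past it (natd's rewriting is not modelled)."""
    for r in rules:
        if (r["proto"] in ("ip", proto) and addr_match(r["src"], src)
                and addr_match(r["dst"], dst) != r["dst_not"]   # honours "not"
                and r["via"] in (None, iface) and r["dir"] in (None, direction)
                and r["action"] != "divert"):
            return (r["num"], r["action"], r["arg"])
    return None

RULES = [parse_rule(line) for line in IPFW_LIST.splitlines()]
```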
gheist Commented:
Definitely no. There is another option - Linux. IPFW is not that capable.
0
 
Shaun McNicholas (Senior Marketing Technologist) Commented:
All you have to do is set the default route to 192.168.2.10 - it doesn't matter where the inbound traffic is coming from.
0
 
dalesit (Author) Commented:
That is no good, as then I would have the same situation, but in reverse. In that case, traffic for 4.3.2.1 would work, but now traffic for 1.2.3.4 would go out the wrong interface.
0
 
gheistCommented:
Set public addresses as multi:multi NAT pool. No need to reinvent the wheel.
0
 
dalesit (Author) Commented:
Hi gheist,

I don't see what you mean by the multi:multi NAT pool - the issue is not with the NAT, but rather trying to get the packet to go out one interface or the other.

If a packet comes in on en1 from the internet, the reply will go out via en0 which is the default route. Consequently the reply packet will go via a different internet connection, have a different IP address and so not be recognised by the originator of the initial packet.

Cheers,

Joel
0
 
gheistCommented:
You have to run two natd(s) then.
0
 
dalesit (Author) Commented:
No, I want to preserve the original src information. If I implement src routing, then this is possible. Within linux you can use iproute2 as described at

http://lartc.org/howto/lartc.rpdb.multiple-links.html

I am trying to do the same thing within OSX Server.

In theory,

ipfw add fwd 192.168.2.1 ip from 192.168.2.10 to not 192.168.2.0/24

should work. However, it doesn't for me. I am trying to achieve source based routing (sometimes called policy routing) within OSX Server. I am not looking for NAT based solutions where I would lose the IP information of the initiating contact.

Cheers,

Joel
0
 
gheistCommented:
Apple names the "ipfw" component "ipfilter".
IPFilter is able to do the m:n NAT that you require; FreeBSD's ipfw is not. Ask for a warranty replacement on misadvertising, or reinstall with some *BSD.
0
 
Shaun McNicholas (Senior Marketing Technologist) Commented:
It seems like you guys are all making this incredibly complicated.
All inbound traffic is routed to the computer via your firewall or internal router - if someone types in an address 172.16.252.25 and your router or firewall translates it using NAT to the internal address 192.168.2.1 then you just set the default internal gateway to the other card. The default gateway is only used for sending traffic - it has nothing to do with receiving traffic.

I have a single mac with a separate ip address for each of 6 websites - I am using ip addresses instead of alias naming for personal reasons - but I route the dns record for each website to the address I want to use and tell the mac to use that address assigned to the external card and point it to the folder for that particular website. The default outbound traffic for all six of my websites comes out of the machine for only one of the 6 addresses.

I am sure you can mess around with the routing and load balancing settings in the OS X but it seems like you are just making the situation much more difficult than it needs to be - just expose one address using NAT and set the default gateway to the other - don't expose the second card to the public and you will never receive inbound traffic on that card but all outbound will go through it since it's the default gateway for the machine.
0
 
dalesit (Author) Commented:
OK, first off, I would like to emphasise that I know about NAT, and routing. I can do what I want to do using Linux and iproute2.

I want to have two connections exposed to the internet to provide resilience for our inbound mail and DNS. Our server will in effect have 2 MX records, one via ISP1, and one via ISP2. We want to have mail or DNS queries able to be made via either ISP. Consequently both addresses of the OSX Server need to be accessible.

The problem is that a packet which comes in to address 1 ends up on interface 1, and the reply goes out interface 1 and to router1 because that is the default route. However, a packet to address 2 ends up on interface 2, but the reply goes out interface 1 and to router 1 because that is the default route.

What I want to do is to set up source based routing (or policy routing) such that a packet inbound to interface 1 will send the reply via default route of router 1, and a packet inbound to interface 2 will send the reply via default route of router 2.
gheist - not sure what you are trying to say here. Are you saying that the command ipfw within OSX is actually ipfilter? And hence the OSX ipfw command is not equivalent to the BSD ipfw command? Or did I misunderstand?

Cheers,

Joel
0
 
gheistCommented:
You ask for a thing that IPFW from FreeBSD does not do. IPFilter from NetBSD or PF from OpenBSD does this.
0
 
dalesit (Author) Commented:
Is there a way to do such a thing using OSX Server?

Cheers,

Joel
0
 
gheistCommented:
Yes - upgrade your server to OpenBSD/macppc or NetBSD/macppc.
0
 
dalesit (Author) Commented:
Is there a solution without changing the OS?
0
 
drkaiserCommented:
I was having the same problem. Ultimately, I used IPNetRouterX from Sustainable Softworks to solve the issue.
0