How to do source based routing in OS X Server

Posted on 2007-10-12
Last Modified: 2013-12-23
I have an OS X Server which has 2 NICs with two ISP DSL accounts. There is one default route. I would like to have inbound traffic for the non-default interface to go via a separate router.

e.g.

en0: 192.168.1.10/24 router 192.168.1.1 - NATs to 1.2.3.4
en1: 192.168.2.10/24 router 192.168.2.1 - NATs to 4.3.2.1

Default route is 192.168.1.1

I would like to set up source based routing such that any inbound packet to 4.3.2.1 is replied to via the router 192.168.2.1

To do this, I have tried using the command

ipfw add fwd 192.168.2.1 ip from 192.168.2.10 to not 192.168.2.0/24

which gives me an ipfw table of

00001 allow udp from any 626 to any dst-port 626
00010 divert 8668 ip from any to any via en1
00099 fwd 192.168.2.1 ip from 192.168.2.10 to not 192.168.2.0/24
01000 allow log ip from any to any via lo0
01010 deny ip from any to 127.0.0.0/8
01020 deny ip from 224.0.0.0/4 to any in
01030 deny tcp from any to 224.0.0.0/4 in
12300 allow log ip from any to any
65534 deny ip from any to any
65535 allow ip from any to any


When I try to ping to the external IP address from outside, I can see the packets reaching the server on the correct interface, but they do not seem to get any reply on either interface. If I remove the rule, then the reply packets can be seen going out through the default interface.

Cheers,

Joel


Question by:dalesit
15 Comments

Expert Comment

by:Shaun McNicholas
ID: 20070007
All you have to do is set the default route to 192.168.2.10 - it doesn't matter where the inbound traffic is coming from.

Author Comment

by:dalesit
ID: 20070066
That is no good, as then I would have the same situation, but in reverse. In that case, traffic for 4.3.2.1 would work, but now traffic for 1.2.3.4 would go out the wrong interface.

Expert Comment

by:gheist
ID: 20074740
Set public addresses as multi:multi NAT pool. No need to reinvent the wheel.

Author Comment

by:dalesit
ID: 20074935
Hi gheist,

I don't see what you mean by the multi:multi NAT pool - the issue is not with the NAT, but rather trying to get the packet to go out one interface or the other.

If a packet comes in on en1 from the internet, the reply will go out via en0 which is the default route. Consequently the reply packet will go via a different internet connection, have a different IP address and so not be recognised by the originator of the initial packet.

Cheers,

Joel

Expert Comment

by:gheist
ID: 20076424
You have to run two natd(s) then.

Author Comment

by:dalesit
ID: 20076957
No, I want to preserve the original src information. If I implement src routing, then this is possible. Within linux you can use iproute2 as described at

http://lartc.org/howto/lartc.rpdb.multiple-links.html

I am trying to do the same thing within OSX Server.

In theory,

ipfw add fwd 192.168.2.1 ip from 192.168.2.10 to not 192.168.2.0/24

should work. However, it doesn't for me. I am trying to achieve source based routing (sometimes called policy routing) within OSX Server. I am not looking for NAT based solutions where I would lose the IP information of the initiating contact.

Cheers,

Joel
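For readers who want to see what the iproute2 approach the author points to actually looks like, here is an added example (not code from this thread, and not copied from the lartc page): a POSIX shell script that emits the `ip route` and `ip rule` commands for the two uplinks in the question, in the per-uplink-table pattern lartc describes. The addresses and gateways are the question's own; the Linux interface names eth0/eth1 (standing in for en0/en1) and the routing table numbers 101 and 102 are assumptions. It prints the commands by default and only executes them when run with `APPLY=1`, so it can be reviewed before touching a live routing table.

```shell
#!/bin/sh
# Added example, not code from the thread: emit (or, with APPLY=1, run) the
# iproute2 commands for source-based routing over two uplinks, following the
# lartc "routing for multiple uplinks" pattern the author refers to.
# Assumptions: Linux interfaces eth0/eth1 stand in for the question's en0/en1,
# routing tables 101 and 102 are unused; addresses and routers are the question's.

APPLY="${APPLY:-0}"

# Print each command, and execute it only when APPLY=1.
run() {
    echo "$*"
    if [ "$APPLY" = "1" ]; then "$@"; fi
}

# network_of ADDR/PLEN -> NETWORK/PLEN, e.g. 192.168.2.10/24 -> 192.168.2.0/24
network_of() {
    addr="${1%/*}"; plen="${1#*/}"
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    n=$(( n & mask ))
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))/$plen"
}

# policy_route IFACE ADDR/PLEN GATEWAY TABLE
# Give one uplink its own routing table (the connected route plus a default
# route via its own router) and a rule sending anything sourced from ADDR to
# that table. A reply to a packet that arrived on IFACE carries ADDR as its
# source, so it leaves via GATEWAY no matter what the main table's default is.
policy_route() {
    iface="$1"; cidr="$2"; gw="$3"; table="$4"
    addr="${cidr%/*}"
    run ip route add "$(network_of "$cidr")" dev "$iface" src "$addr" table "$table"
    run ip route add default via "$gw" dev "$iface" table "$table"
    run ip rule add from "$addr" table "$table"
}

# Both uplinks from the question. The main table keeps router 1 as the
# ordinary default route, exactly as the author already has it; only traffic
# sourced from the second address is steered to router 2.
two_uplinks() {
    policy_route eth0 192.168.1.10/24 192.168.1.1 101
    policy_route eth1 192.168.2.10/24 192.168.2.1 102
}

two_uplinks
```

Run as `sh policy-routes.sh` to review the six commands, then `APPLY=1 sh policy-routes.sh` as root to install them; `ip rule show` and `ip route show table 102` confirm the result. Because the rules key on the source address rather than on the inbound interface, the originating client's address is preserved end to end, which is the property the author wants and which a second NAT would lose.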

Expert Comment

by:gheist
ID: 20080869
Apple names its "ipfw" component "ipfilter".
IPFilter is able to do the m:n NAT that you require; FreeBSD's ipfw is not. Ask for a warranty replacement on grounds of misadvertising, or reinstall with some *BSD.

Expert Comment

by:Shaun McNicholas
ID: 20081003
It seems like you guys are all making this incredibly complicated.
All inbound traffic is routed to the computer via your firewall or internal router - if someone types in an address 172.16.252.25 and your router or firewall translates it using NAT to the internal address 192.168.2.1 then you just set the default internal gateway to the other card. The default gateway is only used for sending traffic - it has nothing to do with receiving traffic.

I have a single mac with a separate ip address for each of 6 websites - I am using ip addresses instead of alias naming for personal reasons - but I route the dns record for each website to the address I want to use and tell the mac to use that address assigned to the external card and point it to the folder for that particular website. The default outbound traffic for all six of my websites comes out of the machine for only one of the 6 addresses.

I am sure you can mess around with the routing and load balancing settings in the OS X but it seems like you are just making the situation much more difficult than it needs to be - just expose one address using NAT and set the default gateway to the other - don't expose the second card to the public and you will never receive inbound traffic on that card but all outbound will go through it since it's the default gateway for the machine.

Author Comment

by:dalesit
ID: 20082960
OK, first off, I would like to emphasise that I know about NAT, and routing. I can do what I want to do using Linux and iproute2.

I want to have two connections exposed to the internet to provide resilience for our inbound mail and DNS. Our server will in effect have 2 MX records, one via ISP1, and one via ISP2. We want to have mail or DNS queries able to be made via either ISP. Consequently both addresses of the OSX Server need to be accessible.

The problem is that a packet which comes in to address 1 ends up on interface 1, and the reply goes out interface 1 and to router1 because that is the default route. However, a packet to address 2 ends up on interface 2, but the reply goes out interface 1 and to router 1 because that is the default route.

What I want to do is to set up source based routing (or policy routing) such that a packet inbound to interface 1 will send the reply via default route of router 1, and a packet inbound to interface 2 will send the reply via default route of router 2.


gheist - not sure what you are trying to say here. Are you saying that the command ipfw within OSX is actually ipfilter? And hence the OSX ipfw command is not equivalent to the BSD ipfw command? Or did I misunderstand?

Cheers,

Joel

Expert Comment

by:gheist
ID: 20083514
You ask for a thing that IPFW from FreeBSD does not do. IPFilter from NetBSD or PF from OpenBSD does this.

Author Comment

by:dalesit
ID: 20084464
Is there a way to do such a thing using OSX Server?

Cheers,

Joel

Expert Comment

by:gheist
ID: 20085360
Yes - upgrade your server with OpenBSD/macppc or NetBSD/macppc

Author Comment

by:dalesit
ID: 20105695
Is there a solution without changing the OS?

Accepted Solution

by:
gheist earned 1000 total points
ID: 20109765
Definitely no. There is another option - Linux. IPFW is not that capable.

Expert Comment

by:drkaiser
ID: 22727342
I was having the same problem.  Ultimately, I used IPNetRouterX from Sustainable Softworks to solve the issue.