Postfix and dual WAN

Hello,

Is there some documentation about how to set up FreeBSD 10.1 for a dual WAN connection? I do not want load balancing, but maybe failover.

I have two ISPs and want to have redundancy for HTTP and email. I use PF and have configured a default gateway for each connection with setfib(1). There is no NAT and the server has to do no routing. I use Postfix for email and I want to make the server reachable from both WAN connections (2 MX records).

The first WAN connection (FIB 0) works fine, the second however returns traffic over (the gateway of) the first one, so it does not work. This may be by design, but it is a problem.
If someone has some useful suggestions, I would be very grateful.

- Jac
 
The FIB design can make things tricky since an instance of a service can only be on 1 FIB.

One route is to run multiple instances of the service. Perhaps 2 jails running Postfix on different FIBs to serve connections from both sources.

The second route is a TCP proxy on FIB 1 using something like net/haproxy, net/tcpproxy, or net/relayd. Use that service on FIB 1 to pass data back and forth to the Postfix server using the FIB 0 routing table.

The third option would be to investigate using the firewall; however, I never looked into that myself and don't have any suggestions on that route.
 
Thanks, junovitch.
Relayd looks like the perfect solution. On paper.
You can do this (from the Calomel pages):
Code:
#######################################################
###  Calomel.org  /etc/relayd.conf  START
#### TCP port relay and forwarder
#######################################################
## Macros
#
box1_addr="10.10.10.10"
box1_port="25"
box2_addr="10.20.20.20"
box2_port="25"
## TCP port relay and forwarder
#
protocol "tcp_service" {
  tcp { nodelay, socket buffer 65536 }
}
relay "tcp_forwarder" {
  listen on $box1_addr port $box1_port
  protocol "tcp_service"
  forward to $box2_addr port $box2_port
}
#######################################################
###  Calomel.org  /etc/relayd.conf  END
#### TCP port relay and forwarder
#######################################################
box1_addr is the second (not working) address, box2_addr is the working address.
But it does not help.
I have removed the address from inet_interfaces in main.cf, but this does not help.
Am I doing something wrong?

- Jac
 
I think the biggest thing is to ensure your port 25 services aren't listening on *:25 and aren't conflicting with each other because of that. If I understand you correctly it does sound like you have done that. After that, I'm not too familiar with Relayd and am a bit too swamped to really dive in myself right now. I would suggest seeing what is in relayd.conf(5) to get some ideas.

I will however toss my current configuration for net/haproxy out there if you decide to go explore that route. This is an excerpt for doing TCP proxy of XMPP traffic.
Code:
global
        log 10.100.102.2 daemon
        maxconn 2048
        chroot /var/empty
        user www
        group www
        daemon
        stats socket /var/run/haproxy.sock
defaults
        log global
        retries 3
        option redispatch
        maxconn 2000
        timeout connect 5s
        timeout client 600s
        timeout server 600s
frontend frontend-jabber-c2s
        mode tcp
        option tcplog
        bind *:5222
        default_backend backend-jabber-c2s
        timeout client 8h
backend backend-jabber-c2s
        mode tcp
        option tcplog
        balance roundrobin
        server jabber.example.com jabber.example.com:5222
        timeout server 1h

In your case, whatever solution you go with you will want to set the FIB in /etc/rc.conf to go along with the routing behavior you are trying to achieve. This should do the trick for net/haproxy.
Code:
haproxy_fib="1"
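As an added example (not from either poster), here is the XMPP excerpt above adapted to the SMTP case discussed in this thread: haproxy runs under FIB 1 (via the haproxy_fib="1" rc.conf setting) and binds only to the second WAN address, so replies to those clients leave through the second gateway, while Postfix keeps listening on the first WAN address under FIB 0 and additionally accepts the proxied connections on a loopback port. The addresses 203.0.113.25 (second WAN) and 127.0.0.1:10025 (Postfix proxy listener) are constructed placeholders, and the send-proxy option assumes Postfix 2.10 or later, which understands the haproxy PROXY protocol.

```haproxy
# Added example: haproxy on FIB 1 relaying SMTP from the second WAN address
# to Postfix on FIB 0. All addresses are constructed placeholders.
global
        # assumes syslogd on this host accepts UDP from localhost; otherwise
        # point this at the log host used in the XMPP excerpt above
        log 127.0.0.1 local0
        maxconn 1024
        chroot /var/empty
        user www
        group www
        daemon

defaults
        mode tcp
        log global
        option tcplog
        retries 3
        timeout connect 5s
        # SMTP sessions can legitimately idle for minutes between commands
        timeout client 10m
        timeout server 10m

# Bind only to the second WAN address, never *:25, so this listener cannot
# collide with the Postfix listener on the first WAN address.
frontend smtp-wan2
        bind 203.0.113.25:25
        default_backend postfix-proxied

backend postfix-proxied
        # send-proxy prepends a PROXY header carrying the real client address,
        # so Postfix logs and anti-spam checks see the sender, not 127.0.0.1.
        # The loopback port is dedicated to proxied connections, because the
        # Postfix setting that parses this header applies to a whole listener.
        server postfix 127.0.0.1:10025 send-proxy
```

On the Postfix side this needs a matching entry in master.cf, for example `127.0.0.1:10025 inet n - n - - smtpd -o smtpd_upstream_proxy_protocol=haproxy -o syslog_name=postfix/haproxy`; keep the existing port 25 smtpd entry unchanged, since it still serves the first WAN address directly and must not expect a PROXY header. Verify with sockstat(1) that haproxy holds 203.0.113.25:25 and Postfix holds only the first WAN address on port 25 plus 127.0.0.1:10025, and that haproxy is running under FIB 1 (ps -o fib).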
 