Two ISPs, port redirect to BSD machine

Hi there,

I have two ISPs and two routers, both connected to the same network, 10.20.0.0/24. A FreeBSD machine is also connected to the same network with IP 10.20.0.10/24 and defaultrouter set to 10.20.0.1.
How is it possible to forward a port, say tcp/22, from both routers to the FreeBSD machine? Port forwarding only works from the router that is specified as defaultrouter on the BSD machine.



I have a strong feeling that it has something to do with the FIBs.

Thanks.
 
Your host always uses the default route to reply to those forwarded connections. You'd have to NAT at least those forwarded connections on the internal interface of the second router (= ugly).

To avoid such ugly workarounds, simply use jumphosts (jails) on the routers and connect through those to your network.


Why not aggregate both uplinks on a single router? This would simplify a lot of things, especially if those are consumer-grade uplinks, i.e. you can't use BGP.
 
sko, thanks for the quick reply.

Unfortunately both routers are provided by the ISPs, and to have your own router you have to pay more monthly...

Also, could you please describe the "aggregation" thing in more detail?
 
Use 2 local IPs on FreeBSD, 10.20.0.77 and .78; forward from router 1 to .77 and from router 2 to .78.
Then use ipfw fwd to forward anything that originates from .78 to router 2's internal IP.
 
Unfortunately both routers are provided by the ISPs, and to have your own router you have to pay more monthly...
If you are in the EU this is not allowed; you are free to use whichever router you want...

However, even in the EU there are still many ISPs that are downright stupid and try to circumvent that regulation to charge monthly fees for their plastic routers. Those ISPs usually try to prevent the use of other routers by handing out static DHCP leases and/or only allowing given MAC addresses for the IP address pool. If you don't get an IP, just clone the MAC of the external Ethernet interface of the plastic toy they sent you and you'll receive an IP via DHCP.

As a last resort, you could still use your own (aggregation) router behind those two. The downside is that you have at least 2 layers of NAT (+ maybe CG-NAT) and can't use the actual external IPs on your router, which breaks some protocols and makes it harder (and uglier) to run externally available services.

A quick workaround for your current setup might be to use another alias on your host, then forward connections from your second router to that IP and e.g. use a second FIB (or forwarding rules) so that anything that enters the host via that IP is routed over the second router.
edit: that's exactly what covacat already mentioned.


Also could you please describe the "aggregation" thing in more detail?
This wasn't referring to actual link aggregation, just to connecting both uplinks to the same router. This way you can actually route over both uplinks while using the same default route inside your network. Port forwards would then work without any ugly hacks, as the router knows over which uplink the connection was made and handles the routing.
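The alias-per-router setup covacat proposed, with sko's second-FIB variant, as a worked example. This is an added example and not configuration posted by anyone in the thread: the FreeBSD host and router 1 (10.20.0.1) are from the original post, while the second router's internal address (10.20.0.2), the aliases .77/.78 from covacat's reply, the interface name em0 and an ipfw ruleset that otherwise allows the traffic (e.g. firewall_type="open" in rc.conf) are assumptions to edit before use. Run it without arguments to print the fragments; `apply` pipes the ipfw rule into sh and is meant to be run as root on the FreeBSD host.

```shell
#!/bin/sh
# Added example (not from the thread): steer replies from a FreeBSD host on
# 10.20.0.0/24 back through whichever of two ISP routers delivered the
# connection. The host gets one alias per router (covacat's suggestion).
# Everything except 10.20.0.0/24, 10.20.0.1 and the .77/.78 aliases is an
# assumption: adjust IFACE and ROUTER2 to your network.
set -eu

IFACE=em0                 # assumed LAN interface name
LAN=10.20.0.0/24
ROUTER1=10.20.0.1         # defaultrouter from the original post
ROUTER2=10.20.0.2         # assumed internal IP of the second ISP router
ALIAS1=10.20.0.77         # router 1 forwards tcp/22 to this alias
ALIAS2=10.20.0.78         # router 2 forwards tcp/22 to this alias

# rc.conf(5) fragment: add both aliases to the LAN interface. They sit on the
# same subnet as the primary address, so /32 masks avoid a second connected
# route for 10.20.0.0/24.
rc_conf_fragment() {
    printf 'ifconfig_%s_alias0="inet %s/32"\n' "$IFACE" "$ALIAS1"
    printf 'ifconfig_%s_alias1="inet %s/32"\n' "$IFACE" "$ALIAS2"
}

# ipfw(8) policy route: packets the host sends *from* ALIAS2 to anything
# outside the LAN are handed to ROUTER2 instead of following the default
# route. ALIAS1 needs no rule, its replies already go to ROUTER1 via
# defaultrouter. Rule 100 must precede any rule that would accept the packet.
ipfw_rules() {
    printf 'ipfw -q add 100 fwd %s ip from %s to not %s out xmit %s\n' \
        "$ROUTER2" "$ALIAS2" "$LAN" "$IFACE"
}

# Alternative with a second FIB (what sko mentions): inbound packets for
# ALIAS2 are tagged with FIB 1, the TCP sockets accepted from them inherit
# that FIB, and their replies use FIB 1's default route via ROUTER2.
# net.fibs=2 must be set in loader.conf(5); net.add_addr_allfibs=1 keeps the
# connected 10.20.0.0/24 route in FIB 1 as well (its default is 0 on current
# releases), otherwise FIB 1 has no route to ROUTER2 at all.
fib_rules() {
    printf '# /boot/loader.conf\nnet.fibs=2\nnet.add_addr_allfibs=1\n'
    printf 'setfib 1 route add default %s\n' "$ROUTER2"
    printf 'ipfw -q add 90 setfib 1 ip from any to %s in recv %s\n' \
        "$ALIAS2" "$IFACE"
}

case "${1:-show}" in
    apply) ipfw_rules | sh ;;                      # root on the FreeBSD host
    *)     rc_conf_fragment; ipfw_rules; fib_rules ;;
esac
```

Use one approach or the other, not both. The fwd rule only touches packets leaving via ALIAS2, so the primary address 10.20.0.10 and ALIAS1 keep behaving exactly as before; a quick check after applying is `ipfw show 100` to confirm the counters increase while an ssh session that came in through router 2 is active.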
 
Yeah, I guess this is more difficult than I initially thought....

I would like to avoid a proxy; it would make it impossible to know on the server side from which IP the connection has been made (or at least would make things complex).

If you are in the EU this is not allowed; you are free to use whichever router you want...
not yet, but hopefully in the near future...

I had a chat with the provider; it might be possible to configure the routers as bridges. No clear answer as of today, they will call me back tomorrow.... In that case I will have a public IP on my side. But I still have no idea how to make 2 different default gateways (FIB things, which I have never used yet... Will appreciate samples).
 
I would like to avoid a proxy; it would make it impossible to know on the server side from which IP the connection has been made (or at least would make things complex).
You don't need a proxy.

If both uplinks are connected to the same router you don't have to fiddle around with multiple FIBs or any routing exceptions / multiple default routes / multiple IPs / <other workarounds> on your hosts.
Just rdr-to ssh to that host (still: an ssh jumphost jail, or using the router directly for that, is the safer and more flexible solution) and the connection will be correctly routed over whatever uplink it was established through.


You *can* specify multiple default routes, but this serves another purpose (fallback) and won't solve the problem you are having.
 
sko, I'm sorry, it's still not clear to me what "jumphost" means. Do you mean creating a second machine (jail/vm/...) with its gateway pointing towards the second router?

If both providers give me the "green light" for bridging the routers, I might start leaning towards "fiddling around" with FIBs. Something like:



I would appreciate a config sample to make the machine addressable externally from both the a.a.a.a and b.b.b.b IP addresses.
 
ssh(1)
Code:
     -J destination
             Connect to the target host by first making a ssh connection to
             the jump host described by destination and then establishing a
             TCP forwarding to the ultimate destination from there.  Multiple
             jump hops may be specified separated by comma characters.  This
             is a shortcut to specify a ProxyJump configuration directive.
             Note that configuration directives supplied on the command-line
             generally apply to the destination host and not any specified
             jump hosts.  Use ~/.ssh/config to specify configuration for jump
             hosts.

A jumphost is essentially a (hardened) host (or VM/jail) that only runs ssh and is the sole endpoint reachable from the outside on that port.
This host usually has ssh tightened down, e.g. to key-based logins only, allowing only IPs from given countries and having aggressive blacklistd(8) rules to mitigate attacks.

You connect to your internal hosts through that host (using -J or ProxyJump in your .ssh/config) and/or can set up ssh-tunnels to other services in your LAN, e.g. to forward a web interface that is only reachable within your local network.

True, you can just forward ssh to a 'normal' host in your LAN and use that host for such things; but then you are either restricted to that single host, or you have to start using non-standard ports for ssh forwarding rules to other hosts in your network. A jumphost is usually the most flexible and secure way of dealing with SSH connections from the outside into a LAN.
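The jumphost sko describes, as a worked configuration. This is an added example, not configuration from the thread: it emits an sshd_config(5) fragment for the jumphost (keys only, no root, forwarding restricted to the LAN services it is meant to reach) and an ssh_config(5) fragment for the client with one jump entry per ISP address so the LAN host can be reached through either uplink with ProxyJump. The account name `jump`, the key file name and the LAN host 10.20.0.10 (from the original post) are placeholders/assumptions; a.a.a.a and b.b.b.b are the public addresses from the original post's question.

```shell
#!/bin/sh
# Added example (not from the thread): configuration for an ssh jumphost
# sitting behind two ISP routers. Prints two fragments to copy into place.
# "jump", the key file name and 10.20.0.10 are assumptions; a.a.a.a/b.b.b.b
# stand for the two public addresses as in the original post.
set -eu

LAN_HOST=10.20.0.10      # the FreeBSD machine from the original post
JUMP_USER=jump           # assumed unprivileged account on the jumphost

# sshd_config(5) fragment for the jumphost. Interactive/password auth is off
# and root is denied. AllowTcpForwarding must stay on because ProxyJump/-J
# runs an stdio forward (a direct-tcpip channel) through the jumphost;
# "local" plus PermitOpen confines it to the listed LAN host and ports.
jumphost_sshd_config() {
    cat <<EOF
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowUsers $JUMP_USER
AllowTcpForwarding local
PermitOpen $LAN_HOST:22 $LAN_HOST:443
GatewayPorts no
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no
MaxAuthTries 3
LoginGraceTime 20
EOF
}

# ssh_config(5) fragment for the client: one jump entry per ISP, and the LAN
# host reached through the first by default. "ssh bsd" goes via ISP A;
# "ssh -J jump-b bsd" goes via ISP B (the command-line -J takes precedence
# over the ProxyJump in the Host block).
client_ssh_config() {
    cat <<EOF
Host jump-a
    HostName a.a.a.a
    User $JUMP_USER
    IdentityFile ~/.ssh/id_ed25519_jump
    IdentitiesOnly yes

Host jump-b
    HostName b.b.b.b
    User $JUMP_USER
    IdentityFile ~/.ssh/id_ed25519_jump
    IdentitiesOnly yes

Host bsd
    HostName $LAN_HOST
    ProxyJump jump-a
EOF
}

jumphost_sshd_config
client_ssh_config
```

The PermitOpen line is the part worth keeping tight: it lists exactly which internal host:port pairs a logged-in jump user may tunnel to, so a compromised jump account cannot be used to scan the rest of the LAN. Extend the list (for example with the web interface sko mentions) rather than dropping the directive.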
 
sko, wow, never even heard about that. Thanks a lot.

Regarding blacklistd: useless thing, it very often hangs with a whole bunch of IPs connected to it (sockstat shows 3-4 pages of IPs with ssh sockets in random states), doing nothing. I wrote my own "fail to ban" script in Python; syslogd pipes the required multiple sources to it. But this is off-topic, next time I will make a separate post.

But I'm still leaning towards a machine with multiple "defaultrouter"s.... Some services other than ssh might also be useful to have available from both providers.
 