Hi,
I want to do the following, and I'm not sure of the best way to do it, or whether fwbuilder is going to help me (seems so…) - any pointers appreciated:
I have several different public IP ranges that I want to put onto a firewall. These belong to different ISPs, so are not contiguous or even the same size.
On the internal side, I have N machines, each of which should have an IP that will match each public IP. I was thinking of putting each of the /24s on the external side onto a /16 internally, so probably having something like 10.A.B.N, where A corresponds to a /24 on the outside, B corresponds to the /32 on the outside and N is machine1, machine2, etc., giving me potentially 250-odd machines (not that there will ever probably be more than 6-8).
AFAICT, I need to use policy-based routing in order to have the right gateways used. At least I know this is one possible solution - if there are other better ones I'm all ears!
It appears the policy-based routing could be done either on the source machines (routing to several different gw addresses on the FW) or on the FW. I couldn't see how to do this with fwbuilder - is this possible with fwbuilder while putting everything on the FW? I was pretty keen to take care of IPs using fwbuilder - if I still want to have fwbuilder do IPs and other stuff am I going to run into trouble with setting up routing (assuming setting up policy-based routing is not supported)?
If this is not supported or is going to cause me trouble - are there any ways to do this with fwbuilder generated configs?
For a little more context - I have around 1700 public IPs in 4 ranges - I'm only doing very basic NAT but that is still a lot of IPs… I have no experience with BSD but from a bit of reading pf seems to be slightly more performant for this type of use case - am I going to find performance problems with iptables at these numbers compared with free/openbsd? I will also be wanting to cluster for HA. This definitely seems supported with fwbuilder, though maybe not for my use case?
Any help or insults most welcome!
Thanks
Anton
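As an added example that is not part of the original post and not fwbuilder's own code: the script below builds the 10.A.B.N scheme the question describes (second octet A = one public /24 slice, third octet B = the public IP's last octet, fourth octet N = machine number) and emits the Linux `ip rule`/`ip route` policy-routing lines and the iptables SNAT/DNAT lines that scheme implies when everything is done on the firewall. The ISP ranges, gateways and interface names are constructed placeholders (RFC 5737 documentation prefixes), and ranges larger than a /24 are split into /24 slices so the generalization covers mixed-size allocations.

```python
"""Added example, not code from the original post or from fwbuilder: it builds
the 10.A.B.N internal scheme described in the question and emits the Linux
policy-routing (ip rule / ip route) and iptables NAT lines that scheme implies.
ISP ranges, gateways and interface names are constructed placeholders."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Isp:
    name: str
    prefix: str    # public range as delegated by the ISP
    gateway: str   # ISP next hop (placeholder, inside the range here)
    iface: str     # external interface facing that ISP (placeholder)


@dataclass(frozen=True)
class Entry:
    internal: str  # the 10.A.B.0/24 that maps onto one public IP
    isp: Isp


# Constructed inputs (RFC 5737 documentation prefixes) of different sizes.
ISPS = [
    Isp("ispA", "203.0.113.0/24", "203.0.113.1", "eth1"),
    Isp("ispB", "198.51.100.0/25", "198.51.100.1", "eth2"),
]


def build_mapping(isps):
    """Return (blocks, table).

    blocks: list of (A, Isp, block) where A is the second octet assigned to
            one /24-or-smaller slice of a public range.
    table:  public IP -> Entry; B is the public IP's last octet, so machine N
            uses 10.A.B.N when it must appear on the Internet as that public IP.
    """
    blocks, table, a = [], {}, 0
    for isp in isps:
        net = ipaddress.ip_network(isp.prefix)
        slices = [net] if net.prefixlen >= 24 else list(net.subnets(new_prefix=24))
        for block in slices:
            a += 1
            if a > 254:
                raise ValueError("more than 254 public /24 slices: 10.A.0.0/16 space exhausted")
            blocks.append((a, isp, block))
            for host in block.hosts():
                if str(host) == isp.gateway:   # never NAT onto the ISP's own router address
                    continue
                table[str(host)] = Entry(f"10.{a}.{int(host) & 0xFF}.0/24", isp)
    return blocks, table


def internal_for(public_ip, machine, table):
    """Internal address 10.A.B.N for machine number N (1..254) behind public_ip."""
    if not 1 <= machine <= 254:
        raise ValueError("machine index must be 1..254")
    net = ipaddress.ip_network(table[public_ip].internal)
    return str(net.network_address + machine)


def policy_routing_lines(blocks):
    """One routing table and one source rule per /24 slice: anything sourced
    from 10.A.0.0/16 leaves through the ISP that owns slice A, so replies to
    DNATed inbound connections also go back out the right uplink."""
    lines = []
    for a, isp, _block in blocks:
        tbl = 100 + a
        lines.append(f"ip route add default via {isp.gateway} dev {isp.iface} table {tbl}")
        lines.append(f"ip rule add from 10.{a}.0.0/16 lookup {tbl} pref {1000 + a}")
    return lines


def snat_lines(table):
    """Outbound: every 10.A.B.0/24 is source-NATed to its public IP on the ISP's interface."""
    return [
        f"iptables -t nat -A POSTROUTING -s {e.internal} -o {e.isp.iface} -j SNAT --to-source {pub}"
        for pub, e in sorted(table.items(), key=lambda kv: ipaddress.ip_address(kv[0]))
    ]


def dnat_line(public_ip, machine, table):
    """Inbound: one public IP is forwarded to the chosen machine N behind it."""
    e = table[public_ip]
    return (f"iptables -t nat -A PREROUTING -i {e.isp.iface} -d {public_ip} "
            f"-j DNAT --to-destination {internal_for(public_ip, machine, table)}")


if __name__ == "__main__":
    blocks, table = build_mapping(ISPS)
    print(f"# {len(table)} public IPs across {len(blocks)} /24 slices")
    print("\n".join(policy_routing_lines(blocks)))
    print("\n".join(snat_lines(table)))
    print(dnat_line("203.0.113.7", 3, table))
```

Two points the generated output makes visible: the policy routing stays small because the second octet alone identifies the uplink, so it is one `ip rule` per public /24 slice regardless of how many machines sit behind it, while the SNAT list grows with the number of public IPs (about 1700 rules for the allocation in the question), which is the linear rule-scan cost the iptables-versus-pf question is really about. Source-based rules also mean the firewall's own routing decision, not the internal hosts', picks the gateway, which is what keeps replies to inbound connections on the ISP they arrived from.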