Asymmetric routing with FreeBSD on Amazon EC2 within VPC
Patrick Gibson
2015-05-19 19:22:12 UTC
I'm wondering if anyone has managed to figure out a way to have an
Amazon EC2 instance behind a VPC work with multiple public IP
addresses? The issue is with asymmetric routing. It's been resolved in
the Linux world
(http://blog.bluemalkin.net/multiple-ips-and-enis-on-ec2-in-a-vpc/),
but I can't seem to get it working under FreeBSD. Using the setfib
command, I'm able to manually go out through either interface, but for
incoming packets to a webserver that listens to both interfaces, no
dice. :(

Patrick
Adrian Chadd
2015-05-20 03:56:34 UTC
Hi,

So the "freebsd clean" solution would be to create two listen sockets,
one per IP address, and have each IP address / routing table in a
separate FIB, or separate vnet.

I don't know if anyone has set that up though. It would be nice to
teach some web servers and proxy servers about FreeBSD FIBs.



-adrian
_______________________________________________
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
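The FIB arrangement Adrian describes, written out as an added example (this is not code from the thread or from FreeBSD itself): each ENI gets its own FIB with its own default route, and each web-server process is started under setfib so that its listening socket, and every socket accept() hands back from it, replies through the gateway of the interface the connection arrived on. Inside a VPC the instance only sees the ENI's private address; the public IP is mapped onto it by AWS, so the listeners bind to the private addresses. The interface names (xn0, xn1), addresses, gateways and the nginx config paths are constructed placeholders for a VPC with one subnet per ENI. The kernel must be booted with net.fibs=2 in /boot/loader.conf; the script assumes that has already been done. By default it only prints the commands it would run; set DRY_RUN=0 on the instance to execute them.

```shell
#!/bin/sh
# Added example, not from the thread: one FIB per EC2 ENI on FreeBSD so that
# a listener on each address answers through that interface's own gateway.
# Interface names, addresses, gateways and config paths are constructed
# placeholders. Requires net.fibs=2 in /boot/loader.conf (set at boot).
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them.
: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# With net.add_addr_allfibs=0, the connected route of an interface is
# installed only in the FIB that interface is assigned to, instead of being
# copied into every FIB. Without this, FIB 1 would also carry xn0's subnet.
setup_kernel() {
    run sysctl net.add_addr_allfibs=0
}

# plan_fib FIB IFACE ADDR/PREFIX GATEWAY
# Assign the interface (and its address) to one FIB and give that FIB its
# own default route through the VPC subnet gateway of that ENI.
plan_fib() {
    fib=$1; iface=$2; addr=$3; gw=$4
    run ifconfig "$iface" inet "$addr" fib "$fib"
    run setfib "$fib" route add default "$gw"
}

# plan_listener FIB IP
# A process started under "setfib N" creates its sockets in FIB N, and
# sockets returned by accept() inherit the listener's FIB, so replies on
# connections to this IP leave via that FIB's default route. One process
# per FIB, each binding only its own address ("listen IP:80;" in nginx).
plan_listener() {
    fib=$1; ip=$2
    # hypothetical per-FIB nginx config; it must contain "listen ${ip}:80;"
    run setfib "$fib" nginx -c "/usr/local/etc/nginx/nginx-fib${fib}.conf"
}

main() {
    setup_kernel
    plan_fib 0 xn0 10.0.0.10/24 10.0.0.1
    plan_fib 1 xn1 10.0.1.10/24 10.0.1.1
    plan_listener 0 10.0.0.10
    plan_listener 1 10.0.1.10
}

main
```

To check the result from the instance, `setfib 1 netstat -rn` should show only xn1's subnet plus the 10.0.1.1 default route, and a connection to the second public IP should show up in `setfib 1 sockstat -4l` under the FIB 1 nginx. Since the setting lives in ifconfig and route commands, persist it in rc.conf (for example `ifconfig_xn1="inet 10.0.1.10/24 fib 1"`) rather than relying on this script at boot.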
krad
2015-05-20 07:35:31 UTC
Your best bet is probably to run 2 vnet jails, one for each IP. Annoying to
have to have the extra maintenance and resource overhead, I know, but it's
not a bad thing security-wise.
krad
2015-05-20 07:36:39 UTC
Oh, and don't run pf if you are going to try vnet jails, as the two don't play
at present.
a***@fieldphone.com
2016-07-28 20:32:16 UTC
Any news on this? I have set up 3 EC2 network interfaces and assigned them to my vanilla FreeBSD 10.3 AMI instance. It all looks good, but I can only ping the default interface.