Date: Mon, 09 Jun 2008 14:43:42 +0430
From: "H.fazaeli" <fazaeli@sepehrs.com>
To: David Martens <dmartens@fresnochristian.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: fwd problem
Message-ID: <484D0256.6000108@sepehrs.com>
In-Reply-To: <5ADDFC1B-9902-46FB-8C0A-AD153E0B3D30@fresnochristian.com>
References: <2D6927C5-B7C7-454B-83E0-FAD76878356C@fresnochristian.com> <4847B603.6080105@sepehrs.com> <5ADDFC1B-9902-46FB-8C0A-AD153E0B3D30@fresnochristian.com>
. on gateway, place fwd rule before divert.
. run tcpdump & 'ipfw -a list' on __proxy__ and see if packets really reach the proxy/squid or not.
. A network diagram would be helpful in case the problem still persists.

David Martens wrote:
> I've taken H.Fazaeli's suggestion and moved the proxy to the same
> class C as the gateway with no change.
>
> So now my rule set on the gateway is:
>
> 00100 allow ip from any to any via lo0
> 00110 deny ip from any to 127.0.0.0/8 via en0
> 00800 divert 8668 ip from any to any via en0
> 00850 deny ip from any to any in frag
> 00890 allow ip from any to 192.168.0.2
> 00990 fwd 192.168.0.2 tcp from 192.168.1.60 to any 80
>
> And on the proxy:
>
> 00080 allow tcp from any to any out
> 00100 fwd 127.0.0.1,8082 tcp from 192.168.1.60 to any dst-port 80
>
> For testing purposes I've set the forward to only a single ip
> address. Eventually this will be set to the entire /22 subnet.
>
> A tcpdump on the LAN interface on the gateway indicates traffic from
> 192.168.1.60 and the fwd rule increments, but the packets don't make it
> to the proxy. They are not dropped, the requested web pages load fine
> in the browser, just no proxy.
>
> On Jun 5, 2008, at 2:46 AM, H.fazaeli wrote:
>
>> This is what is happening:
>>
>> 1. Client's packet matches the fwd rule on gateway.
>> 2. gateway tries to fwd packet to 192.168.3.2. For this, it should replace
>> destination mac address with that of proxy (192.168.3.22).
>> 3. gateway fails to obtain proxy mac address, since it is not on the same
>> subnet as proxy (can not use arp).
>> 4. fwd rule drops the packet.
>>
>> FIX: assign a 192.168.3.XXX address to the gateway's interface
>> which proxy is supposed to be reachable from.
>>
>> David Martens wrote:
>>> I'm trying to set up a transparent proxy using two machines, the
>>> gateway and the proxy. The proxy is 192.168.3.22 and is listening
>>> on port 8082. The gateway is 192.168.0.1, subnet is 255.255.252.0
>>> so everything is on the same subnet.
>>>
>>> I set the following rules on the gateway:
>>>
>>> 00100 allow ip from any to any via lo0
>>> 00110 deny ip from any to 127.0.0.0/8 via en0
>>> 00800 divert 8668 ip from any to any via en0
>>> 00850 deny ip from any to any in frag
>>> 00990 fwd 192.168.3.22 tcp from 192.168.1.0/24 to any 80
>>>
>>> When I get a packet count (ipfw -a list) rule 990 increments when I
>>> try to access a web page.
>>>
>>> On the proxy box I have the following rules:
>>>
>>> 00100 allow tcp from 192.168.3.22 to any
>>> 00110 fwd 127.0.0.1,8082 tcp from 192.168.0.1/22 to any dst-port 80
>>>
>>> rule 110 never receives any forwarded packets. Any ideas what I've
>>> done wrong here? The http requests do go out, but are not forwarded
>>> through the proxy.
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

-- 

Best regards.

Hooman Fazaeli <hf@sepehrs.com>
Sepehr S. T. Co. Ltd.

Web: http://www.sepehrs.com
Tel: (9821)88975701-2
Fax: (9821)88983352
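An added example, not written by anyone in this thread, that applies the two checks raised above to a pasted `ipfw list` ruleset: it flags fwd rules numbered after a divert rule, and fwd next hops that are not on a directly connected subnet of the gateway (so the gateway cannot resolve their MAC address with ARP). The ruleset is David's original gateway set; the interface address 192.168.0.1 with the /22 mask is taken from his description and assumed to sit on en0.

```python
import ipaddress
import re

# Constructed sample input: David's gateway ruleset as printed by 'ipfw list',
# and the gateway's interface address with the /22 mask he describes (assumed
# to be on en0, as the 'via en0' rules suggest).
GATEWAY_IFACES = {"en0": ["192.168.0.1/22"]}
GATEWAY_RULES = """\
00100 allow ip from any to any via lo0
00110 deny ip from any to 127.0.0.0/8 via en0
00800 divert 8668 ip from any to any via en0
00850 deny ip from any to any in frag
00990 fwd 192.168.3.22 tcp from 192.168.1.0/24 to any 80
"""

# rule number, action keyword, and the action's first argument (if any)
RULE_RE = re.compile(r"^(\d+)\s+(\w+)\s*(\S*)")

def parse_rules(text):
    """Return (number, action, first_arg) tuples for each 'ipfw list' line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3)))
    return rules

def check_fwd_rules(rules_text, ifaces):
    """Lint fwd rules: ordering relative to divert, and L2 reachability of the next hop."""
    rules = parse_rules(rules_text)
    diverts = [num for num, action, _ in rules if action == "divert"]
    first_divert = min(diverts) if diverts else None
    # Directly connected networks: the only next hops the gateway can ARP for.
    connected = [ipaddress.ip_interface(a).network
                 for addrs in ifaces.values() for a in addrs]
    findings = []
    for num, action, arg in rules:
        if action != "fwd":
            continue
        # fwd targets may carry a port ('127.0.0.1,8082'); only the address matters here
        hop = ipaddress.ip_address(arg.split(",")[0])
        if first_divert is not None and num > first_divert:
            findings.append(f"rule {num}: fwd is ordered after divert rule {first_divert}")
        if not hop.is_loopback and not any(hop in net for net in connected):
            findings.append(f"rule {num}: next hop {hop} is not on a directly "
                            "connected subnet, so it cannot be resolved with ARP")
    return findings
```

With David's own figures the /22 already contains 192.168.3.22, so only the ordering finding fires; rerun with a /24 mask on en0 and the ARP finding fires as well.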