Date: Mon, 08 Dec 2008 13:53:59 -0800
From: Julian Elischer <julian@elischer.org>
To: "Eric W. Bates" <ericx@vineyard.net>
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw policy routing esp
Message-ID: <493D9777.8070508@elischer.org>
In-Reply-To: <493D8A3F.6040502@vineyard.net>
References: <493D8A3F.6040502@vineyard.net>
Eric W. Bates wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> We have a bewildering problem attempting to policy route esp traffic.
>
> We have 2 upstream internet sources: a routable T1 and a cable modem.
> The cable modem provides better bandwidth so while we default to the T1,
> we use policy routing to send some of our traffic out the cable modem.
>
> In particular we use the cable modem for all the port 80 traffic via
> squid. squid's source IP is the one belonging to the cable network and
> we have the following ipfw rule for the policy route:
>
> ${fwcmd} add 64902 fwd ${cable_gw} ip from ${net_wan3_local} to any
>
> cable_gw is the cable company's router.
> net_wan3_local is the cable company's IP on our external interface.
>
> This works great for all port 80 tcp traffic.
>
> To this we added some IPSec. Racoon is hanging off the same
> ${net_wan3_local} and the udp port 500 traffic passes in and out thru
> the cable interface as we hoped.
>
> The bewildering part is that while the esp traffic can demonstrably be
> seen to be hitting the policy route rule, those packets continue to pass
> out the default route to the T1 rather than being forwarded to the cable
> router as we want.
>
> Any thoughts?
> Is this a known problem?

There are definitely some oddnesses with IPSEC encapsulation and routes etc.
If you are using 7.1-PRERELEASE or 8 you might consider using setfib to
assign a separate routing table to the tcp traffic.

>
> Thank you for your time.
>
> - --
> Eric W. Bates
> ericx@vineyard.net
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFJPYo/D1roJTQ4LlERAp//AJ9C5VFQWk0Q5iwKVD6elTItny8pLgCbB5Tn
> 9a3/ut3rswi7nPs10nCkk9s=
> =wW3o
> -----END PGP SIGNATURE-----
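Added example, not from the thread or either poster: what Julian's setfib suggestion looks like as an rc-style script. It puts a second routing table (FIB 1) behind the cable gateway and replaces the `fwd` rule 64902 with ipfw's `setfib` action, which tags a matching packet to be routed through FIB 1 (the search then continues with the next rule, so it does not terminate the ruleset the way `fwd` does). It also shows the setfib(1) process wrapper, since "setfib" in the reply could mean either. The addresses, interface name, daemon paths and rule numbers 64900/64901 are placeholders, and the thread does not record whether this actually moved the ESP packets; the script only emits commands so the set can be reviewed before it is piped to sh.

```shell
#!/bin/sh
# Added example (not from the thread). Second-routing-table variant of the
# policy route from the original post, for FreeBSD 7.1/8 with 'net.fibs=2'
# in /boot/loader.conf (or 'options ROUTETABLES=2' in the kernel config).
# All values below are assumed placeholders; override them in the environment.

cable_gw="${cable_gw:-203.0.113.1}"              # assumed: cable company's router
net_wan3_local="${net_wan3_local:-203.0.113.10}" # assumed: our address on the cable net
cable_if="${cable_if:-em1}"                      # assumed: interface facing the cable modem
fwcmd="${fwcmd:-/sbin/ipfw}"

# Routes that belong in FIB 1: a default via the cable gateway, plus the
# directly connected cable network so the gateway itself is reachable.
# 'setfib 1 route ...' runs route(8) against table 1 instead of table 0.
fib1_routes() {
    printf 'setfib 1 route add -net %s -iface %s\n' "${cable_net:-203.0.113.0/24}" "$cable_if"
    printf 'setfib 1 route add default %s\n' "$cable_gw"
}

# ipfw rules. 'setfib 1' replaces 'fwd ${cable_gw}' from rule 64902: instead
# of handing the packet a next-hop, the rule makes the kernel consult FIB 1
# when it routes the packet. ESP and IKE get their own rules above 64902 so
# a more specific rule inserted later cannot shadow them; rule numbers are
# placeholders chosen to sit next to the original.
fib1_rules() {
    printf '%s add 64900 setfib 1 esp from %s to any\n' "$fwcmd" "$net_wan3_local"
    printf '%s add 64901 setfib 1 udp from %s 500 to any 500\n' "$fwcmd" "$net_wan3_local"
    printf '%s add 64902 setfib 1 ip from %s to any\n' "$fwcmd" "$net_wan3_local"
}

# The other reading of "use setfib": start the daemons that source traffic
# from the cable address inside FIB 1 with the setfib(1) wrapper, so their
# sockets route through table 1 without any firewall involvement.
# Daemon paths are assumed.
fib1_daemons() {
    printf 'setfib 1 %s\n' "${squid_cmd:-/usr/local/sbin/squid}"
    printf 'setfib 1 %s\n' "${racoon_cmd:-/usr/local/sbin/racoon}"
}

# Emit everything in order. Review, then: sh thisfile.sh emit | sh
emit_all() {
    fib1_routes
    fib1_rules
    fib1_daemons
}

[ "${1:-}" = "emit" ] && emit_all
```

To check whether the ESP packets really changed interface, watch both uplinks while the tunnel carries traffic: `tcpdump -ni em1 esp` on the cable side should show the outbound ESP, and the same capture on the T1 interface should show none of it. If they still leave via the T1 after this, the packet is being routed before the rule takes effect, and the setfib(1) wrapper on the process is the variant to keep.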