From: Julian Elischer
To: "Eric W. Bates"
Cc: freebsd-net@freebsd.org
Date: Mon, 08 Dec 2008 13:53:59 -0800
Subject: Re: ipfw policy routing esp
Message-ID: <493D9777.8070508@elischer.org>
In-Reply-To: <493D8A3F.6040502@vineyard.net>

Eric W. Bates wrote:
> We have a bewildering problem attempting to policy route esp traffic.
>
> We have 2 upstream internet sources: a routable T1 and a cable modem.
> The cable modem provides better bandwidth so while we default to the T1,
> we use policy routing to send some of our traffic out the cable modem.
>
> In particular we use the cable modem for all the port 80 traffic via
> squid. squid's source IP is the one belonging to the cable network and
> we have the following ipfw rule for the policy route:
>
> ${fwcmd} add 64902 fwd ${cable_gw} ip from ${net_wan3_local} to any
>
> cable_gw is the cable company's router.
> net_wan3_local is the cable company's IP on our external interface.
>
> This works great for all port 80 tcp traffic.
>
> To this we added some IPSec. Racoon is hanging off the same
> ${net_wan3_local} and the udp port 500 traffic passes in and out through
> the cable interface as we hoped.
>
> The bewildering part is that while the esp traffic can demonstrably be
> seen to be hitting the policy route rule, those packets continue to pass
> out the default route to the T1 rather than being forwarded to the cable
> router as we want.
>
> Any thoughts?
> Is this a known problem?

There are definitely some oddnesses with IPSEC encapsulation and routes etc.

If you are using 7.1-PRERELEASE or 8 you might consider using setfib to
assign a separate routing table to the tcp traffic.

> Thank you for your time.
>
> --
> Eric W. Bates
> ericx@vineyard.net
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
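The two approaches side by side, as an added example that is not from either poster: Eric's fwd rule as quoted above, and Julian's setfib suggestion written out as a second routing table with its own default route. The gateway and address values are placeholders; it assumes a kernel built with at least two routing tables (the ROUTETABLES kernel option) and an ipfw that has the setfib action (FreeBSD 7.1 or later).

```shell
#!/bin/sh
# Added example: ipfw fwd versus a second FIB (setfib) for sending traffic
# sourced from the cable-side address out via the cable router.
# Rule number 64902 and the variable names come from Eric's post; the
# address values are placeholders (RFC 5737 documentation space).

fwcmd="/sbin/ipfw"
cable_gw="${cable_gw:-203.0.113.1}"                 # placeholder: cable company's router
net_wan3_local="${net_wan3_local:-203.0.113.10}"    # placeholder: our address on the cable net
cable_fib=1                                         # routing table reserved for cable-side traffic

# Dry-run (print instead of execute) unless ipfw is actually present, so the
# script can be reviewed on a machine that is not the firewall.
if command -v ipfw >/dev/null 2>&1; then DRY_RUN="${DRY_RUN:-0}"; else DRY_RUN=1; fi

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Approach from the thread: fwd overrides the next hop of each matched packet.
# Per Eric's report, ESP packets matched this rule yet still left via the
# default route on the T1.
fwd_rule() {
    run $fwcmd add 64902 fwd "$cable_gw" ip from "$net_wan3_local" to any
}

# Julian's suggestion: give FIB 1 its own default route through the cable
# router, then tag packets from the cable-side address so the routing lookup
# consults FIB 1. Connected (interface) routes are present in every FIB by
# default, so only the default route needs adding. Whether the IPsec output
# path honours the tag on a given release is not settled by the thread, so
# confirm with a capture on the cable interface (e.g. tcpdump -ni <if> esp).
setfib_rules() {
    run setfib "$cable_fib" route add default "$cable_gw"
    run $fwcmd add 64901 setfib "$cable_fib" ip from "$net_wan3_local" to any
}

# Call one of the two, e.g. DRY_RUN=1 ./policy.sh to review the commands:
# fwd_rule
# setfib_rules
```

Run with `DRY_RUN=1` to see the commands before applying them on the firewall.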