Date: Sat, 5 Oct 2002 09:50:00 -0700
From: Darcy Buskermolen <darcy@wavefire.com>
To: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Policy routing using IPFW for multiple ISP's
Message-ID: <200210050950.00061.darcy@wavefire.com>
In-Reply-To: <20020829194300.GB17576@blossom.cjclark.org>
References: <20020827215445.GA8419@blossom.cjclark.org> <20020827180538.K34809-100000@skywalker.rogness.net> <20020829194300.GB17576@blossom.cjclark.org>
> > > > Um, I believe he is running nat on rl0 (his DSL). As the packet
> > > > leaves rl0 it will be assigned the SRC IP of rl0.
> > >
> > > That's the problem, it won't. When the packet hit the 'fwd' rule above,
> > > it is accepted by the firewall and queued up on rl0. It doesn't
> > > continue through or start again through the rules with the new
> > > interface.
> >
> > Did this change? I swear this used to work at one time.
> > Either way he can still use:
> >
> > fwd 199.185.xx.xx tcp from any to 66.25.xx.0/24 80 out recv fxp0 xmit
> > ed0
> >
> > I believe that should work.
>
> This made me think. I don't think this used to work, but you should be
> able to do this now.
>
> In the past, you could only 'fwd' outgoing packets. That won't work
> here since once the packets hit the 'fwd' they are out of the firewall
> rules, out the specified interface, and on the wire before they can
> ever be processed by a natd(8) handling packets crossing the other
> interface.
>
> But now that we can use 'fwd' on incoming packets, you should be able
> to do this. However, you'd need to change the above rule to,
>
> fwd 199.185.xx.xx tcp from any to 66.25.xx.0/24 80 in via fxp0
>
> Now, the packets are routed out the other interface _AND_ go through
> the ipfw(8) rules on that interface. That means that they will go to
> the natd(8) watching the other interface.
I just tried this nearly exact configuration, and I see packets heading
out the external interface with a source address of private IP space.

wb0 = DSL
ed0 = Cable
wb1 = Internal net

00101 fwd ip.of.dsl.gateway tcp from any to ip.of.test.host 80 in recv wb1
00998 divert 8668 ip from any to any via wb0
00999 divert 8669 ip from any to any via ed0

A tcpdump on wb0 shows the following:

09:44:51.005399 192.168.1.59.4348 > ip.of.test.host.http: S 902332116:902332116(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
09:44:53.919608 192.168.1.49.4348 > ip.of.test.host.http: S 902332116:902332116(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
09:44:59.938801 192.168.1.59.4348 > ip.of.test.host.http: S 902332116:902332116(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)

natd is properly configured, because if I remove the fwd rule, and just
apply a:

route add ip.of.test.host ip.of.dsl.gateway

Packets get sent back and forth as they should (however this way isn't a
port based routing).

Hopefully this information will help.

-- 
Darcy Buskermolen
Wavefire Technologies Corp.
ph: 250.717.0200
fx: 250.763.1759
http://www.wavefire.com
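Added illustration, not part of Darcy's message or anyone else's post in this thread: the symptom he reports (a fwd'ed packet leaving the DSL interface with an un-NATed 192.168.x.x source) is easy to catch from a tcpdump capture on the external interface, and a small parser that flags any outbound packet whose source sits in RFC 1918 space is a reasonable regression check for this kind of ipfw/natd setup. The sample lines are the three from the post plus one constructed line with a public (documentation-range) source to show the non-leaking case; the script only needs the Python standard library and does not touch ipfw or the network.

```python
import ipaddress
import re

# RFC 1918 space: the source addresses natd(8) is expected to rewrite
# before a packet leaves the external interface.  (Python's
# ip_address.is_private also covers documentation and test ranges, so
# the check is done against these three networks explicitly.)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# tcpdump line shape as seen in the post:
#   <timestamp> <src host>.<src port> > <dst host>.<dst port>: <flags ...>
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>[^:]+):")


def split_host_port(token):
    """tcpdump glues the port onto the host with a dot; peel off the last one."""
    host, _, port = token.rpartition(".")
    return host, port


def parse_line(line):
    """Return (timestamp, src_host, src_port, dst_host, dst_port) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src_host, src_port = split_host_port(m.group("src"))
    dst_host, dst_port = split_host_port(m.group("dst"))
    return (m.group("ts"), src_host, src_port, dst_host, dst_port)


def is_rfc1918(host):
    """True if host is a literal IPv4 address inside 10/8, 172.16/12 or 192.168/16."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames and placeholders are not private addresses
    return any(addr in net for net in RFC1918)


def find_leaks(lines):
    """Return the parsed packets whose source address was never translated."""
    leaks = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is not None and is_rfc1918(pkt[1]):
            leaks.append(pkt)
    return leaks


# Constructed sample capture: the three lines from the post, plus one
# constructed line with a public source (203.0.113.7 is a documentation
# address) standing in for a packet natd did rewrite.
SAMPLE = [
    "09:44:51.005399 192.168.1.59.4348 > ip.of.test.host.http: S 902332116:902332116(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)",
    "09:44:53.919608 192.168.1.49.4348 > ip.of.test.host.http: S 902332116:902332116(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)",
    "09:44:59.938801 192.168.1.59.4348 > ip.of.test.host.http: S 902332116:902332116(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)",
    "09:45:02.110000 203.0.113.7.4349 > ip.of.test.host.http: S 1:1(0) win 64240 <mss 1460> (DF)",
]

if __name__ == "__main__":
    for ts, src, sport, dst, dport in find_leaks(SAMPLE):
        print(f"{ts} private source {src}:{sport} -> {dst}:{dport} on external interface")
```

Running it against a real capture is a matter of feeding `tcpdump -n -i wb0` output line by line into find_leaks; a non-empty result means packets are reaching the wire before natd on that interface sees them, which is exactly the fwd-bypasses-divert behaviour discussed in the thread.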
