From owner-freebsd-security Wed Apr 4 0:25:48 2001
Message-ID: <3ACAE8CE.F9223E28@alum.mit.edu>
Date: Wed, 04 Apr 2001 02:26:38 -0700
From: "Crist J. Clark" <cjclark@alum.mit.edu>
To: Matthew Reimer
Cc: owensmk@earthlink.net, security@FreeBSD.ORG
Subject: Re: Multiple Default Gateways using DIVERT
References: <3ACA3077.BA9CFFCE@vpop.net>

Matthew Reimer wrote:
> 
> Michael Owens wrote:
> > 
> > My company has a single DSL line through which I have set up internet access
> > via NAT using IPF.
> > 
> > We are getting a second DSL line, and I was wondering what the best way, if
> > any, would be to use NAT and different default gateways so as to divide up
> > the groups by source address across them. I would like 10.10.10.1-128 to go
> > through gateway 1 (say 2.2.2.1) and 10.10.10.129-254 through gateway 2 (say
> > 2.2.2.2). I have searched the mail archives and seen various suggestions, but
> > none seemed to address this specifically.
> > 
> > I know this can't be done with IPF,

Hmm...

> > so I am asking if this is something that
> > could be done with IPFW. From what I can tell, it might using divert, but I
> > am not all that clear on divert's use in varying gateways.
> 
> This might be a start, though I'm not sure how NAT should fit in. You'll
> need the IPFIREWALL and IPFIREWALL_FORWARD kernel options.
> 
> ipfw add 1000 fwd 2.2.2.1 ip from 10.10.10.0/25 to any
> ipfw add 2000 fwd 2.2.2.2 ip from 10.10.10.128/25 to any

Neither of the two responses I saw looked like they would do what the
original poster wanted.

It is a start, but this one will not work as shown with natd. The search
will terminate with the above rules, before being divert(4)ed. The trick
is going to be doing NAT on a packet, but still having some way to tell
from which half of the 10.10.10.0/24 block it originated.

I think the best thing to do is run two natd(8) processes. If you have
two DSL links, I assume you have at least two public IP addresses to
play with. I will call them oip1 and oip2. Start two natd(8)s, one on
each of the public IPs,

  # natd -a ${oip1} -p 8668
  # natd -a ${oip2} -p 8669

Then, for your ipfw(8) rules,

  ipfw add 500 divert 8668 ip from 10.10.10.0/25 to any out via ${oif}
  ipfw add 600 divert 8669 ip from 10.10.10.128/25 to any out via ${oif}
  ipfw add 700 divert 8668 ip from any to ${oip1} in via ${oif}
  ipfw add 800 divert 8669 ip from any to ${oip2} in via ${oif}
  ipfw add 1000 fwd 2.2.2.1 ip from ${oip1} to any out via ${oif}
  ipfw add 2000 fwd 2.2.2.2 ip from ${oip2} to any out via ${oif}

At least... I think that should do it. Looks good on the screen.
-- 
Crist J. Clark
cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
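Added example, not part of the thread above: the two-natd(8)/ipfw(8) scheme from the reply as a parameterised rc-style sh script. The interface name (xl0), the two public addresses (2.2.2.10, 2.2.2.11) and the natd ports are placeholder assumptions; the gateways 2.2.2.1/2.2.2.2 and the /25 split come from the thread. The script only emits the NAT and forwarding rules that were posted; the allow rules and default policy the rest of the firewall needs are assumed to exist elsewhere. check_order() enforces the one ordering constraint the reply makes: every divert rule number must be lower than every fwd rule number, since fwd is a terminating action and a packet that hits it first never reaches natd.

```shell
#!/bin/sh
# Added example (not from the original post): two natd instances plus the
# ipfw divert/fwd rules, generated from variables so they can be reviewed
# with DRY_RUN=1 before being applied as root.

oif="${oif:-xl0}"           # assumed external interface name
oip1="${oip1:-2.2.2.10}"    # assumed public IP used by NAT for the first link
oip2="${oip2:-2.2.2.11}"    # assumed public IP used by NAT for the second link
gw1="2.2.2.1"               # gateway 1, from the thread
gw2="2.2.2.2"               # gateway 2, from the thread
port1=8668                  # natd divert port for the first instance
port2=8669                  # natd divert port for the second instance

# natd_cmds prints one natd(8) invocation per public address. Each instance
# aliases its half of 10.10.10.0/24 to a different public IP, which is the
# only thing that lets the fwd rules tell the two halves apart after NAT.
natd_cmds() {
    printf 'natd -a %s -p %s\n' "$oip1" "$port1"
    printf 'natd -a %s -p %s\n' "$oip2" "$port2"
}

# ipfw_rules prints the rule set. Divert rules come first: the packet is
# rewritten by natd, re-enters ipfw at the next rule, and only then does a
# fwd rule (a terminating action) match on the translated source address.
ipfw_rules() {
    cat <<EOF
ipfw add 500 divert $port1 ip from 10.10.10.0/25 to any out via $oif
ipfw add 600 divert $port2 ip from 10.10.10.128/25 to any out via $oif
ipfw add 700 divert $port1 ip from any to $oip1 in via $oif
ipfw add 800 divert $port2 ip from any to $oip2 in via $oif
ipfw add 1000 fwd $gw1 ip from $oip1 to any out via $oif
ipfw add 2000 fwd $gw2 ip from $oip2 to any out via $oif
EOF
}

# check_order returns 0 when the highest divert rule number is below the
# lowest fwd rule number. If a fwd rule sorted first, the search would end
# there and the packet would leave untranslated (the bug in the quoted rules).
check_order() {
    max_divert=$(ipfw_rules | awk '$4=="divert"{if($3>m)m=$3} END{print m+0}')
    min_fwd=$(ipfw_rules | awk '$4=="fwd"{if(m==""||$3<m)m=$3} END{print m+0}')
    [ "$max_divert" -lt "$min_fwd" ]
}

# main refuses to apply a mis-ordered set; with DRY_RUN set it only prints.
main() {
    check_order || { echo "divert rules must precede fwd rules" >&2; return 1; }
    if [ -n "$DRY_RUN" ]; then
        natd_cmds
        ipfw_rules
    else
        natd_cmds | sh     # start both natd(8) processes (root required)
        ipfw_rules | sh    # load the rules into the running firewall
    fi
}

# Run `APPLY=1 sh thisscript` to execute; sourcing it only defines functions.
if [ -n "$APPLY" ]; then
    main
fi
```

The script keeps the reply's assumption that both links leave through one interface (${oif}); if the second DSL line is a second interface, the "via" clauses on the 600/800/2000 rules would name that interface instead. Start natd before loading the divert rules, otherwise packets matching 500-800 are dropped until a process is listening on the divert port.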