From: Eduardo Meyer
To: Luiz Otavio O Souza
Cc: freebsd-net@freebsd.org, Julian Elischer
Date: Tue, 20 Jan 2009 13:21:10 -0200
Subject: Re: Multiple Routing Tables (FIB) + IPFW problem as (I?) expected
In-Reply-To: <8461C1DA26D349A7B4AA821D8461A923@adnote989>
References: <4970DB6C.4030200@elischer.org> <8461C1DA26D349A7B4AA821D8461A923@adnote989>
List-Id: Networking and TCP/IP with FreeBSD

On Mon, Jan 19, 2009 at 2:24 PM, Luiz Otavio O Souza wrote:
>>> obviously you did some other commands here..
>>> something generated 2 million packets..
>>
>> Julian, it's a production environment, the firewall was up for a few
>> minutes. That's the reason.
>>
>>> I was thinking of adding a 'reroute' ipfw keyword.. kind of like
>>> 'fwd {original dest} ip from any to any'
>>> because 'fwd' does cause the routing decision to be redone.
>>>
>>> The fib of the process that opens the socket controls where packets from
>>> the local machine are sent.
>>
>> divert does cause this too, not "not fib X" seems to work fine...
>>
>> I wish you could make the "setfib" action be kept in state with
>> keep-state only for the static rules, but I guess it will be done for
>> all dynamic rules too, since keep-state makes dynamic rules repeat the
>> static one, right?
>>
>> would something like
>>
>> ipfw add prob 0.5 setfib 1 all from X to any out keep-state
>>
>> be used to balance (per session) between FIB tables?
>
> divert? I think you want to say natd...
>
> Again... you are using setfib after the route table decisions...
>
> To use natd with setfib you need to set up two instances of natd, one for
> each uplink interface:
>
> ipfw add divert 8668 all from any to any via ${outnic1}
> ipfw add divert 8669 all from any to any via ${outnic2}
>
> And on the internal nic:
>
> ipfw add setfib 1 tcp from ${inet} to any 80 IN VIA ${iif}
>
> So the http traffic will be routed thru fib 1 and should appear on the correct
> uplink interface, and natd can do the dirty work.
>
> I don't know about prob... you will need to send the connection setup
> packets (for tcp) and subsequent packets through the same link. I don't know
> if you can achieve this with prob + keep-state.
>
> Luiz

Yes, you are right. Now it's way easier to do policy routing and advanced PBR.

However, I'm still trying to balance outgoing traffic through multiple FIBs, per session. But

add prob 0.5 setfib 1 tcp from ${inet} to any 80 in via ${iif} setup keep-state

is not working as I expected... Some sessions just fail. I guess I need some special behavior on the "keep-state" action.

--
===========
Eduardo Meyer
pessoal: dudu.meyer@gmail.com
profissional: ddm.farmaciap@saude.gov.br
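The two-natd-plus-setfib layout Luiz describes in the quoted reply, written out as a loadable ruleset. This is an added example, not code from the thread, from FreeBSD or from either author. The interface names (em0 inside, em1/em2 uplinks), the 192.168.1.0/24 inside network and the rule numbers are assumptions; the divert ports 8668/8669 and the rule shapes come from Luiz's message. The classify-on-the-inside-interface rule is the essential part: `setfib` only changes the result if it runs on the inbound pass, before the kernel has made its routing decision for the packet.

```shell
#!/bin/sh
# Added example: ipfw policy routing across two FIBs with one natd per uplink.
# Assumed names (override via environment): em0 = inside, em1 = uplink 1 (fib 0),
# em2 = uplink 2 (fib 1), 192.168.1.0/24 = inside network.
iif=${IIF:-em0}
outnic1=${OUTNIC1:-em1}
outnic2=${OUTNIC2:-em2}
inet=${INET:-192.168.1.0/24}

# Emit the ruleset as text (ipfw file syntax, one command per line) so it can be
# reviewed with DRY_RUN=1 before it is fed to the live firewall.
emit_rules() {
    # Start from an empty ruleset.
    echo "flush"
    # One natd instance per uplink: each owns its own divert port and interface,
    # so a packet leaving on em2 gets em2's address, and replies on em2 are
    # un-NATed by the same instance.
    echo "add 200 divert 8668 all from any to any via ${outnic1}"
    echo "add 210 divert 8669 all from any to any via ${outnic2}"
    # Policy routing: tag HTTP from the inside network on the inbound pass on the
    # inside interface, i.e. before the route lookup, so the tag actually changes
    # which uplink the packet leaves on. setfib is non-terminating; processing
    # continues with the next rule.
    echo "add 300 setfib 1 tcp from ${inet} to any 80 in via ${iif}"
    # Everything else passes; tighten this for a real deployment.
    echo "add 65000 allow all from any to any"
}

# natd launch lines, one per uplink, each bound to its divert port (-p) and
# interface (-n).
emit_natd() {
    echo "natd -p 8668 -n ${outnic1}"
    echo "natd -p 8669 -n ${outnic2}"
}

# Apply: with DRY_RUN=1 (the default) only print what would be done; with
# DRY_RUN=0, start natd and load the ruleset (needs root on a FreeBSD host).
load_rules() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        emit_natd
        emit_rules
    else
        emit_natd | sh
        emit_rules | ipfw -q -f /dev/stdin
    fi
}

load_rules
```

Before loading this on a box, the kernel must provide more than one FIB (the ROUTETABLES kernel option on 7.x, the net.fibs loader tunable on later releases), and check net.inet.ip.fw.one_pass: with the default of 1 a packet re-injected by natd is accepted without passing the rest of the ruleset, which is usually what you want here but changes the meaning of any rule placed after the divert rules. The prob 0.5 variant Eduardo reports as failing is deliberately not included; the thread does not show a working per-session balancer.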