Date: Sun, 14 Mar 2004 01:19:45 +1100 From: Tony Frank <tfrank@optushome.com.au> To: asd ads <jason_highland@yahoo.com> Cc: Tony Frank <tfrank@optushome.com.au> Subject: Re: Multiple natd and inbound web traffic Message-ID: <20040313141945.GA64101@marvin.home.local> In-Reply-To: <20040309171513.96071.qmail@web41305.mail.yahoo.com> References: <20040309112748.GB8528@marvin.home.local> <20040309171513.96071.qmail@web41305.mail.yahoo.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi there again, Bit of a delay due to some work committments. Note, preferably post your comments in-line so it's easier to track the history of the message & contents etc. On Tue, Mar 09, 2004 at 09:15:13AM -0800, asd ads wrote: > > > I have the following setup below. A FreeBSD 4.9 > > > machine with 3 nics fxp0, fxp1 and ed0. Fxp0 is > > > connected to my DSL connection, fxp1 is connected > > to > > > my Cable connection and ed0 is my internal > > network. > > > > > > > > > xx.xx.12.1 yy.yy.34.1 > > > --------- ------ > > > | DSL | |Cable| > > > --------- ------ > > > | | > > > \ / > > > \ / > > > \ / > > > \ / > > > \ / > > > fxp0 | | fxp1 > > > .12.2 | |.34.2 > > > | | > > > ----------------- > > > | FW | > > > | Default route | > > > | xx.xx.12.1 | > > > | | > > > ----------------- > > > | > > > |ed0 > > > |192.168.200.1 > > > | > > > | > > > ----- > > > | | > > > | | Web Server > > > | | 192.168.200.10:80 > > > | | > > > ----- > > > > > > What I'm trying to do: > > > > > > Need to have inbound web traffic (from both > > > connections) foward to the same internal web > > server. > > > > > > Problem: > > > > > > When a web connection is made to > > xx.xx.12.2:80(DSL), > > > its nated to 192.168.200.10:80(websrv) and then > > back > > > to the client(all is well at this point). > > > > > > The problem occars when a connection is made to > > > yy.yy.34.2:80(cable), it's nated with the second > > > instance of nat to 192.168.200.10:80(websrv) but > > when > > > it trys to respond back to the client the default > > > route forces it back thru the first connection. > > > > > > Does anyone have a good example of a fwd & divert > > > rules that would help with this issue? You need a way to distinguish the 'uplink' traffic as 'belonging' to either uplink (DSL or cable) Easiest way I can think of is to use a IP alias on the webserver and direct (via natd) the traffic from DSL to IP1 and from cable to IP2. Then you can forward traffic from IP1 to DSL, and from IP2 to cable. So from your example above I select 192.168.200.11 as second IP for cable traffic. A sample config that will possibly work for you: 1. Build a kernel with at least the following options: options IPFIREWALL options IPFW2 options IPFIREWALL_FORWARD options IPDIVERT 2. Configure second IP address on webserver # ifconfig fxp0 inet 192.168.200.11 netmask 255.255.255.255 alias Also ensure that httpd etc is listening on both IP addresses. 2. Start two instances of natd (one for each 'public' interface) Include redirection either in config file or on commandline # /sbin/natd -f /etc/natd.conf -n fxp0 -p 8668 -redirect_port tcp 192.168.200.10:80 80 # /sbin/natd -f /etc/natd.conf -n fxp1 -p 8669 -redirect_port tcp 192.168.200.11:80 80 My natd.conf looks like this: dynamic yes log_denied yes deny_incoming no use_sockets yes same_ports yes target_address 255.255.255.255 log_ipfw_denied yes 2. Configure suitable ipfw divert & forwarding rules You will need to combine this with an existing rc.firewall for the full script logic required. inside_if="ed0" outside_if1="fxp0" outside_ip1="xx.xx.12.2" uplink_ip1="xx.xx.12.1" inside_ip1="192.168.200.10" outside_if2="fxp1" outside_ip2="yy.yy.34.2" uplink_ip2="yy.yy.34.1" inside_ip2="192.168.200.11" # First place any generic rules - eg can stop spoofing etc (refer default rc.firewall for sample) # Rules to jump to correct processing locations for outside/transit traffic ${fwcmd} add 05000 skipto 10000 ip from ${inside_ip2} to any out xmit ${outside_if1} ${fwcmd} add 05010 skipto 11000 ip from ${inside_ip1} to any out xmit ${outside_if2} ${fwcmd} add 05020 skipto 12000 ip from any to any via ${outside_if1} ${fwcmd} add 05030 skipto 13000 ip from any to any via ${outside_if2} # Fallthrough - 'inside' traffic (anything via fxp0) ${fwcmd} add 09999 allow ip from any to any # or could use: ${fwcmd} add 09999 skipto 50000 ip from any to any # Special case "policy routing" rules: # divert traffic from cable inside IP to cable instance of natd # After natd ip src will be rewritten to IP of cable interface, so send packet to cable next-hop ${fwcmd} add 10000 divert 8669 ip from ${inside_ip2} to any out xmit ${outside_if1} ${fwcmd} add 10005 fwd ${uplink_ip2} ip from ${outside_ip2} to any # divert traffic from dsl inside IP to dsl instance of natd # After natd ip src will be rewritten to IP of dsl interface, so send packet to dsl next-hop ${fwcmd} add 11000 divert 8668 ip from ${inside_ip1} to any out xmit ${outside_if2} ${fwcmd} add 11005 fwd ${uplink_ip1} ip from ${outside_ip1} to any # General natd rules for 'normal' transit traffic ${fwcmd} add 12000 divert 8668 ip from any to any via ${outside_if1} ${fwcmd} add 12010 skipto 50000 ip from any to any ${fwcmd} add 13000 divert 8669 ip from any to any via ${outside_if2} ${fwcmd} add 13010 skipto 50000 ip from any to any # Final set of more specific rules to control transit traffic if needed ${fwcmd} add 50000 allow ip from any to any # Everything else is denied and logged [XXX should never hit this - catchall XXX] ${fwcmd} add 65000 deny log logamount 0 all from any to any ### end Note also that some of the other available firewall packages (ipfilter, pf) offer a few other options in this domain. It might be worth looking at them too. Hope it helps, Tony
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040313141945.GA64101>