From owner-freebsd-questions@FreeBSD.ORG Wed Dec 6 22:42:12 2006
Date: Wed, 6 Dec 2006 14:41:29 -0800
From: Christopher Cowart
To: freebsd-questions@freebsd.org
Message-ID: <20061206224129.GH28806@rescomp.berkeley.edu>
Subject: Multihomed router with NAT

Hello,

I'm working on a router that acts as a captive portal and transparent http
proxy for unregistered or disabled hosts that plug in to our network. The
router has a public administrative interface on em0, 192.168.100.10/24. The
router has a physically separate interface, 192.168.200.10/24 on vlan200
using em1, for the NAT clients. The router also has the interface vlan100 on
em1 with the address 10.100.0.1/16. The "captured" machines are assigned
addresses on the 10.100/16 subnet.
The router's firewall allows certain http traffic through the NAT, such as
Windows updates. All other http requests are forwarded through an instance of
squid to an apache instance. The system's default route is configured on the
administrative interface, via 192.168.100.1.

My firewall includes the rule:

    $cmd 0013 divert natd ip from not me to any via vlan200

The NAT does not work. From a "captured" machine, I am able to ping both
192.168.200.10 and the gateway 192.168.200.1, but nothing off-subnet.

We suspect the packets leaving the NAT, tagged with source address
192.168.200.10, are being routed via the system's default route at
192.168.100.1. The router is dropping these packets on the floor, because the
source address doesn't match the subnet it's routing.

Is it possible to tell the system to use a different default route based on
the source address of the packet? We want to keep the administrative interface
on a separate subnet from the client traffic.

I tried using an ipfw fwd rule:

    $cmd 0014 fwd 192.168.200.1 ip from 192.168.200.10 to not \
        192.168.200.10/24

But this had no effect.

Any suggestions would be greatly appreciated.

Thanks,

-- 
Chris Cowart
Unix Systems Administrator
Residential Computing, UC Berkeley
"May all your pushes be popped"
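The following sh script is an added example for the topology in the post above; it is not the poster's ruleset and not FreeBSD's own code. It generates an ipfw rule set that does source-based next-hop selection with a `fwd` rule on the inbound vlan100 pass, before the packet reaches the `divert natd` rule on the vlan200 output pass, so that client traffic bound off-net is routed to 192.168.200.1 instead of the default route on em0. The interface names and addresses are the ones the message gives; the rule numbers, the placement of the `fwd` rule, the final catch-all `allow`, the sysctl names checked before applying (`net.inet.ip.forwarding`, `net.inet.ip.fw.enable`), and the assumption that natd runs with `-interface vlan200` are all mine. With no argument the script only prints the rules; `apply` feeds them to ipfw.

```shell
#!/bin/sh
# Added example, not the poster's configuration. Builds an ipfw rule set for a
# router with: em0 192.168.100.10/24 (admin, default route via 192.168.100.1),
# vlan200 on em1 192.168.200.10/24 (NAT uplink, gateway 192.168.200.1), and
# vlan100 on em1 10.100.0.1/16 (captured clients). Rule numbers, the fwd rule
# placement and the closing allow rule are assumptions for illustration.

ADMIN_NET="192.168.100.0/24"
NAT_IF="vlan200"
NAT_NET="192.168.200.0/24"
NAT_GW="192.168.200.1"
CLIENT_IF="vlan100"
CLIENT_NET="10.100.0.0/16"
# Destinations that must keep using the ordinary routing table.
LOCAL_NETS="$CLIENT_NET,$NAT_NET,$ADMIN_NET"

# Print the rule set, one "ipfw add" argument list per line.
#   00200: on the inbound pass from vlan100 the source is still the client's
#          10.100/16 address, so the next hop is rewritten here, before NAT,
#          and the kernel then routes the packet out vlan200.
#   00300: the poster's NAT rule; natd is assumed to run with -interface vlan200,
#          so it rewrites the source to 192.168.200.10 on the vlan200 output pass
#          and reverses the translation for replies arriving on vlan200.
build_ruleset() {
    cat <<EOF
00100 allow ip from any to any via lo0
00200 fwd $NAT_GW ip from $CLIENT_NET to not $LOCAL_NETS in recv $CLIENT_IF
00300 divert natd ip from not me to any via $NAT_IF
00400 allow ip from any to any
EOF
}

# Number of rules the generator would install (handy for a dry-run check).
rule_count() {
    build_ruleset | wc -l | tr -d ' '
}

# Refuse to apply unless the kernel forwards packets and ipfw is enabled.
# Sysctl names are assumptions for the reader's FreeBSD version; the fwd
# action additionally needs a kernel built with options IPFIREWALL_FORWARD
# on FreeBSD 6-era systems.
check_preconditions() {
    [ "$(sysctl -n net.inet.ip.forwarding 2>/dev/null)" = "1" ] || {
        echo "net.inet.ip.forwarding is not 1" >&2; return 1; }
    [ "$(sysctl -n net.inet.ip.fw.enable 2>/dev/null)" = "1" ] || {
        echo "ipfw is not enabled (net.inet.ip.fw.enable)" >&2; return 1; }
    return 0
}

# Feed each generated line to "ipfw -q add"; stop at the first failure.
apply_ruleset() {
    check_preconditions || return 1
    build_ruleset | while read -r rule; do
        # Word splitting of $rule into separate ipfw arguments is intended.
        ipfw -q add $rule || return 1
    done
}

case "${1:-print}" in
    apply) apply_ruleset ;;
    *)     build_ruleset ;;
esac
```

Running the script without arguments on any machine shows the rules it would install; running it with `apply` on the router installs them only after the sysctl checks pass. Rule 00200 is restricted with `in recv vlan100` so it can only match the first, pre-translation pass of a client packet, which is the pass on which the source address still identifies the client subnet.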