From: "Artyom V. Viklenko" <artem@mipk-kspu.kharkov.ua>
Organization: IIAT NTU "KPI"
Date: Fri, 12 Apr 2002 16:40:08 +0300
To: freebsd-ipfw@freebsd.org
Subject: policy-driven routing with ipfw

Hi!

Help me, please. I have a FreeBSD 4.5-STABLE box with 3 NICs (NE2000 clones). The first, ed0, is connected to the internal network with address, say, 192.168.1.1. The second, ed1, is connected to ISP #1 with IP 10.0.1.1. The third, ed2, to ISP #2 with IP 10.0.2.1. The default route is through ed1.

Clients with IPs 192.168.1.1-192.168.1.127 should get access to the outside world via ed1, and the rest of the clients via ed2. I have set up 'ipfw fwd' rules to point to the ISPs' router addresses, say 10.0.1.254 and 10.0.2.254 respectively:

  # ipfw add 1000 fwd 10.0.1.254 ip from 192.168.1.0/25 to not 192.168.1.0/24 in recv ed0
  # ipfw add 2000 fwd 10.0.2.254 ip from 192.168.1.128/25 to not 192.168.1.0/24 in recv ed0

All OK at this point. The last wish is to use NAT on both outside interfaces to hide the internal network. And I have set up two divert rules and natd daemons:

  # natd -p 2000 -interface ed1
  # natd -p 2001 -interface ed2
  # ipfw add 3000 divert 2000 ip from any to any via ed1
  # ipfw add 4000 divert 2001 ip from any to any via ed2

But packets never pass to these rules. :(

The ipfw(8) man page says that the search terminates on a matching fwd rule. But as I remember, an IP packet passes the ipfw rules twice. The first pass, IMHO, will change the next hop when entering the stack via ed0. And on the second pass, when the packet is leaving the machine via ed1(2), the packet should be diverted.

Where is my mistake? What am I doing wrong?

The kernel variable net.inet.ip.fw.one_pass does not affect this situation. This is only for pipes, isn't it?

--
Sincerely yours,
Artyom V. Viklenko.
======================================================
System Administrator                artem@mipk-kspu.kharkov.ua
------------------------------------------------------
IIAT NTU "KhPI"
21, Frunze Str., Kharkov Ukraine 61002
Phone: +380 (572) 400026    Fax: +380 (572) 474062
======================================================
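As an added illustration (not part of the original message, and not ipfw's own code), the following Python model walks the ruleset from the post through the two passes the post describes, using ipfw's first-match search in which both fwd and divert end the search for that pass. It models only rule matching, so it shows which rule each pass would select; it makes no claim about what the 4.5 kernel does with a packet after a fwd.

```python
import ipaddress

# Constructed from the four rules in the post:
# (number, action, src spec, dst spec, interface qualifier, interface)
RULES = [
    (1000, "fwd 10.0.1.254", "192.168.1.0/25",   "!192.168.1.0/24", "in",  "ed0"),
    (2000, "fwd 10.0.2.254", "192.168.1.128/25", "!192.168.1.0/24", "in",  "ed0"),
    (3000, "divert 2000",    "any",              "any",             "via", "ed1"),
    (4000, "divert 2001",    "any",              "any",             "via", "ed2"),
]


def _addr_match(spec, addr):
    """'any', a CIDR, or '!CIDR' for ipfw's 'not'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"))
    return (ipaddress.ip_address(addr) in net) != negate


def _iface_match(kind, rule_if, direction, pkt_if):
    """'in recv X' needs the inbound pass on X; 'via X' matches either pass on X."""
    if kind == "via":
        return rule_if == pkt_if
    if kind == "in":
        return direction == "in" and rule_if == pkt_if
    return False


def first_match(src, dst, direction, iface, rules=RULES):
    """First-match search for one pass; returns (rule number, action) or None.
    Returning at the first hit models fwd/divert terminating the search."""
    for num, action, s, d, kind, rule_if in rules:
        if (_addr_match(s, src) and _addr_match(d, dst)
                and _iface_match(kind, rule_if, direction, iface)):
            return num, action
    return None


def trace(src, dst, in_if, out_if):
    """Both passes the post expects: inbound on in_if, then outbound on out_if."""
    return [first_match(src, dst, "in", in_if), first_match(src, dst, "out", out_if)]


if __name__ == "__main__":
    # Constructed sample flows: a low-half client and a high-half client reaching the outside.
    print(trace("192.168.1.10", "198.51.100.7", "ed0", "ed1"))
    print(trace("192.168.1.200", "198.51.100.7", "ed0", "ed2"))
```

Because rules 1000 and 2000 carry "in recv ed0", the model shows the outbound pass skipping them and landing on the divert rule for the exit interface, which is the behaviour the post expects but does not observe.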