From owner-freebsd-ipfw@FreeBSD.ORG Thu Feb 6 05:59:30 2014
Subject: Re: IPFW fwd not working after upgrade from 9.2 to 10.0
From: John Nielsen
To: Michael Sierchio
Cc: "freebsd-ipfw@freebsd.org", "freebsd-stable@freebsd.org Stable"
Date: Wed, 5 Feb 2014 22:59:21 -0700
References: <8C9CDEF4-A44A-4207-BB87-DA3E7CF89917@jnielsen.net>
List-Id: IPFW Technical Discussions

On Feb 5, 2014, at 5:54 PM, Michael Sierchio wrote:

> compile a kernel with more than the default 2 FIB tables (16 for example), and
>
> setfib 0 route add default $GATEWAY_A
> setfib 1 route add default $GATEWAY_B
> setfib 2 route add default $GATEWAY_C
>
> [ ... ]
>
> ipfw table 1 add $NET_LAN 0
> ipfw table 1 add $NET_VOIP 2
> ipfw table 1 add $NET_VPN 0
> ipfw table 1 add $NET_WIFI 0
> ipfw table 1 add $NET_GUEST 1
> ipfw table 1 add $NET_SECURITY 0
> ipfw table 1 add $NET_COMMON 1
> ipfw table 1 add $NET_FINANCE 1
> ipfw table 1 add $NET_CORE 2
> ipfw table 1 add $NET_EVENT 0
>
> [ ... ]
>
> ipfw add 00500 setfib tablearg ip from table\(1\) to any in lookup src-ip 1

Thanks for the suggestion, but unless something has changed recently using setfib with ipfw is only effective for routed traffic, not packets that originate locally (the routing decision has already been made by the time the outgoing packet goes through ipfw).

Running specific processes with an alternate FIB could be a partial workaround but it's a lot less elegant. Really I'd like to know what's going on in 10.0 that keeps the ipfw fwd solution from working like it did in 9.2.

JN
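The per-network FIB policy quoted in the thread, as an added example that is not part of either message: it keeps the network-to-FIB mapping in one place, checks that the highest FIB index used actually exists on the running kernel (the default is 2 FIBs, so index 2 needs a kernel built with more, as Michael notes) before emitting any commands, and prints the ipfw table entries and the setfib rule as a dry run. The networks and FIB numbers in POLICY are constructed placeholders standing in for the thread's $NET_* variables; the net.fibs sysctl is assumed to be the FreeBSD FIB count, and the fallback to 2 is for running the dry run on a host without it.

```shell
#!/bin/sh
# Added example (not from the thread): build the FIB policy quoted above
# from one mapping and sanity-check it before emitting ipfw/route commands.
# Assumes FreeBSD with ipfw and the net.fibs sysctl for the real run.

# Constructed mapping: "network fib" pairs, one per line. The thread's
# $NET_* names are replaced by placeholder CIDRs.
POLICY='
10.1.0.0/24 0
10.2.0.0/24 2
10.3.0.0/24 1
'

# Highest FIB index referenced by a policy (0 when the policy is empty).
max_fib() {
    printf '%s\n' "$1" | awk 'NF == 2 && $2 > m { m = $2 } END { print m + 0 }'
}

# Number of FIBs the running kernel supports. Falls back to the default of
# 2 when the sysctl is unavailable (e.g. a dry run on a non-FreeBSD host).
kernel_fibs() {
    sysctl -n net.fibs 2>/dev/null || echo 2
}

# Returns 0 when every FIB index in the policy exists on a kernel with $2
# FIBs, 1 otherwise. Indices are 0-based, so index N needs net.fibs > N.
policy_fits() {
    [ "$(max_fib "$1")" -lt "$2" ]
}

# Print the ipfw table entries for the policy followed by the rule from
# the thread that selects the FIB from the table argument on ingress.
emit_rules() {
    printf '%s\n' "$1" | awk 'NF == 2 { printf "ipfw table 1 add %s %s\n", $1, $2 }'
    echo 'ipfw add 00500 setfib tablearg ip from table\(1\) to any in lookup src-ip 1'
}

# Dry run: refuse to print rules that reference a FIB the kernel lacks.
if policy_fits "$POLICY" "$(kernel_fibs)"; then
    emit_rules "$POLICY"
else
    echo "policy needs $(( $(max_fib "$POLICY") + 1 )) FIBs, kernel has $(kernel_fibs)" >&2
fi
```

Pipe the output into sh on the router once the check passes. As John points out, the setfib action only changes the FIB for packets that ipfw sees before the routing decision, i.e. forwarded traffic; a process on the router itself that should use FIB N has to be started under setfib N instead.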