From: "J.T. Davies"
Date: Mon, 24 May 2004 15:08:00 -0700
Subject: RE: ISP redundancy and with IPFW
List-Id: IPFW Technical Discussions

Hi Simon,

From another IPFW newbie (myself), I solved it with the following:

The two router computers would use NATD to redirect the port traffic inside.

On the webserver (if you're fortunate enough to have FreeBSD on that, which I did), I also enabled IPFW and used two rules:
The first would route traffic back to the .1 router if it came from that router. The second would be the same, but direct to .2. I think I used the forward action with IPFW.
(Forward to .1 if the traffic came from .1, forward to .2 if the traffic came from .2)

I don't have that configuration anymore to share, but it worked rather well.

It may not have been the best solution (aside from installing another port), but it did work well!

J.T.

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Simon Chang
Sent: Monday, May 24, 2004 6:31 AM
To: freebsd-ipfw@freebsd.org
Subject: ISP redundancy and with IPFW

Hello all,

IPFW newbie question.

I am lucky enough to have 2 ADSL connections with 6 static addresses on each router. I have a web server that needs to be always available from the internet for our road warriors. What I would like to do is give this web server a private address say 10.0.0.1 and put it behind a FreeBSD/IPFW firewall. I would then like to nat this private address to a public address from each ISP's range.

Say 100.1.1.2 for ISP1 (The ISP router address is 100.1.1.1) and 200.2.2.2 for ISP2 (The ISP router address is 200.2.2.1)

This would mean that our roadwarriors could type into their browsers either http://100.1.1.2 or http://200.2.2.2 and arrive at the web server.

The problem I'm not sure about is how to configure the return routing of the packets (I don't think I can use a default router on the firewall).

Say for example ISP1 was down - 100.1.1.2 does not work, so the user types 200.2.2.2 the packet arrives at the firewall is natted to 10.0.0.1 and sent to the web server. The return packet is returned to the firewall where the source is "unnatted" to 200.2.2.2 (destination could be anything), how do I specify a rule that says for this source address (in ISP2's network) send the packet to ISP2's router (200.2.2.1)?

Obviously I cannot route by destination address as this could be anything (for the return packets).

Is this possible with IPFW and NAT together?
Has anyone a similar rule set that they could send me?

Cheers,

Simon Chang.
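
The source-based return routing discussed in both messages (hand a reply to the router that owns its source address), as an added example that is not from either poster and is not a recovered copy of J.T.'s configuration. It prints ipfw `fwd` rules for the addresses in Simon's question rather than installing them. Assumptions: Simon's single-firewall layout, a kernel built with ipfw forwarding support, outbound NAT has already restored the public source address before these rules are reached, and the rule number 1000 and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: source-based return routing with ipfw "fwd".
# Pairs are "public address:ISP router", taken from the question in the thread.
PAIRS="100.1.1.2:100.1.1.1 200.2.2.2:200.2.2.1"

# Accept only a dotted quad with every octet in 0-255.
is_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Print one "fwd" rule per public address. Rule numbers start at $1 and
# are assumed to be higher than the outbound divert rule, so the source
# address is already the public one when these rules are evaluated.
gen_fwd_rules() {
    num=$1; shift
    for pair in "$@"; do
        src=${pair%%:*}; gw=${pair##*:}
        is_ipv4 "$src" && is_ipv4 "$gw" || { echo "bad pair: $pair" >&2; return 1; }
        echo "ipfw add $num fwd $gw ip from $src to any out"
        num=$((num + 10))
    done
}

# First-match lookup mirroring the rules above: the router a return packet
# with the given (post-NAT) source address is handed to, or "default" when
# no rule matches and the normal routing table decides.
next_hop_for() {
    for pair in $PAIRS; do
        [ "${pair%%:*}" = "$1" ] && { echo "${pair##*:}"; return 0; }
    done
    echo default
}

# Dry run: print the commands instead of executing them.
gen_fwd_rules 1000 $PAIRS
```

Because the match is on the source address, a reply to a client that connected to 200.2.2.2 leaves through 200.2.2.1 regardless of the firewall's default route or of whether ISP1 is up.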