From owner-freebsd-ipfw  Tue Aug 27 17:19:22 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9139A37B401
	for <freebsd-ipfw@FreeBSD.ORG>; Tue, 27 Aug 2002 17:19:18 -0700 (PDT)
Received: from skywalker.rogness.net (skywalker.rogness.net [64.251.173.102])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 9AE4B43E72
	for <freebsd-ipfw@FreeBSD.ORG>; Tue, 27 Aug 2002 17:19:17 -0700 (PDT)
	(envelope-from nick@rogness.net)
Received: from localhost (nick@localhost)
	by skywalker.rogness.net (8.11.3/8.11.3) with ESMTP id g7S0EWD35575;
	Tue, 27 Aug 2002 18:14:32 -0600 (MDT)
	(envelope-from nick@rogness.net)
Date: Tue, 27 Aug 2002 18:14:29 -0600 (MDT)
From: Nick Rogness <nick@rogness.net>
To: cjclark@alum.mit.edu
Cc: John Resnier <john_resnier@yahoo.com>, <freebsd-ipfw@FreeBSD.ORG>
Subject: Re: Policy routing using IPFW for multiple ISP's
In-Reply-To: <20020827215445.GA8419@blossom.cjclark.org>
Message-ID: <20020827180538.K34809-100000@skywalker.rogness.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-ipfw.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-ipfw>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-ipfw>
X-Loop: FreeBSD.ORG

On Tue, 27 Aug 2002, Crist J. Clark wrote:

> On Tue, Aug 27, 2002 at 09:41:48AM -0600, Nick Rogness wrote:
> > On Mon, 26 Aug 2002, Crist J. Clark wrote:
> >
> > > On Mon, Aug 26, 2002 at 02:59:59PM -0600, Nick Rogness wrote:
> > > > On Mon, 26 Aug 2002, John Resnier wrote:
> > > >
> > > > > Hey Crist
> > > > >
> > > > > Thanks for your help. Only reason why I didn't do it with a route is
> > > > > that I wanted ipfw to forward on the app layer.  Ideally, I would like
> > > > > to have all web traffic destined for the 66.25.xx.0/24 range to go out
> > > > > the DSL Gateway but the rest of the web traffic go out the Cable
> > > > > connection.
> > >
> > > <pedantic>You mean forward at the transport layer.</pedantic>
> > >
> > > > > The example I provided did not show all that information
> > > > > because I wanted to get this problem solved first. Any examples you
> > > > > would have on how to accomplish this would be awesome!!
> > > >
> > > >
> > > > 	# set next-hop address for packets leaving the ed0 interface
> > > > 	# to the DSL gateway address
> > > > 	fwd 199.185.xx.xx tcp from any to 66.25.xx.0/24 80 out via ed0
> > > >
> > > > 	Also, make sure nat is working properly on rl0 interface and turn
> > > > 	on logging to help you debug (both in natd and ipfw).  What you
> > > > 	have below looks as if it should work ok.
> > >
> >
> > > I don't think that will do what he wants. You'll get asymmetric routing
> > > in this case. The packet will go to the 199.185.xx.xx gateway and out
> > > that way, but it will come back the other way since it will have a
> > > source address on 24.86.xx.xx. In fact, it's quite possible that the DSL
> > > ISP will drop packets with a source address that doesn't belong to them.
> >
> > 	Um, I believe he is running nat on rl0 (his DSL).  As the packet
> > 	leaves rl0  it will be assigned the SRC IP of rl0.
>
> That's the problem, it won't. When the packet hit the 'fwd' rule above,
> it is accepted by the firewall and queued up on rl0. It doesn't continue
> through or start again through the rules with the new interface.

 Did this change?  I swear this used to work at one time.
 Either way he can still use:

 fwd 199.185.xx.xx tcp from any to 66.25.xx.0/24 80 out recv fxp0 xmit ed0

 I believe that should work.

Nick Rogness <nick@rogness.net>
- WARNING TO ALL PERSONNEL:
   Firings will continue until morale improves.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message