Date:      Tue, 20 Sep 2005 15:07:50 +0200
From:      G Bryant <bsdt@roamingsolutions.net>
To:        freebsd-ipfw@freebsd.org
Subject:   multiple incoming lines
Message-ID:  <433009A6.9070705@roamingsolutions.net>

Hi all,
I hope someone can help me with a routing / natd / ipfw problem I'm having.
Setup description:
1x FreeBSD 5.4
3x NICs:  1x LAN, 2x connected to external DSL modems
int_if - LAN
ext_if1 - ISP1
ext_if2 - ISP2

Both DSL modems use NAT too, so it is NAT behind NAT, but I did have it 
working for a single external line.
I am running two natd instances that use the two external interfaces.

My problem is that when I define a default route (the internal IP of the DSL 
modem for ISP1), all the outgoing packets only want to use that route 
(duh!), but when I try to send the packets out ext_if2 by diverting to natd2, 
it doesn't send them out ext_if2. I even tried to fwd IP_modem_ISP2, but 
nothing going.
With no default route defined, I get the message "no route to destination".

I simplified my ipfw rules to try to get this working, but haven't got it right 
yet.   I have seen posts from other people saying they have this solution 
working, but so far no joy.
If you have any suggestions, I'd love to hear them. Thanks a mil
Gray

Relevant config files below:
-------------------------------------------------------------
natd1.conf:
interface rl0
dynamic
pid_file /var/run/natd1.pid
port natd1

-------------------------------------------------------------
natd2.conf:
interface rl1
dynamic
pid_file /var/run/natd2.pid
port natd2
-------------------------------------------------------------
rc.conf:
hostname="fw.a.b.c"
network_interfaces="lo0 vr0 rl0 rl1"
# Configure the internal network
ifconfig_vr0="inet 192.168.1.1 netmask 255.255.255.0"
# Configure the external networks (connected to the internet)
ifconfig_rl0="inet 192.168.0.75 netmask 255.255.255.0"
ifconfig_rl1="inet 192.168.8.69 netmask 255.255.255.0"
defaultrouter="192.168.0.1"

# - Enabling the FreeBSD Firewall, IPFirewall (IPFW)-
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"

# - Enabling the specific NAT server for IPFW
natd_enable="YES"
natd_flags="-f /etc/natd1.conf"
natd2_enable="YES"
natd2_flags="-f /etc/natd2.conf"

-------------------------------------------------------------
ipfw.rules:
#!/bin/sh
################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
skip="skipto 10000"
ext_if1="rl0"         # public interface name of NIC
ext_if2="rl1"
int_if="vr0"    # private interface name of NIC

# Setup the different Sets to be used for different connection options
ipfw -q set disable 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
# Initially only enable set 1 (and 2 and 12 when we have 2 WAN links)
ipfw -q set enable 2

#################################################################
# Check and drop packets that appear to come from
# the destination LAN, i.e. a spoofed source IP address
$cmd deny ip from any to any not antispoof in

#################################################################
# No restrictions on Loopback Interface
# Protect against spoofing to localhost
$cmd allow ip from any to any via lo0
$cmd deny ip from any to 127.0.0.0/8
$cmd deny ip from 127.0.0.0/8 to any

#################################################################
# Check if the packet is inbound and NAT the address if it is
$cmd 1000 divert natd1 ip from any to any in via $ext_if1
$cmd 1000 divert natd2 ip from any to any in via $ext_if2

#################################################################
# Allow the rest of the LAN traffic in and out
$cmd allow ip from any to any via $int_if

#################################################################
# Allow the packet through if it has previously been added to the
# "dynamic" rules table by an allow keep-state statement.
$cmd check-state

#################################################################
# Interface facing Public Internet (Outbound Section)
#################################################################
$cmd $skip all from any to any out via $ext_if1
$cmd $skip all from any to any out via $ext_if2


#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destined for this gateway server or the private network.
#################################################################
$cmd allow all from any to any in via $ext_if1
$cmd allow all from any to any in via $ext_if2

# This is the skipto location for outbound stateful rules
$cmd 10000 set 12 prob 0.5 skipto 10050 ip from any to any out via $ext_if1 keep-state
$cmd 10020 set 1 divert natd1 ip from any to any out via $ext_if1
$cmd 10020 set 1 divert natd1 ip from any to any out via $ext_if2
$cmd 10030 set 1 allow ip from any to any out
$cmd 10050 set 2 divert natd2 ip from any to any out via $ext_if1
$cmd 10050 set 2 divert natd2 ip from any to any out via $ext_if2
$cmd 10060 set 2 fwd 192.168.8.1 ip from 192.168.8.69 to any out via $ext_if1
$cmd 10100 allow ip from any to any out via $ext_if1
$cmd 10110 allow ip from any to any out via $ext_if2

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 19990 deny log all from any to any

################ End of IPFW rules file ###############################
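
As an added illustration (not part of the original post, and not a fix for it), the following Python models the small subset of ipfw semantics the posted ruleset relies on (rule sets and their enable/disable state, skipto, divert followed by natd re-injection, and the terminating actions) and traces which rules an outbound LAN packet reaches, once with the sets enabled as posted (only 0 and 2) and once with set 1 enabled instead. The numbers given to the unnumbered rules (ipfw's default step of 100), the client address 192.168.1.10, and the natd aliasing addresses taken from the `interface rl0` / `interface rl1` lines are assumptions of the example.

```python
"""Trace which ipfw rules an outbound packet actually hits.

Added illustration, not code from the original post. It models only the
ipfw semantics the posted ruleset depends on:
  * a rule belongs to a set 0-31; rules in disabled sets are skipped, and
    set 0 (the set a rule lands in when no `set N` is given) is always on;
  * `skipto N` resumes matching at the first rule numbered >= N;
  * `divert` hands the packet to natd, which rewrites the source address to
    its aliasing address and re-injects it; matching resumes at the rule
    after the divert;
  * `allow`, `deny` and `fwd` end the search.
`prob` and `keep-state` are not modelled. Numbers for the unnumbered rules
assume ipfw's default autoinc step of 100 (an assumption of this example).
"""
from dataclasses import dataclass


@dataclass
class Rule:
    num: int
    action: str                 # allow | deny | skipto | divert | fwd
    direction: str = "any"      # in | out | any
    via: str = "any"            # interface name, or any
    src: str = "any"            # source address, or any
    set_: int = 0               # ipfw rule set (0 = default, always enabled)
    arg: str = ""               # skipto target, natd port, or fwd next hop

    def matches(self, pkt):
        return (self.direction in ("any", pkt["dir"])
                and self.via in ("any", pkt["via"])
                and self.src in ("any", pkt["src"]))


# Aliasing addresses natd1/natd2 derive from `interface rl0` / `interface rl1`
# in the posted natd*.conf, given the rl0/rl1 addresses in the posted rc.conf.
NATD_ALIAS = {"natd1": "192.168.0.75", "natd2": "192.168.8.69"}

# The rules of the posted ipfw.rules that can see an outbound packet, with the
# set each rule was added to (rules with no `set N` are in set 0).
POSTED_RULES = [
    Rule(1000, "divert", "in", "rl0", arg="natd1"),
    Rule(1000, "divert", "in", "rl1", arg="natd2"),
    Rule(1100, "allow", via="vr0"),
    Rule(1300, "skipto", "out", "rl0", arg="10000"),
    Rule(1400, "skipto", "out", "rl1", arg="10000"),
    Rule(1500, "allow", "in", "rl0"),
    Rule(1600, "allow", "in", "rl1"),
    Rule(10000, "skipto", "out", "rl0", set_=12, arg="10050"),
    Rule(10020, "divert", "out", "rl0", set_=1, arg="natd1"),
    Rule(10020, "divert", "out", "rl1", set_=1, arg="natd1"),
    Rule(10030, "allow", "out", set_=1),
    Rule(10050, "divert", "out", "rl0", set_=2, arg="natd2"),
    Rule(10050, "divert", "out", "rl1", set_=2, arg="natd2"),
    Rule(10060, "fwd", "out", "rl0", src="192.168.8.69", set_=2,
         arg="192.168.8.1"),
    Rule(10100, "allow", "out", "rl0"),
    Rule(10110, "allow", "out", "rl1"),
    Rule(19990, "deny"),
]

# `ipfw set disable 1 ... 31` followed by `ipfw set enable 2`, as posted.
POSTED_SETS = {0, 2}


def trace(rules, enabled_sets, pkt):
    """Return [(rule number, action, argument), ...] for the rules that match
    `pkt`, in the order ipfw would apply them."""
    rules = sorted(rules, key=lambda r: r.num)  # stable: equal numbers keep order
    pkt = dict(pkt)                             # divert mutates the source
    path = []
    i = 0
    while i < len(rules):
        r = rules[i]
        if r.set_ not in enabled_sets or not r.matches(pkt):
            i += 1
            continue
        path.append((r.num, r.action, r.arg))
        if r.action == "skipto":
            target = int(r.arg)
            i = next((j for j, x in enumerate(rules) if x.num >= target),
                     len(rules))
        elif r.action == "divert":
            pkt["src"] = NATD_ALIAS[r.arg]      # natd rewrote the source
            i += 1
        else:
            break                               # allow, deny, fwd terminate
    return path


def lan_packet(out_if):
    """A constructed LAN client packet leaving the gateway on `out_if`."""
    return {"dir": "out", "via": out_if, "src": "192.168.1.10"}


if __name__ == "__main__":
    for enabled in (POSTED_SETS, {0, 1}):
        for ifn in ("rl0", "rl1"):
            print(f"sets {sorted(enabled)}, out via {ifn}:",
                  trace(POSTED_RULES, enabled, lan_packet(ifn)))
```

Running it shows the path the posted set selection produces: with only sets 0 and 2 enabled, an outbound packet on rl0 goes skipto 10000, divert natd2 (source becomes 192.168.8.69), then fwd 192.168.8.1 at 10060, and a packet on rl1 goes divert natd2 then allow at 10110; rules 10000 to 10030 (sets 12 and 1) are never consulted. Enabling set 1 instead sends both interfaces' traffic through natd1 and out at 10030.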