From: "PFS IT"
To: freebsd-questions@freebsd.org, freebsd-ipfw@freebsd.org
Date: Tue, 16 May 2006 17:56:46 -0400
Subject: IPFW - Two External Interfaces

I am attempting to use IPFW (and either IPNAT or natd) to do the following: I have two connections to the outside world coming in to my firewall.
em0 has a static IP and is going to a bridged DSL connection, then bge1 has a static IP and is going to a few bonded DS1s. bge0 goes to my internal network. I am attempting to have NAT on both external interfaces, and have most outbound traffic move across bge1, while traffic from/to a particular internal system (we'll call it internal_system for purposes of this message) to/from a particular remote system (this we'll call remote_system) port 80 moves across the DSL line on em0.

Here is an attempt at a pretty ASCII picture:

                        ISP 1 [192.168.2.254]
                                 |
                                 |
                      [bge1:192.168.2.1]
    FIREWALL          [bge0:10.0.0.1]-------[10.0.0.2]internal_system
                      [em0:192.168.1.1]
                                 |
                                 |
                        [192.168.1.254] ISP 2

Here are the rules I've tried using in conjunction with natd:

    # Send incoming traffic to natd
    00400 divert 8869 ip from any to any in via bge1
    00450 divert 8868 ip from any to any in via em0
    00500 check-state
    # Check for internal_system port 80 traffic
    00600 skipto 900 ip from $internal_system to $remote_system 80
    # Send most traffic out via bge1
    00700 divert 8869 ip from $local_net to any in
    00750 divert 8869 ip from $local_net to any out
    # Send "special" traffic out via em0
    00900 divert 8868 ip from $internal_system to $remote_system 80 in
    00950 divert 8868 ip from $internal_system to $remote_system 80 out
    # Policy route to get traffic to the correct ISP
    02000 fwd $isp2_gw ip from $isp2_ip to any
    02500 fwd $isp1_gw ip from $isp1_ip to any

Two instances of natd are running, one on port 8868 with an alias address of $isp1_ip, the other on port 8869 with an alias address of $isp2_ip.

With the above ipfw rules in place, a

    $ ping -S $isp2_ip google.com

should result in a ping across em0 to Google; however, it acts as though it cannot even reach the $isp2_gw.

I have been able to get everything to work exactly as I want it to using pf on FreeBSD, but I've been told that ipfw is preferred within the organization.

Any suggestions would be greatly appreciated.

Jared Baldridge
Systems Administrator
PFS
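An added consistency check, not part of the post above: in a setup with one natd per external interface, every "divert PORT ... in via IFACE" rule must name the natd instance whose alias address lives on IFACE, otherwise inbound replies are handed to the wrong instance. The natd table, addresses and the two sample rulesets below are constructed for the demonstration; the rule syntax is the same ipfw syntax the post uses.

```shell
#!/bin/sh
# Consistency check for a two-natd, two-uplink ipfw ruleset.
# natd(8) instances are keyed by divert port; a rule of the form
#   <num> divert <port> ... in via <iface>
# hands packets arriving on <iface> to the natd on <port>, so that natd
# must be the one aliasing to <iface>'s address, or inbound replies are
# de-aliased by the wrong instance.  Everything below is constructed
# sample data for the check itself, not a copy of a live configuration.

# One natd per uplink: "divert_port alias_address interface", ';'-separated.
NATD_TABLE='8868 192.168.1.1 em0;8869 192.168.2.1 bge1'

# check_divert_in RULESET
# Prints one line per mismatched inbound divert rule.
# Returns 0 when every "divert ... in via" rule names the right natd, 1 otherwise.
check_divert_in() {
    printf '%s\n' "$1" | awk -v table="$NATD_TABLE" '
    BEGIN {
        n = split(table, rows, ";")
        for (i = 1; i <= n; i++) {
            split(rows[i], f, " ")
            iface_of[f[1]] = f[3]
        }
    }
    $2 == "divert" && / in via / {
        port = $3
        for (i = 4; i <= NF; i++) if ($i == "via") iface = $(i + 1)
        if (!(port in iface_of)) {
            printf "rule %s: no natd listens on divert port %s\n", $1, port
            bad++
        } else if (iface_of[port] != iface) {
            printf "rule %s: natd on port %s aliases for %s, rule says via %s\n",
                   $1, port, iface_of[port], iface
            bad++
        }
    }
    END { exit bad ? 1 : 0 }'
}

# Constructed rulesets: the first is consistent with NATD_TABLE, the second
# has the two divert ports swapped between the interfaces.
GOOD_RULES='00400 divert 8868 ip from any to any in via em0
00450 divert 8869 ip from any to any in via bge1'
BAD_RULES='00400 divert 8869 ip from any to any in via em0
00450 divert 8868 ip from any to any in via bge1'

if check_divert_in "$GOOD_RULES"; then echo "good ruleset: OK"; fi
if ! check_divert_in "$BAD_RULES"; then echo "bad ruleset: mismatch found"; fi
```

Feed it the output of `ipfw list` and your own natd table to check a live ruleset; only the "in via" divert rules are inspected.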