Date:      Mon, 2 Oct 2006 09:55:02 +0300
From:      Oleg Tarasov <subscriber@osk.com.ua>
To:        freebsd-ipfw@freebsd.org
Subject:   ipfw forward does not work
Message-ID:  <1667794444.20061002095502@osk.com.ua>

Hello,

I've got a machine running FreeBSD 6.0. This problem occurred on 6.0-p0
and 6.0-p12.

Introduction
=============
I've got two internet connections from two different providers. One
is the main one and the second is for failover. Both interfaces have
natd attached using the divert function of ipfw. Here are the interface parameters:

ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1492
        inet xxx.xxx.xxx.xxx --> XXX.XXX.XXX.XXX netmask 0xffffffff
ng8: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1492
        inet yyy.yyy.yyy.yyy --> YYY.YYY.YYY.YYY netmask 0xffffffff

Here yyy.yyy.yyy.yyy is an IP address of main connection.

The routing table looks like this:
-------------------------
default            YYY.YYY.YYY.YYY    UGS         0    21878    ng8
yyy.yyy.yyy.yyy    lo0                UHS         0       51    lo0
xxx.xxx.xxx.xxx    lo0                UHS         0        0    lo0
127.0.0.1          127.0.0.1          UH          0     3810    lo0
192.168.82         link#1             UC          0        0    rl0
192.168.82.253     00:30:4f:27:ae:85  UHLW        1       74    lo0
YYY.YYY.YYY.YYY    yyy.yyy.yyy.yyy    UH          3        0    ng8
XXX.XXX.XXX.XXX    xxx.xxx.xxx.xxx    UH          3        0    ng0
-------------------------

My kernel is compiled using the following options:
-------------------------
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=300
options         IPFIREWALL_DEFAULT_TO_ACCEPT
options         IPFIREWALL_FORWARD
options         IPDIVERT
options         IPSTEALTH
options         DUMMYNET
options         HZ=1000
-------------------------

Both interfaces have real IPs and should simultaneously work supplying
DNS, mail and other services.

Usually this is implemented by configuring the ipfw fwd command for policy
routing, so I've inserted the two following lines into the ipfw script:
-------------------------
fwd XXX.XXX.XXX.XXX ip from xxx.xxx.xxx.xxx to any out xmit ng8
fwd YYY.YYY.YYY.YYY ip from yyy.yyy.yyy.yyy to any out xmit ng0
-------------------------

This usually works, and it works on my second server. But for some reason
here I met strange behaviour. It just seems that the fwd command does not
do anything at all.

When I ping xxx.xxx.xxx.xxx (which is the failover one), icmp packets come
in on ng0, but replies from xxx.xxx.xxx.xxx go through the default route on
ng8. This would be normal if there were no fwd commands. But I see the
counters on the rule increasing, and logging these rules shows the
following lines:
Oct  2 08:35:49 central kernel: ipfw: 20500 Forward to XXX.XXX.XXX.XXX
     ICMP:0.0 xxx.xxx.xxx.xxx some.outer.ip.address out via ng8

but packets still go out through ng8 using the default route.
There can be two reasons as I see it. The first is that the fwd command does not
work for some reason, and the second is that the system routing table
considered the default route preferable over the direct route to the
router. The second is nearly impossible, so I wonder...

Please tell me, if possible, how to locate the possible reason for this
problem!

-- 
Best regards,
 Oleg Tarasov                          mailto:subscriber@osk.com.ua
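The policy-routing mechanism the post relies on (a normal route lookup first, then an `out xmit` ipfw `fwd` rule that substitutes a next hop reachable through the other link) can be modelled offline. The following Python script is an added illustration, not code from the original message or from FreeBSD; it uses the routing table and the two fwd rules from the post, with the masked addresses replaced by documentation-range placeholders (an assumption), and shows which interface a reply sourced from the failover address should leave on with and without the fwd rules.

```python
import ipaddress

# Placeholder addresses standing in for the masked ones in the post (assumption).
XXX = "192.0.2.1"      # remote end of ng0 (failover provider's router)
xxx = "192.0.2.2"      # local address on ng0
YYY = "198.51.100.1"   # remote end of ng8 (main provider's router)
yyy = "198.51.100.2"   # local address on ng8

# Constructed routing table modelled on the one in the post.
# gateway None means "directly attached": the next hop is the destination itself.
ROUTES = [
    ("0.0.0.0/0",       YYY,  "ng8"),   # default route via the main provider
    (yyy + "/32",       None, "lo0"),
    (xxx + "/32",       None, "lo0"),
    ("192.168.82.0/24", None, "rl0"),   # LAN
    (YYY + "/32",       None, "ng8"),   # point-to-point peer on ng8
    (XXX + "/32",       None, "ng0"),   # point-to-point peer on ng0
]

# The two fwd rules from the post: (rule number, src, out xmit iface, fwd target).
FWD_RULES = [
    (20500, xxx, "ng8", XXX),
    (20510, yyy, "ng0", YYY),
]


def lookup(dst):
    """Longest-prefix match over ROUTES; returns (next_hop, iface)."""
    best = None
    for prefix, gw, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, gw, iface)
    net, gw, iface = best
    return (gw if gw is not None else dst), iface


def egress(src, dst, fwd_rules=FWD_RULES):
    """Model the outbound path of one packet.

    1. The stack routes the packet, which fixes the candidate output interface.
    2. The 'out xmit <iface>' rules are evaluated against that interface.
    3. On a fwd match, the fwd target becomes the next hop and is itself
       routed to find the real output interface (it must be directly reachable).
    Returns (next_hop, iface, log_lines).
    """
    next_hop, iface = lookup(dst)
    log = [f"route: {src} -> {dst} via {next_hop} on {iface}"]
    for num, rule_src, xmit, target in fwd_rules:
        if src == rule_src and iface == xmit:
            log.append(f"ipfw: {num} Forward to {target} IP {src} {dst} out via {iface}")
            fwd_hop, fwd_iface = lookup(target)
            return fwd_hop, fwd_iface, log
    return next_hop, iface, log


if __name__ == "__main__":
    outer = "203.0.113.9"   # constructed "some.outer.ip.address"
    for rules, label in ((FWD_RULES, "with fwd"), ([], "without fwd")):
        hop, ifc, lines = egress(xxx, outer, rules)
        print(f"{label}: reply from {xxx} leaves via {hop} on {ifc}")
        for line in lines:
            print("   ", line)
```

With the rules in place the model sends a reply sourced from the failover address out through ng0 via XXX; without them it follows the default route on ng8, which is the behaviour the post actually observes. The model only captures the rule-matching part of the decision (the part the logged line and the rule counters confirm); the final next-hop substitution happens inside the kernel's output path, which this script does not reproduce.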
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1667794444.20061002095502>