From: João Assad <jfassad@parperfeito.com.br>
Date: Tue, 19 Oct 2004 16:24:16 -0300
To: isp@freebsd.org
Subject: problem configuring ipfilter for multiple network routing

Hello guys,

I have a firewall with 3 network interfaces, 2 external (fxp1 and fxp2) and 1 internal (fxp0). fxp0 is connected to my private network while fxp1 and fxp2 are connected to two different ISPs.

I'm trying to use ipfilter to route outgoing packets through two different interfaces and their respective gateways based on the packet's source IP.

My problem is that when a packet comes from 10.1.0.0/16, it is correctly routed through the fxp2 interface and reaches the destination... but the reply packets are lost in my firewall and never reach the sender IP from the 10.1.0.0/16 network. Packets coming from 10.0.0.0/16 work perfectly.

You can see what I'm trying to do at http://www.bsdnews.org/01/policy_routing.php - *Example 3 - Routing for Multiple Network*. The difference is that I'm using stateful rules.

My guess is that the reply packets coming from the destination IP do not match the rules in the state table created by ipfilter. A telnet to www.google.com 80 will generate this rule in the state table:

10.1.4.1 -> 216.239.39.99 ttl 3596 pass 0x5006 pr 6 state 4/3
	pkts 4 bytes 188	32830 -> 80 fd654c28:18ea8803 5840<<0:8190<<0
	pass out quick keep state IPv4
	pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
	pkt_security & ffff = 0, pkt_auth & ffff = 0
	interfaces: in fxp0,fxp2 out fxp1,fxp0

Any idea on how to fix it? ipnat and ipfilter configuration below.

Thanks in advance.

----ipnat.rules:

map fxp1 10.0.0.0/16 -> a.b.c.d/32 portmap tcp/udp 1025:65000
map fxp1 10.0.0.0/16 -> a.b.c.d/32
map fxp2 10.1.0.0/16 -> e.f.g.h/32 portmap tcp/udp 1025:65000
map fxp2 10.1.0.0/16 -> e.f.g.h/32

----ipf.rules:

pass out quick on fxp1 to fxp2:fxp2_gateway from 10.1.0.0/16 to any keep state

block return-rst in log on fxp1 proto tcp all flags S head 100
pass in proto tcp from any to 10.0.5.1/32 port = 25 flags S keep state group 100

block out log on fxp1 all head 150
pass out proto tcp all flags S/SA keep state group 150
pass out proto udp all keep state group 150
pass out proto icmp all keep state group 150

block return-icmp-as-dest(port-unr) in log on fxp1 proto udp all head 155
block in proto udp from any to a.b.c.d/32 port = 137 group 155

block return-rst in log on fxp2 proto tcp all flags S head 200
pass in proto tcp from any to 10.1.5.1/32 port = 25 flags S keep state group 100

block out log on fxp2 all head 250
pass out proto tcp all flags S/SA keep state group 250
pass out proto udp all keep state group 250
pass out proto icmp all keep state group 250

block return-icmp-as-dest(port-unr) in log on fxp2 proto udp all head 255
block in proto udp from any to e.f.g.h/32 port = 137 group 255

pass in quick on fxp0 all
pass out quick on fxp0 all
pass in quick on lo0 all
pass out quick on lo0 all

-- 
--------------------------------
- João Assad
- ParPerfeito Comunicação LTDA
- http://www.parperfeito.com.br/
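As an added example that is not part of the original post: a small Python cross-check over the posted ipnat.rules and ipf.rules that pairs each `head N` with the interface it is bound to and each NAT `map` prefix with its interface, then reports grouped rules whose internal address is mapped on a different interface than the group's head. The sample rules are copied from the post; the check only lints the rule set and says nothing about the lost reply packets themselves.

```python
"""Added example (not from the post): flag ipf.rules 'group' rules naming an
address that ipnat.rules maps on an interface other than the group's 'head'."""
import ipaddress
import re

# Sample rules copied from the posted configuration.
IPNAT_RULES = """\
map fxp1 10.0.0.0/16 -> a.b.c.d/32 portmap tcp/udp 1025:65000
map fxp2 10.1.0.0/16 -> e.f.g.h/32 portmap tcp/udp 1025:65000
"""
IPF_RULES = """\
block return-rst in log on fxp1 proto tcp all flags S head 100
pass in proto tcp from any to 10.0.5.1/32 port = 25 flags S keep state group 100
block return-rst in log on fxp2 proto tcp all flags S head 200
pass in proto tcp from any to 10.1.5.1/32 port = 25 flags S keep state group 100
"""
_MAP = re.compile(r"^map\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+/\d+)\s+->")
_HEAD = re.compile(r"\bon\s+(\S+)\b.*\bhead\s+(\d+)\b")
_GROUP = re.compile(r"\bgroup\s+(\d+)\b")
_ADDR = re.compile(r"\b(\d+\.\d+\.\d+\.\d+(?:/\d+)?)\b")


def nat_prefixes(ipnat_text):
    """Return [(network, interface)] for each 'map IF PREFIX -> ...' line."""
    out = []
    for line in ipnat_text.splitlines():
        m = _MAP.match(line.strip())
        if m:
            out.append((ipaddress.ip_network(m.group(2), strict=False), m.group(1)))
    return out


def check_groups(ipf_text, ipnat_text):
    """Return (rule, head_interface, nat_interface) per mismatching rule."""
    prefixes = nat_prefixes(ipnat_text)
    head_iface = {}          # group number -> interface of its 'head' rule
    problems = []
    for line in ipf_text.splitlines():
        line = line.strip()
        h = _HEAD.search(line)
        if h:                # 'head N' binds group N to this interface
            head_iface[h.group(2)] = h.group(1)
            continue
        g = _GROUP.search(line)
        if not g or g.group(1) not in head_iface:
            continue
        giface = head_iface[g.group(1)]
        for a in _ADDR.findall(line):
            net = ipaddress.ip_network(a, strict=False)
            for pfx, niface in prefixes:
                if net.subnet_of(pfx) and niface != giface:
                    problems.append((line, giface, niface))
    return problems
```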