Date: Wed, 17 May 2006 20:02:34 +0300
From: vladone <vladone@spaingsm.com>
To: ipfw@freebsd.org
Subject: Re: IPFW - Two External Interfaces
Message-ID: <1295471077.20060517200234@spaingsm.com>
In-Reply-To: <996142470605161456n46e43682x392b1f4f2ccfec73@mail.gmail.com>
References: <996142470605161456n46e43682x392b1f4f2ccfec73@mail.gmail.com>
Hello PFS,

Wednesday, May 17, 2006, 12:56:46 AM, you wrote:

> I am attempting to use IPFW (and either IPNAT or natd) to do the following:
> I have two connections to the outside world coming in to my firewall.
> em0 has a static ip and is going to a bridged DSL connection, then
> bge1 has a static ip and is going to a few bonded DS1s. bge0 goes to
> my internal network. I am attempting to have NAT on both external
> interfaces, and have most outbound traffic move across bge1, while
> traffic from/to a particular internal system (We'll call it
> internal_system for purposes of this message) to/from a particular
> remote system (This we'll call remote_system) port 80 moves across
> the DSL line on em0.
>
> Here is an attempt at a pretty ascii picture
>
> ISP 1
> [192.168.2.254]
> |
> |
> [bge1:192.168.2.1]
> FIREWALL[bge0:10.0.0.1]-------[10.0.0.2]internal_system
> [em0:192.168.1.1]
> |
> |
> [192.168.1.254]
> ISP 2
>
> Here are the rules I've tried using in conjunction with natd:
>
> #Send incoming traffic to natd
> 00400 divert 8869 ip from any to any in via bge1
> 00450 divert 8868 ip from any to any in via em0
> 00500 check-state
> #Check for internal_system port 80 traffic
> 0600 skipto 900 from $internal_system to $remote_system 80
> #Send Most Traffic out via bge1
> 00700 divert 8869 ip from $local_net to any in
> 00750 divert 8869 ip from $local_net to any out
> #Send "special" traffic out via em0
> 00900 divert 8868 ip from $internal_system to $remote_system 80 in
> 00950 divert 8868 ip from $remote_system to $remote_system 80 out
> #policy route to get traffic to the correct ISP
> 02000 fwd $isp2_gw ip from $isp2_ip to any
> 02500 fwd $isp1_gw ip from $isp1_ip to any
>
> Two instances of natd are running, one on port 8868 with an alias
> address of $isp1_ip, the other is on port 8869 with an alias address
> of $isp2_ip
>
> With the above ipfw rules in place, a
>
> $ping -S $isp2_ip google.com
>
> Should result in a ping across em0 to google, however it acts as
> though it cannot even reach the $isp2_gw.
>
> I have been able to get everything to work exactly as I want it to
> using pf on FreeBSD, but I've been told that ipfw is preferred within

In my mind, for a normal situation (two interfaces, one internal and another
external), u need two rules to divert traffic (sometimes only one).
In your case, u have two "channels", so u need about four divert rules:

divert 8869 ip from any to any in via bge1
divert 8868 ip from any to any in via em0
...........................................
divert 8869 ip from $first_class to any in via bge0
divert 8868 ip from $second_class to any in via bge0

For port forwarding, u can use natd.conf, for each instance.
U don't need to forward traffic with fwd.
In your example u have six divert rules. Something is wrong.
U need to pay attention where u put the fwd command in relation with the
divert rules.

-- 
Best regards,
vladone                            mailto:vladone@spaingsm.com
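An added example, not vladone's or the original poster's configuration: a dry-run sh script laying out the two-natd design discussed in this thread (one natd per uplink, inbound diverts keyed on the arrival interface, outbound diverts keyed on source/destination, and fwd rules numbered after every divert). It diverts outbound LAN traffic on the out pass rather than `in via bge0`, so that each natd instance sees the packet as outgoing, and keeps fwd for the ISP 2 path because the default route is assumed to point at ISP 1. Addresses come from the poster's diagram, natd ports follow the poster's divert rules (8869 on bge1, 8868 on em0), and remote_system is a constructed placeholder.

```shell
#!/bin/sh
# Two-uplink NAT with ipfw + two natd instances: one natd per uplink,
# inbound divert by arrival interface, outbound divert by source/destination,
# then fwd by the (already aliased) source address. Dry run by default:
# set FWCMD=/sbin/ipfw and NATDCMD=/sbin/natd to apply. Assumes IPDIVERT
# and IPFIREWALL_FORWARD in the kernel (fwd needs it on FreeBSD 6-era
# kernels), net.inet.ip.forwarding=1, and a default route via ISP 1.
ext1_if=bge1; ext1_ip=192.168.2.1; ext1_gw=192.168.2.254   # ISP 1 (default route)
ext2_if=em0;  ext2_ip=192.168.1.1;  ext2_gw=192.168.1.254   # ISP 2 (DSL)
local_net=10.0.0.0/24; internal_system=10.0.0.2
remote_system=203.0.113.10   # constructed placeholder (TEST-NET-3)
natd1_port=8869; natd2_port=8868
fwcmd="${FWCMD:-echo ipfw}"
natdcmd="${NATDCMD:-echo natd}"

start_natd() {
    # one natd per uplink, each aliasing to that uplink's own address
    $natdcmd -p $natd1_port -a $ext1_ip
    $natdcmd -p $natd2_port -a $ext2_ip
}

gen_rules() {
    $fwcmd -f flush
    # 1-2: packets arriving on an uplink are de-aliased by that uplink's natd
    $fwcmd add 400 divert $natd1_port ip from any to any in via $ext1_if
    $fwcmd add 450 divert $natd2_port ip from any to any in via $ext2_if
    $fwcmd add 500 check-state
    # 3-4: LAN traffic is aliased on the out pass. The special case comes
    # first: natd reinjects at the next rule, and the rewritten source
    # (ext2_ip) then no longer matches local_net, so rule 700 is skipped.
    $fwcmd add 600 divert $natd2_port tcp from $internal_system to $remote_system 80 out
    $fwcmd add 700 divert $natd1_port ip from $local_net to any out
    # fwd comes after every divert: it is a terminal action, and it keys
    # on the source address natd has just written
    $fwcmd add 2000 fwd $ext2_gw ip from $ext2_ip to any out
    $fwcmd add 2500 fwd $ext1_gw ip from $ext1_ip to any out
    $fwcmd add 65000 allow ip from any to any
}

# dry-run check of the ordering constraint: every fwd rule must carry a
# higher number than every divert rule
fwd_after_divert() {
    last_divert=$(gen_rules | awk '/ divert /{n=$3} END{print n+0}')
    first_fwd=$(gen_rules | awk '/ fwd /{print $3; exit}')
    [ "${first_fwd:-0}" -gt "$last_divert" ]
}

start_natd
gen_rules
```

Running it without FWCMD/NATDCMD set only prints the natd and ipfw commands, so the ordering check in fwd_after_divert is meaningful only in that dry-run mode.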