From owner-freebsd-ipfw@FreeBSD.ORG Wed May 17 17:02:32 2006
Date: Wed, 17 May 2006 20:02:34 +0300
From: vladone <vladone@spaingsm.com>
To: ipfw@freebsd.org
Subject: Re: IPFW - Two External Interfaces
Message-ID: <1295471077.20060517200234@spaingsm.com>
In-Reply-To: <996142470605161456n46e43682x392b1f4f2ccfec73@mail.gmail.com>
List-Id: IPFW Technical Discussions

Hello PFS,

Wednesday, May 17, 2006, 12:56:46 AM, you wrote:

> I am attempting to use IPFW (and either IPNAT or natd) to do the following:
> I have two connections to the outside world coming in to my firewall.
> em0 has a static IP and is going to a bridged DSL connection, and
> bge1 has a static IP and is going to a few bonded DS1s. bge0 goes to
> my internal network.
>
> I am attempting to have NAT on both external interfaces, and have most
> outbound traffic move across bge1, while traffic from/to a particular
> internal system (we'll call it internal_system for purposes of this
> message) to/from a particular remote system (this we'll call
> remote_system) port 80 moves across the DSL line on em0.
>
> Here is an attempt at a pretty ASCII picture:
>
>             ISP 1
>        [192.168.2.254]
>               |
>               |
>       [bge1:192.168.2.1]
> FIREWALL[bge0:10.0.0.1]-------[10.0.0.2]internal_system
>       [em0:192.168.1.1]
>               |
>               |
>        [192.168.1.254]
>             ISP 2
>
> Here are the rules I've tried using in conjunction with natd:
>
> #Send incoming traffic to natd
> 00400 divert 8869 ip from any to any in via bge1
> 00450 divert 8868 ip from any to any in via em0
> 00500 check-state
> #Check for internal_system port 80 traffic
> 0600 skipto 900 from $internal_system to $remote_system 80
> #Send Most Traffic out via bge1
> 00700 divert 8869 ip from $local_net to any in
> 00750 divert 8869 ip from $local_net to any out
> #Send "special" traffic out via em0
> 00900 divert 8868 ip from $internal_system to $remote_system 80 in
> 00950 divert 8868 ip from $remote_system to $remote_system 80 out
> #policy route to get traffic to the correct ISP
> 02000 fwd $isp2_gw ip from $isp2_ip to any
> 02500 fwd $isp1_gw ip from $isp1_ip to any
>
> Two instances of natd are running, one on port 8868 with an alias
> address of $isp1_ip, the other on port 8869 with an alias address
> of $isp2_ip.
>
> With the above ipfw rules in place, a
>
> $ ping -S $isp2_ip google.com
>
> should result in a ping across em0 to google; however, it acts as
> though it cannot even reach $isp2_gw.
>
> I have been able to get everything to work exactly as I want it to
> using pf on FreeBSD, but I've been told that ipfw is preferred within

In my mind, for a normal situation (two interfaces, one internal and another external), you need two rules to divert traffic (sometimes only one).

In your case, you have two "channels", so you need about four divert rules:

divert 8869 ip from any to any in via bge1
divert 8868 ip from any to any in via em0
...........................................
divert 8869 ip from $first_class to any in via bge0
divert 8868 ip from $second_class to any in via bge0

For port forwarding, you can use natd.conf for each instance. You don't need to forward traffic with fwd.

In your example you have six divert rules. Something is wrong.

You need to pay attention to where you put the fwd command in relation to the divert rules.

-- 
Best regards,
vladone                            mailto:vladone@spaingsm.com
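The following is an added example, not code from PFS or vladone, showing one way to lay out the "two channels" ruleset the reply describes: one natd instance per external interface, one inbound and one outbound divert per interface, and the fwd for the special flow placed on the LAN-side inbound pass, before either outbound divert has rewritten the source address. That fwd placement is different from the rules PFS posted (which fwd on the post-NAT source address) and is meant to illustrate the ordering point in the reply. Interface names and addresses follow PFS's ASCII picture; the value of $remote_system, the natd ports, the rule numbers and the permissive final allow are assumptions for illustration, and the script only prints the commands unless run with the argument "apply".

```shell
#!/bin/sh
# Added example, not code from the thread. Dual-WAN ipfw + natd layout with
# one natd instance per external interface. Interface names and addresses
# follow PFS's ASCII picture; $remote_system, the natd ports and the rule
# numbers are assumed for illustration. Needs a kernel with IPDIVERT and
# IPFIREWALL_FORWARD (FreeBSD 6-era options).

ext1_if=bge1; ext1_gw=192.168.2.254          # ISP 1 (default route), natd port 8869
ext2_if=em0;  ext2_gw=192.168.1.254          # ISP 2, natd port 8868
int_if=bge0;  local_net=10.0.0.0/24
internal_system=10.0.0.2
remote_system=203.0.113.10                   # assumed: RFC 5737 documentation address

# natd_cmds prints one natd instance per external interface; -n makes each
# instance alias to that interface's own address (-a would name it explicitly).
natd_cmds() {
    echo "natd -p 8869 -n $ext1_if"
    echo "natd -p 8868 -n $ext2_if"
}

# rules prints the ipfw rules in load order. The ordering is the point:
#   1. inbound from each ISP is un-NATed by the matching instance first;
#   2. fwd runs on the LAN-side inbound pass, while the source is still the
#      private address and before any outbound divert has rewritten it;
#   3. outbound NAT is chosen by the interface the packet is leaving on,
#      which fwd (or the default route towards ISP 1) has already decided.
# The trailing allow is a placeholder for the site's real filtering policy.
rules() {
    cat <<EOF
ipfw add 00100 allow ip from any to any via lo0
ipfw add 00400 divert 8869 ip from any to any in via $ext1_if
ipfw add 00450 divert 8868 ip from any to any in via $ext2_if
ipfw add 00600 fwd $ext2_gw tcp from $internal_system to $remote_system 80 in via $int_if
ipfw add 00700 divert 8869 ip from $local_net to any out via $ext1_if
ipfw add 00750 divert 8868 ip from $local_net to any out via $ext2_if
ipfw add 01000 allow ip from any to any
EOF
}

# rule_number PATTERN prints the number of the first rule whose text matches
# PATTERN (leading zeros dropped), so load order can be checked without ipfw.
rule_number() {
    rules | grep -- "$1" | head -n 1 | awk '{ print $3 + 0 }'
}

# Dry run by default; "apply" actually starts natd and loads the rules.
if [ "${1:-}" = "apply" ]; then
    natd_cmds | sh
    rules | sh
else
    natd_cmds
    rules
fi
```

The return path needs no fwd: a reply from $remote_system arrives in via em0, rule 00450 hands it to the em0 natd instance, which rewrites the destination back to $internal_system, and the packet is then forwarded out bge0 by the normal route. Deliberately absent is any keep-state on the fwd rule: a dynamic rule created by a fwd action would apply that fwd to the reply direction as well and send inbound packets back towards the ISP 2 gateway.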