From: Artyom Viklenko <artem@aws-net.org.ua>
Date: Thu, 12 Jul 2007 17:19:43 +0300
To: Andrea Venturoli
Cc: freebsd-net@freebsd.org
Subject: Re: Again two ADSL lines, routing problems
Message-ID: <4696387F.4080404@aws-net.org.ua>
In-Reply-To: <46961C0B.6060004@netfence.it>

Andrea Venturoli wrote:
> Artyom Viklenko wrote:
>
>> You have to enforce symmetrical routing on your FreeBSD box.
>> You can use, for example, the PF firewall, using such options and features
>> as labels and route-to/reply-to statements.
>>
>> Also it is possible with ipfw, but I prefer PF. :)
>
>
> Thanks, this is interesting. However I failed to understand what you
> mean exactly.
> Do you have any pointer to a document that explains this?
> I searched in PF's and ipfw's manual, but found nothing that I could
> relate to this.
>
> Also, I'm right now using ipfw...
>
> bye & Thanks
> av.

Very brief example (just to show the main idea).

Assume you have three interfaces in the router: fxp0 - lan, fxp1 - adsl1, fxp2 - adsl2.

fxp0 - 192.168.0.1, fxp1 - 192.168.1.2, fxp2 - 192.168.2.2
adsl1 - 192.168.1.1, adsl2 - 192.168.2.1

    # pf.conf macros: defined without a leading "$", referenced with "$" below
    server="192.168.0.2"
    adsl1="192.168.1.1"
    adsl2="192.168.2.1"

    # inbound traffic for the server gets tagged with the line it arrived on
    pass in on fxp1 inet from any to $server keep state tag ADSL1
    pass in on fxp2 inet from any to $server keep state tag ADSL2

    # the tag selects the gateway the server's replies are sent back through
    pass out on fxp0 reply-to (fxp1 $adsl1) from any to $server tagged ADSL1 keep state
    pass out on fxp0 reply-to (fxp2 $adsl2) from any to $server tagged ADSL2 keep state

This is just part of the whole rulebase regarding your problem.

Packets coming in via adsl1 will pass and get tagged with the ADSL1 tag.
Also, a state will be created. Then the packet will pass out to the server,
a state will be created, and all replies from the server will be forwarded
back via adsl1. Same for traffic from adsl2.

Also, see the OpenBSD PF FAQ.

Hope this helps.

-- 
Sincerely yours,
Artyom Viklenko.
-------------------------------------------------------
artem@aws-net.org.ua | http://www.aws-net.org.ua/~artem
FreeBSD: The Power to Serve - http://www.freebsd.org
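A fuller pf.conf sketch of the same tag + reply-to idea, added here as an example and not part of Artyom's message or any FreeBSD documentation. It keeps the interface and address plan from the post and, as the post's rules do, assumes packets for the server already arrive on the ADSL interfaces addressed to $server. The interface macros, the service list, the default-deny block rule and the comments are assumptions added for illustration.

```pf
# Added example: symmetric return routing for one LAN host reachable over two
# ADSL lines. Addresses follow the post; macro names and ports are assumed.
int_if   = "fxp0"          # LAN side, 192.168.0.1
adsl1_if = "fxp1"          # ADSL line 1, 192.168.1.2
adsl2_if = "fxp2"          # ADSL line 2, 192.168.2.2
adsl1_gw = "192.168.1.1"   # modem/gateway on line 1
adsl2_gw = "192.168.2.1"   # modem/gateway on line 2
server   = "192.168.0.2"   # LAN host that must answer on both lines
services = "{ 80, 443 }"   # assumed: TCP ports published on both lines

set skip on lo0
block log all              # assumed default-deny; rules below open only what is needed

# 1. Inbound requests: tag each connection with the line it arrived on.
#    A state is created on the ADSL interface for the client <-> server flow.
pass in on $adsl1_if inet proto tcp from any to $server port $services keep state tag ADSL1
pass in on $adsl2_if inet proto tcp from any to $server port $services keep state tag ADSL2

# 2. Forwarding to the LAN: the tag decides which reply-to gateway is used,
#    so the server's replies leave through the modem the request came from
#    instead of following the default route.
pass out on $int_if reply-to ($adsl1_if $adsl1_gw) inet proto tcp \
    from any to $server tagged ADSL1 keep state
pass out on $int_if reply-to ($adsl2_if $adsl2_gw) inet proto tcp \
    from any to $server tagged ADSL2 keep state

# Connections the server itself opens to the Internet are not covered here;
# they follow the kernel routing table, as in the post.
```

Load it with pfctl -nf /etc/pf.conf first (parse only) and then pfctl -f /etc/pf.conf. After a test connection through each line, pfctl -ss should list two entries per connection: the state from the pass in rule on the ADSL interface and the state from the pass out rule on fxp0; pfctl -vsr shows the per-rule packet counters, which is the quickest way to see that the tagged rule for the right line is the one being hit.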