Date: Tue, 4 Mar 2008 10:46:24 +0100
From: René Vestergaard <rve@techno-matic.dk>
To: <freebsd-ipfw@freebsd.org>
Subject: IPFW2 script with natd and dummynet (loadsharing)
Message-ID: <BOELKALADIALJFGEKOGICENBECAA.rve@techno-matic.dk>
I am trying to have both natd (divert) and loadsharing (pipe/queue) in the same IPFW2 firewall script. It works partly. That is, something is wrong because the pipe bandwidth does not at all match the measured one, and by using the log facility I found that the following packet enters the script at rule 11:

"TCP 207.46.211.119:80 192.168.12.150:1574 out via em0"

but it looks like it had just been translated by rule number 400.

In /etc/sysctl.conf I wrote:
------------------------------
net.inet.ip.forwarding=1
net.inet.ip.redirect=1
net.inet.ip.fw.enable=1
# Disable one_pass to allow both NATD and LOADSHARING (default is 1)
net.inet.ip.fw.one_pass=0
------------------------------

The NIC with IP 192.168.10.248 is connected to the WAN and the NIC with IP 192.168.12.10 is connected to the LAN.

Here is my script:
------------------------------
# Firewall script (kernel compilation: default rule was set to allow)
ipfw -f -q flush
ipfw -q add 60000 allow all from any to any

# Log facility (for debugging)
ipfw add 11 skipto 12 log all from any to any

ipfw pipe 1 config bw 80KByte/s   # upload limit
ipfw pipe 2 config bw 800KByte/s  # download limit

# Packets going in the download direction are translated by NATD
# to get the destination .12-subnet IP address
# (change destination IP address)
ipfw add 100 divert natd ip from any to 192.168.10.248 // Download

ipfw add 200 queue 1 ip from 192.168.12.0/24 to not 192.168.12.0/24 // Upload
ipfw queue 1 config weight 10 pipe 1 mask src-ip 0x000000ff

ipfw add 300 queue 2 ip from any to 192.168.12.0/24 // Download
ipfw queue 2 config weight 10 pipe 2 mask dst-ip 0x000000ff

# Packets going in the upload direction are translated by NATD
# to get the source IP address of the WAN NIC (and the port number is also changed)
ipfw add 400 divert natd ip from 192.168.12.0/24 to any // Upload
------------------------------

What is wrong?
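As an added illustration (not part of the mail, and not ipfw code), the following Python model walks the ruleset from the post through the two passes every forwarded packet makes, once on input and once on output, with divert and queue actions resuming at the next rule as one_pass=0 implies. It assumes em0 is the LAN-side NIC (as the logged line suggests), uses wan0 as a placeholder name for the WAN NIC, and replaces natd with a fixed address lookup; the trace shows the rule 11 line from the post as the output pass of a packet that rule 100 translated, and a download being queued by rule 300 on both passes.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.12.0/24")
WAN_IP = ip_address("192.168.10.248")

# The post's rules as (number, action, matcher on (src, dst)); ports are ignored.
RULES = [
    (11,    "log",     lambda s, d: True),
    (100,   "divert",  lambda s, d: d == WAN_IP),
    (200,   "queue 1", lambda s, d: s in LAN and d not in LAN),
    (300,   "queue 2", lambda s, d: d in LAN),
    (400,   "divert",  lambda s, d: s in LAN),
    (60000, "allow",   lambda s, d: True),
]

def natd(src, dst, nat_table):
    """Stand-in for natd (constructed): inbound traffic to the WAN address gets
    the LAN host from nat_table; outbound LAN sources are hidden behind WAN_IP.
    Port rewriting is left out because the rules above never look at ports."""
    if dst == WAN_IP:
        return src, ip_address(nat_table[str(src)])
    if src in LAN:
        return WAN_IP, dst
    return src, dst

def run_rules(src, dst, where, nat_table, trace):
    """One firewall pass; divert and queue resume at the next rule (one_pass=0)."""
    for num, action, match in RULES:
        if not match(src, dst):
            continue
        trace.append((num, action, where, str(src), str(dst)))
        if action == "divert":
            src, dst = natd(src, dst, nat_table)  # natd reinjects the rewritten packet
        elif action == "allow":
            break
    return src, dst

def forward(src, dst, in_if, out_if, nat_table):
    """A routed packet is checked on input and again on output: two passes."""
    trace = []
    src, dst = run_rules(ip_address(src), ip_address(dst), "in via " + in_if, nat_table, trace)
    run_rules(src, dst, "out via " + out_if, nat_table, trace)
    return trace

def hits(trace, action):
    """All trace entries where a rule with the given action matched."""
    return [t for t in trace if t[1] == action]

if __name__ == "__main__":
    nat = {"207.46.211.119": "192.168.12.150"}  # constructed natd state
    for entry in forward("207.46.211.119", "192.168.10.248", "wan0", "em0", nat):
        print(entry)
```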