From: "Narek Gharibyan" <ngharibyan@mail.ru>
To: "'Julian Elischer'" <julian@elischer.org>
Date: Tue, 7 Aug 2007 21:08:23 +0500
Message-ID: <001701c7d90d$304d8f20$180ca8c0@arm.synisys.com>
In-Reply-To: <46AD0058.3020107@elischer.org>
Cc: freebsd-questions@freebsd.org
Subject: RE: Policy - based Routing problem Need help

Thank you very much,

Relying on your help I reached success, but my rules differ from yours a little
bit. My working rules are listed below:

# from ${inet1}/${imask1}, received on ${iif1}: next hop A
ipfw add fwd A all from ${inet1}:${imask1} to any out recv ${iif1}
# from ${inet}/${imask}, received on ${iif}: next hop B
ipfw add fwd B all from ${inet}:${imask} to any out recv ${iif}
# going back to ${inet1}/${imask1} through ${iif1}: next hop G
ipfw add fwd G all from any to ${inet1}:${imask1} out via ${iif1}
# going back to ${inet}/${imask} through ${iif}: next hop H
ipfw add fwd H all from any to ${inet}:${imask} out via ${iif}
# sourced from ${onet1}/${omask1} or ${onet}/${omask}, any outgoing interface
ipfw add fwd A all from ${onet1}:${omask1} to any out
ipfw add fwd B all from ${onet}:${omask} to any out
# catch-all for the inside nets, whatever interface the packet arrived on
ipfw add fwd A all from ${inet1}:${imask1} to any out
ipfw add fwd B all from ${inet}:${imask} to any out


The only remaining problem is when someone (from provider A) tries to access the ftp
server via B: it connects but doesn't do the "Get Directory" command. ipfw doesn't
matter, I checked. I think it is specific to the ftp-data port 20
(connection opening problem). Can you describe to me how it takes place via port
20, or find the wrong line in the ipfw fwd rules?

Best regards,
Narek
 

-----Original Message-----
From: Julian Elischer [mailto:julian@elischer.org] 
Sent: Monday, July 30, 2007 2:02 AM
To: Narek Gharibyan
Subject: Re: Policy - based Routing problem Need help

Narek Gharibyan wrote:
> Yes, your written rules are correct, you think exactly.
> I want to do ALSO
> 
> 1. Packets coming from ISP-B (B network) into C SHOULD go out only via xx0
> (as they came)

# make sure WE can talk to the back nets
# and ourself
ipfw add 1 allow ip from any to any via lo0

ipfw add 2 allow ip from me to G
ipfw add 3 allow ip from me to H
# the next 2 rules are not actually needed as any packets 
# going to G and H will go the right way anyhow.
# ipfw add 4 fwd (G) ip from any to G out recv xx0
# ipfw add 5 fwd (H) ip from any to H out recv xx1

# The next rules ARE needed.
ipfw add 6 fwd (A) ip from G to any out recv yy0
ipfw add 7 fwd (B) ip from H to any out recv yy1
ipfw add 8 fwd (A) ip from (C) to any out
ipfw add 9 fwd (B) ip from (D) to any out


> 2. Packets coming from ISP-A (A network) into D Should go out only via xx1
> (as they came)
> 
> Saying it in other words, packets should leave my network via the interface
> they came in on.
> 
> 3. Packets coming from E should go out via xx0
> 4. Packets coming from F should go out via xx1
> 
> Also I tried from inside to forward packets without a default gateway using via
> A or B with the commands
> 
> ipfw add fwd A all from G to any xmit (or via) xx0
> 
> and it didn't work. I've compiled my kernel with IPFIREWALL,
> IPFIREWALL_FORWARD, and set net.inet.ip.forwarding=1 in sysctl.conf. Surely
> I will try your configuration on Monday, but it seems ipfw fwd does no
> forwarding at all. So how do I write it to reach the results (1., 2., 3., 4.)?
> 
> Regards,
> Narek
> 
> -----Original Message-----
> From: Julian Elischer [mailto:julian@elischer.org] 
> Sent: Sunday, July 29, 2007 1:49 PM
> To: Narek Gharibyan
> Subject: Re: Policy - based Routing problem Need help
> 
> Narek Gharibyan wrote:
>> The right drawing is the one below
>>
>>                    _______          ___________
>> -[ISP-A](A)----(C)[xx0 yy0](E)--(G)[NAT        ]
>>                   [ FBSD  ]        [   Windows ](X)-----LAN
>> -[ISP-B](B)----(D)[xx1 yy1](F)--(H)[NAT        ]
>>                     ~~~~~~~          ~~~~~~~~~~~
>>
>> We can't use only a FreeBSD box, we also need to use a Windows box, due to our
>> company's policy. So your suggestion is not an option. I think we need a
>> different solution.
> 
> ok.
> 
> now that we have established the exact layout,
> what is it exactly that you want to do?
> 
> I gather that you want packets that come into D to go out of F
> and packets that come in through C should go out via E
> 
> this is achieved by:
> ipfw add 1 fwd (G) ip from any to G out recv xx0
> ipfw add 2 fwd (H) ip from any to H out recv xx1
> 
> what else do you wish it to do?
> 
>> Regards,
>> Narek
>>
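As an added example (not code from this thread, and not from either poster), the following Python walks through the two TCP connections behind an FTP directory listing, in active and passive mode, to answer the question above about how the transfer "takes place via port 20". It follows RFC 959: after the client's PORT command the server itself opens the data connection from source port 20, while after a 227 passive reply the client opens it. The function names and the addresses 192.0.2.10 / 203.0.113.5 are constructed for the example and are not the poster's network.

```python
# Added example (not code from this thread): how the FTP data channel is
# opened, per RFC 959. A directory listing ("Get Directory" in many GUI
# clients is the LIST command) travels over a SECOND TCP connection whose
# direction depends on the mode the client chose. Addresses below are
# constructed documentation values, not the poster's network.
import re
from dataclasses import dataclass

FTP_CONTROL_PORT = 21
FTP_DATA_PORT = 20  # source port the SERVER uses for an active-mode data connection


@dataclass(frozen=True)
class Flow:
    """One TCP connection, described from the side that sends the SYN."""
    initiator: str   # "client" or "server"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    @property
    def unsolicited_syn_arrives_at(self) -> str:
        # The side (and any router or NAT in front of it) that must accept a
        # brand-new inbound connection it did not originate.
        return "client" if self.initiator == "server" else "server"


_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
_PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode_hostport(fields) -> tuple:
    """Decode the h1,h2,h3,h4,p1,p2 encoding shared by PORT and the 227 reply."""
    nums = [int(f) for f in fields]
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        raise ValueError("host-port fields must be six octets")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return ip, port


def parse_port_command(line: str) -> tuple:
    """Client -> server: 'PORT h1,h2,h3,h4,p1,p2' announces where the client listens."""
    m = _PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return _decode_hostport(m.groups())


def parse_pasv_reply(line: str) -> tuple:
    """Server -> client: '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    m = _PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 reply: %r" % line)
    return _decode_hostport(m.groups())


def active_data_flow(server_ip: str, port_line: str) -> Flow:
    """Active mode: after PORT, the SERVER connects from port 20 to the client."""
    client_ip, client_port = parse_port_command(port_line)
    return Flow("server", server_ip, FTP_DATA_PORT, client_ip, client_port)


def passive_data_flow(client_ip: str, client_port: int, pasv_line: str) -> Flow:
    """Passive mode: after 227, the CLIENT connects to the server's advertised port."""
    server_ip, server_port = parse_pasv_reply(pasv_line)
    return Flow("client", client_ip, client_port, server_ip, server_port)


def listing_exchange(mode: str) -> dict:
    """Walk through a LIST in either mode and return the two connections involved.

    Constructed addresses: client 192.0.2.10, FTP server 203.0.113.5.
    """
    client_ip, server_ip = "192.0.2.10", "203.0.113.5"
    control = Flow("client", client_ip, 40001, server_ip, FTP_CONTROL_PORT)
    if mode == "active":
        # client listens on 192.0.2.10:1025 and tells the server so (1025 = 4*256+1)
        data = active_data_flow(server_ip, "PORT 192,0,2,10,4,1")
    elif mode == "passive":
        # server listens on 203.0.113.5:50000 and tells the client so (50000 = 195*256+80)
        data = passive_data_flow(client_ip, 40002,
                                 "227 Entering Passive Mode (203,0,113,5,195,80)")
    else:
        raise ValueError("mode must be 'active' or 'passive'")
    return {"control": control, "data": data}


if __name__ == "__main__":
    for mode in ("active", "passive"):
        d = listing_exchange(mode)["data"]
        print("%-7s LIST data connection: %s opens %s:%d -> %s:%d; "
              "new inbound SYN seen at the %s side"
              % (mode, d.initiator, d.src_ip, d.src_port, d.dst_ip, d.dst_port,
                 d.unsolicited_syn_arrives_at))
```

The point for the setup in this thread: in active mode the server, not the client, opens the data connection, from source port 20 to whatever address and port the client announced in PORT, so the client's side sees a fresh inbound connection that the control connection did nothing to announce. Without keep-state, ipfw evaluates each packet on its own, so that port-20 SYN is sent to whichever next hop the first rule matching it names, independently of the path the control connection took. In passive mode the client opens both connections toward the server, which is why switching the client to passive mode is the usual first check when the login works but the listing does not.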