Date: Fri, 19 May 2006 20:36:44 +0300
From: vladone <vladone@spaingsm.com>
To: ipfw@freebsd.org
Subject: Re[2]: IPFW - Two External Interfaces
Message-ID: <1892564672.20060519203644@spaingsm.com>
In-Reply-To: <996142470605182053j3cdd06b4v2f28a424edd0cbdc@mail.gmail.com>
References: <996142470605161456n46e43682x392b1f4f2ccfec73@mail.gmail.com> <001c01c67945$b770dfd0$af00a8c0@orange> <996142470605182053j3cdd06b4v2f28a424edd0cbdc@mail.gmail.com>
Hello PFS,

Friday, May 19, 2006, 6:53:57 AM, you wrote:

> On 5/16/06, Matthew <drinking.coffee@gmail.com> wrote:
>> I recommend you install tcptraceroute: /usr/ports/net/tcptraceroute/
>>
>> tcptraceroute will let you specify the interface so you can test your
>> configuration.
>>
>> For example, I have a FWD rule:
>> ipfw add 420 fwd 192.168.10.10 tcp from 84.16.244.0/24 to any
>>
>> [root@c3p0][~]$ tcptraceroute -s 84.16.244.178 -i gif0 www.google.com
>> Selected device gif0, address 84.16.244.178, port 12154 for outgoing packets
>> Tracing the path to www.google.com (72.14.203.99) on TCP port 80, 30 hops max
>>  1  192.168.10.10 (192.168.10.10)  107.013 ms  106.731 ms  106.697 ms
>>  2  fragw.gatewayrouter.net (84.16.224.1)  107.287 ms  107.211 ms  107.352 ms
>>  3  fragw1.gatewayrouter.net (217.20.117.10)  106.937 ms  107.240 ms  106.986 ms
>>  4  rtr-1.decix-germany.eweka.nl (80.81.192.224)  107.090 ms  107.509 ms  107.103 ms
>>
>> -- Matthew
>>
>
> This really highlights my problem that traffic with a source ip of
> 192.168.1.1 isn't being forwarded properly to 192.168.1.254. I have
> removed all my NAT related rules for testing and have just the
> following:
>
> ipfw -f flush
> ipfw -f pipe flush
> ipfw add fwd 192.168.1.254 tcp from 192.168.1.1 to any
> ipfw add allow all from any to any
>
> When I do a tcptraceroute as outlined above:
>
> $sudo tcptraceroute -s 192.168.1.1 -i em0 google.com
> Selected device em0, address 192.168.1.1, port 56472 for outgoing packets
> Tracing the path to google.com (72.14.207.99) on TCP port 80, 30 hops max
>  1  * * *
>
> I get nowhere.
>
> I can get out just fine on bge1, since 192.168.2.254 is my default
> gateway on the machine.
>
> I am starting to feel like the fwd directive is simply broken on this
> machine... Could there be some kernel options that I'm missing? Are
> there any other places I should look for something silly that might be
> breaking forward? Again, this did in fact work with pf on this
> machine, due to "policy" I need to get it working in ipfw.
>
> Jared Baldridge
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

Try with a simple configuration. In your situation, you NEED to put at
least one divert rule because you have a router. For a beginning, you
don't need to use fwd. Try to work with the route command.

From man ipfw:

"
..............
The fwd action does not change the contents of the packet at all. In
particular, the destination address remains unmodified, so packets
forwarded to another system will usually be rejected by that system
unless there is a matching rule on that system to capture them.
..............
"

I think that you have a problem with routes on that machine.

In relation to the choice ipfw vs. pf, who knows what you use? :)
Explain that some things can be done with pf and others with ipfw.
Pf has some problems in older FreeBSD versions. What version do you
use? 6.0 has some bugs; try 5.4 or 6.1.

-- 
Best regards,
vladone                            mailto:vladone@spaingsm.com
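As an added example (not part of this thread, and not code from the tcptraceroute or ipfw projects), here is a small Python checker for the kind of test Matthew describes: it parses tcptraceroute output and reports whether the first hop is the expected fwd next hop, some other hop, or a timeout like Jared's `1 * * *`. The two sample traces are constructed from the outputs quoted above, and the next-hop addresses come from the fwd rules in the thread; the function names are my own.

```python
"""Check a tcptraceroute trace against the next hop an ipfw fwd rule should produce."""
import re

# Constructed sample input: Matthew's trace, where fwd 192.168.10.10 is working.
TRACE_WORKING = """Selected device gif0, address 84.16.244.178, port 12154 for outgoing packets
Tracing the path to www.google.com (72.14.203.99) on TCP port 80, 30 hops max
 1  192.168.10.10 (192.168.10.10)  107.013 ms  106.731 ms  106.697 ms
 2  fragw.gatewayrouter.net (84.16.224.1)  107.287 ms  107.211 ms  107.352 ms
 3  fragw1.gatewayrouter.net (217.20.117.10)  106.937 ms  107.240 ms  106.986 ms
 4  rtr-1.decix-germany.eweka.nl (80.81.192.224)  107.090 ms  107.509 ms  107.103 ms
"""

# Constructed sample input: Jared's trace, where the first hop never answers.
TRACE_BROKEN = """Selected device em0, address 192.168.1.1, port 56472 for outgoing packets
Tracing the path to google.com (72.14.207.99) on TCP port 80, 30 hops max
 1  * * *
"""

# A hop line starts with the hop number; header lines do not.
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
# tcptraceroute prints the responding address in parentheses after the name.
ADDR_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_hops(output):
    """Return [(hop_number, ip_or_None), ...] from tcptraceroute output.

    A hop that produced no reply ('* * *') is recorded with address None,
    so the caller can tell 'nothing answered' apart from 'wrong router answered'.
    """
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # "Selected device ..." / "Tracing the path ..." header lines
        number, rest = int(m.group(1)), m.group(2)
        addr = ADDR_RE.search(rest)
        hops.append((number, addr.group(1) if addr else None))
    return hops


def first_hop_check(output, expected_next_hop):
    """Classify the trace's first hop relative to the fwd rule's next hop.

    Returns one of:
      ("forwarded", addr)  first hop is the fwd next hop, as in Matthew's trace
      ("bypassed",  addr)  first hop answered but is not the fwd next hop
      ("no-reply",  None)  first hop timed out, as in Jared's "1 * * *"
      ("no-hops",   None)  no hop lines at all (truncated or empty output)
    """
    hops = parse_hops(output)
    if not hops:
        return "no-hops", None
    _, addr = hops[0]
    if addr is None:
        return "no-reply", None
    if addr == expected_next_hop:
        return "forwarded", addr
    return "bypassed", addr


if __name__ == "__main__":
    print(first_hop_check(TRACE_WORKING, "192.168.10.10"))  # ('forwarded', '192.168.10.10')
    print(first_hop_check(TRACE_BROKEN, "192.168.1.254"))   # ('no-reply', None)
```

A `bypassed` result means the rule did not match and the packet left by the ordinary route, which is the cheap case to diagnose. A `no-reply` result is ambiguous on its own: as the man page excerpt quoted above says, fwd leaves the destination address untouched, so the next hop will usually reject such packets unless it has a rule to capture them, and a next hop that silently drops the packet looks exactly like a fwd rule that never fired. Both the rule on the forwarding box and the configuration of the next hop need checking before concluding that fwd itself is broken.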