From owner-freebsd-ipfw@FreeBSD.ORG Fri May 19 17:36:55 2006
X-Original-To: ipfw@freebsd.org
Delivered-To: freebsd-ipfw@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6857316A420 for ; Fri, 19 May 2006 17:36:55 +0000 (UTC) (envelope-from vladone@spaingsm.com)
Received: from mail.spaingsm.com (llwb135.servidoresdns.net [217.76.137.82]) by mx1.FreeBSD.org (Postfix) with ESMTP id AF74643D72 for ; Fri, 19 May 2006 17:36:48 +0000 (GMT) (envelope-from vladone@spaingsm.com)
Received: from localhost (unknown [88.158.112.6]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.spaingsm.com (Postfix) with ESMTP id 38D2F24C5F8 for ; Fri, 19 May 2006 19:08:27 +0200 (CEST)
Date: Fri, 19 May 2006 20:36:44 +0300
From: vladone
X-Mailer: The Bat! (v3.80.03) Professional
X-Priority: 3 (Normal)
Message-ID: <1892564672.20060519203644@spaingsm.com>
To: ipfw@freebsd.org
In-Reply-To: <996142470605182053j3cdd06b4v2f28a424edd0cbdc@mail.gmail.com>
References: <996142470605161456n46e43682x392b1f4f2ccfec73@mail.gmail.com> <001c01c67945$b770dfd0$af00a8c0@orange> <996142470605182053j3cdd06b4v2f28a424edd0cbdc@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Subject: Re[2]: IPFW - Two External Interfaces
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: vladone
List-Id: IPFW Technical Discussions
X-List-Received-Date: Fri, 19 May 2006 17:36:55 -0000

Hello PFS,

Friday, May 19, 2006, 6:53:57 AM, you wrote:

> On 5/16/06, Matthew wrote:
>> I recommend you install tcptraceroute: /usr/ports/net/tcptraceroute/
>>
>> tcptraceroute will let you specify the interface so you can test your
>> configuration.
>>
>> For example, I have a FWD rule:
>> ipfw add 420 fwd 192.168.10.10 tcp from 84.16.244.0/24 to any
>>
>> [root@c3p0][~]$ tcptraceroute -s 84.16.244.178 -i gif0 www.google.com
>> Selected device gif0, address 84.16.244.178, port 12154 for outgoing packets
>> Tracing the path to www.google.com (72.14.203.99) on TCP port 80, 30 hops max
>>  1  192.168.10.10 (192.168.10.10)  107.013 ms  106.731 ms  106.697 ms
>>  2  fragw.gatewayrouter.net (84.16.224.1)  107.287 ms  107.211 ms  107.352 ms
>>  3  fragw1.gatewayrouter.net (217.20.117.10)  106.937 ms  107.240 ms  106.986 ms
>>  4  rtr-1.decix-germany.eweka.nl (80.81.192.224)  107.090 ms  107.509 ms  107.103 ms
>>
>> -- Matthew
>>
>>
> This really highlights my problem that traffic with a source IP of
> 192.168.1.1 isn't being forwarded properly to 192.168.1.254. I have
> removed all my NAT-related rules for testing and have just the
> following:
>
> ipfw -f flush
> ipfw -f pipe flush
> ipfw add fwd 192.168.1.254 tcp from 192.168.1.1 to any
> ipfw add allow all from any to any
>
> When I do a tcptraceroute as outlined above:
>
> $ sudo tcptraceroute -s 192.168.1.1 -i em0 google.com
> Selected device em0, address 192.168.1.1, port 56472 for outgoing packets
> Tracing the path to google.com (72.14.207.99) on TCP port 80, 30 hops max
>  1  * * *
>
> I get nowhere.
>
> I can get out just fine on bge1, since 192.168.2.254 is my default
> gateway on the machine.
>
> I am starting to feel like the fwd directive is simply broken on this
> machine... Could there be some kernel options that I'm missing? Are
> there any other places I should look for something silly that might be
> breaking forward? Again, this did in fact work with pf on this
> machine; due to "policy" I need to get it working in ipfw.
> Jared Baldridge
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

Try with a simple configuration. In your situation, you NEED to put at least one divert rule because you have a router. For a beginning, you don't need to use fwd. Try to work with the route command.

From man ipfw:

"..............
The fwd action does not change the contents of the packet at all. In particular, the destination address remains unmodified, so packets forwarded to another system will usually be rejected by that system unless there is a matching rule on that system to capture them.
.............."

I think that you have a problem with routes on that machine.

In relation to the choice ipfw vs. pf, who knows what you use? :) Explain that some things can be done with pf and others with ipfw. Pf has some problems in older versions of FreeBSD. What version do you use? 6.0 has some bugs, try 5.4 or 6.1.

-- 
Best regards,
vladone                            mailto:vladone@spaingsm.com
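An added illustration of the ipfw(8) point quoted in the reply, written for this archive page and not taken from the thread or from ipfw's own code: a small first-match evaluator for the `allow` / `deny` / `fwd` subset of ipfw rule syntax, fed with the exact two rules Jared posted. It is a constructed model, not a kernel: the default rule 65535 is assumed to be deny, only `proto from X to Y` matching is supported, and the addresses are the ones in the thread. Running it shows that the TCP packet from 192.168.1.1 does hit the fwd rule and gets 192.168.1.254 as its next hop while its destination stays 72.14.207.99, which is exactly why the next-hop router must be prepared to accept and route a packet that is not addressed to it, and that UDP from the same host, or TCP from any other host, falls through to the catch-all allow and follows the default route instead.

```python
"""Constructed toy model of ipfw first-match evaluation for a small rule subset
(allow / deny / fwd with proto, "from", "to"). Added illustration of the
ipfw(8) text quoted in the thread, not ipfw's own code: `fwd` only picks the
next hop; the packet's destination address is never rewritten."""

import ipaddress
import re
from dataclasses import dataclass, replace
from typing import List, Optional

# The exact rules Jared posted in the thread, used here as sample input.
THREAD_RULES = [
    "ipfw add fwd 192.168.1.254 tcp from 192.168.1.1 to any",
    "ipfw add allow all from any to any",
]


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    next_hop: Optional[str] = None   # only ever set by a fwd rule


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "allow", "deny" or "fwd"
    proto: str                       # "all" or a protocol name
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    fwd_to: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "all" or self.proto == pkt.proto)
                and ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst)


_RULE_RE = re.compile(
    r"^(?:ipfw\s+)?add\s+(?:(?P<num>\d+)\s+)?"
    r"(?P<action>allow|deny|fwd)(?:\s+(?P<fwd>\d{1,3}(?:\.\d{1,3}){3}))?"
    r"\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)\s*$"
)


def _net(spec: str) -> ipaddress.IPv4Network:
    """'any' is 0.0.0.0/0; a bare host address becomes a /32."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


def parse_rules(lines: List[str]) -> List[Rule]:
    """Parse ipfw-style 'add' lines; unnumbered rules get sequential numbers."""
    rules, next_num = [], 100
    for line in lines:
        m = _RULE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        if (m["action"] == "fwd") != (m["fwd"] is not None):
            raise ValueError(f"fwd needs exactly one next-hop address: {line!r}")
        number = int(m["num"]) if m["num"] else next_num
        next_num = number + 100
        rules.append(Rule(number, m["action"], m["proto"].lower(),
                          _net(m["src"]), _net(m["dst"]), m["fwd"]))
    return sorted(rules, key=lambda r: r.number)


def evaluate(rules: List[Rule], pkt: Packet):
    """First matching rule wins. Returns (action, packet); with no match the
    kernel's default rule 65535 applies, modelled here as deny (assumption)."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.action == "fwd":
                # The next hop is recorded; src and dst stay exactly as they were.
                return "fwd", replace(pkt, next_hop=rule.fwd_to)
            return rule.action, pkt
    return "deny", pkt


def needs_capture_rule(pkt: Packet) -> bool:
    """The ipfw(8) caveat: a forwarded packet whose destination is not the next
    hop itself is rejected there unless that host has a rule to capture it."""
    return pkt.next_hop is not None and pkt.next_hop != pkt.dst


def demo():
    rules = parse_rules(THREAD_RULES)
    tcp = Packet("tcp", "192.168.1.1", "72.14.207.99")    # Jared's tcptraceroute to google.com
    udp = Packet("udp", "192.168.1.1", "72.14.207.99")    # same host, not covered by the fwd rule
    other = Packet("tcp", "192.168.1.5", "72.14.207.99")  # a different source host (constructed)
    return {name: evaluate(rules, p) for name, p in [("tcp", tcp), ("udp", udp), ("other", other)]}


if __name__ == "__main__":
    for name, (action, pkt) in demo().items():
        print(f"{name:5s} -> {action:5s} next_hop={pkt.next_hop} dst={pkt.dst} "
              f"capture rule needed at next hop: {needs_capture_rule(pkt)}")
```

The evaluator deliberately leaves the `next_hop` of allowed packets as `None`, meaning "the routing table decides", which in Jared's setup is the 192.168.2.254 default gateway on bge1; the difference between that and the fwd-matched packet is the whole of what `fwd` does.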