Date: Tue, 16 Sep 2003 00:57:28 +0300
From: Ruslan Ermilov <ru@freebsd.org>
To: Martin Bartelds <bts@iae.nl>
Cc: "ipfw@freebsd.org" <ipfw@freebsd.org>
Subject: Re: IPFW/routing wishes
Message-ID: <20030915215728.GD14510@sunbay.com>
In-Reply-To: <200309151438.1937858.6@btsoftware.com>
On Mon, Sep 15, 2003 at 02:38:17PM +0200, Martin Bartelds wrote:
> What I do seriously miss in FreeBSD is the possibility to have NATD active
> on more than 1 network address/card and do packet routing based
> on packet information.
>
I have a config with two ISPs, each providing us with a small
block of IP addresses, and I have the solution that:
- does source-based routing with the help of "ipfw fwd",
- provides multi-NAT for internal hosts, destination-based.
The last part is done by allocating two distinct IP addresses,
one from each block, and "routing" the packets to a corresponding
natd(8) process, like this:
In /etc/rc.conf:
natd_enable="YES"
natd_interface="x.x.x.x"       # first natd instance, bound to the ISP 1 address
natd2_enable="YES"
natd2_interface="y.y.y.y"      # second natd instance, bound to the ISP 2 address
natd2_flags="-p natd2"         # listen on divert port "natd2" (a name from /etc/services) instead of the default
In /etc/rc.firewall:
# EXTERNAL INTERFACE RULESET
# Spoof protection.
[...]
# NAT.
# Most specific first: internal traffic destined for ISP 2's block is
# translated by the second natd to y.y.y.y ...
${fwcmd} add divert natd2 ip from ${inet} to ${isp2_net} out
# ... and replies addressed to y.y.y.y go back through that same natd.
${fwcmd} add divert natd2 ip from any to y.y.y.y in
# Anything for y.y.y.y that natd2 did not claim is dropped.
${fwcmd} add deny ip from any to y.y.y.y in
# Everything else from the internal net is translated by the first natd to x.x.x.x.
${fwcmd} add divert natd ip from ${inet} to any out
${fwcmd} add divert natd ip from any to x.x.x.x in
${fwcmd} add deny ip from any to x.x.x.x in
Cheers,
--
Ruslan Ermilov Sysadmin and DBA,
ru@sunbay.com Sunbay Software Ltd,
ru@FreeBSD.org FreeBSD committer
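The following is an added example, not part of Ruslan's mail or of FreeBSD's own rc.firewall. It turns the rc.firewall fragment above into a small script that emits the complete dual-ISP ruleset, including the "ipfw fwd" source-based routing rules the mail mentions but does not show, and checks that the natd2 lane is ordered before the catch-all natd lane. All addresses, network blocks and gateway names are constructed placeholders (RFC 5737 documentation ranges); the variable names inet, isp2_net and fwcmd follow the mail, the rest (isp1_*, isp2_ip, isp2_gw, nat_lane, gen_rules, check_order) are this example's own. With the default fwcmd="echo ipfw" the script only prints the rules; set fwcmd=/sbin/ipfw to load them.

```shell
#!/bin/sh
# Added example (not from the original mail): generate the multi-NAT and
# source-based routing rules for a dual-ISP FreeBSD gateway.  All addresses
# below are constructed placeholders.  ${fwcmd} defaults to "echo ipfw", so
# running the script prints the rules instead of loading them.

inet="192.168.1.0/24"          # constructed: internal LAN
isp1_net="198.51.100.0/29"     # constructed: block assigned by ISP 1
isp1_ip="198.51.100.2"         # constructed: our public address in that block
isp1_gw="198.51.100.1"         # constructed: ISP 1 next hop
isp2_net="203.0.113.0/29"      # constructed: block assigned by ISP 2
isp2_ip="203.0.113.2"          # constructed: our public address in that block
isp2_gw="203.0.113.1"          # constructed: ISP 2 next hop
fwcmd=${fwcmd:-"echo ipfw"}    # dry run by default; fwcmd=/sbin/ipfw to apply

# Emit one NAT "lane" (hypothetical helper): divert outbound traffic matching
# $3 to natd port $1, divert inbound traffic for public address $2 to the same
# natd, and drop anything else addressed to that public address.
nat_lane() {
    natport=$1; pubip=$2; match=$3
    ${fwcmd} add divert "${natport}" ip from "${inet}" to ${match} out
    ${fwcmd} add divert "${natport}" ip from any to "${pubip}" in
    ${fwcmd} add deny ip from any to "${pubip}" in
}

# Full ruleset.  Order matters twice: the ISP-2-specific lane must precede
# the catch-all ISP-1 lane, and the fwd rules come after the divert rules
# because natd re-injects a translated packet at the rule following the
# divert, so fwd then matches on the public (post-NAT) source address.
gen_rules() {
    nat_lane natd2 "${isp2_ip}" "${isp2_net}"
    nat_lane natd  "${isp1_ip}" any
    # Source-based routing: packets sourced from an ISP's block leave via that ISP.
    ${fwcmd} add fwd "${isp1_gw}" ip from "${isp1_net}" to any out
    ${fwcmd} add fwd "${isp2_gw}" ip from "${isp2_net}" to any out
}

# Sanity check: the natd2 divert must come before the natd catch-all; with the
# order reversed, traffic for ISP 2's block would be translated to the ISP 1
# address and the natd2 lane would never match.
check_order() {
    rules=$(gen_rules)
    n2=$(printf '%s\n' "$rules" | grep -n 'divert natd2' | head -n 1 | cut -d: -f1)
    n1=$(printf '%s\n' "$rules" | grep -n 'divert natd ' | head -n 1 | cut -d: -f1)
    [ -n "$n2" ] && [ -n "$n1" ] && [ "$n2" -lt "$n1" ]
}

gen_rules
```

The two fwd rules are what make the second half of the mail work: once natd2 has rewritten a packet's source to the ISP 2 address, the kernel's single default route would still send it out through ISP 1, where the upstream will typically discard it as spoofed; fwd overrides the next hop per source block so each reply leaves through the provider that owns its address.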
