From owner-freebsd-ipfw@FreeBSD.ORG Sat May 5 21:23:40 2007
Message-ID: <33910a2c0705051423j53ad82aem5dc779ecba438d6b@mail.gmail.com>
Date: Sat, 5 May 2007 18:23:39 -0300
From: "Jason Hills"
To: "Patrick Tracanelli"
In-Reply-To: <56951.BUtUVAZEUwM=.1178338987.squirrel@webmail.freebsdbrasil.com.br>
References: <33910a2c0705041812s2aaf0b62t785e16abc0decee6@mail.gmail.com> <56951.BUtUVAZEUwM=.1178338987.squirrel@webmail.freebsdbrasil.com.br>
Cc: ipfw@freebsd.org
Subject: Re: Policy Routing natd+ipfw
List-Id: IPFW Technical Discussions

On 5/5/07, Patrick Tracanelli wrote:
> > How can I do policy routing with ipfw+natd?
> >
> > I started 2 natd processes, using natd.conf and natd2.conf
> > respectively, but things don't work. My rules are:
>
> Long time ago, PHK added an (undocumented, except for commit logs) feature
> in natd(8), called "instances". To use it, you can start a config file
> with the "instance" keyword followed with an identifier, and in a certain
> moment use the "instance" keyword again, with a second identifier. Each
> block will create different natd instances which can be used with
> independent configurations. However they are run by the same process.
>
> Here is an (production) example:

Very good, it worked fine. I am happy I can stop running 2 natds. It was ugly.

> To do so in your environment, divert packets to the second link when they
> reach the main outgoing interface (traditional path the packet would
> flow, according to routing table):
>
> divert 8669 ip from $net2 to any out via $ext_if1
>
> Yes, this WILL work. Packets will be diverted to second natd instance when
> it reaches the main outgoing interface (as main, I want you to read: the
> one used by default route).

It sounds like it worked. Packets hit the rule correctly, but I don't go to Internet.

> So, here you are forgetting another mandatory flow control: you have to
> send packets from your second-link IP address to your second-link gateway.
> IPFW's "fwd" action will do this like a charm =)

I believe this is why I don't get to internet. I didn't understand this ipfw fwd thing you mentioned. Could you give some example?

> >
> > divert 8668 ip from any to any via $ext_if1
> > divert 8669 ip from any to any via $ext_if2
> >
> > My defaultrouter is the one on $ext_if1.
> >
> > It works for port 8668 but doesn't work for 8669 (the second xDSL link)
> >
> > --
> > Jazzie Hills
>
>
> --
> Patrick Tracanelli
> (31) 3281 9633
> sip://313306@sip.freebsdbrasil.com.br
>
>

--
Jazzie Hills
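The setup Patrick describes (one natd process with two instances, the net2 divert on the default-route interface, then an ipfw "fwd" to the second link's gateway), written out as an added example that is not part of this thread. Interface names, addresses, networks, rule numbers and the natd instance names are assumed placeholders; the natd.conf directives are the natd(8) option names, and rule order is the point of the example.

```shell
#!/bin/sh
# Added example (not from this thread). Interface names, addresses, networks,
# rule numbers and natd instance names are placeholders: change them to match
# your hosts before loading. The "fwd" action needs kernel support (older
# FreeBSD kernels: options IPFIREWALL_FORWARD).
ext_if1="em0"             # link 1: carries the default route
ext_if2="em1"             # link 2: the second xDSL link
ext_ip2="203.0.113.10"    # public address on $ext_if2
gw2="203.0.113.1"         # next hop on link 2
net2="192.168.2.0/24"     # internal hosts that must leave via link 2

# One natd process, two instances: the first translates for link 1, the
# second for link 2 (natd.conf syntax; instance names are assumed).
natd_conf() {
cat <<EOF
instance link1
port 8668
interface $ext_if1
instance link2
port 8669
alias_address $ext_ip2
EOF
}

# ipfw rules in the order they must be evaluated:
#  100  net2 traffic heading out via the default-route interface is
#       translated to $ext_ip2 by the second natd instance; the diverted
#       packet re-enters at the next rule with its new source address
#  200  packets now sourced from $ext_ip2 are steered to link 2's gateway;
#       fwd is terminal, so the link-1 divert below never re-NATs them
#  300  replies arriving on link 2 are de-translated by the same instance
#  400  everything else on link 1 uses the first instance
build_rules() {
cat <<EOF
add 100 divert 8669 ip from $net2 to any out via $ext_if1
add 200 fwd $gw2 ip from $ext_ip2 to any out
add 300 divert 8669 ip from any to $ext_ip2 in via $ext_if2
add 400 divert 8668 ip from any to any via $ext_if1
add 500 allow ip from any to any
EOF
}

# Dry run by default; IPFW_APPLY=1 loads each rule with ipfw(8).
if [ "${IPFW_APPLY:-0}" = "1" ]; then
    build_rules | while read -r rule; do ipfw -q $rule; done
else
    build_rules
fi
```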