From: Kim Attree
To: freebsd-ipfw@freebsd.org
Date: Mon, 6 Jul 2009 10:36:18 +0200
Subject: Problem with source based policy routing

Hey Guys,

I'm having a problem with source-based policy routing in IPFW; I'm trying to run a load-balanced SMTP system over two links.
Primary link is re0; let's give it an IP of 192.168.1.1.
Secondary link is re1, with an IP of 192.168.2.1.
Default gateway for the box is 192.168.1.254 (so ALL outgoing traffic goes out of re0, unless hardcoded into the routing table for destinations instead).
Default gateway for re1 is 192.168.2.254.

I want re1 to be able to accept SMTP, but respond to the originating IP over the same link re1 (instead of the default gateway).

With this in mind, I set up my NAT accordingly:

    port 8669
    alias_address 192.168.2.1
    same_ports yes
    use_sockets yes
    log_ipfw_denied yes
    redirect_port tcp 10.0.0.1:25 192.168.2.1:25

And the IPFW rules as such:

    # NATD Statements
    add 00097 divert 8668 all from any to any via re0
    add 00097 divert 8669 all from any to any via re1

    # Testing incoming SMTP over re1
    add 00098 skipto 00100 tcp from any to not 192.168.2.1
    add 00099 fwd 192.168.2.254 tcp from any to any

Tcpdump shows packets coming in:

    #> tcpdump -n -i re1 port 25
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on re1, link-type EN10MB (Ethernet), capture size 96 bytes
    11:15:41.594659 IP xxx.xxx.xxx.xxx.2097 > 192.168.2.1.25: S 842708044:842708044(0) win 65535
    11:15:44.596798 IP xxx.xxx.xxx.xxx.2097 > 192.168.2.1.25: S 842708044:842708044(0) win 65535
    11:15:50.617271 IP xxx.xxx.xxx.xxx.2097 > 192.168.2.1.25: S 842708044:842708044(0) win 65535
    ^C
    3 packets captured
    566 packets received by filter
    0 packets dropped by kernel

But nothing going out:

What am I doing wrong ???
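Tracing the posted rules with ipfw's first-match, top-to-bottom semantics, as an added illustration that is not part of the original mail: after natd's redirect_port rewrites the inbound SYN's destination to 10.0.0.1, neither that packet nor the reply to the remote client has 192.168.2.1 as its destination, so both take the skipto at rule 98 and never reach the fwd at rule 99. Rule 100 is a constructed "allow" placeholder, the client address 203.0.113.9 is constructed, and the 8668 natd instance (whose config is not shown) is modelled as a no-op.

```python
from collections import namedtuple
# proto, source, destination, destination port, interface the packet is seen "via"
Packet = namedtuple("Packet", "proto src dst dport iface")

# (number, action, argument, proto, (negate, dst_host) or None, via or None)
RULES = [
    (97, "divert", 8668, "ip", None, "re0"),
    (97, "divert", 8669, "ip", None, "re1"),
    (98, "skipto", 100, "tcp", (True, "192.168.2.1"), None),  # "to not 192.168.2.1"
    (99, "fwd", "192.168.2.254", "tcp", None, None),
    (100, "allow", None, "ip", None, None),                    # constructed placeholder
]

def natd(port, pkt):
    """natd 8669 as posted: redirect_port tcp 10.0.0.1:25 192.168.2.1:25.
    The 8668 instance's config is not in the mail, so it is a no-op here."""
    if port == 8669 and pkt.proto == "tcp" and (pkt.dst, pkt.dport) == ("192.168.2.1", 25):
        return pkt._replace(dst="10.0.0.1")
    return pkt

def matches(rule, pkt):
    _, _, _, proto, dst_match, via = rule
    if proto != "ip" and proto != pkt.proto:
        return False
    if via is not None and via != pkt.iface:
        return False
    if dst_match is None:
        return True
    negate, host = dst_match
    return (pkt.dst != host) if negate else (pkt.dst == host)

def trace(pkt):
    """Walk the rules top to bottom; return ([(rule, action), ...], final packet)."""
    hits, i = [], 0
    while i < len(RULES):
        rule = RULES[i]
        if not matches(rule, pkt):
            i += 1
            continue
        num, action, arg = rule[:3]
        hits.append((num, action))
        if action == "divert":      # natd rewrites, then re-injects after this rule
            pkt, i = natd(arg, pkt), i + 1
        elif action == "skipto":    # resume at the first rule numbered >= arg
            i = next(j for j, r in enumerate(RULES) if r[0] >= arg)
        else:                       # fwd / allow end the search
            return hits, pkt
    return hits, pkt

INBOUND = Packet("tcp", "203.0.113.9", "192.168.2.1", 25, "re1")  # constructed client address
REPLY = Packet("tcp", "10.0.0.1", "203.0.113.9", 2097, "re0")     # reply leaves via the default route
```

Only a TCP packet whose destination is exactly 192.168.2.1 can fall through rule 98 to the fwd at 99, and the divert at 97 has already rewritten that destination for the traffic arriving on re1.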