From: René Vestergaard <rve@techno-matic.dk>
To: freebsd-questions@freebsd.org
Date: Tue, 26 Feb 2008 15:10:41 +0100
Subject: IPFW2 script with natd and loadsharing

I am trying to have both natd (divert) and loadsharing (pipe/queue) in the same IPFW2 firewall script. It works partly.

That is, something is wrong because the pipe bandwidth does not at all match the measured one, and by using the log facility I found that the following packet enters the script at rule 11:

"TCP 207.46.211.119:80 192.168.12.150:1574 out via em0"

but it looks like it had just been translated by rule number 400.

The NIC with IP 192.168.10.248 is connected to the WAN and the NIC with IP 192.168.12.10 is connected to the LAN.

Here is my script:
------------------
# Firewall script (Kernel compilation: default-rule was set to allow)
ipfw -f -q flush
ipfw -q add 60000 allow all from any to any

# Log-facility (for debugging)
ipfw add 11 skipto 12 log all from any to any // Start

ipfw pipe 1 config bw 80KByte/s  # upload limit
ipfw pipe 2 config bw 800KByte/s # download limit

# Packets going in the download direction are translated by NATD
# to get the destination .12-subnet IP address
# (change destination ip address)
ipfw add 100 divert natd ip from any to 192.168.10.248 // Download

ipfw add 200 queue 1 ip from 192.168.12.0/24 to not 192.168.12.0/24 // Upload
ipfw queue 1 config weight 10 pipe 1 mask src-ip 0x000000ff

ipfw add 300 queue 2 ip from any to 192.168.12.0/24 // Download
ipfw queue 2 config weight 10 pipe 2 mask dst-ip 0x000000ff

# Packets going in the upload direction are translated by NATD
# to get the source IP address of the WAN NIC (and the port number is also changed)
ipfw add 400 divert natd ip from 192.168.12.0/24 to any // Upload
------------------

What is wrong?
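Added here as an illustration, not part of the mail: a small Python model of how ipfw walks the rule set above, assuming ipfw's documented behaviour that a forwarded packet is evaluated once on the inbound interface and once on the outbound one, that a packet natd reinjects continues at the rule after the divert rule, and that with net.inet.ip.fw.one_pass=1 (the default) a packet leaving a dummynet queue is not evaluated further while with 0 it continues at the next rule. The 192.168.12.150 client and the natd mapping are constructed from the log line in the mail; the trace shows the download hitting queue 2 on both passes, and the upload never reaching rule 400 unless one_pass is 0.

```python
import ipaddress
LAN = ipaddress.ip_network("192.168.12.0/24")
WAN_IP = ipaddress.ip_address("192.168.10.248")
LAN_CLIENT = ipaddress.ip_address("192.168.12.150")  # constructed: the natd mapping target

# (rule number, action, match predicate) mirroring rules 11..60000 of the script
RULES = [
    (11, "skipto 12", lambda p: True),
    (100, "divert natd", lambda p: p["dst"] == WAN_IP),
    (200, "queue 1", lambda p: p["src"] in LAN and p["dst"] not in LAN),
    (300, "queue 2", lambda p: p["dst"] in LAN),
    (400, "divert natd", lambda p: p["src"] in LAN),
    (60000, "allow", lambda p: True),
]

def natd(p):
    """Constructed natd model: rewrite dst inbound (WAN address -> client), src outbound."""
    q = dict(p)
    if p["dst"] == WAN_IP:
        q["dst"] = LAN_CLIENT
    elif p["src"] in LAN:
        q["src"] = WAN_IP
    return q

def walk(pkt, one_pass=True):
    """One pass through the rules: returns (matched rule numbers, packet after the pass)."""
    hits, i = [], 0
    while i < len(RULES):
        num, action, match = RULES[i]
        i += 1                                   # default: fall through to the next rule
        if not match(pkt):
            continue
        hits.append(num)
        if action.startswith("skipto"):          # jump to the first rule >= target
            target = int(action.split()[1])
            i = next(k for k, r in enumerate(RULES) if r[0] >= target)
        elif action.startswith("divert"):        # natd reinjects at the next rule
            pkt = natd(pkt)
        elif action == "allow" or one_pass:      # allow ends the pass, and so does a
            break                                # queue when one_pass=1
    return hits, pkt

def trace(pkt, one_pass=True):
    """A forwarded packet is evaluated on the inbound NIC and again on the outbound NIC."""
    hits_in, pkt = walk(pkt, one_pass)
    hits_out, pkt = walk(pkt, one_pass)
    return hits_in, hits_out, pkt

# Constructed packets from the log line in the mail (IP layer only, ports ignored)
DOWNLOAD = {"src": ipaddress.ip_address("207.46.211.119"), "dst": WAN_IP}
UPLOAD = {"src": LAN_CLIENT, "dst": ipaddress.ip_address("207.46.211.119")}
```

Call trace(DOWNLOAD) or trace(UPLOAD, one_pass=False) to see the rule numbers hit on each pass and the addresses the packet leaves with.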