From: "Andrew White" <andywhite@gmail.com>
To: "PFS IT"
Cc: freebsd-ipfw@freebsd.org, freebsd-questions@freebsd.org
Date: Fri, 19 May 2006 15:59:18 -0700
Subject: Re: IPFW - Two External Interfaces

your rules don't forward ping to isp2, only port 80 ... try

00400 divert 8869 ip from any to any in via bge1
00450 divert 8868 ip from any to any in via em0
00500 check-state

#Check for internal_system port 80 traffic
0600 skipto 900 from $internal_system to $remote_system 80 keep-state

#Send Most Traffic out via bge1
00700 divert 8869 ip from $local_net to any in keep-state
00750 divert 8869 ip from $local_net to any out keep-state

#Send "special" traffic out via em0
00900 divert 8868 ip from $local_net to any in
00950 divert 8868 ip from $local_net to any out

#policy route to get traffic to the correct ISP
02000 fwd $isp2_gw ip from $isp2_ip to any
02500 fwd $isp1_gw ip from $isp1_ip to any

65000 allow ip from any to any

---

the key to this config is line 600, whatever it matches will go to line 700 and get the isp address, then get routed to isp 2. With this config a ping won't match, only a port 80 or http request ...

.Andrew

On 5/16/06, PFS IT wrote:
>
> I am attempting to use IPFW (and either IPNAT or natd) to do the
> following:
>
> I have two connections to the outside world coming in to my firewall.
> em0 has a static ip and is going to a bridged DSL connection, then
> bge1 has a static ip and is going to a few bonded DS1s. bge0 goes to
> my internal network. I am attempting to have NAT on both external
> interfaces, and have most outbound traffic move across bge1, while
> traffic from/to a particular internal system (We'll call it
> internal_system for purposes of this message) to/from a particular
> remote system (This we'll call remote_system) port 80 moves across
> the DSL line on em0.
>
> Here is an attempt at a pretty ascii picture
>
> ISP 1
> [192.168.2.254]
> |
> |
> [bge1:192.168.2.1]
> FIREWALL[bge0:10.0.0.1]-------[10.0.0.2]internal_system
> [em0:192.168.1.1]
> |
> |
> [192.168.1.254]
> ISP 2
>
> Here are the rules I've tried using in conjunction with natd:
>
> #Send incoming traffic to natd
> 00400 divert 8869 ip from any to any in via bge1
> 00450 divert 8868 ip from any to any in via em0
> 00500 check-state
>
> #Check for internal_system port 80 traffic
> 0600 skipto 900 from $internal_system to $remote_system 80
>
> #Send Most Traffic out via bge1
> 00700 divert 8869 ip from $local_net to any in
> 00750 divert 8869 ip from $local_net to any out
>
> #Send "special" traffic out via em0
> 00900 divert 8868 ip from $internal_system to $remote_system 80 in
> 00950 divert 8868 ip from $remote_system to $remote_system 80 out
>
> #policy route to get traffic to the correct ISP
> 02000 fwd $isp2_gw ip from $isp2_ip to any
> 02500 fwd $isp1_gw ip from $isp1_ip to any
>
> Two instances of natd are running, one on port 8868 with an alias
> address of $isp1_ip, the other is on port 8869 with an alias address
> of $isp2_ip
>
> With the above ipfw rules in place, a
>
> $ ping -S $isp2_ip google.com
>
> Should result in a ping across em0 to google, however it acts as
> though it cannot even reach the $isp2_gw.
>
> I have been able to get everything to work exactly as I want it to
> using pf on FreeBSD, but I've been told that ipfw is preferred within
> the organization.
>
> Any suggestions would be greatly appreciated.
>
> Jared Baldridge
> Systems Administrator
> PFS
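The reply's point is that ipfw evaluates rules first-match and that `skipto` only diverts the traffic rule 600 actually matches. As an added illustration (not code from either poster), this small Python model walks the outbound part of the reply's ruleset for three packets; `$internal_system` is 10.0.0.2 from the ASCII diagram, while `$remote_system` and `$local_net` are constructed placeholders.

```python
import ipaddress

# Constructed stand-ins for the macros in the post: $internal_system is
# 10.0.0.2 per the diagram; the other two are placeholders.
INTERNAL_SYSTEM = "10.0.0.2"
REMOTE_SYSTEM = "198.51.100.10"
LOCAL_NET = "10.0.0.0/24"

# Rule: (number, action, arg, src, dst, dport, direction).
# dport None = no port spec; direction None = matches "in" and "out".
# This is the part of the reply's ruleset that outbound traffic reaches.
RULES = [
    (600, "skipto", 900, INTERNAL_SYSTEM, REMOTE_SYSTEM, 80, None),
    (700, "divert", 8869, LOCAL_NET, "any", None, "in"),
    (750, "divert", 8869, LOCAL_NET, "any", None, "out"),
    (900, "divert", 8868, LOCAL_NET, "any", None, "in"),
    (950, "divert", 8868, LOCAL_NET, "any", None, "out"),
    (65000, "allow", 0, "any", "any", None, None),
]

def addr_match(spec, ip):
    """spec is 'any', a single address or a CIDR network."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def matches(rule, pkt):
    """pkt = (src, dst, dport, direction); dport is None for ICMP (ping)."""
    _, _, _, src, dst, dport, direction = rule
    psrc, pdst, pdport, pdir = pkt
    if direction is not None and direction != pdir:
        return False
    if dport is not None and pdport != dport:
        return False  # a port spec never matches a portless packet such as ping
    return addr_match(src, psrc) and addr_match(dst, pdst)

def first_match(pkt):
    """Walk the chain first-match style; skipto resumes at the first rule
    numbered >= its target. Returns (rule number, action, arg)."""
    i = 0
    while i < len(RULES):
        rule = RULES[i]
        if not matches(rule, pkt):
            i += 1
            continue
        number, action, arg = rule[:3]
        if action == "skipto":
            i = next(k for k, r in enumerate(RULES) if r[0] >= arg)
            continue
        return number, action, arg
    raise RuntimeError("no rule matched")  # real ipfw has an implicit default rule

if __name__ == "__main__":
    print(first_match((INTERNAL_SYSTEM, REMOTE_SYSTEM, 80, "out")))    # (950, 'divert', 8868)
    print(first_match((INTERNAL_SYSTEM, REMOTE_SYSTEM, None, "out")))  # (750, 'divert', 8869)
```

Only the HTTP flow from internal_system lands on natd 8868; the ping from the same host, and anything from other hosts, is handed to natd 8869 by rule 750.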