Date: Tue, 27 Dec 2005 02:38:18 +0600
From: "mitrohin a.s." <swp@swp.pp.ru>
To: freebsd-net@freebsd.org
Subject: ipfw forward bug?
Message-ID: <20051226203817.GA27151@swp.pp.ru>
Hello. I have a strange problem with a forward rule.

isp1                   +----------+
<-----[fxp0:x.x.x.1/24] router_1 [re0:10.200.1.1/24]--------+
                       |           [xl2:10.4.2.1/24]---+    |
                       +----------+                    |    |
                       +--------+                      |    |
                       | host_1 [10.4.2.121/24]--------+    |
                       +--------+                           |
                                                            |
isp2                      +----------+                      |
<-----[xl2:172.16.42.2/24] router_2 [re0:10.200.1.2/24]-----+
                          +----------+

router_1 propagates the default route via fxp0 (isp1) for the local network.
router_2 has a link via xl2 to isp2 and a default route to 10.200.1.1.
I want to lead the external traffic of host_1 via isp2, but have run into trouble.

router_2 ipfw rules:

root@main# ipfw -c show
00100 321246 89176165 allow via lo0
00200     40     2000 deny { src-ip 127.0.0.0/8 or dst-ip 127.0.0.0/8 }
00400   7226   231262 allow dst-ip 224.0.0.0/4
00500 354153 88470867 allow src-ip 10.0.0.0/8 dst-ip 10.0.0.0/8
00600      0        0 check-state
00700     65     5460 skipto 50000 log proto icmp dst-ip 10.4.2.121 in keep-state
00800      0        0 skipto 50000 log proto icmp dst-ip 10.4.2.121 out keep-state
00900      0        0 skipto 50000 log proto icmp src-ip 10.4.2.121 in keep-state
01000      0        0 skipto 50000 log proto icmp src-ip 10.4.2.121 out keep-state
01800 133396 44504758 allow
50000     32     2688 fwd 172.16.42.1 log src-ip 10.4.2.121 in
50100  26445  5425866 allow

! Rules 800, 900 and 1000 are for testing only.

Now make a ping from an external host.

-bash-2.05b$ ping -c 1 olymp.uni-altai.ru
PING olymp.uni-altai.ru (83.246.136.148): 56 data bytes

--- olymp.uni-altai.ru ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

! The isp2 Cisco NATs 83.246.136.145 to 10.4.2.121 and vice versa.
router_2 security.log contains:

Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:8.0 80.71.162.250 10.4.2.121 in via xl2
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:8.0 80.71.162.250 10.4.2.121 out via re0
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
Dec 27 00:52:22 main kernel: ipfw: 50000 Forward to 172.16.42.1 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ FORWARD !!!
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 out via re0
                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ BUT GOES TO THE DEFAULT ROUTE !!!
...

Why "out via re0"? I expected "out via xl2". And it loops:

Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
Dec 27 00:52:22 main kernel: ipfw: 50000 Forward to 172.16.42.1 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 out via re0
...
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
Dec 27 00:52:22 main kernel: ipfw: 50000 Forward to 172.16.42.1 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 out via re0
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
Dec 27 00:52:22 main kernel: ipfw: 50000 Forward to 172.16.42.1 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 out via re0
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
Dec 27 00:52:22 main kernel: ipfw: 50000 Forward to 172.16.42.1 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0

send-pr?

/swp
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051226203817.GA27151>
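The log above shows the symptom in raw form: a packet hits the fwd rule on input and is then logged leaving on re0, and the same echo reply is forwarded again and again within one second. The following is an added example, not part of the original message and not FreeBSD or ipfw code, that turns those two symptoms into a check over ipfw log lines: it parses the "rule action proto src dst in|out via iface" format seen above, flags flows that were forwarded on input but then left on an interface other than the one the next hop lives on, and flags flows forwarded more than once in the same second. The next-hop-to-interface table (172.16.42.1 on xl2, read off the topology in the post), the two extra TCP lines and the "Accept" lines in the sample are constructed assumptions for this example.

```python
"""Check ipfw log lines for fwd packets that leave on the wrong interface or loop.

Added example, not from the original post or from ipfw itself.  Flags:
  1. a flow that hit "Forward to <nexthop>" on input and was then logged
     "out via" an interface other than the one the next hop sits on;
  2. a flow forwarded more than once within the same second (a loop hint).
"""
import re
from collections import Counter

# Constructed assumption: which interface each fwd next hop is reachable on.
# For the topology in the post, 172.16.42.1 is on router_2's xl2 (172.16.42.2/24).
NEXTHOP_IFACE = {"172.16.42.1": "xl2"}

# Constructed sample in the posted log's format: the ICMP lines mirror the
# post; the TCP lines are made up to show a flow that is forwarded correctly.
SAMPLE_LOG = """\
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:8.0 80.71.162.250 10.4.2.121 in via xl2
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:8.0 80.71.162.250 10.4.2.121 out via re0
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
Dec 27 00:52:22 main kernel: ipfw: 50000 Forward to 172.16.42.1 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 out via re0
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
Dec 27 00:52:22 main kernel: ipfw: 50000 Forward to 172.16.42.1 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 out via re0
Dec 27 00:52:23 main kernel: ipfw: 50000 Forward to 172.16.42.1 TCP 10.4.2.121:49152 80.71.162.250:80 in via re0
Dec 27 00:52:23 main kernel: ipfw: 50100 Accept TCP 10.4.2.121:49152 80.71.162.250:80 out via xl2
"""

# <timestamp> <host> kernel: ipfw: <rule> <action...> <proto> <src> <dst> <in|out> via <iface>
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>.+?) "
    r"(?P<proto>[A-Z]+(?::\d+\.\d+)?) "
    r"(?P<src>[\d.]+(?::\d+)?) (?P<dst>[\d.]+(?::\d+)?) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)


def parse(log_text):
    """Return one dict per ipfw log line; lines that do not parse are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            # ICMP lines carry type.code after the colon; drop it so the
            # flow key (proto, src, dst) is stable across the logged hops.
            ev["flow"] = (ev["proto"].split(":")[0], ev["src"], ev["dst"])
            events.append(ev)
    return events


def find_fwd_mismatches(events, nexthop_iface):
    """(flow, nexthop, out_iface) for each forwarded packet that left on the wrong interface."""
    pending = {}  # flow -> next hop recorded by the most recent Forward on input
    findings = []
    for ev in events:
        if ev["dir"] == "in" and ev["action"].startswith("Forward to "):
            pending[ev["flow"]] = ev["action"].split()[-1]
        elif ev["dir"] == "out" and ev["flow"] in pending:
            nexthop = pending.pop(ev["flow"])
            expected = nexthop_iface.get(nexthop)
            if expected is not None and ev["iface"] != expected:
                findings.append((ev["flow"], nexthop, ev["iface"]))
    return findings


def forward_loops(events):
    """{(timestamp, flow): n} for flows forwarded more than once within one second."""
    hits = Counter(
        (ev["ts"], ev["flow"])
        for ev in events
        if ev["dir"] == "in" and ev["action"].startswith("Forward to ")
    )
    return {key: n for key, n in hits.items() if n > 1}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for flow, nexthop, iface in find_fwd_mismatches(evs, NEXTHOP_IFACE):
        print(f"fwd {nexthop} not honoured: {flow} left via {iface}, expected {NEXTHOP_IFACE[nexthop]}")
    for (ts, flow), n in forward_loops(evs).items():
        print(f"{ts}: {flow} forwarded {n} times in one second (loop?)")
```

Run it against a real security.log by replacing SAMPLE_LOG with the file contents; on the posted log it reports the ICMP echo-reply flow twice as "fwd 172.16.42.1 not honoured ... left via re0, expected xl2" and once as a loop, while the constructed TCP flow, which leaves via xl2 as the fwd rule intends, is silent.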