From: Lev Serebryakov (lev@FreeBSD.org)
Date: Tue, 27 Jan 2015 13:59:22 +0300
To: net@FreeBSD.org
Subject: ipfw, source-based routing, "forward" action and unknown GW address
Message-ID: <54C76F8A.4070104@FreeBSD.org>
List: freebsd-net (Networking and TCP/IP with FreeBSD)

I have a typical task at hand: two providers, no AS, no real IPv4 addresses in the network, IPv4 NAT for both connections. The typical solution for this task is two NATs, a "global" rule for outgoing packets and two "forward" rules based on source address after "nat global", am I right?

But here is the problem: the "forward" rule uses a "next hop IP", and one of my providers changes this IP from time to time. It assigns the same IP to me (I'm paying for a "fixed IP") via DHCP, but the "default router" option could be different (looks like load-balancing). Is there any way to solve this "source based routing" problem without changing the rules in the firewall on each DHCP lease re-acquisition?

-- 
// Lev Serebryakov
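One way to keep the forward rule in step with a next hop that the provider changes on each lease, added here as an example and not taken from Lev's mail or from any reply on the list: read the current default router and fixed address out of the dhclient(8) lease file for the provider's interface and regenerate the ipfw "fwd" rule from there, refusing to touch the rule set if either value is missing. The rule number (2100), the interface name (em1), the lease-file path, the exit-hook wiring and the sample lease contents are all assumptions or constructed for the example.

```shell
#!/bin/sh
# Added example for the two-provider setup in the mail above. Nothing here is
# from the original message: rule number, interface, lease path and the sample
# lease below are assumptions made for illustration.
set -u

LEASE_FILE="${LEASE_FILE:-/var/db/dhclient.leases.em1}"   # assumed lease path
FWD_RULE=2100                                             # assumed ipfw rule number

# Last value recorded for a lease-file key ($1) in file $2. dhclient(8) appends
# each new lease at the end of the file, so the last block is the current one.
# Only the first value is taken when a key lists several (e.g. two routers).
lease_last() {
    awk -v key="$1" '
        BEGIN { n = split(key, kw, " ") }
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, key " ") == 1 { v = $(n + 1); sub(/[;,]$/, "", v) }
        END { print v }' "$2"
}

lease_gateway()       { lease_last "option routers" "$1"; }
lease_fixed_address() { lease_last "fixed-address"  "$1"; }

# ipfw commands that repoint provider B's forward rule: drop the old rule and
# add it back with the fresh next hop. The match is on source address, i.e. the
# address provider B assigned us and "nat global" has just rewritten packets to.
# $1 = rule number, $2 = our address on provider B, $3 = next hop
fwd_rule_commands() {
    printf 'ipfw -q delete %s\n' "$1"
    printf 'ipfw add %s fwd %s ip from %s to any\n' "$1" "$3" "$2"
}

# Print the commands for the current lease ($1) and rule number ($2).
# Returns 1 and prints nothing if the gateway or address cannot be read, so a
# truncated or half-written lease file never yields a rule with an empty hop.
refresh_fwd_rule() {
    gw=$(lease_gateway "$1") || return 1
    addr=$(lease_fixed_address "$1") || return 1
    [ -n "$gw" ] && [ -n "$addr" ] || return 1
    fwd_rule_commands "$2" "$addr" "$gw"
}

# Constructed sample lease file: two leases for em1 with the same fixed address,
# but the newer (current) lease carries a different default router.
SAMPLE_LEASE='lease {
  interface "em1";
  fixed-address 198.51.100.77;
  option subnet-mask 255.255.255.0;
  option routers 198.51.100.1;
  renew 2 2015/01/27 11:30:00;
}
lease {
  interface "em1";
  fixed-address 198.51.100.77;
  option subnet-mask 255.255.255.0;
  option routers 198.51.100.9;
  renew 2 2015/01/27 13:30:00;
}'

# Write the sample lease to a temp file and print its path.
sample_lease_file() {
    f=$(mktemp "${TMPDIR:-/tmp}/lease.XXXXXX") || return 1
    printf '%s\n' "$SAMPLE_LEASE" > "$f"
    printf '%s\n' "$f"
}

# Show what would be run for the sample lease (nothing is executed).
demo() {
    f=$(sample_lease_file) || return 1
    refresh_fwd_rule "$f" "$FWD_RULE"
    rm -f "$f"
}

# Assumed hook wiring: dhclient-script sources /etc/dhclient-exit-hooks with
# $reason set, so a line such as the following there applies the rule on each
# (re)acquisition:
#   case $reason in BOUND|RENEW|REBIND|REBOOT)
#       refresh_fwd_rule "$LEASE_FILE" "$FWD_RULE" | sh ;; esac
if [ "${1:-}" = demo ]; then demo; fi
```

Run with `sh script.sh demo` to see the two ipfw commands for the sample lease. The forward rule is rebuilt only from values actually present in the lease, and the delete/add pair keeps the rule number stable so the rest of the rule set is unaffected; if the hook interface exports the new router directly (FreeBSD's dhclient-script sets variables such as $new_routers, to my reading of it), that value can be passed to fwd_rule_commands in place of the lease-file parse.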