From owner-freebsd-net@FreeBSD.ORG Mon Dec 8 21:15:13 2008
From: "Eric W. Bates" <ericx@vineyard.net>
To: freebsd-net@freebsd.org
Date: Mon, 08 Dec 2008 16:06:20 -0500
Message-ID: <493D8C4C.5030105@vineyard.net>
Subject: [Fwd: ipfw policy routing esp]

I forgot to mention: we are using 6.2-RELEASE-p1.

-------- Original Message --------
Subject: ipfw policy routing esp
Date: Mon, 08 Dec 2008 15:57:35 -0500
From: Eric W. Bates <ericx@vineyard.net>
To: freebsd-net@freebsd.org

We have a bewildering problem attempting to policy route esp traffic.

We have 2 upstream internet sources: a routable T1 and a cable modem. The cable modem provides better bandwidth, so while we default to the T1, we use policy routing to send some of our traffic out the cable modem. In particular we use the cable modem for all the port 80 traffic via squid. squid's source IP is the one belonging to the cable network and we have the following ipfw rule for the policy route:

    ${fwcmd} add 64902 fwd ${cable_gw} ip from ${net_wan3_local} to any

cable_gw is the cable company's router. net_wan3_local is the cable company's IP on our external interface.

This works great for all port 80 tcp traffic.

To this we added some IPSec. Racoon is hanging off the same ${net_wan3_local} and the udp port 500 traffic passes in and out through the cable interface as we hoped.

The bewildering part is that while the esp traffic can demonstrably be seen to be hitting the policy route rule, those packets continue to pass out the default route to the T1 rather than being forwarded to the cable router as we want.

Any thoughts? Is this a known problem?

Thank you for your time.

-- 
Eric W. Bates
ericx@vineyard.net
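Added example, not from the post above: the poster's policy route rewritten so that IKE (udp 500), ESP and the catch-all each get their own fwd rule and therefore their own counter in `ipfw -a show`, plus a small parser for those counters. This goes beyond the single rule in the post; the addresses are constructed placeholders and `fwcmd` defaults to a dry-run `echo ipfw` so the script runs on any host.

```shell
#!/bin/sh
# Added example (not the poster's script). Dry-run by default: on the router
# set fwcmd=/sbin/ipfw. Addresses below are constructed placeholders.
fwcmd="${fwcmd:-echo ipfw}"
cable_gw="${cable_gw:-198.51.100.1}"                # cable company's router (constructed)
net_wan3_local="${net_wan3_local:-198.51.100.20}"   # our address on the cable network (constructed)

# Emit the policy-route rules. Protocol-specific rules come first so their
# counters show whether IKE and ESP are matched independently of the
# catch-all 'ip' rule from the post (64902).
policy_rules() {
    ${fwcmd} add 64900 fwd "${cable_gw}" udp from "${net_wan3_local}" 500 to any   # IKE
    ${fwcmd} add 64901 fwd "${cable_gw}" esp from "${net_wan3_local}" to any       # ESP
    ${fwcmd} add 64902 fwd "${cable_gw}" ip from "${net_wan3_local}" to any        # rest (squid, port 80)
}

# Read 'ipfw -a show' output on stdin and print "<rule> <packets>" for the
# three policy-route rules. A non-zero ESP count on 64901 while tcpdump on the
# T1 interface still shows ESP leaving there narrows the problem to fwd
# handling rather than rule matching.
fwd_counters() {
    awk '$1 >= 64900 && $1 <= 64902 && $4 == "fwd" { print $1 + 0, $2 }'
}
```

Run `policy_rules` to print (or, with fwcmd set, install) the rules, and `ipfw -a show | fwd_counters` to watch the per-protocol hit counts.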