Date:      Tue, 16 Aug 2005 00:38:09 -0700
From:      Julian Elischer <julian@elischer.org>
To:        Donatas <donatas@lrtc.net>
Cc:        freebsd-net@freebsd.org
Subject:   Re: routing problem (with corrected scheme)
Message-ID:  <430197E1.9060803@elischer.org>
In-Reply-To: <000d01c5a223$53799840$0500a8c0@donatas>
References:  <026001c59e7a$c6ca69c0$9f90a8c0@donatas> <42FBC0AE.8020803@elischer.org> <027701c59f02$0eb808a0$9f90a8c0@donatas> <42FCF148.5010400@elischer.org> <000d01c5a223$53799840$0500a8c0@donatas>

Donatas wrote:
> Hello Julian,
> 
> 
>> Do the users have to have real IP addresses or can they have NAT'd addresses? In other words,
>> do they have INCOMING sessions or just outgoing sessions?
> 
> actually there are hundreds of users with registered (real) IPs. So NAT'ing, looking the most
> logical solution, in this case can't be realized.
> 
> 
>> If the latter then you could put a NATD on each of the vlan interfaces on the user router, so
>> that the return packets will automatically go back to the vlan from which they came.
> 
> 
>> Why do you need DIFFERENT VLANS between the two routers for data that will eventually go to
>> different places? Why can't that decision be made on the core router? Is it just so you can
>> shape traffic between the two routers? why not do the shaping on the core router?
> 
> as far as shaping of the unsecure zone cannot be realized on the core router (due to the enormous load of
> the machine), we must put those options on the user router. We need to shape USA and EUROPE traffic
> separately and differently per user. Using ipfw that traffic can be recognized only using two
> different interfaces. We can't avoid usage of VLANs by adding an additional physical interface on the
> core router, but it won't solve the inbound-routes problem.
> 
> 
>> actually you should be able to do it with ipfw's 'fwd' rule without NAT.
>> ipfw add 1000 fwd  ip4 ip from any to ${USER_NETWORK} in recv em0
>> ipfw add 1001 fwd  ip3 ip from any to ${USER_NETWORK} in recv em1
> 
> yes, I've been thinking of "fwd" rules, but as I have already mentioned - there are hundreds of
> real IPs behind the user router, all of them in different (mixed) subnets. Core router's
> average CPU load (running on dual Xeon 2.8) is 80%. We can't describe all inbound traffic with two
> ipfw rules because of the subnet difference. If we put several hundred fwd rules on the core router,
> it will simply fail. And the number of these rules has a tendency to increase by about 40/month.
> So, the only solution in this case seems to be routing back to those two USA and EUROPE VLANs.


Actually, I just realised that you do not need to specify each subnet
and you can do it with just 1 firewall rule.

You make all the routes for the customers use only one
of the VLANs, and then you use the fwd rule to divert those that
came in through one of the trunks (say the Europe trunk) to use the
other VLAN.

e.g.

for each customer:
route add $CUSTOMER_NET1 ip3
route add $CUSTOMER_NET2 ip3


then for the firewall you just need to add one simple rule:

ipfw add 1000 fwd ip4 ip from any to any out recv em0 xmit vlan{mumble}

where vlan{mumble} is the VLAN that goes to ip3

this says
"if you are going out and you are going to ip3 but came in on em0
then go to ip4 instead."


The trick is to do it on OUTPUT processing so that the route has
already been chosen and to filter on that.
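The decision sequence described above (route lookup first, then an ipfw fwd rule matched in the output pass on both the receiving and the transmitting interface) can be modelled in a few dozen lines. The following is an added illustration written for this page, not code from the thread or from FreeBSD's ipfw or routing code. It assumes constructed addresses and interface names: ip3 on vlan3, ip4 on vlan4, trunks em0 and em1, a handful of customer networks of mixed sizes, and a default route. It also goes slightly beyond the message by showing what happens to a destination that is not a customer network and to a packet that arrived on the other trunk, so that the rule's effect stays limited to the return path it is meant to fix.

```python
"""Toy model of the policy-routing trick from the thread: one route per customer
network pointing at ip3, plus a single ipfw 'fwd' rule evaluated on OUTPUT that
redirects packets which arrived on em0 and would leave via ip3's VLAN to ip4.
This is an illustration written for this page, not FreeBSD's ipfw or routing
code; every address and interface name below is constructed."""
import ipaddress

# Constructed addressing (assumption): ip3 sits on vlan3, ip4 on vlan4.
IP3 = ipaddress.ip_address("10.0.3.2")
IP4 = ipaddress.ip_address("10.0.4.2")

# Routing table: network -> (gateway, or None when directly connected; interface)
routes = {}
# ipfw 'fwd' rules checked in the output pass: (recv_iface, xmit_iface, new_gateway)
fwd_rules = []


def add_connected(prefix, iface):
    routes[ipaddress.ip_network(prefix)] = (None, iface)


def route_lookup(dst):
    """Longest-prefix match over the table; returns (gateway, iface) or None."""
    best_net, best_entry = None, None
    for net, entry in routes.items():
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_entry = net, entry
    return best_entry


def add_route(prefix, gateway):
    """Like 'route add $NET $GW': the outgoing interface is whichever one
    reaches the gateway, so every customer route lands on ip3's VLAN."""
    gw = ipaddress.ip_address(gateway)
    entry = route_lookup(gw)
    if entry is None or entry[0] is not None:
        raise ValueError(f"gateway {gw} is not on a directly connected network")
    routes[ipaddress.ip_network(prefix)] = (gw, entry[1])


def add_fwd_rule(recv_iface, xmit_iface, new_gateway):
    """Like 'ipfw add fwd $GW ip from any to any out recv $RECV xmit $XMIT'."""
    fwd_rules.append((recv_iface, xmit_iface, ipaddress.ip_address(new_gateway)))


def forward(dst, recv_iface):
    """Decide where a packet for dst that arrived on recv_iface is sent.
    Returns (next_hop, out_iface) after the output-stage fwd check, or None
    when there is no route at all."""
    dst = ipaddress.ip_address(dst)
    entry = route_lookup(dst)
    if entry is None:
        return None
    gateway, out_iface = entry
    next_hop = gateway if gateway is not None else dst
    # Output processing: the routing decision is already made, so the rule
    # can match on both the receiving and the transmitting interface.
    for rule_recv, rule_xmit, new_gw in fwd_rules:
        if recv_iface == rule_recv and out_iface == rule_xmit:
            return new_gw, route_lookup(new_gw)[1]
    return next_hop, out_iface


def build_example():
    """Core router from the thread, with constructed numbers: two trunks
    (em0, em1), two VLANs to the user router, a default route, and customer
    networks of mixed sizes that all point at ip3."""
    routes.clear()
    fwd_rules.clear()
    add_connected("10.0.3.0/24", "vlan3")
    add_connected("10.0.4.0/24", "vlan4")
    add_connected("192.0.2.0/30", "em0")
    add_connected("192.0.2.4/30", "em1")
    add_route("0.0.0.0/0", "192.0.2.1")
    for net in ("203.0.113.0/26", "203.0.113.128/25", "172.16.40.0/22"):
        add_route(net, str(IP3))
    # The single rule: came in on em0, about to leave on ip3's VLAN -> use ip4.
    add_fwd_rule("em0", "vlan3", str(IP4))


if __name__ == "__main__":
    build_example()
    for dst, recv in (("203.0.113.5", "em0"), ("203.0.113.5", "em1"),
                      ("172.16.43.9", "em0"), ("198.51.100.77", "vlan3")):
        print(dst, "in", recv, "->", forward(dst, recv))
```

Two things worth checking on a real box before relying on this: the rule only fires when the route lookup has already picked ip3's VLAN, which is why it must be an `out` rule rather than an `in` one, and on FreeBSD of that era `fwd` only takes effect when the kernel was built with `options IPFIREWALL_FORWARD`. Traffic that is not bound for a customer network (the default-route case in the model) is untouched, and a packet that arrived on the other trunk still follows the plain route to ip3.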



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?430197E1.9060803>