Date: Mon, 2 Oct 2006 10:56:13 +0300 From: Oleg Tarasov <subscriber@osk.com.ua> To: Oleg Tarasov <subscriber@osk.com.ua> Cc: freebsd-ipfw@freebsd.org Subject: Re: ipfw forward does not work Message-ID: <1210406434.20061002105613@osk.com.ua> In-Reply-To: <1667794444.20061002095502@osk.com.ua> References: <1667794444.20061002095502@osk.com.ua>
next in thread | previous in thread | raw e-mail | index | archive | help
Hello, [resolved] Recompiling the kernel using IPFIREWALL_FORWARD_EXTENDED solved the problem. I thought this one in 6.0-p12 is deprecated... Oleg Tarasov <subscriber@osk.com.ua> wrote: > Hello, > I've got a machine running FreeBSD 6.0. This problem occured on 6.0-p0 > and 6.0-p12. > Introduction > ============= > I've got two internet connections from two different providers. One > is the main and second for failover. Both interfaces have attached > natd using divert function of ipfw. Here are interface parameters: > ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1492 > inet xxx.xxx.xxx.xxx --> XXX.XXX.XXX.XXX netmask 0xffffffff > ng8: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1492 > inet yyy.yyy.yyy.yyy --> YYY.YYY.YYY.YYY netmask 0xffffffff > Here yyy.yyy.yyy.yyy is an IP address of main connection. > routing table looks like this: > ------------------------- > default YYY.YYY.YYY.YYY UGS 0 21878 ng8 > yyy.yyy.yyy.yyy lo0 UHS 0 51 lo0 > xxx.xxx.xxx.xxx lo0 UHS 0 0 lo0 > 127.0.0.1 127.0.0.1 UH 0 3810 lo0 > 192.168.82 link#1 UC 0 0 rl0 > 192.168.82.253 00:30:4f:27:ae:85 UHLW 1 74 lo0 > YYY.YYY.YYY.YYY yyy.yyy.yyy.yyy UH 3 0 ng8 > XXX.XXX.XXX.XXX xxx.xxx.xxx.xxx UH 3 0 ng0 > ------------------------- > My kernel is compiled using following options: > ------------------------- > options IPFIREWALL > options IPFIREWALL_VERBOSE > options IPFIREWALL_VERBOSE_LIMIT=300 > options IPFIREWALL_DEFAULT_TO_ACCEPT > options IPFIREWALL_FORWARD > options IPDIVERT > options IPSTEALTH > options DUMMYNET > options HZ=1000 > ------------------------- > Both interfaces have real IPs and should simultaneously work supplying > DNS, mail and other services. > Usually this is implemented configuring ipfw fwd command for policy > routing so I've inserted two following lines into ipfw script: > ------------------------- > fwd XXX.XXX.XXX.XXX ip from xxx.xxx.xxx.xxx to any out xmit ng8 > fwd YYY.YYY.YYY.YYY ip from yyy.yyy.yyy.yyy to any out xmit ng0 > ------------------------- > This usually works and works on my second server. But for some reason > here I met strange behaviour. It just seems that fwd command does not > do anything at all. > When I ping xxx.xxx.xxx.xxx (which is failover one) icmp packets come > into ng0 but replies from xxx.xxx.xxx.xxx go through default route on > ng8. This should be normal if there were no fwd commands. But I see > counters on the rule increasing and logging these rules shows > following lines: > Oct 2 08:35:49 central kernel: ipfw: 20500 Forward to XXX.XXX.XXX.XXX > ICMP:0.0 xxx.xxx.xxx.xxx some.outer.ip.address out via ng8 > but packets still go out through ng8 using default route. > There can be two reasons as I see. First is that fwd command does not > work for some reason and the second is that system routing table > considered that default route is preferrable over direct route to > router. The second near impossible so I wonder... > Please tell me if possible how to locate the possible reason of this > problem! -- Best regards, Oleg Tarasov mailto:subscriber@osk.com.ua
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1210406434.20061002105613>