Date: Mon, 15 Dec 2003 09:57:44 -0600 From: Tillman Hodgson <tillman@seekingfire.com> To: freebsd-questions@freebsd.org Subject: Re: ipnat+ipfw + 3 gateways Message-ID: <20031215155744.GW64340@seekingfire.com> In-Reply-To: <198144994821.20031215072521@vkt.lt> References: <20031214233809.GS64340@seekingfire.com> <MIEPLLIBMLEEABPDBIEGEEKFFAAA.fbsd_user@a1poweruser.com> <20031215004603.GT64340@seekingfire.com> <198144994821.20031215072521@vkt.lt>
On Mon, Dec 15, 2003 at 07:25:21AM -0800, hugle wrote:

> now about this script.

Let's reduce this to pseudo code to simplify the discussion:

    map vlan0 from 192.168.0.0/16 ! to 192.168.0.0/16 (some ports)  -> (gw2)
    map fxp0  from 192.168.0.0/16 ! to 192.168.0.0/16 (other ports) -> (gw1)
    map rl1   from 192.168.0.0/16 ! to 192.168.0.0/16               -> (gw3)

> in MY opinion these rules should WORK. but as it seems, they don't

I assume that vlan0, fxp0 and rl1 are your *external* NICs?

I'll show what I have set up for comparison. I have two Internet gateways and I do some source-routing by destination (not by port, as you are trying to do). I'll leave out the IPFW traffic shaping for simplicity. My ruleset is getting fairly complex these days ;-)

A bit of background: I bring in a /25 subnet across an OpenVPN tunnel (where I run zebra/quagga OSPF routing ... some details at http://www.rospa.ca/projects/). In order for me to use these additional IPs on my internal network, I need to ensure that my gateway source-routes them ('fwd' in IPFW parlance) to my tunnel-peer, as my regular default gateway would packet filter them out (a surprisingly sane policy for an ISP *grin*).

Key for the lines that follow:

  * rl1 is my external NIC for the primary Internet gateway
  * rl2 is my external NIC for the secondary Internet gateway
  * tun6 is the tunnel that I bring a source-routed /25 in on

Here's the relevant part of my /etc/ipnat.rules. Note that I've obscured external IPs by replacing them with a descriptive tag in ()'s:

    ### TCP/UDP

    # Note that maps to rl2 only work because I have static routes that
    # would route traffic for those particular destinations to the
    # secondary gateway in any case ... the mapping just forces the correct
    # source IP address to be used.

    # ... specific destination #1
    map rl2 from 192.168.23.0/24 to (net destination #1)/24 -> rl2/32
    # ... specific destination #2
    map rl2 from 192.168.23.0/24 to (net destination #2)/24 -> rl2/32
    # ... specific destination #3
    map rl2 from 192.168.23.0/24 to (host destination #3)/32 -> rl2/32

    # Map all regular traffic out the primary Internet connection
    map rl1 192.168.23.0/24 -> rl1/32 portmap tcp/udp 48000:50000

    ### ICMP and other (on the primary internet connection)
    map rl1 192.168.23.0/24 -> rl1/32

I set the static routes via rc.conf, a simplified version of which is:

    ### Routes
    defaultrouter="(primary gateway)"
    static_routes="destination1 destination2 destination3"
    route_destination1="(net destination #1)/24 (secondary gateway)"
    route_destination2="(net destination #2)/24 (secondary gateway)"
    route_destination3="(host destination #3)/32 (secondary gateway)"

And here's the relevant part of my /etc/ipf.rules:

    # Respond to traffic sent to the /25 via tun6
    # Note that the "on 'interface'" has to be the one with my default route
    # Note that I use a !/16 instead of a /24 as I have more than one
    # internal class C (the meta-network)
    pass out quick on rl1 to tun6 from (obscured)/25 to !192.168.0.0/16

    # Respond to traffic sent to my secondary connection via the same IP
    pass out quick on rl1 to rl2 from (obscured)/32 to any

-T

-- 
To imagine a human world without ethics, but in which life goes well, it is
necessary to suppose a golden age: a world without competition, or causes of
strife, or clashing desires, or envy or malice.
    - Simon Blackburn (Ruling Passions)
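An added worked example, not part of the message above: a small Python model of the point in the ipnat comment block, that the route table picks the egress interface and gateway, and a "map" rule on rl2 only ever applies to packets routing already sends out rl2. The TEST-NET prefixes, the "rl1-addr"/"rl2-addr" tags and the extra rl2 rule with no matching static route are constructed stand-ins for the obscured values in the mail.

```python
import ipaddress

# Constructed stand-ins for the obscured addresses in the mail (TEST-NET prefixes).
# Route table: (prefix, gateway, outgoing interface); longest prefix match wins.
ROUTES = [
    ("0.0.0.0/0", "primary-gw", "rl1"),          # defaultrouter
    ("203.0.113.0/24", "secondary-gw", "rl2"),   # route_destination1
    ("198.51.100.0/24", "secondary-gw", "rl2"),  # route_destination2
    ("192.0.2.7/32", "secondary-gw", "rl2"),     # route_destination3
]

# ipnat "map" rules: (interface, source net, destination net or None, new source).
# A map rule is only consulted for packets that routing already sends out its interface.
NAT_RULES = [
    ("rl2", "192.168.23.0/24", "203.0.113.0/24", "rl2-addr"),
    ("rl2", "192.168.23.0/24", "198.51.100.0/24", "rl2-addr"),
    ("rl2", "192.168.23.0/24", "192.0.2.7/32", "rl2-addr"),
    ("rl2", "192.168.23.0/24", "192.0.2.200/32", "rl2-addr"),  # constructed: no static route, never hit
    ("rl1", "192.168.23.0/24", None, "rl1-addr"),               # everything else out the primary
]

def route_lookup(dst):
    """Return (gateway, interface) for dst via longest-prefix match."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best[1], best[2]

def nat_lookup(iface, src, dst):
    """First matching map rule on the egress interface rewrites the source."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_iface, src_net, dst_net, new_src in NAT_RULES:
        if rule_iface != iface or src not in ipaddress.ip_network(src_net):
            continue
        if dst_net is not None and dst not in ipaddress.ip_network(dst_net):
            continue
        return new_src
    return None  # no NAT: the packet would leave with its private source address

def egress(src, dst):
    """(interface, gateway, NAT source) a packet from src to dst leaves with."""
    gw, iface = route_lookup(dst)
    return iface, gw, nat_lookup(iface, src, dst)

if __name__ == "__main__":
    for dst in ("203.0.113.5", "192.0.2.7", "192.0.2.200", "192.0.2.99"):
        print(dst, "->", egress("192.168.23.10", dst))
```

The rl2 rule for 192.0.2.200 is unreachable in this model because no route sends that destination out rl2, which is exactly why the mail pairs each rl2 map with a static route rather than expecting the map to choose the gateway.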