Date: Tue, 27 Aug 2002 18:14:29 -0600 (MDT)
From: Nick Rogness <nick@rogness.net>
To: cjclark@alum.mit.edu
Cc: John Resnier <john_resnier@yahoo.com>, <freebsd-ipfw@FreeBSD.ORG>
Subject: Re: Policy routing using IPFW for multiple ISP's
Message-ID: <20020827180538.K34809-100000@skywalker.rogness.net>
In-Reply-To: <20020827215445.GA8419@blossom.cjclark.org>
On Tue, 27 Aug 2002, Crist J. Clark wrote:

> On Tue, Aug 27, 2002 at 09:41:48AM -0600, Nick Rogness wrote:
> > On Mon, 26 Aug 2002, Crist J. Clark wrote:
> >
> > > On Mon, Aug 26, 2002 at 02:59:59PM -0600, Nick Rogness wrote:
> > > > On Mon, 26 Aug 2002, John Resnier wrote:
> > > >
> > > > > Hey Crist
> > > > >
> > > > > Thanks for your help. Only reason why I didn't do it with a route is
> > > > > that I wanted ipfw to forward on the app layer. Ideally, I would like
> > > > > to have all web traffic destined for the 66.25.xx.0/24 range to go out
> > > > > the DSL Gateway but the rest of the web traffic go out the Cable
> > > > > connection.
> > >
> > > <pedantic>You mean forward at the transport layer.</pedantic>
> > >
> > > > > The example I provided did not show all that information
> > > > > because I wanted to get this problem solved first. Any examples you
> > > > > would have on how to accomplish this would be awesome!!
> > > >
> > > >
> > > > # set next-hop address for packets leaving the ed0 interface
> > > > # to the DSL gateway address
> > > > fwd 199.185.xx.xx tcp from any to 66.25.xx.0/24 80 out via ed0
> > > >
> > > > Also, make sure nat is working properly on rl0 interface and turn
> > > > on logging to help you debug (both in natd and ipfw). What you
> > > > have below looks as if it should work ok.
> > >
> > >
> > > I don't think that will do what he wants. You'll get asymmetric routing
> > > in this case. The packet will go to the 199.185.xx.xx gateway and out
> > > that way, but it will come back the other way since it will have a
> > > source address on 24.86.xx.xx. In fact, it's quite possible that the DSL
> > > ISP will drop packets with a source address that doesn't belong to them.
> >
> > Um, I believe he is running nat on rl0 (his DSL). As the packet
> > leaves rl0 it will be assigned the SRC IP of rl0.
>
> That's the problem, it won't. When the packet hits the 'fwd' rule above,
> it is accepted by the firewall and queued up on rl0. It doesn't continue
> through or start again through the rules with the new interface.

Did this change? I swear this used to work at one time. Either way he
can still use:

fwd 199.185.xx.xx tcp from any to 66.25.xx.0/24 80 out recv fxp0 xmit ed0

I believe that should work.

Nick Rogness <nick@rogness.net>
- WARNING TO ALL PERSONNEL: Firings will continue until morale improves.
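Crist's point about the single pass, as an added illustration that is not code from this thread, from ipfw or from natd: a toy model of ipfw rule evaluation in which a divert to natd resumes at the next rule while fwd ends the search, so a packet matched by the fwd rule above leaves with its original source address and never reaches a natd divert bound to rl0. Interface roles (ed0 cable, rl0 DSL) and all addresses are constructed placeholders for the masked values in the thread.

```python
"""Toy single-pass model of ipfw outbound rule evaluation (added illustration, not ipfw code).

Assumptions (constructed): ed0 is the cable side, rl0 the DSL side, and the addresses
below stand in for the masked 24.86.xx.xx / 199.185.xx.xx values in the thread.
"""
from dataclasses import dataclass, field
import ipaddress

DSL_NAT_IP = "199.185.0.2"   # constructed: address natd would stamp on packets leaving rl0

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    oif: str                  # interface the routing table picked before the rules run
    next_hop: str = ""        # filled in by a matching fwd rule
    trace: list = field(default_factory=list)   # rule numbers that matched

def matches(rule, pkt):
    """Predicate part of a rule: optional destination net, port and 'via' interface."""
    net, port, via = rule.get("net"), rule.get("port"), rule.get("via")
    if net and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(net):
        return False
    return (port is None or pkt.dport == port) and (via is None or pkt.oif == via)

def run(rules, pkt):
    """divert hands the packet to natd and resumes at the next rule; fwd/allow end the search."""
    for r in rules:
        if not matches(r, pkt):
            continue
        pkt.trace.append(r["num"])
        if r["action"] == "divert":
            pkt.src = r["nat_ip"]         # natd rewrote the source; keep evaluating
            continue
        if r["action"] == "fwd":
            pkt.next_hop = r["to"]        # accepted right here; no second pass for rl0
        return pkt                        # fwd and allow both terminate the search
    return pkt

# Constructed ruleset mirroring the thread: fwd web traffic for the /24 to the DSL gateway,
# with natd bound to the DSL interface rl0.
RULES = [
    {"num": 100, "action": "fwd", "to": "199.185.0.1", "net": "66.25.0.0/24", "port": 80, "via": "ed0"},
    {"num": 200, "action": "divert", "nat_ip": DSL_NAT_IP, "via": "rl0"},
    {"num": 65535, "action": "allow"},
]

def forwarded():
    """Web packet routed out ed0: hits fwd, keeps its cable-side source, never reaches natd."""
    return run(RULES, Packet("24.86.0.5", "66.25.0.10", 80, oif="ed0"))

def natted():
    """Packet the routing table already sends out rl0: natd rewrites it, then allow."""
    return run(RULES, Packet("24.86.0.5", "198.51.100.7", 80, oif="rl0"))
```

Running `forwarded()` shows the trace stopping at rule 100 with the source untouched, which is exactly why the reply traffic comes back over the cable link.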