Date: Tue, 20 Sep 2005 15:07:50 +0200
From: G Bryant <bsdt@roamingsolutions.net>
To: freebsd-ipfw@freebsd.org
Subject: multiple incoming lines
Message-ID: <433009A6.9070705@roamingsolutions.net>
Hi all,

I hope someone can help me with a routing / natd / ipfw problem I'm having.

Setup description:
1x FreeBSD 5.4
3x NICs: 1x LAN, 2x connected to external DSL modems
  int_if  - LAN
  ext_if1 - ISP1
  ext_if2 - ISP2

Both DSL modems use NAT too, so it is a nat - nat, but I did have it working for a single external line.

I am running 2 natd's that use the 2 external ifs.

My problem is that when I define a default route (internal IP of the DSL modem for ISP1), all the outgoing packets only want to use that route (duh!), but when I try to send the packets out ext_if2 by divert natd2, it doesn't send them out ext_if2 - I even tried to fwd IP_modem_ISP2, but nothing going. With no default route defined, I get the message "no route to destination".

I simplified my ipfw to try to get this working, but haven't got it right yet. I have seen posts of other people saying they have this solution working, but so far no joy.

If you have any suggestions, I'd love to hear them.

Thankx a mil
Gray

Relevant config files below:
-------------------------------------------------------------
natd1.conf:
interface rl0
dynamic
pid_file /var/run/natd1.pid
port natd1
-------------------------------------------------------------
natd2.conf:
interface rl1
dynamic
pid_file /var/run/natd2.pid
port natd2
-------------------------------------------------------------
rc.conf:
hostname="fw.a.b.c"
network_interfaces="lo0 vr0 rl0 rl1"
# Configure the internal network
ifconfig_vr0="inet 192.168.1.1 netmask 255.255.255.0"
# Configure the external networks (connected to the internet)
ifconfig_rl0="inet 192.168.0.75 netmask 255.255.255.0"
ifconfig_rl1="inet 192.168.8.69 netmask 255.255.255.0"
defaultrouter="192.168.0.1"
# - Enabling the FreeBSD Firewall, IPFirewall (IPFW) -
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
# - Enabling the specific NAT server for IPFW
natd_enable="YES"
natd_flags="-f /etc/natd1.conf"
natd2_enable="YES"
natd2_flags="-f /etc/natd2.conf"
-------------------------------------------------------------
ipfw.rules:
#!/bin/sh
################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
skip="skipto 10000"
ext_if1="rl0"   # public interface name of NIC
ext_if2="rl1"
int_if="vr0"    # private interface name of NIC

# Setup the different Sets to be used for different connection options
ipfw -q set disable 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
# Initially only enable set 1 (and 2 and 12 when we have 2 WAN links)
ipfw -q set enable 2

#################################################################
# Check and drop packets that are appearing to come from
# the destination LAN i.e. a spoofed source ip address
$cmd deny ip from any to any not antispoof in

#################################################################
# No restrictions on Loopback Interface
# Protect spoofing to localhost
$cmd allow ip from any to any via lo0
$cmd deny ip from any to 127.0.0.0/8
$cmd deny ip from 127.0.0.0/8 to any

#################################################################
# check if packet is inbound and nat address if it is
$cmd 1000 divert natd1 ip from any to any in via $ext_if1
$cmd 1000 divert natd2 ip from any to any in via $ext_if2

#################################################################
# Allow the rest of the LAN traffic in and out
$cmd allow ip from any to any via $int_if

#################################################################
# Allow the packet through if it has previously been added to the
# "dynamic" rules table by an allow keep-state statement.
$cmd check-state

#################################################################
# Interface facing Public Internet (Outbound Section)
#################################################################
$cmd $skip all from any to any out via $ext_if1
$cmd $skip all from any to any out via $ext_if2

#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destined for this gateway server or the private network.
#################################################################
$cmd allow all from any to any in via $ext_if1
$cmd allow all from any to any in via $ext_if2

# This is the skipto location for outbound stateful rules
$cmd 10000 set 12 prob 0.5 skipto 10050 ip from any to any out via $ext_if1 keep-state
$cmd 10020 set 1 divert natd1 ip from any to any out via $ext_if1
$cmd 10020 set 1 divert natd1 ip from any to any out via $ext_if2
$cmd 10030 set 1 allow ip from any to any out
$cmd 10050 set 2 divert natd2 ip from any to any out via $ext_if1
$cmd 10050 set 2 divert natd2 ip from any to any out via $ext_if2
$cmd 10060 set 2 fwd 192.168.8.1 ip from 192.168.8.69 to any out via $ext_if1
$cmd 10100 allow ip from any to any out via $ext_if1
$cmd 10110 allow ip from any to any out via $ext_if2

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 19990 deny log all from any to any
################ End of IPFW rules file ###############################
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?433009A6.9070705>
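The pattern the post is reaching for, written out as an added example that is not part of the original message and not the poster's configuration: one natd per uplink, with the natd choice and the next-hop choice made inside the same skipto block, so the translated source address and the outgoing interface always agree. The interface names, addresses, gateways, natd ports and the split of the LAN between the two uplinks are assumed values chosen to mirror the post, not taken from a working system.

```shell
#!/bin/sh
# Added example (not the poster's configuration): generate an ipfw(8)
# ruleset for a gateway with one LAN interface and two NATed uplinks,
# running one natd per uplink.  Every name and address below is an
# assumed value; adjust before use.
#
#   sh dualwan.sh                          # dry run: print the ruleset
#   sh dualwan.sh | ipfw -q -f /dev/stdin  # load it on the gateway

INT_IF="vr0"
LAN_VIA_1="192.168.1.0/25"      # assumed: lower half of the LAN uses ISP1
LAN_VIA_2="192.168.1.128/25"    # assumed: upper half uses ISP2
EXT_IF1="rl0"; EXT_IP1="192.168.0.75"; GW1="192.168.0.1"; NATD1=8668
EXT_IF2="rl1"; EXT_IP2="192.168.8.69"; GW2="192.168.8.1"; NATD2=8669

# Start one natd per uplink.  Each instance aliases to the address of its
# own interface, so which natd a packet is diverted to decides which
# public address it carries.  (rc.d/natd starts a single instance, so the
# second one has to be started explicitly.)  Not run in the dry run.
start_natd() {
    /sbin/natd -p "$NATD1" -n "$EXT_IF1" -dynamic
    /sbin/natd -p "$NATD2" -n "$EXT_IF2" -dynamic
}

# Print the ruleset in the file syntax read by "ipfw pathname".
rules() {
cat <<EOF
flush
# loopback and anti-spoofing
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any
add 130 deny ip from any to any not antispoof in
# A reply arrives on the uplink it was sent from: un-NAT it with that
# uplink's natd before check-state so it matches the pre-NAT dynamic rule.
add 200 divert $NATD1 ip from any to any in via $EXT_IF1
add 210 divert $NATD2 ip from any to any in via $EXT_IF2
add 300 check-state
add 400 allow ip from any to any via $INT_IF
# Choose the uplink for a new outbound flow.  With the default route via
# $GW1 the packet is still heading out $EXT_IF1 here; the fwd in the
# target block re-routes it.  Selecting by source keeps each host on one
# uplink, so a connection never changes public address mid-flow.
add 500 skipto 2000 ip from $LAN_VIA_1 to any out keep-state
add 510 skipto 3000 ip from $LAN_VIA_2 to any out keep-state
add 520 skipto 2000 ip from $EXT_IP1 to any out keep-state
add 530 skipto 3000 ip from $EXT_IP2 to any out keep-state
# unsolicited inbound and anything unclassified
add 600 deny log ip from any to any
# Uplink 1: translate to $EXT_IP1, then pin the next hop to $GW1.  natd
# re-injects the packet at the rule after the divert, so the fwd sees the
# translated source.  The final allow also passes the un-NATed replies
# that check-state sent here.
add 2000 divert $NATD1 ip from any to any out
add 2010 fwd $GW1 ip from $EXT_IP1 to any out
add 2020 allow ip from any to any
# Uplink 2: same shape, but here the fwd overrides the default route so
# the packet leaves on $EXT_IF2 carrying $EXT_IF2's address.
add 3000 divert $NATD2 ip from any to any out
add 3010 fwd $GW2 ip from $EXT_IP2 to any out
add 3020 allow ip from any to any
EOF
}

rules
```

The per-host split in rules 500/510 can be replaced by `prob 0.5 skipto 3000 ... keep-state` followed by `skipto 2000 ... keep-state` if a random split is wanted; the dynamic rule created by keep-state then holds the rest of the flow on the uplink the first packet drew. Two things to verify on the box rather than assume: fwd is only available on FreeBSD 5.x when the kernel is built with `options IPFIREWALL_FORWARD`, and some releases of that era skip an outgoing fwd for packets whose source address is local, which is exactly what the packet has after natd has rewritten it. If `ipfw -a list` shows the divert counters on 3000 climbing while 3010 stays at zero, that is the place to look (the kernel's IPFIREWALL_FORWARD options) before touching the rules. Loading through `/dev/stdin` assumes the ipfw binary will read a pathname pointing at a pipe; writing the output to a file and passing that works everywhere.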