Date:      Mon, 08 Dec 2008 15:57:35 -0500
From:      "Eric W. Bates" <ericx@vineyard.net>
To:        freebsd-net@freebsd.org
Subject:   ipfw policy routing esp
Message-ID:  <493D8A3F.6040502@vineyard.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We have a bewildering problem attempting to policy route esp traffic.

We have 2 upstream internet sources: a routable T1 and a cable modem.
The cable modem provides better bandwidth so while we default to the T1,
we use policy routing to send some of our traffic out the cable modem.

In particular we use the cable modem for all the port 80 traffic via
squid. squid's source IP is the one belonging to the cable network and
we have the following ipfw rule for the policy route:

${fwcmd} add 64902 fwd ${cable_gw} ip from ${net_wan3_local} to any

cable_gw is the cable company's router.
net_wan3_local is the cable company's IP on our external interface.

This works great for all port 80 tcp traffic.

To this we added some IPSec. Racoon is hanging off the same
${net_wan3_local} and the udp port 500 traffic passes in and out through
the cable interface as we hoped.

The bewildering part is that while the esp traffic can demonstrably be
seen to be hitting the policy route rule, those packets continue to pass
out the default route to the T1 rather than being forwarded to the cable
router as we want.

Any thoughts?
Is this a known problem?

Thank you for your time.

- --
Eric W. Bates
ericx@vineyard.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJPYo/D1roJTQ4LlERAp//AJ9C5VFQWk0Q5iwKVD6elTItny8pLgCbB5Tn
9a3/ut3rswi7nPs10nCkk9s=
=wW3o
-----END PGP SIGNATURE-----



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?493D8A3F.6040502>
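As an added example (not part of the message above and not FreeBSD's own rc scripts), here is the policy-route setup written with one fwd rule per protocol, so that "ipfw -a show" reports separate hit counters for the IKE (udp/500), ESP and catch-all rules, together with the two checks a practitioner would run before anything else: the per-rule counters, and tcpdump on each upstream interface to see where ESP actually leaves the box. On the FreeBSD releases of that era the fwd action also needs the kernel built with options IPFIREWALL_FORWARD, which is worth confirming first. Interface names, addresses, rule numbers and the sample "ipfw -a show" output are assumptions constructed for the example; it illustrates the diagnostics and does not answer the question posed.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeBSD: the policy-route
# rules from the message split per protocol, plus the checks used to see
# which rule ESP hits and which upstream interface it leaves on.
# Interface names, addresses and rule numbers below are assumptions.

fwcmd=${fwcmd:-/sbin/ipfw}
cable_if=${cable_if:-em1}                        # assumed: faces the cable modem
t1_if=${t1_if:-em0}                              # assumed: faces the T1
cable_gw=${cable_gw:-203.0.113.1}                # assumed: cable company's router
net_wan3_local=${net_wan3_local:-203.0.113.10}   # assumed: our cable-side address
DRY_RUN=${DRY_RUN:-1}                            # 1 = print commands, 0 = execute

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# One fwd rule per protocol so 'ipfw -a show' gives separate packet
# counters for IKE, ESP and the catch-all rule from the original message.
policy_route_rules() {
    run "$fwcmd" add 64900 fwd "$cable_gw" udp from "$net_wan3_local" to any 500
    run "$fwcmd" add 64901 fwd "$cable_gw" esp from "$net_wan3_local" to any
    run "$fwcmd" add 64902 fwd "$cable_gw" ip  from "$net_wan3_local" to any
}

# Given 'ipfw -a show' output on stdin, print the packet counter of rule $1.
# Columns are: rule number, packets, bytes, then the rule text.
rule_packets() {
    awk -v r="$1" '$1 == r { print $2; exit }'
}

# True if rule $1 has matched at least one packet (stdin = ipfw -a show).
rule_hit() {
    pkts=$(rule_packets "$1")
    [ -n "$pkts" ] && [ "$pkts" -gt 0 ]
}

# Watch ESP on both upstream interfaces: if the fwd took effect, packets
# show up on $cable_if and not on $t1_if.
check_egress() {
    run tcpdump -ni "$cable_if" -c 5 esp
    run tcpdump -ni "$t1_if" -c 5 esp
}

# Constructed sample of 'ipfw -a show' output (assumption, not real data),
# so the counter check can be exercised offline.
SAMPLE_SHOW='64900    40    5200 fwd 203.0.113.1 udp from 203.0.113.10 to any dst-port 500
64901    12    1800 fwd 203.0.113.1 esp from 203.0.113.10 to any
64902  3000  900000 fwd 203.0.113.1 ip from 203.0.113.10 to any
65535     7     420 deny ip from any to any'

# Stand-alone run: print the rules, the diagnostic commands, and the ESP
# counter from the constructed sample. Set DRY_RUN=0 to execute for real.
policy_route_rules
check_egress
echo "ESP rule 64901 packets (sample): $(printf '%s\n' "$SAMPLE_SHOW" | rule_packets 64901)"
```

Run it with DRY_RUN=0 on the firewall itself to install the rules, then compare the counter on rule 64901 against what tcpdump shows on the two interfaces: a counter that climbs while ESP still appears on the T1 side means the rule matched but the fwd did not change the egress path, which is the symptom the message describes.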