Date: Sat, 5 May 2007 01:23:07 -0300 (BRT)
From: "Patrick Tracanelli" <eksffa@freebsdbrasil.com.br>
To: "Jason Hills" <jazzhills@gmail.com>
Cc: ipfw@freebsd.org
Subject: Re: Policy Routing natd+ipfw
Message-ID: <56951.BUtUVAZEUwM=.1178338987.squirrel@webmail.freebsdbrasil.com.br>
In-Reply-To: <33910a2c0705041812s2aaf0b62t785e16abc0decee6@mail.gmail.com>
References: <33910a2c0705041812s2aaf0b62t785e16abc0decee6@mail.gmail.com>
> How can I do policy routing with ipfw+natd?
>
> I started 2 natd processes, using natd.conf and natd2.conf
> respectively, but things don't work. My rules are:

Long time ago, PHK added an (undocumented, except for commit logs) feature in natd(8), called "instances". To use it, you can start a config file with the "instance" keyword followed with an identifier, and in a certain moment use the "instance" keyword again, with a second identifier. Each block will create different natd instances which can be used with independent configurations. However they are run by the same process. Here is a (production) example:

###########################
instance default
interface vr0
dynamic yes
use_sockets yes
same_ports yes
unregistered_only yes
port 8668
log yes
log_denied yes
log_ipfw_denied yes
#punch_fw 10:39
log_facility security
redirect_port tcp 10.69.69.69:2234-2240 2234-2240
redirect_port tcp 10.69.69.39:80 3980
redirect_port tcp 10.69.69.39:6969 3969
redirect_port tcp 10.69.69.13:4662 4662
redirect_port udp 10.69.69.13:4672 4672

###############################
instance interna2
interface xl0
dynamic yes
use_sockets no
same_ports no
unregistered_only yes
port 8669
log yes
log_denied yes
log_ipfw_denied yes
#punch_fw 10:39
reverse yes

> ext_if1="em0"
> ext_if2="em1"
>
> divert 8668 ip from $net1 to any out via $ext_if1
> divert 8669 ip from $net2 to any out via $ext_if2

Wrong concepts here. Since you mentioned the default gateway is on ext_if1, packets will never reach ext_if2, so how can it be diverted?

According to Cisco's literature:

"Policy-based routing provides a tool for forwarding and routing data packets based on policies defined by network administrators. In effect, it is a way to have the policy override routing protocol decisions. Policy-based routing includes a mechanism for selectively applying policies based on access list, packet size or other criteria."
So, the above excerpt explains what you should do to DO policy routing: override routing protocol decisions. To do so in your environment, divert packets to the second link when they reach the main outgoing interface (traditional path the packet would flow, according to routing table):

divert 8669 ip from $net2 to any out via $ext_if1

Yes, this WILL work. Packets will be diverted to second natd instance when it reaches the main outgoing interface (as main, I want you to read: the one used by default route). So, here you are forgetting another mandatory flow control: you have to send packets from your second-link IP address to your second-link gateway. IPFW's "fwd" action will do this like a charm =)

> divert 8668 ip from any to any via $ext_if1
> divert 8669 ip from any to any via $ext_if2
>
> My defaultrouter is the one on $ext_if1.
>
> It works for port 8668 but doesn't work for 8669 (the second xDSL link)
>
> --
> Jazzie Hills

--
Patrick Tracanelli
(31) 3281 9633
sip://313306@sip.freebsdbrasil.com.br
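As an added example, not code from either poster: the complete ruleset the reply describes for the original two-link setup, emitted by a small sh function so the order can be checked before it is loaded. The interfaces em0/em1 and the natd ports 8668/8669 are from the thread; the networks, second-link address and gateway are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): two-link policy routing with two natd
# instances plus an ipfw fwd rule, as the reply recommends.
# em0/em1 and ports 8668/8669 come from the thread; all addresses are constructed.
ext_if1="em0"           # default-route link; natd instance "default", port 8668
ext_if2="em1"           # second xDSL link; second natd instance bound to em1, port 8669
net1="10.0.1.0/24"      # LAN that should leave through link 1 (constructed)
net2="10.0.2.0/24"      # LAN that should leave through link 2 (constructed)
ip2="198.51.100.10"     # public address of em1, what the second natd rewrites to (constructed)
gw2="198.51.100.1"      # gateway of the second link (constructed)

# Rules are numbered explicitly so the order is fixed: the fwd rule must sit
# after the divert that rewrites the source to $ip2, and it still matches
# "out via $ext_if1" because the routing decision already sent the packet there.
# Inbound traffic on each link is handed to the natd instance for that link.
gen_rules() {
    cat <<EOF
add 1000 divert 8668 ip from $net1 to any out via $ext_if1
add 1010 divert 8669 ip from $net2 to any out via $ext_if1
add 1020 fwd $gw2 ip from $ip2 to any out via $ext_if1
add 1030 divert 8669 ip from any to any in via $ext_if2
add 1040 divert 8668 ip from any to any in via $ext_if1
EOF
}

# To load: gen_rules > /tmp/pbr.rules && ipfw -q /tmp/pbr.rules
# (FreeBSD kernels of that era need "options IPFIREWALL_FORWARD" for fwd).
```

The second natd instance must be bound to em1 (interface em1 in its instance block) so that the source address is already rewritten to the second-link address by the time rule 1020 sees the packet.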