From owner-freebsd-ipfw Mon Aug 26 12:45:52 2002
Date: Mon, 26 Aug 2002 12:45:47 -0700 (PDT)
From: John Resnier
To: "Crist J. Clark"
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Policy routing using IPFW for multiple ISP's
Message-ID: <20020826194547.67628.qmail@web40312.mail.yahoo.com>
In-Reply-To: <20020823052506.GA82200@blossom.cjclark.org>

Hey Crist

Thanks for your help. Only reason why I didn't do it with a route is
that I wanted ipfw to forward on the app layer. Ideally, I would like
to have all web traffic destined for the 66.25.xx.0/24 range to go out
the DSL Gateway but the rest of the web traffic go out the Cable
connection. The example I provided did not show all that information
because I wanted to get this problem solved first. Any examples you
would have on how to accomplish this would be awesome!!

Thanks for all your time

John Resnier

--- "Crist J. Clark" wrote:
> On Wed, Aug 21, 2002 at 12:32:13AM -0700, a a wrote:
> >
> > Here's my setup
> >
> > FreeBSD 4.6.2 box with 3 NICs
> >
> > Compiled with the following options
> > options IPSTEALTH
> > options IPFIREWALL
> > options IPFIREWALL_VERBOSE
> > options IPFIREWALL_VERBOSE_LIMIT=100
> > options IPDIVERT
> > options IPFIREWALL_FORWARD
> >
> > NIC1 - ed0 connected to my cable modem 24.86.xx.xx Default Gateway
> > NIC2 - rl0 connected to my DSL Modem 199.185.xx.xx
> > NIC3 - fxp0 connected to my LAN 192.168.1.1
> >
> > Here's the current IPFW rules
> >
> > 00100 fwd DSL-Gateway ip from any to 66.25.xx.0/24 out xmit ed0
> > 00200 divert 8668 ip from any to any via ed0
> > 00200 divert 8669 ip from any to any via rl0
> > 65000 allow ip from any to any
> >
> > What I'm trying to do is have all traffic go thru the cable connection
> > except for traffic destined for the 66.25.xx.0/24 range. I would like
> > that range to go thru the DSL connection. Currently it's not working.
> > Has anyone tried this before? Is this even possible?
>
> You want to route by _destination?_ Uhh, why not just,
>
> # route add net 66.25.xx.0/24 <gateway>
>
> You don't need 'fwd' or ipfw(8) to do that.
> --
> Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
> http://people.freebsd.org/~cjc/ | cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Mon Aug 26 14:04:46 2002
Date: Mon, 26 Aug 2002 14:59:59 -0600 (MDT)
From: Nick Rogness
To: John Resnier
Cc: "Crist J. Clark" ,
Subject: Re: Policy routing using IPFW for multiple ISP's
In-Reply-To: <20020826194547.67628.qmail@web40312.mail.yahoo.com>
Message-ID: <20020826145304.F31482-100000@skywalker.rogness.net>

On Mon, 26 Aug 2002, John Resnier wrote:

> Hey Crist
>
> Thanks for your help. Only reason why I didn't do it with a route is
> that I wanted ipfw to forward on the app layer. Ideally, I would like
> to have all web traffic destined for the 66.25.xx.0/24 range to go out
> the DSL Gateway but the rest of the web traffic go out the Cable
> connection. The example I provided did not show all that information
> because I wanted to get this problem solved first. Any examples you
> would have on how to accomplish this would be awesome!!

    # set next-hop address for packets leaving the ed0 interface
    # to the DSL gateway address
    fwd 199.185.xx.xx tcp from any to 66.25.xx.0/24 80 out via ed0

Also, make sure nat is working properly on rl0 interface and turn
on logging to help you debug (both in natd and ipfw). What you
have below looks as if it should work ok.

What does:

    # sysctl net.inet.ip.forwarding

show?

>
> > On Wed, Aug 21, 2002 at 12:32:13AM -0700, a a wrote:
> > >
> > > Here's my setup
> > >
> > > FreeBSD 4.6.2 box with 3 NICs
> > >
> > > Compiled with the following options
> > > options IPSTEALTH
> > > options IPFIREWALL
> > > options IPFIREWALL_VERBOSE
> > > options IPFIREWALL_VERBOSE_LIMIT=100
> > > options IPDIVERT
> > > options IPFIREWALL_FORWARD
> > >
> > > NIC1 - ed0 connected to my cable modem 24.86.xx.xx Default Gateway
> > > NIC2 - rl0 connected to my DSL Modem 199.185.xx.xx
> > > NIC3 - fxp0 connected to my LAN 192.168.1.1
> > >
> > > Here's the current IPFW rules
> > >
> > > 00100 fwd DSL-Gateway ip from any to 66.25.xx.0/24 out xmit ed0
> > > 00200 divert 8668 ip from any to any via ed0
> > > 00200 divert 8669 ip from any to any via rl0
> > > 65000 allow ip from any to any
> > >
> > > What I'm trying to do is have all traffic go thru the cable
> > > connection except for traffic destined for the 66.25.xx.0/24 range.
> > > I would like that range to go thru the DSL connection. Currently
> > > it's not working. Has anyone tried this before? Is this even
> > > possible?

Nick Rogness
-
  WARNING TO ALL PERSONNEL:
  Firings will continue until morale improves.
From owner-freebsd-ipfw Mon Aug 26 22:36:13 2002
Date: Mon, 26 Aug 2002 22:36:08 -0700
From: "Crist J. Clark"
To: Nick Rogness
Cc: John Resnier , freebsd-ipfw@FreeBSD.ORG
Subject: Re: Policy routing using IPFW for multiple ISP's
Message-ID: <20020827053607.GB4732@blossom.cjclark.org>
In-Reply-To: <20020826145304.F31482-100000@skywalker.rogness.net>

On Mon, Aug 26, 2002 at 02:59:59PM -0600, Nick Rogness wrote:
> On Mon, 26 Aug 2002, John Resnier wrote:
>
> > Hey Crist
> >
> > Thanks for your help. Only reason why I didn't do it with a route is
> > that I wanted ipfw to forward on the app layer. Ideally, I would like
> > to have all web traffic destined for the 66.25.xx.0/24 range to go out
> > the DSL Gateway but the rest of the web traffic go out the Cable
> > connection.

You mean forward at the transport layer.

> > The example I provided did not show all that information
> > because I wanted to get this problem solved first. Any examples you
> > would have on how to accomplish this would be awesome!!
>
>
>     # set next-hop address for packets leaving the ed0 interface
>     # to the DSL gateway address
>     fwd 199.185.xx.xx tcp from any to 66.25.xx.0/24 80 out via ed0
>
> Also, make sure nat is working properly on rl0 interface and turn
> on logging to help you debug (both in natd and ipfw). What you
> have below looks as if it should work ok.

I don't think that will do what he wants. You'll get asymmetric routing
in this case. The packet will go to the 199.185.xx.xx gateway and out
that way, but it will come back the other way since it will have a
source address on 24.86.xx.xx.
In fact, it's quite possible that the DSL
ISP will drop packets with a source address that doesn't belong to them.
--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-ipfw Tue Aug 27 08:46:47 2002
Date: Tue, 27 Aug 2002 09:41:48 -0600 (MDT)
From: Nick Rogness
To: cjclark@alum.mit.edu
Cc: John Resnier ,
Subject: Re: Policy routing using IPFW for multiple ISP's
In-Reply-To: <20020827053607.GB4732@blossom.cjclark.org>
Message-ID: <20020827093602.S34430-100000@skywalker.rogness.net>

On Mon, 26 Aug 2002, Crist J. Clark wrote:

> On Mon, Aug 26, 2002 at 02:59:59PM -0600, Nick Rogness wrote:
> > On Mon, 26 Aug 2002, John Resnier wrote:
> >
> > > Hey Crist
> > >
> > > Thanks for your help. Only reason why I didn't do it with a route is
> > > that I wanted ipfw to forward on the app layer. Ideally, I would like
> > > to have all web traffic destined for the 66.25.xx.0/24 range to go out
> > > the DSL Gateway but the rest of the web traffic go out the Cable
> > > connection.
>
> You mean forward at the transport layer.
>
> > > The example I provided did not show all that information
> > > because I wanted to get this problem solved first. Any examples you
> > > would have on how to accomplish this would be awesome!!
> >
> >
> >     # set next-hop address for packets leaving the ed0 interface
> >     # to the DSL gateway address
> >     fwd 199.185.xx.xx tcp from any to 66.25.xx.0/24 80 out via ed0
> >
> > Also, make sure nat is working properly on rl0 interface and turn
> > on logging to help you debug (both in natd and ipfw). What you
> > have below looks as if it should work ok.
>
> I don't think that will do what he wants. You'll get asymmetric routing
> in this case. The packet will go to the 199.185.xx.xx gateway and out
> that way, but it will come back the other way since it will have a
> source address on 24.86.xx.xx. In fact, it's quite possible that the DSL
> ISP will drop packets with a source address that doesn't belong to them.

Um, I believe he is running nat on rl0 (his DSL). As the packet
leaves rl0 it will be assigned the SRC IP of rl0. Hence, there will be
no asymmetric routing as all packets will have a source of 199.185.xx.xx
leaving that interface. Just make sure his fwd statement is before his
divert rules.

Nick Rogness
-
  WARNING TO ALL PERSONNEL:
  Firings will continue until morale improves.
From owner-freebsd-ipfw Tue Aug 27 14:54:51 2002
Date: Tue, 27 Aug 2002 14:54:45 -0700
From: "Crist J. Clark"
To: Nick Rogness
Cc: John Resnier , freebsd-ipfw@FreeBSD.ORG
Subject: Re: Policy routing using IPFW for multiple ISP's
Message-ID: <20020827215445.GA8419@blossom.cjclark.org>
In-Reply-To: <20020827093602.S34430-100000@skywalker.rogness.net>

On Tue, Aug 27, 2002 at 09:41:48AM -0600, Nick Rogness wrote:
> On Mon, 26 Aug 2002, Crist J. Clark wrote:
>
> > On Mon, Aug 26, 2002 at 02:59:59PM -0600, Nick Rogness wrote:
> > > On Mon, 26 Aug 2002, John Resnier wrote:
> > >
> > > > Hey Crist
> > > >
> > > > Thanks for your help. Only reason why I didn't do it with a route is
> > > > that I wanted ipfw to forward on the app layer. Ideally, I would like
> > > > to have all web traffic destined for the 66.25.xx.0/24 range to go out
> > > > the DSL Gateway but the rest of the web traffic go out the Cable
> > > > connection.
> >
> > You mean forward at the transport layer.
> >
> > > > The example I provided did not show all that information
> > > > because I wanted to get this problem solved first. Any examples you
> > > > would have on how to accomplish this would be awesome!!
> > >
> > >
> > >     # set next-hop address for packets leaving the ed0 interface
> > >     # to the DSL gateway address
> > >     fwd 199.185.xx.xx tcp from any to 66.25.xx.0/24 80 out via ed0
> > >
> > > Also, make sure nat is working properly on rl0 interface and turn
> > > on logging to help you debug (both in natd and ipfw). What you
> > > have below looks as if it should work ok.
> >
> >
> > I don't think that will do what he wants.
> > You'll get asymmetric routing
> > in this case. The packet will go to the 199.185.xx.xx gateway and out
> > that way, but it will come back the other way since it will have a
> > source address on 24.86.xx.xx. In fact, it's quite possible that the DSL
> > ISP will drop packets with a source address that doesn't belong to them.
>
> Um, I believe he is running nat on rl0 (his DSL). As the packet
> leaves rl0 it will be assigned the SRC IP of rl0.

That's the problem, it won't. When the packet hits the 'fwd' rule above,
it is accepted by the firewall and queued up on rl0. It doesn't continue
through or start again through the rules with the new interface.
--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-ipfw Tue Aug 27 17:19:22 2002
Date: Tue, 27 Aug 2002 18:14:29 -0600 (MDT)
From: Nick Rogness
To: cjclark@alum.mit.edu
Cc: John Resnier ,
Subject: Re: Policy routing using IPFW for multiple ISP's
In-Reply-To: <20020827215445.GA8419@blossom.cjclark.org>
Message-ID: <20020827180538.K34809-100000@skywalker.rogness.net>

On Tue, 27 Aug 2002, Crist J. Clark wrote:

> On Tue, Aug 27, 2002 at 09:41:48AM -0600, Nick Rogness wrote:
> > On Mon, 26 Aug 2002, Crist J. Clark wrote:
> >
> > > On Mon, Aug 26, 2002 at 02:59:59PM -0600, Nick Rogness wrote:
> > > > On Mon, 26 Aug 2002, John Resnier wrote:
> > > >
> > > > > Hey Crist
> > > > >
> > > > > Thanks for your help. Only reason why I didn't do it with a route is
> > > > > that I wanted ipfw to forward on the app layer. Ideally, I would like
> > > > > to have all web traffic destined for the 66.25.xx.0/24 range to go out
> > > > > the DSL Gateway but the rest of the web traffic go out the Cable
> > > > > connection.
> > >
> > > You mean forward at the transport layer.
> > >
> > > > > The example I provided did not show all that information
> > > > > because I wanted to get this problem solved first. Any examples you
> > > > > would have on how to accomplish this would be awesome!!
> > > >
> > > >
> > > >     # set next-hop address for packets leaving the ed0 interface
> > > >     # to the DSL gateway address
> > > >     fwd 199.185.xx.xx tcp from any to 66.25.xx.0/24 80 out via ed0
> > > >
> > > > Also, make sure nat is working properly on rl0 interface and turn
> > > > on logging to help you debug (both in natd and ipfw). What you
> > > > have below looks as if it should work ok.
> > >
> > >
> > > I don't think that will do what he wants. You'll get asymmetric routing
> > > in this case. The packet will go to the 199.185.xx.xx gateway and out
> > > that way, but it will come back the other way since it will have a
> > > source address on 24.86.xx.xx. In fact, it's quite possible that the DSL
> > > ISP will drop packets with a source address that doesn't belong to them.
> >
> > Um, I believe he is running nat on rl0 (his DSL). As the packet
> > leaves rl0 it will be assigned the SRC IP of rl0.
>
> That's the problem, it won't.
> When the packet hits the 'fwd' rule above,
> it is accepted by the firewall and queued up on rl0. It doesn't continue
> through or start again through the rules with the new interface.

Did this change? I swear this used to work at one time.
Either way he can still use:

    fwd 199.185.xx.xx tcp from any to 66.25.xx.0/24 80 out recv fxp0 xmit ed0

I believe that should work.

Nick Rogness
-
  WARNING TO ALL PERSONNEL:
  Firings will continue until morale improves.

From owner-freebsd-ipfw Thu Aug 29 13:31:58 2002
Date: Thu, 29 Aug 2002 12:43:00 -0700
From: "Crist J. Clark"
To: Nick Rogness
Cc: John Resnier , freebsd-ipfw@FreeBSD.ORG
Subject: Re: Policy routing using IPFW for multiple ISP's
Message-ID: <20020829194300.GB17576@blossom.cjclark.org>
In-Reply-To: <20020827180538.K34809-100000@skywalker.rogness.net>

On Tue, Aug 27, 2002 at 06:14:29PM -0600, Nick Rogness wrote:
> On Tue, 27 Aug 2002, Crist J. Clark wrote:
>
> > On Tue, Aug 27, 2002 at 09:41:48AM -0600, Nick Rogness wrote:
> > > On Mon, 26 Aug 2002, Crist J. Clark wrote:
> > >
> > > > On Mon, Aug 26, 2002 at 02:59:59PM -0600, Nick Rogness wrote:
> > > > > On Mon, 26 Aug 2002, John Resnier wrote:
> > > > >
> > > > > > Hey Crist
> > > > > >
> > > > > > Thanks for your help. Only reason why I didn't do it with a route is
> > > > > > that I wanted ipfw to forward on the app layer. Ideally, I would like
> > > > > > to have all web traffic destined for the 66.25.xx.0/24 range to go out
> > > > > > the DSL Gateway but the rest of the web traffic go out the Cable
> > > > > > connection.
> > > >
> > > > You mean forward at the transport layer.
> > > >
> > > > > > The example I provided did not show all that information
> > > > > > because I wanted to get this problem solved first. Any examples you
> > > > > > would have on how to accomplish this would be awesome!!
> > > > >
> > > > >
> > > > >     # set next-hop address for packets leaving the ed0 interface
> > > > >     # to the DSL gateway address
> > > > >     fwd 199.185.xx.xx tcp from any to 66.25.xx.0/24 80 out via ed0
> > > > >
> > > > > Also, make sure nat is working properly on rl0 interface and turn
> > > > > on logging to help you debug (both in natd and ipfw). What you
> > > > > have below looks as if it should work ok.
> > > >
> > > >
> > > > I don't think that will do what he wants. You'll get asymmetric routing
> > > > in this case. The packet will go to the 199.185.xx.xx gateway and out
> > > > that way, but it will come back the other way since it will have a
> > > > source address on 24.86.xx.xx. In fact, it's quite possible that the DSL
> > > > ISP will drop packets with a source address that doesn't belong to them.
> > >
> > > Um, I believe he is running nat on rl0 (his DSL). As the packet
> > > leaves rl0 it will be assigned the SRC IP of rl0.
> >
> > That's the problem, it won't. When the packet hits the 'fwd' rule above,
> > it is accepted by the firewall and queued up on rl0. It doesn't continue
> > through or start again through the rules with the new interface.
>
> Did this change? I swear this used to work at one time.
> Either way he can still use:
>
>     fwd 199.185.xx.xx tcp from any to 66.25.xx.0/24 80 out recv fxp0 xmit ed0
>
> I believe that should work.

This made me think. I don't think this used to work, but you should be
able to do this now.

In the past, you could only 'fwd' outgoing packets. That won't work here
since once the packets hit the 'fwd' they are out of the firewall rules,
out the specified interface, and on the wire before they can ever be
processed by a natd(8) handling packets crossing the other interface.

But now that we can use 'fwd' on incoming packets, you should be able
to do this. However, you'd need to change the above rule to,

    fwd 199.185.xx.xx tcp from any to 66.25.xx.0/24 80 in via fxp0

Now, the packets are routed out the other interface _AND_ go through the
ipfw(8) rules on that interface. That means that they will go to the
natd(8) watching the other interface.
--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-ipfw Thu Aug 29 13:56:29 2002
Date: Thu, 29 Aug 2002 14:46:18 -0600 (MDT)
From: Nick Rogness
To: cjclark@alum.mit.edu
Cc: John Resnier ,
Subject: Re: Policy routing using IPFW for multiple ISP's
In-Reply-To: <20020829194300.GB17576@blossom.cjclark.org>
Message-ID: <20020829144219.G41479-100000@skywalker.rogness.net>

On Thu, 29 Aug 2002, Crist J. Clark wrote:

>
> >
> > > That's the problem, it won't. When the packet hits the 'fwd' rule above,
> > > it is accepted by the firewall and queued up on rl0. It doesn't continue
> > > through or start again through the rules with the new interface.
> >
> > Did this change?
> > I swear this used to work at one time.
> > Either way he can still use:
> >
> >     fwd 199.185.xx.xx tcp from any to 66.25.xx.0/24 80 out recv fxp0 xmit ed0
> >
> > I believe that should work.
>
> This made me think. I don't think this used to work, but you should be
> able to do this now.
>
> In the past, you could only 'fwd' outgoing packets. That won't work here
> since once the packets hit the 'fwd' they are out of the firewall rules,
> out the specified interface, and on the wire before they can ever be
> processed by a natd(8) handling packets crossing the other interface.
>
> But now that we can use 'fwd' on incoming packets, you should be able
> to do this. However, you'd need to change the above rule to,
>
>     fwd 199.185.xx.xx tcp from any to 66.25.xx.0/24 80 in via fxp0
>
> Now, the packets are routed out the other interface _AND_ go through the
> ipfw(8) rules on that interface. That means that they will go to the
> natd(8) watching the other interface.

Haven't tried this technique since it's been added. I do know,
however, that the 'out recv fxp0 xmit ed0' thing DOES work as I
have been using that for a while to interoperate with a squid
proxy box. I'll look at the 'in via fxp0' fwd stuff to see if it
works and report my findings.

Cheers,

Nick Rogness
-
  WARNING TO ALL PERSONNEL:
  Firings will continue until morale improves.
From owner-freebsd-ipfw Thu Aug 29 14:05:06 2002
Date: Thu, 29 Aug 2002 14:59:28 -0600 (MDT)
From: Nick Rogness
To: cjclark@alum.mit.edu
Cc: John Resnier ,
Subject: Re: Policy routing using IPFW for multiple ISP's
In-Reply-To: <20020829144219.G41479-100000@skywalker.rogness.net>
Message-ID: <20020829145520.H41479-100000@skywalker.rogness.net>

On Thu, 29 Aug 2002, Nick Rogness wrote:

> On Thu, 29 Aug 2002, Crist J. Clark wrote:
>
> >
> > >
> > > > That's the problem, it won't. When the packet hits the 'fwd' rule above,
> > > > it is accepted by the firewall and queued up on rl0. It doesn't continue
> > > > through or start again through the rules with the new interface.
> > >
> > > Did this change? I swear this used to work at one time.
> > > Either way he can still use:
> > >
> > >     fwd 199.185.xx.xx tcp from any to 66.25.xx.0/24 80 out recv fxp0 xmit ed0
> > >
> > > I believe that should work.
> >
> > This made me think. I don't think this used to work, but you should be
> > able to do this now.
> >
> > In the past, you could only 'fwd' outgoing packets. That won't work here
> > since once the packets hit the 'fwd' they are out of the firewall rules,
> > out the specified interface, and on the wire before they can ever be
> > processed by a natd(8) handling packets crossing the other interface.
> >
> > But now that we can use 'fwd' on incoming packets, you should be able
> > to do this. However, you'd need to change the above rule to,
> >
> >     fwd 199.185.xx.xx tcp from any to 66.25.xx.0/24 80 in via fxp0
> >
> > Now, the packets are routed out the other interface _AND_ go through the
> > ipfw(8) rules on that interface. That means that they will go to the
> > natd(8) watching the other interface.
>
> Haven't tried this technique since it's been added. I do know,
> however, that the 'out recv fxp0 xmit ed0' thing DOES work as I
> have been using that for a while to interoperate with a squid
> proxy box. I'll look at the 'in via fxp0' fwd stuff to see if it
> works and report my findings.

I take this comment back. I'm not sure if it will traverse the ipfw
rules on the second interface as I'm running a variation on this.
Sorry for the wasted argument. I'm stupid and I have a small penis.

Nick Rogness
-
  WARNING TO ALL PERSONNEL:
  Firings will continue until morale improves.
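The disagreement in this thread comes down to one question: does a packet that hits a `fwd` rule go through the ruleset (and hence the `divert`/natd) of the interface it is re-routed out of? The following simulator is an added example, not code from the thread or from FreeBSD. It models only the behaviour Crist describes (first-match rules, an input pass on the LAN interface and an output pass on the egress interface, natd rewriting the source on `divert`, a `fwd` on the output pass skipping further processing while a `fwd` on the input pass does not); Nick's last message leaves that behaviour unconfirmed, so treat the model as a statement of the claim rather than of ipfw's code. The interface addresses, gateways, the LAN host 192.168.1.20 and the function names are constructed for the example.

```python
"""Toy model of the ipfw(8) packet path argued about in this thread.

Added example, not code from the thread or from FreeBSD. It models only the
behaviour the thread asserts (Crist's account, which Nick's final message
says he cannot confirm):
  * rules are evaluated first-match, once on the input pass (the interface
    the packet arrives on) and once on the output pass (the interface it is
    routed out of);
  * a 'divert' rule hands the packet to natd, which rewrites the source to
    that interface's address, and processing continues at the next rule;
  * a 'fwd' matched on the OUTPUT pass queues the packet on the new
    interface with no further rule processing (so it never meets that
    interface's natd);
  * a 'fwd' matched on the INPUT pass only changes the next hop, so the
    packet still goes through the output pass on the new interface.
All addresses, names and rule numbers are constructed placeholders.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional, Union

# Constructed topology following the original poster's description.
IFACE_ADDR = {"ed0": "24.86.0.1", "rl0": "199.185.0.1", "fxp0": "192.168.1.1"}
GATEWAY_IFACE = {"24.86.0.254": "ed0", "199.185.0.254": "rl0"}
DEFAULT_IFACE = "ed0"                    # the cable link holds the default route
NATD_IFACE = {8668: "ed0", 8669: "rl0"}  # divert port -> interface that natd serves
DSL_GW = "199.185.0.254"


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    num: int
    action: str                      # "fwd", "divert" or "allow"
    arg: Union[str, int, None]       # next hop for fwd, divert port for divert
    dst_net: str = "0.0.0.0/0"
    dport: Optional[int] = None
    direction: Optional[str] = None  # "in", "out" or None for either
    via: Optional[str] = None        # interface name or None for any

    def matches(self, pkt: Packet, direction: str, iface: str) -> bool:
        if self.direction and self.direction != direction:
            return False
        if self.via and self.via != iface:
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        return self.dport is None or self.dport == pkt.dport


def run_pass(rules, pkt, direction, iface):
    """One first-match pass; returns (action, arg, packet as modified)."""
    for r in rules:
        if not r.matches(pkt, direction, iface):
            continue
        if r.action == "divert":
            # natd for this interface rewrites the source; the packet then
            # re-enters the ruleset after the divert rule.
            pkt = replace(pkt, src=IFACE_ADDR[NATD_IFACE[r.arg]])
            continue
        return r.action, r.arg, pkt
    return "deny", None, pkt         # ipfw's implicit final deny


def send_from_lan(rules, pkt):
    """Trace a LAN-originated packet; returns (fate, out_iface, src_on_wire)."""
    action, arg, pkt = run_pass(rules, pkt, "in", "fxp0")
    if action == "deny":
        return "dropped", None, pkt.src
    # A fwd on the input pass overrides the routing table for this packet.
    out_iface = GATEWAY_IFACE[arg] if action == "fwd" else DEFAULT_IFACE

    action, arg, pkt = run_pass(rules, pkt, "out", out_iface)
    if action == "deny":
        return "dropped", out_iface, pkt.src
    if action == "fwd":
        # Crist's point: accepted at once and queued on the new interface,
        # skipping that interface's rules and therefore its divert/natd.
        out_iface = GATEWAY_IFACE[arg]
    return "sent", out_iface, pkt.src


def ruleset(fwd_direction, fwd_iface):
    """The poster's ruleset with the fwd placed as the thread proposes."""
    return [
        Rule(100, "fwd", DSL_GW, "66.25.0.0/24", 80, fwd_direction, fwd_iface),
        Rule(200, "divert", 8668, via="ed0"),  # natd on the cable link
        Rule(200, "divert", 8669, via="rl0"),  # natd on the DSL link (same number, as posted)
        Rule(65000, "allow", None),
    ]


def trace(fwd_direction, fwd_iface, dst, dport=80):
    """Send one web packet from the constructed LAN host through the ruleset."""
    return send_from_lan(ruleset(fwd_direction, fwd_iface), Packet("192.168.1.20", dst, dport))


if __name__ == "__main__":
    print("fwd ... out via ed0:", trace("out", "ed0", "66.25.0.10"))
    print("fwd ... in via fxp0:", trace("in", "fxp0", "66.25.0.10"))
    print("other web traffic  :", trace("in", "fxp0", "1.2.3.4"))
```

Under this model the `out via ed0` variant sends the packet out rl0 still carrying the LAN source address, which is the asymmetric-routing failure Crist predicts and exactly the kind of packet an upstream anti-spoofing filter discards; the `in via fxp0` variant reaches rl0's `divert 8669` and leaves with rl0's address, while traffic to other destinations still takes the cable link through `divert 8668`. Two checks from the thread carry over to a real box: `sysctl net.inet.ip.forwarding` must report 1, and the `fwd` rule must be numbered ahead of the `divert` rules, as it is here.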