From: Julian Elischer <julian@freebsd.org>
Date: Wed, 14 Aug 2013 01:11:52 +0800
To: Olivier Nicole
Cc: FreeBSD Net <freebsd-net@freebsd.org>, artem@artem.ru
Subject: Re: Different providers for different nat clients
Message-ID: <520A68D8.20402@freebsd.org>
References: <520A2279.6050600@artem.ru> <520A249A.8030502@artem.ru>

On 8/13/13 8:34 PM, Olivier Nicole wrote:
> Artem,
>
>> Um.. I was planning to use the included natd
>> But I think it has only one external address to use
>
> I think there are a couple of rules to add to ipfw to enable NAT; that
> may be where you divert to here or there:
>
>   ipfw add divert natd all from 192.169.x.y to any via ISPB
>   ipfw add divert natd all from any to any via ISPA
>
> That's the direction I would look at.

OK, here are some thoughts.

You want existing sessions from the offending client to continue to run
through the original interface, or their session will immediately die.
So you need to use dynamic, session-based routing. One way to do this
is using the keep-state and check-state rules in ipfw. If you do a rule
like

    check-state
    fwd ISP2 ip from table(1) to any in recv $LAN keep-state
    fwd ISP1 ip from any to any in recv $LAN keep-state

then that session will continue to do that even if the contents of
table(1) change. Then you can use NAT rules on each $ISP interface to
ensure that packets get translated correctly. It's up to you to arrange
the contents of the table.

I can't remember off hand whether a firewall pass terminates on a fwd
rule match or not; you may want to check that.

I think you should divide your rules up into rules for each interface
and direction using skipto, and then in each section have specialist
rules for just that traffic. So with 3 interfaces you would have 6 sets
of rules (say 1000, 2000, 3000, 4000, 5000 and 6000), and the very
first rules would be:

    skipto 1000 ip from any to any in recv $LAN
    skipto 2000 ip from any to any out xmit $LAN
    skipto 3000 ip from any to any in recv $ISP1
    skipto 4000 ip from any to any out xmit $ISP1
    skipto 5000 ip from any to any in recv $ISP2
    skipto 6000 ip from any to any out xmit $ISP2
    [handle loopback packets here]

At 1000 you have the rules above. At 3000, 4000, 5000 and 6000 you have
NAT rules (with different NAT instances for each interface).

You can use whatever method you like (e.g. dummynet accounting?) to
work out how much traffic is going, and add and remove entries in the
table. Remember, though, to make sure existing sessions don't get
switched!

Julian

> Best regards,
>
> Olivier
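The layout sketched in the reply above (one skipto section per interface and direction, a stateful fwd section for LAN-originated traffic, a separate NAT instance per ISP interface, and a table that decides which clients go out via the second ISP), worked through as a complete ruleset generator. This is an added example, not code from the thread or from the FreeBSD project; the interface names em0/em1/em2, the next-hop addresses 198.51.100.1 and 203.0.113.1 and the LAN prefix 192.168.1.0/24 are assumed placeholders. The script only prints the ipfw commands, so it can be reviewed offline and piped to sh on the router when you are happy with it. On the open question in the reply: ipfw(8) documents fwd as a terminating action, so the search stops when the fwd rule matches. The per-ISP sections assume net.inet.ip.fw.one_pass keeps its default of 1, under which a packet leaving the nat action is accepted rather than re-entering the ruleset.

```shell
#!/bin/sh
# Added example, not from the thread: emits an ipfw ruleset with one
# section per interface/direction, stateful fwd for LAN traffic and a
# NAT instance per ISP. All names and addresses below are assumed
# placeholders; replace them with your own.
LAN=em0;  LAN_NET=192.168.1.0/24
ISP1=em1; ISP1_GW=198.51.100.1   # assumed next hop on ISP1
ISP2=em2; ISP2_GW=203.0.113.1    # assumed next hop on ISP2

# Print the ruleset as "ipfw ..." commands on stdout. Nothing is applied
# here; pipe the output to sh on the router to load it.
gen_ruleset() {
    cat <<EOF
ipfw -q flush
ipfw -q table 1 flush
# one NAT instance per ISP interface; "if" tracks that interface's address
ipfw -q nat 1 config if $ISP1 reset
ipfw -q nat 2 config if $ISP2 reset
# dispatch: one section per interface and direction
ipfw add 100 skipto 1000 ip from any to any in recv $LAN
ipfw add 110 skipto 2000 ip from any to any out xmit $LAN
ipfw add 120 skipto 3000 ip from any to any in recv $ISP1
ipfw add 130 skipto 4000 ip from any to any out xmit $ISP1
ipfw add 140 skipto 5000 ip from any to any in recv $ISP2
ipfw add 150 skipto 6000 ip from any to any out xmit $ISP2
ipfw add 160 allow ip from any to any via lo0
ipfw add 170 deny ip from any to any
# 1000: LAN -> world. A session keeps the ISP it started on because the
# dynamic rule remembers its parent fwd rule even after table 1 changes.
ipfw add 1000 check-state
ipfw add 1010 fwd $ISP2_GW ip from table(1) to any in recv $LAN keep-state
ipfw add 1020 fwd $ISP1_GW ip from $LAN_NET to any in recv $LAN keep-state
ipfw add 1030 deny ip from any to any
# 2000: world -> LAN (replies arrive here after NAT has un-translated them)
ipfw add 2000 allow ip from any to $LAN_NET out xmit $LAN
ipfw add 2010 deny ip from any to any
# 3000/4000: ISP1 in and out through NAT instance 1
ipfw add 3000 nat 1 ip from any to any in recv $ISP1
ipfw add 4000 nat 1 ip from $LAN_NET to any out xmit $ISP1
# 5000/6000: ISP2 in and out through NAT instance 2
ipfw add 5000 nat 2 ip from any to any in recv $ISP2
ipfw add 6000 nat 2 ip from $LAN_NET to any out xmit $ISP2
EOF
}

# Move a client to ISP2 (or back to ISP1) by editing table 1 only. The
# rules themselves are untouched, so established sessions keep their
# original path; only new sessions from that client change ISP.
move_to_isp2() { echo "ipfw -q table 1 add $1"; }
move_to_isp1() { echo "ipfw -q table 1 delete $1"; }

# Offline sanity check: the dispatch block must contain exactly six skipto
# rules (three interfaces, two directions each).
count_skipto() { gen_ruleset | grep -c ' skipto '; }

if [ "${1:-}" = "--print" ]; then
    gen_ruleset
fi
```

Run it as `sh thisfile.sh --print` to see the generated rules; the accounting side (deciding which addresses to feed to move_to_isp2) is deliberately left out, as the reply leaves that choice open. Because the fwd rules sit only in section 1000, reply packets arriving on an ISP interface go straight to that interface's nat rule and never touch the dynamic state, which is what keeps the state table from steering return traffic.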