From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 12 14:43:42 2003
Date: Wed, 12 Nov 2003 23:43:41 +0100
From: Alex de Kruijff
To: "Gorm J. Siiger"
cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw FWD, NAT and routing
In-reply-to: <20031111093609.GI94551@SonnIT.DK>
References: <20031111093609.GI94551@SonnIT.DK>
Message-id: <20031112224341.GF963@dds.nl>
User-Agent: Mutt/1.4.1i
List-Id: IPFW Technical Discussions

On Tue, Nov 11, 2003 at 10:36:09AM +0100, Gorm J. Siiger wrote:
> Hi
>
> I'm experimenting with a dual ISP setup using NAT, as each ISP has provided
> me with a subnet of official IP addresses.
>
> Network setup:
>
>           --------       --------
>           | ISP1 |       | ISP2 |
>           --------       --------
>               |              |
>               |   --------   |
>               -----|  FW  |----
>                    --------
>                        |
>                        |
>                    --------
>                    |Server|
>                    --------
>
> ISP1 LAN : 20.0.0.0/29
> ISP2 LAN : 21.0.0.0/29
> Server LAN : 10.0.0.0/24
> Server IP on ISP1: 20.0.0.2
> Server IP on LAN: 10.0.0.2
> Server IP on ISP2: 21.0.0.2
> Server IP on LAN: 10.0.0.3
>
> The default gateway for the FW box is ISP1
>
> I can connect to the whole world via ISP1 from the server with source IP
> 10.0.0.2 but when I try to connect to a host via ISP2 from source 10.0.0.3
> the TCP connection is very slow, and there is a lot of retransmissions.
>
> If I change the FW's default gateway to ISP2 it works like a charm.
>
> Any suggestions on how to fix this problem.

I don't understand what you want to achieve right now. Do you want ISP2 to
be used only when the clients open the IP in the 21/29 range?

Adding to /etc/rc.conf to set the routes up:

  # the rc.conf knob is defaultrouter, not defaultroute
  defaultrouter="ISP1_GATEWAY"
  static_routes="isp2"
  route_isp2="-net 21.0.0.0 ISP2_GATEWAY"

If you only have one server that uses two IPs then forget about using natd.
natd is for sharing an IP address with multiple computers.

> /usr/local/etc/natd.conf
> use_sockets
> unregistered_only yes
> alias_address 20.0.0.6
> redirect_address 10.0.0.2 20.0.0.2
> redirect_address 10.0.0.3 21.0.0.2

Read the section about alias_address of the natd manual. This tells you why
you're having problems.

If you do need natd, because you have servers behind your gateway, then you
need to have one running on if_isp1 and one on if_isp2 with unique
configuration files. You need to write your own scripts that do this and
place them in /usr/local/etc/rc.d/, since this cannot be done from rc.conf.

> /etc/rc.firewall
> ${fwcmd} add 400 divert natd all from any to any via ${isp0if}
> ${fwcmd} add 405 divert natd all from any to any via ${isp1if}
> ${fwcmd} add 505 fwd 21.0.0.0 ip from 21.0.0.0/29 to any

Please read the section about forward of the ipfw manual.
You seem to have a wrong idea about what to put after the fwd action.
21.0.0.0 isn't a valid address.

If you need a specialised firewall then I would advise against modifying
rc.firewall and using another config file instead. The reason behind it is
that this file could be overridden if you update your OS. You can do this by
adding this to rc.conf:

  firewall_enable="YES"
  firewall_type="/etc/firewall.conf"

This file should contain something like:

  add 100 skipto 10000 ip from any to any via if_isp1
  add 200 skipto 20000 ip from any to any via if_isp2
  add 300 skipto 30000 ip from any to any via if_local
  add 400 allow ip from any to any via lo0
  add 500 deny ip from any to any
  # Now the firewall is still simple. But if your needs grow the rules
  # grow in number. Splitting this up early cuts the number of rules
  # packets have to go through without the need to do so.
  # natd1 and natd2 are the divert ports of the two natd instances; they
  # must be numeric or resolvable through /etc/services.
  add 10100 divert natd1 ip from any to any
  add 19999 allow ip from any to any
  add 20100 divert natd2 ip from any to any
  add 29999 allow ip from any to any
  # the fwd target is the next hop, i.e. ISP2's gateway, and the rule
  # needs the protocol keyword before "from"
  add 30100 fwd ISP2_GATEWAY ip from 10.0.0.3 to any
  add 39999 allow ip from any to any

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/
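The reply above says that two natd instances, one per ISP link, have to be started from a script of your own, and sketches the skipto/divert/fwd ruleset. The script below is an added example, not code from the mail or from FreeBSD: it generates one natd(8) config per link, emits the complete ipfw(8) ruleset for the setup in the thread, and starts both daemons when invoked as an rc.d script. Interface names (fxp0/fxp1/fxp2), gateway addresses (20.0.0.1/21.0.0.1), the alias addresses 20.0.0.6/21.0.0.6, the divert ports and the file paths are all assumptions. The kernel needs IPFIREWALL, IPDIVERT and IPFIREWALL_FORWARD for the divert and fwd rules to do anything.

```shell
#!/bin/sh
# Dual-ISP NAT plus policy routing for ipfw/natd on FreeBSD 4.x/5.x.
# Added example; all addresses, interface names, divert ports and paths
# are assumptions chosen to match the topology in the thread.

ISP1_IF=fxp0; ISP1_GW=20.0.0.1; ISP1_ALIAS=20.0.0.6   # assumed
ISP2_IF=fxp1; ISP2_GW=21.0.0.1; ISP2_ALIAS=21.0.0.6   # assumed
LAN_IF=fxp2                                          # assumed
NATD1_PORT=8668   # the registered "natd" port from /etc/services
NATD2_PORT=8669   # numeric, so no /etc/services entry is needed
CONF_DIR=${CONF_DIR:-/usr/local/etc}

# Emit the natd(8) configuration for one ISP link. Each instance listens
# on its own divert port and aliases to that link's address only, which
# is what a single natd with one alias_address cannot do.
natd_conf() {  # natd_conf PORT ALIAS_ADDR LAN_IP PUBLIC_IP
    printf 'port %s\n' "$1"
    printf 'alias_address %s\n' "$2"
    printf 'use_sockets yes\n'
    printf 'unregistered_only yes\n'
    printf 'redirect_address %s %s\n' "$3" "$4"
}

# Emit the ipfw(8) ruleset: one skipto block per interface, one natd
# instance per ISP link, and a fwd rule whose target is ISP2's gateway
# (the next hop), applied to 10.0.0.3's packets as they enter from the LAN.
fw_rules() {
    cat <<EOF
add 100 skipto 10000 ip from any to any via $ISP1_IF
add 200 skipto 20000 ip from any to any via $ISP2_IF
add 300 skipto 30000 ip from any to any via $LAN_IF
add 400 allow ip from any to any via lo0
add 500 deny ip from any to any
# ISP1 link: translated by the first natd instance
add 10100 divert $NATD1_PORT ip from any to any
add 19999 allow ip from any to any
# ISP2 link: translated by the second natd instance
add 20100 divert $NATD2_PORT ip from any to any
add 29999 allow ip from any to any
# LAN: 10.0.0.3 is routed to ISP2's gateway instead of the default route;
# the packet then leaves via $ISP2_IF and is aliased to 21.0.0.2 there
add 30100 fwd $ISP2_GW ip from 10.0.0.3 to any in via $LAN_IF
add 39999 allow ip from any to any
EOF
}

# Start both natd instances; rc.conf's natd_* knobs drive only one daemon,
# so this is meant to live in /usr/local/etc/rc.d/natd2.sh (assumed name).
start_natd() {
    natd_conf "$NATD1_PORT" "$ISP1_ALIAS" 10.0.0.2 20.0.0.2 > "$CONF_DIR/natd-isp1.conf"
    natd_conf "$NATD2_PORT" "$ISP2_ALIAS" 10.0.0.3 21.0.0.2 > "$CONF_DIR/natd-isp2.conf"
    /sbin/natd -f "$CONF_DIR/natd-isp1.conf"
    /sbin/natd -f "$CONF_DIR/natd-isp2.conf"
}

case "${1:-}" in
    start) start_natd ;;
    rules) fw_rules ;;   # e.g. ./natd2.sh rules > /etc/firewall.conf
esac
```

Note the `in via $LAN_IF` qualifier on the fwd rule: replies coming back from ISP2 are de-aliased by natd2 on fxp1 and then leave through the LAN interface, and without the direction qualifier that outbound traffic would match the fwd rule too and be pushed back toward ISP2's gateway.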