Date:      Thu, 29 Aug 2002 12:43:00 -0700
From:      "Crist J. Clark" <crist.clark@attbi.com>
To:        Nick Rogness <nick@rogness.net>
Cc:        John Resnier <john_resnier@yahoo.com>, freebsd-ipfw@FreeBSD.ORG
Subject:   Re: Policy routing using IPFW for multiple ISP's
Message-ID:  <20020829194300.GB17576@blossom.cjclark.org>
In-Reply-To: <20020827180538.K34809-100000@skywalker.rogness.net>
References:  <20020827215445.GA8419@blossom.cjclark.org> <20020827180538.K34809-100000@skywalker.rogness.net>

On Tue, Aug 27, 2002 at 06:14:29PM -0600, Nick Rogness wrote:
> On Tue, 27 Aug 2002, Crist J. Clark wrote:
> 
> > On Tue, Aug 27, 2002 at 09:41:48AM -0600, Nick Rogness wrote:
> > > On Mon, 26 Aug 2002, Crist J. Clark wrote:
> > >
> > > > On Mon, Aug 26, 2002 at 02:59:59PM -0600, Nick Rogness wrote:
> > > > > On Mon, 26 Aug 2002, John Resnier wrote:
> > > > >
> > > > > > Hey Crist
> > > > > >
> > > > > > Thanks for your help. Only reason why I didn't do it with a route is
> > > > > > that I wanted ipfw to forward on the app layer.  Ideally, I would like
> > > > > > to have all web traffic destined for the 66.25.xx.0/24 range to go out
> > > > > > the DSL Gateway but the rest of the web traffic go out the Cable
> > > > > > connection.
> > > >
> > > > <pedantic>You mean forward at the transport layer.</pedantic>
> > > >
> > > > > > The example I provided did not show all that information
> > > > > > because I wanted to get this problem solved first. Any examples you
> > > > > > would have on how to accomplish this would be awesome!!
> > > > >
> > > > >
> > > > > 	# set next-hop address for packets leaving the ed0 interface
> > > > > 	# to the DSL gateway address
> > > > > 	fwd 199.185.xx.xx tcp from any to 66.25.xx.0/24 80 out via ed0
> > > > >
> > > > > 	Also, make sure nat is working properly on rl0 interface and turn
> > > > > 	on logging to help you debug (both in natd and ipfw).  What you
> > > > > 	have below looks as if it should work ok.
> > > >
> > >
> > > > I don't think that will do what he wants. You'll get asymmetric routing
> > > > in this case. The packet will go to the 199.185.xx.xx gateway and out
> > > > that way, but it will come back the other way since it will have a
> > > > source address on 24.86.xx.xx. In fact, it's quite possible that the DSL
> > > > ISP will drop packets with a source address that doesn't belong to them.
> > >
> > > 	Um, I believe he is running nat on rl0 (his DSL).  As the packet
> > > 	leaves rl0  it will be assigned the SRC IP of rl0.
> >
> > That's the problem, it won't. When the packet hit the 'fwd' rule above,
> > it is accepted by the firewall and queued up on rl0. It doesn't continue
> > through or start again through the rules with the new interface.
> 
>  Did this change?  I swear this used to work at one time.
>  Either way he can still use:
> 
>  fwd 199.185.xx.xx tcp from any to 66.25.xx.0/24 80 out recv fxp0 xmit ed0
> 
>  I believe that should work.

This made me think. I don't think this used to work, but you should be
able to do this now.

In the past, you could only 'fwd' outgoing packets. That won't work
here since once the packets hit the 'fwd' they are out of the firewall
rules, out the specified interface, and on the wire before they can
ever be processed by a natd(8) handling packets crossing the other
interface.

But now that we can use 'fwd' on incoming packets, you should be able
to do this. However, you'd need to change the above rule to,

  fwd 199.185.xx.xx tcp from any to 66.25.xx.0/24 80 in via fxp0

Now, the packets are routed out the other interface _AND_ go through
the ipfw(8) rules on that interface. That means that they will go to
the natd(8) watching the other interface.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
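To make the difference between the two rule placements concrete, here is an added toy model of the packet path described in this message (a constructed simulation, not ipfw code and not from any of the posters). It assumes placeholder addresses, fxp0 as the LAN side, ed0 as the cable uplink with the default route, rl0 as the DSL uplink, and a natd(8) divert rule on each uplink.

```python
import ipaddress
from dataclasses import dataclass, replace
# Constructed topology with placeholder addresses (not the poster's real ones):
# fxp0 = LAN, ed0 = cable uplink (default route), rl0 = DSL uplink, natd on both uplinks.
IFACE_ADDR = {"ed0": "24.86.0.2", "rl0": "199.185.0.2"}
IFACE_NET = {"ed0": ipaddress.ip_network("24.86.0.0/24"),
             "rl0": ipaddress.ip_network("199.185.0.0/24")}
DSL_GW, WEB_NET = "199.185.0.1", ipaddress.ip_network("66.25.0.0/24")

@dataclass
class Pkt:
    src: str
    dst: str
    dport: int
    iface: str = "fxp0"     # interface the packet is currently being checked on
    direction: str = "in"

def web_to_dsl(p):
    return p.dport == 80 and ipaddress.ip_address(p.dst) in WEB_NET

# rule = (action, direction, interface, predicate); "any" is a wildcard
def ruleset(fwd_rule):
    return [("divert", "out", "ed0", lambda p: True),
            ("divert", "out", "rl0", lambda p: True),
            fwd_rule,
            ("allow", "any", "any", lambda p: True)]

OLD_FWD = ("fwd", "out", "ed0", web_to_dsl)   # the rule quoted in the thread
NEW_FWD = ("fwd", "in", "fxp0", web_to_dsl)   # the corrected rule from this message

def iface_for(addr):
    """Route lookup: the uplink whose subnet holds addr, else the default (ed0)."""
    return next((i for i, n in IFACE_NET.items() if ipaddress.ip_address(addr) in n), "ed0")

def run_rules(rules, p):
    for action, direction, iface, pred in rules:
        if direction in (p.direction, "any") and iface in (p.iface, "any") and pred(p):
            if action == "divert":                  # natd rewrites src to the interface address
                p = replace(p, src=IFACE_ADDR[p.iface])
            else:                                   # fwd and allow both end the rule search
                return action, p
    return "deny", p

def send(rules, p):
    """Return (egress interface, source address on the wire) for a LAN packet."""
    verdict, p = run_rules(rules, p)                # inbound pass on fxp0
    egress = iface_for(DSL_GW if verdict == "fwd" else p.dst)  # fwd-in only steers routing
    verdict, p = run_rules(rules, replace(p, iface=egress, direction="out"))  # outbound pass
    if verdict == "fwd":        # fwd-out: accepted and queued toward the gateway, no more rules
        return iface_for(DSL_GW), p.src
    return egress, p.src
```

With the old rule the web packet leaves rl0 still carrying the cable address, so the reply comes back the other way; with the in-bound rule it traverses the rules on rl0 and is rewritten by that interface's natd.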
