From: "James R. Van Artsalen"
Date: Tue, 30 Nov 2004 05:18:54 -0600
To: freebsd-ipfw@freebsd.org
Subject: FreeBSD 5.3 routing IPFW FWD'd packets?
Message-ID: <41AC571E.2020503@jrv.org>

FreeBSD 5.3 may send IPFW FWD forwarded packets to a destination other than the one specified in the FWD action. FreeBSD 5.2.1 works as expected.

I have two WAN links but only one local Ethernet. The system has an IP alias. Each application can decide which WAN link to use by using one or the other IP address. In 5.2.1 and earlier I used IPFW to send packets sourced on the IP alias address to the second WAN router.

The system IP address is 192.168.3.155/8 and the IP alias is 192.168.254.155/8. One WAN gateway is the default route and is at 192.168.3.145 and the other WAN gateway is at 192.168.254.145.
To use the main WAN one just opens a socket as usual, which gets a source address of 192.168.3.155. To use the second WAN the socket is opened with the source address set to 192.168.254.155.

The following IPFW rules state that a direct access to 192.168.254/8 proceeds unmolested, but any packet sourced on the IP alias address of 192.168.254.155 and not to 192.168.254/8 is forwarded to the second WAN gateway at 192.168.254.145 (which will send it to the Internet).

    ${fwcmd} 64000 add allow ip from any to 192.168.254.0/24
    ${fwcmd} 64005 add fwd 192.168.254.145 log ip from 192.168.254.155 to any

With FreeBSD 5.2.1 when rule 64005 matches the packet goes to 192.168.254.145 as the FWD specifies. But with FreeBSD 5.3 the logs on the gateways show that the packet goes to 192.168.3.145, the system default gateway, instead of 192.168.254.145 as specified. The syslog shows the packets are in fact matching rule 64005.

Packets sent to the directly reachable net 192.168.254/8 (rule 64000) seem to work.

Is it possible that packets are somehow being routed after being FWD'd by IPFW?
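
One way to check on the sending host which gateway the FWD'd packets are actually handed to, as an added example that is not part of the original message: it reads `tcpdump -e -n` text and counts, per gateway MAC, the off-net packets sourced from the alias address. The IP addresses are the ones in the message; the MAC addresses, the capture lines, the function names and the modern tcpdump text layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the original message. IP addresses are taken from
# the message; MAC addresses and capture lines are constructed for illustration.
ALIAS_SRC="192.168.254.155"
LOCAL_PREFIX="192.168.254."      # rule 64000's 192.168.254.0/24 as a string prefix
GW_DEFAULT="192.168.3.145";  MAC_DEFAULT="02:00:00:00:03:91"   # MAC constructed
GW_SECOND="192.168.254.145"; MAC_SECOND="02:00:00:00:fe:91"    # MAC constructed

# Constructed stand-in for the output of: tcpdump -e -n -i <interface> ip
sample_capture() {
cat <<'EOF'
05:18:54.000001 02:00:00:00:03:9b > 02:00:00:00:03:91, ethertype IPv4 (0x0800), length 74: 192.168.254.155.49152 > 203.0.113.5.80: Flags [S], seq 1, win 65535, length 0
05:18:54.000002 02:00:00:00:03:9b > 02:00:00:00:03:91, ethertype IPv4 (0x0800), length 98: 192.168.254.155 > 203.0.113.5: ICMP echo request, id 1, seq 1, length 64
05:18:54.000003 02:00:00:00:03:9b > 02:00:00:00:fe:91, ethertype IPv4 (0x0800), length 74: 192.168.254.155.49153 > 198.51.100.7.443: Flags [S], seq 1, win 65535, length 0
05:18:54.000004 02:00:00:00:03:9b > 02:00:00:00:fe:14, ethertype IPv4 (0x0800), length 74: 192.168.254.155.49154 > 192.168.254.20.22: Flags [S], seq 1, win 65535, length 0
05:18:54.000005 02:00:00:00:03:9b > 02:00:00:00:03:91, ethertype IPv4 (0x0800), length 74: 192.168.3.155.49155 > 203.0.113.5.80: Flags [S], seq 1, win 65535, length 0
EOF
}

# Reads tcpdump -e -n text on stdin and prints "<gateway> <packets>" for
# packets whose IP source is $1 and whose destination is outside prefix $2.
# Arguments 3-6 map each gateway MAC to the gateway address it belongs to.
next_hop_counts() {
    awk -v src="$1" -v lnet="$2" -v m1="$3" -v g1="$4" -v m2="$5" -v g2="$6" '
    $5 == "ethertype" && $6 == "IPv4" {
        split($10, s, "."); ip = s[1] "." s[2] "." s[3] "." s[4]  # drop port if any
        if (ip != src || index($12, lnet) == 1) next  # other source, or on-net
        dmac = $4; sub(/,$/, "", dmac)
        gw = (dmac == m1) ? g1 : ((dmac == m2) ? g2 : "other")
        count[gw]++
    }
    END { for (g in count) print g, count[g] }' | sort
}

# Stand-alone run over the constructed capture.
sample_capture | next_hop_counts "$ALIAS_SRC" "$LOCAL_PREFIX" \
    "$MAC_DEFAULT" "$GW_DEFAULT" "$MAC_SECOND" "$GW_SECOND"
```

Any count reported against 192.168.3.145 means those packets left towards the default gateway even though they were sourced from the alias address that rule 64005 matches.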