From owner-freebsd-questions@FreeBSD.ORG Mon Aug 4 07:47:45 2003
Date: Mon, 4 Aug 2003 15:47:24 +0100
From: Matthew Seaman
To: fbsdquestions@worldinternet.org
cc: questions@freebsd.org
Subject: Re: ipfw - natd - squid - 3 Nic's - 1 FBSD 5.1 server and routing question
Message-ID: <20030804144724.GC7562@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <1060003482.e2623ffc060f8@mail.worldinternet.org>
On Mon, Aug 04, 2003 at 06:24:42AM -0700, fbsdquestions@worldinternet.org wrote:

> I could sure use an idea for solving the following. We have a perfectly
> functional but saturated ds0 with our telco that is very expensive. We
> have squid running with transparent proxy for our LAN that consists of
> about 10-15 users. [ fwd 127.0.0.1,3128 tcp from 192.168.5.0/24 to any 80 ]
> It works fine but still not enough bandwidth so we contracted a connection
> with a cable company that we plan to use for all outgoing requests for
> port 80 from squid. The problem is that I can't get the outgoing requests
> from squid to use the nic that is connected to the cable company.
>
> Squid is setup to use the Cable companies IP
> tcp_outgoing_address 10.24.194.163
> but since the default gateway is to the telco interface, the request is sent
> to the telco.
>
> I'm not sure how to make this work. Our three nic's are set up as follows
>
>         rl1
> 192.168.5.0/24 ---
> Internal Network   \
>                     \  rl0 [TelCo]
>                      ------ 200.79.x.0/28 --- INTERNET
>                     /  natd-ipfw-squid
>         rl2        /   routing: default 200.79.x.1
> 10.24.194.163/20 ---
> Cable Network
>
> Our firewall configuration has been reduced to the following until we can
> get this to work.
>
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00400 fwd 127.0.0.1,3128 tcp from 192.168.5.0/24 to any 80
> 65100 divert 8668 ip from any to any via rl0
> 65500 allow ip from any to any
> 65535 allow ip from any to any
>
> Everything works great with rl1 -> rl0 but rl2 is basically useless.
> I have tried many different approaches and none have worked. I'm probably
> complicating it too much.
>
> Any help or suggestions will be appreciated.
This sounds to me like a policy based routing problem -- googling for
"policy based routing FreeBSD" in Google Groups should prove informative.

However, the mechanism is basically the same as you've used to implement
your transparent proxy. All you need to do is insert another rule to trap
the port 80 traffic coming out of Squid and send the packets to the
next-hop gateway on your rl2 interface. That presumably has its default
route set via the cable network. Something like:

    00500 fwd 10.24.207.254 tcp from me to any 80

(assuming that 10.24.207.254 is the router address in the cable company's
network.)

Since your Squid is already using a Cable Co. address as the source address
on any outgoing packets this should cause all in- and out-going HTTP traffic
to pass via the Cable Co. network.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
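To see why rule order matters here, the following is a small first-match simulator of the ruleset above with the suggested 00500 rule inserted after 00400. It is an added example, not code from the thread or from ipfw itself; the local addresses 192.168.5.1 and 200.79.1.2, the destination 203.0.113.5, and the interface the routing table picks are assumptions. It also shows that "from me" matches every address the server owns, so any other process on the box that talks to port 80 is forwarded to the cable router as well.

```python
import ipaddress

# Addresses the server owns, so that "me" can be resolved. 127.0.0.1 and
# 10.24.194.163 (rl2) come from the thread; 192.168.5.1 (rl1) and
# 200.79.1.2 (rl0) are assumed for the example.
LOCAL_ADDRS = {"127.0.0.1", "192.168.5.1", "200.79.1.2", "10.24.194.163"}

# (number, action, proto, src, dst, dport, via): the poster's reduced
# ruleset with the suggested 00500 fwd rule inserted after 00400.
RULESET = [
    (100,   "allow",              "ip",  "any",            "any",         None, "lo0"),
    (200,   "deny",               "ip",  "any",            "127.0.0.0/8", None, None),
    (300,   "deny",               "ip",  "127.0.0.0/8",    "any",         None, None),
    (400,   "fwd 127.0.0.1,3128", "tcp", "192.168.5.0/24", "any",         80,   None),
    (500,   "fwd 10.24.207.254",  "tcp", "me",             "any",         80,   None),
    (65100, "divert 8668",        "ip",  "any",            "any",         None, "rl0"),
    (65500, "allow",              "ip",  "any",            "any",         None, None),
]

def addr_matches(spec, addr):
    """ipfw address specs used here: 'any', 'me' (any local address), or CIDR."""
    if spec == "any":
        return True
    if spec == "me":
        return addr in LOCAL_ADDRS
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def first_match(proto, src, dst, dport, via, ruleset=RULESET):
    """First-match walk as ipfw does it; 'via' is the interface routing picked."""
    for num, action, rproto, rsrc, rdst, rport, rvia in ruleset:
        if rproto != "ip" and rproto != proto:
            continue
        if not addr_matches(rsrc, src) or not addr_matches(rdst, dst):
            continue
        if rport is not None and rport != dport:
            continue
        if rvia is not None and rvia != via:
            continue
        return num, action
    return 65535, "allow"          # ipfw's implicit default rule

if __name__ == "__main__":
    # LAN browser, Squid's own fetch, and the same fetch without rule 00500.
    print(first_match("tcp", "192.168.5.10", "203.0.113.5", 80, "rl1"),
          first_match("tcp", "10.24.194.163", "203.0.113.5", 80, "rl0"),
          first_match("tcp", "10.24.194.163", "203.0.113.5", 80, "rl0",
                      [r for r in RULESET if r[0] != 500]))
```

Without 00500 the Squid packet falls through to the natd divert on rl0, which is the poster's symptom; with it, the packet is handed to the cable router before the divert rule is reached.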