From owner-freebsd-questions@FreeBSD.ORG Wed Jul 25 23:16:57 2007
Date: Wed, 25 Jul 2007 16:16:55 -0700
From: Christopher Cowart
To: Narek Gharibyan
Cc: freebsd-questions@freebsd.org
Subject: Re: Policy Based Routing problem help me
Message-ID: <20070725231655.GT25792@rescomp.berkeley.edu>
In-Reply-To: <012001c7cefa$13ea3350$180ca8c0@arm.synisys.com>
Organization: RSSP-IT, UC Berkeley
User-Agent: Mutt/1.5.9i

On Thu, Jul 26, 2007 at 01:26:17AM +0500, Narek Gharibyan wrote:
> I have a firewall/router with FreeBSD 6.2 installed on it. 2 ISP connections
> and 2 LAN connections. I need to do policy-based routing. All I need is that
> packets coming from one ISP interface return to that interface (incoming
> connections' source-based routing) and, on the other hand, do IP-based routing
> from the LAN (some packets will go out via ISP 1, others via ISP 2,
> depending on the IPs requested). I tried to do that with ipfw fwd but it didn't
> work any way (e.g. with ip.forwarding enabled or not). I've even disabled my
> static routes and default gw. It just does nothing. Sample configs are
>
> ipfw add fwd ISP_gw from ${my lan} to any via ${eif}
> ipfw add fwd ISP_gw from ${my lan} to any out via ${eif}
> ipfw add fwd ISP_gw from any to any xmit ${eif}
>
> ipfw add fwd ISP_gw from any to any via ${eif} out
>
> I don't use nat or proxy. I just need to route.

Have you compiled your kernel with the following options?

| options IPFIREWALL_FORWARD
| options IPFIREWALL_FORWARD_EXTENDED

I found that this kind of forwarding silently failed until I enabled the
EXTENDED option in addition to the typical option. `man ipfw' briefly
mentions these two kernel options in the fwd section.

-- 
Chris Cowart
Lead Systems Administrator
Network & Infrastructure Services, RSSP-IT
UC Berkeley
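The reply's point is that `ipfw fwd` fails silently when the kernel lacks one of the two options, so the first thing to verify is the kernel config itself. The following script is an added example (not part of the thread) that reports which of the two options is missing from a kernel config file, treating commented-out lines as disabled; the sample config files it writes are constructed for the example.

```shell
#!/bin/sh
# Added example: check a FreeBSD kernel config for the kernel options the
# reply says `ipfw fwd` needs, and list any that are not enabled.

REQUIRED_OPTS="IPFIREWALL_FORWARD IPFIREWALL_FORWARD_EXTENDED"

# missing_fwd_options CONFIG
#   Prints each required option that is not enabled in CONFIG, one per line.
#   A line must start with "options" followed by the exact option name;
#   "#options ..." (commented out) does not count, nor does a longer name
#   such as IPFIREWALL_FORWARD_EXTENDED satisfying IPFIREWALL_FORWARD.
#   Returns 0 when every option is enabled, 1 when at least one is missing.
missing_fwd_options() {
    cfg="$1"
    missing=0
    for opt in $REQUIRED_OPTS; do
        if ! grep -Eq "^[[:space:]]*options[[:space:]]+${opt}([[:space:]]|#|\$)" "$cfg"; then
            echo "$opt"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample: only the basic option enabled, EXTENDED commented out
# (the situation in which forwarding "silently fails" per the reply).
make_sample_partial() {
    f="${TMPDIR:-/tmp}/pbr_partial.$$"
    printf '%s\n' 'options IPFIREWALL' \
                  'options IPFIREWALL_FORWARD' \
                  '#options IPFIREWALL_FORWARD_EXTENDED' > "$f"
    echo "$f"
}

# Constructed sample: both options enabled.
make_sample_full() {
    f="${TMPDIR:-/tmp}/pbr_full.$$"
    printf '%s\n' 'options IPFIREWALL' \
                  'options IPFIREWALL_FORWARD' \
                  'options IPFIREWALL_FORWARD_EXTENDED' > "$f"
    echo "$f"
}

# Demo on the two constructed configs.
for f in "$(make_sample_partial)" "$(make_sample_full)"; do
    if m=$(missing_fwd_options "$f"); then
        echo "$f: ipfw fwd kernel options enabled"
    else
        echo "$f: missing: $(echo $m)"
    fi
done
```

On a real system point the function at the kernel config you built from (for example a file under /usr/src/sys/&lt;arch&gt;/conf) rather than the constructed samples.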