Date:      Mon, 6 Jul 2009 10:36:18 +0200
From:      Kim Attree <kim.attree@playsafesa.com>
To:        "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>
Subject:   Problem with source based policy routing
Message-ID:  <00265389C30B444288C246DF37651D0C37637A1893@server-02.playsafesa.com>


Hey Guys,


I'm having a problem with source-based policy routing in IPFW; I'm trying to run a load-balanced SMTP system over two links.

Primary link is re0, lets give it an ip of 192.168.1.1
Secondary link is re1, with an ip of 192.168.2.1

Default gateway for the box is 192.168.1.254 (so ALL outgoing traffic goes out of re0, unless hardcoded into the routing table for destinations instead)
Default gateway for re1 is 192.168.2.254

I want re1 to be able to accept SMTP, but respond to the originating IP over the same link re1 (instead of the default gateway).
With this in mind, I setup my NAT accordingly:

<snip>
port 8669
alias_address 192.168.2.1
same_ports yes
use_sockets yes
log_ipfw_denied yes
redirect_port tcp 10.0.0.1:25 192.168.2.1:25
</snip>

And the IPFW rules such:

<snip>
# NATD Statements
add 00097 divert 8668 all from any to any via re0
add 00097 divert 8669 all from any to any via re1

# Testing incoming SMTP over re1
add 00098 skipto 00100 tcp from any to not 192.168.2.1
add 00099 fwd 192.168.2.254 tcp from any to any
</snip>

Tcpdump shows packets coming in:

<snip>
#>tcpdump -n -i re1 port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on re1, link-type EN10MB (Ethernet), capture size 96 bytes
11:15:41.594659 IP xxx.xxx.xxx.xxx.2097 > 192.168.2.1.25: S 842708044:842708044(0) win 65535 <mss 1300,nop,nop,sackOK>
11:15:44.596798 IP xxx.xxx.xxx.xxx.2097 > 192.168.2.1.25: S 842708044:842708044(0) win 65535 <mss 1300,nop,nop,sackOK>
11:15:50.617271 IP xxx.xxx.xxx.xxx.2097 > 192.168.2.1.25: S 842708044:842708044(0) win 65535 <mss 1300,nop,nop,sackOK>
^C
3 packets captured
566 packets received by filter
0 packets dropped by kernel
</snip>

But nothing going out:

What am I doing wrong???
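Added here as an illustration, not the poster's configuration and not a confirmed fix for it: a ruleset for the same two-link layout that applies the fwd to the NATed reply on its way out, which is the direction in which source-based policy routing takes effect. The rule numbers, the MTA at 10.0.0.1 sitting behind a third interface, and net.inet.ip.fw.one_pass=0 are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): ipfw ruleset that answers inbound SMTP
# arriving on re1 through re1's gateway instead of the default route.
# Assumed, not stated in the post: rule numbers, the MTA at 10.0.0.1 behind a
# third interface, and net.inet.ip.fw.one_pass=0 so a packet re-injected by
# natd keeps walking the rules after the divert rule instead of being
# accepted there. The script only prints commands; review them, then apply
# on the router with:  sh rules.sh | sh

WAN0_IF=re0                                                # default route
WAN1_IF=re1; WAN1_IP=192.168.2.1; WAN1_GW=192.168.2.254
MTA_IP=10.0.0.1

gen_rules() {
    cat <<EOF
# without this, a packet returning from natd is accepted at the divert rule
# and never reaches the fwd rule below
sysctl net.inet.ip.fw.one_pass=0
ipfw -f flush
# inbound SMTP on re1: natd on port 8669 applies redirect_port -> ${MTA_IP}:25
ipfw add 00090 divert 8669 tcp from any to ${WAN1_IP} 25 in via ${WAN1_IF}
# the reply leaves with source ${MTA_IP}:25 and the kernel has already chosen
# ${WAN0_IF} for it (default route), so match on the pre-NAT source rather
# than on the interface to hand it to re1's natd for reverse translation
ipfw add 00091 divert 8669 tcp from ${MTA_IP} 25 to any out
# the source is now ${WAN1_IP}; fwd re-routes the packet to re1's gateway.
# fwd is a terminating action, so the re0 divert below never sees it.
# (older releases need the IPFIREWALL_FORWARD kernel option for fwd)
ipfw add 00092 fwd ${WAN1_GW} tcp from ${WAN1_IP} 25 to any out
# everything else is NATed through re0 as in the original ruleset
ipfw add 00097 divert 8668 ip from any to any via ${WAN0_IF}
ipfw add 00100 allow ip from any to any
EOF
}

gen_rules
```

Check with `ipfw -a list` after applying: if the counters on rule 00092 stay at zero while 00091 increments, the re-injected packets are not reaching the fwd rule and one_pass is the first thing to verify.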


