Date:      Tue, 16 Sep 2003 00:57:28 +0300
From:      Ruslan Ermilov <ru@freebsd.org>
To:        Martin Bartelds <bts@iae.nl>
Cc:        "ipfw@freebsd.org" <ipfw@freebsd.org>
Subject:   Re: IPFW/routing wishes
Message-ID:  <20030915215728.GD14510@sunbay.com>
In-Reply-To: <200309151438.1937858.6@btsoftware.com>
References:  <200309151438.1937858.6@btsoftware.com>

On Mon, Sep 15, 2003 at 02:38:17PM +0200, Martin Bartelds wrote:
> What I do seriously miss in FreeBSD, is the possibility to have NATD active
> on more than 1 network address/card and do packet routing based
> on packet information.
>
I have a config with two ISPs, each providing us with a small
block of IP addresses, and I have the solution that:

- does source-based routing with the help of "ipfw fwd",
- provides multi-NAT for internal hosts, destination-based.

The last part is done by allocating two distinct IP addresses,
one from each block, and "routing" the packets to a corresponding
natd(8) process, like this:

In /etc/rc.conf:

	natd_enable="YES"
	natd_interface="x.x.x.x"
	natd2_enable="YES"
	natd2_interface="y.y.y.y"
	natd2_flags="-p natd2"

In /etc/rc.firewall:

	# EXTERNAL INTERFACE RULESET

	# Spoof protection.
	[...]

	# NAT.
	${fwcmd} add divert natd2 ip from ${inet} to ${isp2_net} out
	${fwcmd} add divert natd2 ip from any to y.y.y.y in
	${fwcmd} add deny ip from any to y.y.y.y in

	${fwcmd} add divert natd ip from ${inet} to any out
	${fwcmd} add divert natd ip from any to x.x.x.x in
	${fwcmd} add deny ip from any to x.x.x.x in


Cheers,
-- 
Ruslan Ermilov		Sysadmin and DBA,
ru@sunbay.com		Sunbay Software Ltd,
ru@FreeBSD.org		FreeBSD committer
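As an added example (not part of Ruslan's mail), here is a small Python model of the six divert/deny rules above, useful for checking which natd each packet class reaches and that an inbound packet with no NAT mapping ends at the "deny" rule rather than leaking through. It assumes ipfw resumes at the rule after the divert once natd re-injects a packet, and that natd passes an inbound packet it cannot translate through unchanged (its default without -deny_incoming); all addresses are constructed documentation values.

```python
from ipaddress import ip_address, ip_network

INET = ip_network("192.168.0.0/24")      # constructed: ${inet}, the LAN
ISP2_NET = ip_network("203.0.113.0/24")  # constructed: ${isp2_net}
X = ip_address("198.51.100.10")          # constructed: x.x.x.x (natd)
Y = ip_address("203.0.113.10")           # constructed: y.y.y.y (natd2)

# Simulated NAT state per natd process: public (addr, port) -> LAN host.
NAT_TABLE = {"natd": {(X, 40001): ip_address("192.168.0.5")},
             "natd2": {(Y, 40002): ip_address("192.168.0.6")}}

def natd(name, pkt):
    """Model of natd(8): outbound source becomes the public address; inbound
    destination is rewritten only if a mapping exists, else left unchanged."""
    pkt = dict(pkt)
    if pkt["dir"] == "out":
        pkt["src"] = Y if name == "natd2" else X
    else:
        pkt["dst"] = NAT_TABLE[name].get((pkt["dst"], pkt["dport"]), pkt["dst"])
    return pkt

# The six rules from the mail, in order: (action, divert target, matcher).
RULES = [
    ("divert", "natd2", lambda p: p["dir"] == "out" and p["src"] in INET and p["dst"] in ISP2_NET),
    ("divert", "natd2", lambda p: p["dir"] == "in" and p["dst"] == Y),
    ("deny",   None,    lambda p: p["dir"] == "in" and p["dst"] == Y),
    ("divert", "natd",  lambda p: p["dir"] == "out" and p["src"] in INET),
    ("divert", "natd",  lambda p: p["dir"] == "in" and p["dst"] == X),
    ("deny",   None,    lambda p: p["dir"] == "in" and p["dst"] == X),
]

def run(pkt):
    """Walk the rules; a diverted packet re-enters at the rule after the divert.
    Returns (verdict, diverted_to, packet) where verdict is 'deny' or 'pass'
    ('pass' meaning the later rc.firewall rules would now see the packet)."""
    diverted = None
    for action, target, match in RULES:
        if not match(pkt):
            continue
        if action == "deny":
            return ("deny", diverted, pkt)
        diverted, pkt = target, natd(target, pkt)
    return ("pass", diverted, pkt)

def packet(src, dst, dport, direction):
    """Build a minimal packet record for run()."""
    return {"src": ip_address(src), "dst": ip_address(dst), "dport": dport, "dir": direction}
```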
