Date:      Sat, 28 Jan 2017 13:58:01 +0100
From:      Rakor <>
Subject:   How to use IPFW to filter routing
Message-ID:  <>

Hi there,

I have a router from my ISP giving me a connection to the internet and
SIP. Behind it I have a FreeBSD box which should route and separate my
The setup is like this:

           +------------+                  +------------+          +------------+   VLAN1
           | ISP-Router |                  | BSD-Router |  Trunk   | L2-SWITCH  |-----------
Internet---|            |------------------|            |----------| VLANS      |   VLAN2
           |            |            igb2  |   IPFW     | igb0     |            |
           +------------+                  +------------+          +------------+   VLAN3

I can route my VLANs to the Internet and I can route traffic from one
VLAN to another VLAN, all without using IPFW. But I don't know how to
set up my IPFW. Let's say VLAN1 is allowed to communicate with VLAN2 and
with the internet. VLAN3 is allowed to communicate only with the
As far as I know a packet is scanned once by IPFW and then first hit
wins. So, if I set the following, a packet coming from VLAN3 for port 80
is permitted to travel any way it wants, even to VLAN2. Putting another
rule behind it, just allowing it to travel out using igb2, is not checked,
because the search terminated after the first hit.
	ipfw add allow tcp from any to any 80 setup keep-state

If I try the following, the packets are all rejected. I think the
inspection is done before the routing, so IPFW does not know it should
be forwarded using igb2.
	ipfw add allow tcp from any to any 80 out via igb2 setup

So I don't know how to filter packets that should be routed in an
exact manner. Can you help me?
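
Added example (not from the original post and not FreeBSD's own code): a sh script that generates and loads an ipfw ruleset which decides forwarded traffic on the inbound pass by the VLAN interface a packet was received on ("in recv vlanN") with keep-state, so the first match is made where the source VLAN is already known and no egress-interface rule is needed. The interface names vlan1..vlan3, the subnets, and the VLAN2 and VLAN3 policies are constructed assumptions, not details from the post.

```shell
#!/bin/sh
# Added example (not part of the original post): load an ipfw ruleset that
# enforces per-VLAN policy by matching the interface a packet was RECEIVED on,
# on the inbound pass, instead of the egress interface after routing.
# Constructed assumptions: vlan1/vlan2/vlan3 are on igb0 with subnets
# 10.1.0.0/24, 10.2.0.0/24, 10.3.0.0/24; igb2 faces the ISP router.
set -eu

IPFW="${IPFW:-ipfw}"   # IPFW=echo prints the commands instead of loading them
VLAN1_NET=10.1.0.0/24
VLAN2_NET=10.2.0.0/24
VLAN3_NET=10.3.0.0/24
LAN_NETS="$VLAN1_NET,$VLAN2_NET,$VLAN3_NET"

# Print the ruleset, one ipfw argument list per line. Forwarded traffic is
# decided on the inbound pass ("in recv vlanN") where first match wins;
# keep-state records the flow so the outbound pass and the replies are
# accepted by check-state without any "out via igb2" rule.
gen_rules() {
    echo "add 100 check-state"
    echo "add 110 allow ip from any to any via lo0"
    # VLAN1: VLAN2 and the Internet. The deny for the other LAN subnets must
    # come BEFORE "to any", because "any" also matches VLAN3.
    echo "add 200 allow ip from $VLAN1_NET to $VLAN2_NET in recv vlan1 keep-state"
    echo "add 210 deny ip from $VLAN1_NET to $LAN_NETS in recv vlan1"
    echo "add 220 allow ip from $VLAN1_NET to any in recv vlan1 keep-state"
    # VLAN2: only VLAN1 may be reached (assumption: "communicate with" is mutual).
    echo "add 300 allow ip from $VLAN2_NET to $VLAN1_NET in recv vlan2 keep-state"
    # VLAN3: nothing on the LAN, then HTTP to the outside only (assumption).
    echo "add 400 deny ip from $VLAN3_NET to $LAN_NETS in recv vlan3"
    echo "add 410 allow tcp from $VLAN3_NET to any 80 in recv vlan3 setup keep-state"
    # Everything else that is forwarded is dropped and logged.
    echo "add 65000 deny log ip from any to any"
}

# Flush the ruleset and load every generated rule through ipfw(8).
apply_rules() {
    "$IPFW" -q -f flush
    gen_rules | while read -r rule; do
        "$IPFW" -q $rule   # word-splitting into ipfw arguments is intended
    done
}

# Number of the first rule that names an ingress interface; used to confirm
# that the deny for that VLAN precedes its allow (first match wins).
first_rule_for() {
    gen_rules | awk -v ifc="$1" '$0 ~ ("recv " ifc "( |$)") { print $2; exit }'
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it as `sh rules.sh apply` on the router, or with `IPFW=echo sh rules.sh apply` to review the exact ipfw commands first.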

