Date: Sat, 5 Oct 2002 09:50:00 -0700
From: Darcy Buskermolen <darcy@wavefire.com>
To: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Policy routing using IPFW for multiple ISP's
Message-ID: <200210050950.00061.darcy@wavefire.com>
In-Reply-To: <20020829194300.GB17576@blossom.cjclark.org>
References: <20020827215445.GA8419@blossom.cjclark.org> <20020827180538.K34809-100000@skywalker.rogness.net> <20020829194300.GB17576@blossom.cjclark.org>
> > > > 	Um, I believe he is running nat on rl0 (his DSL). As the packet
> > > > 	leaves rl0 it will be assigned the SRC IP of rl0.
> > >
> > > That's the problem, it won't. When the packet hit the 'fwd' rule above,
> > > it is accepted by the firewall and queued up on rl0. It doesn't
> > > continue through or start again through the rules with the new
> > > interface.
> >
> > Did this change? I swear this used to work at one time.
> > Either way he can still use:
> >
> > fwd 199.185.xx.xx tcp from any to 66.25.xx.0/24 80 out recv fxp0 xmit
> > ed0
> >
> > I believe that should work.
>
> This made me think. I don't think this used to work, but you should be
> able to do this now.
>
> In the past, you could only 'fwd' outgoing packets. That won't work
> here since once the packets hit the 'fwd' they are out of the firewall
> rules, out the specified interface, and on the wire before they can
> ever be processed by a natd(8) handling packets crossing the other
> interface.
>
> But now that we can use 'fwd' on incoming packets, you should be able
> to do this. However, you'd need to change the above rule to,
>
> fwd 199.185.xx.xx tcp from any to 66.25.xx.0/24 80 in via fxp0
>
> Now, the packets are routed out the other interface _AND_ go through
> the ipfw(8) rules on that interface. That means that they will go to
> the natd(8) watching the other interface.
I just tried this nearly exact configuration, and I see packets heading out
the external interface with a source address of private IP space.

wb0 = DSL
ed0 = Cable
wb1 = Internal net

00101 fwd ip.of.dsl.gateway tcp from any to ip.of.test.host 80 in recv wb1
00998 divert 8668 ip from any to any via wb0
00999 divert 8669 ip from any to any via ed0

A tcpdump on wb0 shows the following:

09:44:51.005399 192.168.1.59.4348 > ip.of.test.host.http: S 902332116:902332116(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
09:44:53.919608 192.168.1.49.4348 > ip.of.test.host.http: S 902332116:902332116(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
09:44:59.938801 192.168.1.59.4348 > ip.of.test.host.http: S 902332116:902332116(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)

natd is properly configured, because if I remove the fwd rule and just apply
a:

route add ip.of.test.host ip.of.dsl.gateway

packets get sent back and forth as they should (however this way isn't a port
based routing). Hopefully this information will help.

-- 
Darcy Buskermolen
Wavefire Technologies Corp.
ph: 250.717.0200
fx: 250.763.1759
http://www.wavefire.com
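A defender's check for the symptom reported above (packets with a private source address leaving the external interface, i.e. traffic that bypassed natd): this is an added Python example, not code from the original post or from FreeBSD. The tcpdump lines are constructed after the ones in the message; ip.of.test.host is a placeholder as in the post, and 203.0.113.7 is a made-up public address added for contrast.

```python
import ipaddress
import re

# RFC 1918 space, which must never be the source of a packet leaving a
# NAT gateway's external interface.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample modelled on the tcpdump lines in the message above
# (ip.of.test.host is a placeholder, as in the post; the third line is a
# correctly NATed packet added for contrast).
SAMPLE_TCPDUMP = """\
09:44:51.005399 192.168.1.59.4348 > ip.of.test.host.http: S 902332116:902332116(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
09:44:53.919608 192.168.1.49.4348 > ip.of.test.host.http: S 902332116:902332116(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
09:45:02.000000 203.0.113.7.4349 > ip.of.test.host.http: S 1:1(0) win 64240 (DF)
"""

# tcpdump's "<time> <src>.<port> > <dst>.<port>:" prefix; src may be an address or a name.
_LINE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):")
_IPPORT = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<port>\d+)$")

def split_ip_port(token):
    """'192.168.1.59.4348' -> ('192.168.1.59', 4348); names give (None, None)."""
    m = _IPPORT.match(token)
    if not m:
        return None, None
    return m.group("ip"), int(m.group("port"))

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def find_unnatted(text):
    """Return one dict per packet whose source is RFC 1918 space: on the
    external interface each one is a packet that bypassed natd."""
    hits = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        src_ip, src_port = split_ip_port(m.group("src"))
        if src_ip is not None and is_rfc1918(src_ip):
            hits.append({"ts": m.group("ts"), "src": src_ip,
                         "sport": src_port, "dst": m.group("dst")})
    return hits

if __name__ == "__main__":
    for h in find_unnatted(SAMPLE_TCPDUMP):
        print(f"{h['ts']} {h['src']}:{h['sport']} -> {h['dst']} left the external interface unNATed")
```

Feed it `tcpdump -n -i wb0` output (or a saved capture printed by tcpdump) on the gateway; with the ruleset in the post it reports the two 192.168.1.x lines, and a correctly ordered ruleset yields no hits.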