Date:      Mon, 6 Jul 2009 15:13:03 +0200
From:      Giuliano Gavazzi <>
To:        Kim Attree <>
Cc:        "" <>
Subject:   Re: Problem with source based policy routing
Message-ID:  <>
In-Reply-To: <>
References:  <>


On Mon 6 Jul 2009, at 10:36, Kim Attree wrote:

> Hey Guys,
> I'm having a problem with source-based policy routing in IPFW, I'm  
> trying to run a load-balanced SMTP System over two links.
> Primary link is re0, lets give it an ip of
> Secondary link is re1, with an ip of
> Default gateway for the box is (so ALL outgoing  
> traffic goes out of re0, unless hardcoded into the routing table for  
> destinations instead)
> Default gateway for re1 is
> I want re1 to be able to accept SMTP, but respond to the originating  
> IP over the same link re1 (instead of the default gateway).
> With this in mind, I setup my NAT accordingly:
> <snip>
> port 8669
> alias_address
> same_ports yes
> use_sockets yes
> log_ipfw_denied yes
> redirect_port tcp
> </snip>
> And the IPFW rules such:
> <snip>
> # NATD Statements
> add 00097 divert 8668 all from any to any via re0
> add 00097 divert 8669 all from any to any via re1

Why NAT? Unless you also want to spread outgoing traffic from internal  
hosts, presumably based on dest port or network, then NAT is of no use  
(except the one via re0 that is presumably used for internal hosts).  
Incoming packets don't need any rules as the gw knows  
how to reach your host, you only need to fwd (that is to route) your  
outgoing packets according to the source. I have a similar setup (with  
also 2 NATs because I do use both gateways also for natted hosts).

The fwd rule would be very early, just after the loopback rules,  
UNLESS you want to block outgoing traffic on some ports:

add 50 fwd src-ip not dst-ip

That should do it.

NOTE: if you also do NAT on that port (re1), then you need this also  
after the corresponding nat rule.
But I urge you to distinguish between necessarily natted traffic (that  
is traffic coming from internal hosts) and traffic coming from the  
host itself, by using an alias on the same subnet (say  
for the natted traffic. This way you avoid natting traffic that does  
not need it, and can easily distinguish between incoming traffic for  
your host ( and for natted hosts (
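The ruleset below is an added example, not code from either message in this thread; it puts the advice above (an early fwd for the host's own re1-sourced traffic, NAT only for internal hosts, a second fwd after the re1 divert, and a separate alias address for NATted traffic) into a script in the style of /etc/rc.firewall. The interface names re0/re1 and the natd ports 8668/8669 come from the thread; every address is a hypothetical one from the RFC 5737 documentation ranges, the internal LAN em0/10.0.0.0/24 is assumed, and the FWCMD override exists only so the rule list can be printed instead of loaded.

```sh
#!/bin/sh
# Added example (not from the original thread). Hypothetical layout:
#   re0 = 192.0.2.10/24,    default gateway 192.0.2.1   (primary link)
#   re1 = 198.51.100.10/24, gateway         198.51.100.1 (secondary link)
#   em0 = 10.0.0.1/24,      internal hosts whose traffic is NATted
# natd on port 8669 uses 198.51.100.11 (a second address on re1) as its
# alias_address, so traffic from the host itself (src .10) is never NATted
# and is easy to tell apart from NATted traffic (src .11).
fwcmd="${FWCMD:-/sbin/ipfw -q}"   # FWCMD=echo prints instead of loading

re0_ip=192.0.2.10
re1_ip=198.51.100.10
re1_net=198.51.100.0/24
re1_gw=198.51.100.1
re1_alias=198.51.100.11           # natd alias_address for the re1 NAT
lan=10.0.0.0/24

# Emit the rules, one per line, in the order they must be loaded.
build_rules() {
    # Loopback first, as /etc/rc.firewall does.
    echo "add 10 allow ip from any to any via lo0"
    echo "add 20 deny ip from any to 127.0.0.0/8"
    echo "add 30 deny ip from 127.0.0.0/8 to any"

    # The host's own replies sourced from re1's address must leave through
    # re1's gateway instead of the default route. This sits before any
    # divert so it never passes through natd.
    echo "add 50 fwd $re1_gw ip from $re1_ip to not $re1_net out"

    # NAT only the internal LAN, per interface. Outbound via re1 is
    # rewritten by natd 8669 to the alias address; inbound for the alias
    # is translated back.
    echo "add 97 divert 8668 ip from $lan to any out via re0"
    echo "add 97 divert 8668 ip from any to $re0_ip in via re0"
    echo "add 97 divert 8669 ip from $lan to any out via re1"
    echo "add 97 divert 8669 ip from any to $re1_alias in via re1"

    # After natd has rewritten the source to the alias, the packet re-enters
    # the ruleset here with src = alias, so the fwd has to be repeated after
    # the re1 divert rule for NATted traffic to follow re1's gateway too.
    echo "add 98 fwd $re1_gw ip from $re1_alias to not $re1_net out"

    # Everything else is allowed; tighten as needed (SMTP on re1 is
    # accepted by this rule).
    echo "add 65000 allow ip from any to any"
}

# Flush and load the rules with the configured ipfw command.
load_rules() {
    ${fwcmd} -f flush
    build_rules | while IFS= read -r rule; do
        # word splitting of $rule into ipfw arguments is intended
        ${fwcmd} $rule
    done
}

case "${1:-}" in
    load) load_rules ;;
esac
```

Run `FWCMD=echo sh rules.sh load` to see the ipfw commands without touching the firewall, and `sh rules.sh load` as root on the box itself. Two practical checks: the fwd rule for locally generated packets only takes effect when the kernel was built with `options IPFIREWALL_FORWARD` (it became standard in FreeBSD 9), and `ipfw show` after loading should list rule 50 before the 8669 divert and rule 98 after it, since the ordering is the whole point.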

