From: Nick Rogness
Date: Fri, 12 Apr 2002 16:09:13 -0500 (CDT)
To: "Artyom V. Viklenko"
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: policy-driven routing with ipfw

On Fri, 12 Apr 2002, Artyom V. Viklenko wrote:

> Hi! Help me, please.
>
> I have a FreeBSD 4.5-STABLE box with 3 NICs (NE2000 clones).
>
> First - ed0 - connected to the internal network with address, say,
> 192.168.1.1. Second - ed1 - connected to ISP #1 with IP 10.0.1.1.
> Third - ed2 - to ISP #2 with IP 10.0.2.1. OK.
>
> The default route is through ed1.
>
> Clients with IPs 192.168.1.1-192.168.1.127 should get access to the
> outside world via ed1, and the rest of the clients via ed2.
> OK.
>
> I have set up 'ipfw fwd' rules to point at the ISPs' router addresses,
> say 10.0.1.254 and 10.0.2.254 respectively:
>
> # ipfw add 1000 fwd 10.0.1.254 ip from 192.168.1.0/25 to not 192.168.1.0/24 in recv ed0
> # ipfw add 2000 fwd 10.0.2.254 ip from 192.168.1.128/25 to not 192.168.1.0/24 in recv ed0
>
> All ok at this point.
>
> The last wish is to use NAT on both outside interfaces to hide
>
> And I have set up two divert rules and natd daemons:
>
> # natd -p 2000 -interface ed1
> # natd -p 2001 -interface ed2
> # ipfw add 3000 divert 2000 ip from any to any via ed1
> # ipfw add 4000 divert 2001 ip from any to any via ed2
>
> But packets never pass to these rules. :(

What version are you running? It used to be that fwd only worked on
outbound connections. There was talk on the list that this behaviour
has changed.

There are several workarounds, one of which is a firewall like so:

# Catch packets leaving ed1 (default gateway), send them to
# ed2 gateway
100 fwd 10.0.2.254 ip from 192.168.1.128/25 to any out via ed1

# Normal default traffic natd
200 divert natd ip from any to any via ed1

# Natd for second interface
300 divert natd ip from any to any via ed2

# Allow for now
400 allow ip from any to any

> The ipfw(8) man page says that the search terminates on a matching fwd
> rule. But as I remember, an IP packet passes the ipfw rules twice. The
> first pass, IMHO, will change the next hop when entering the stack via
> ed0. And on the second pass, when the packet is leaving the machine via
> ed1(2), the packet should be diverted.
>
> Where is my mistake? What am I doing wrong?
>
> The kernel variable net.inet.ip.fw.one_pass does not affect this
> situation. That is only for pipes, isn't it?

Yes.

Nick Rogness
- Don't mind me...I'm just sniffing your packets
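The following script is an added example, not code from the thread or from FreeBSD itself: it installs the workaround ruleset Nick gives above as one rc-style shell script, with one natd instance per uplink and a dry-run mode so the generated commands can be inspected before they touch the box. Interface names (ed1, ed2), the ISP #2 gateway (10.0.2.254), the client split (192.168.1.128/25) and the natd divert ports (2000, 2001) are assumptions taken from Artyom's setup and can be overridden in the environment. Nick's listing writes `divert natd` for both rules; each natd process needs its own divert port, so the script keeps Artyom's two ports.

```shell
#!/bin/sh
# Added example, not from the thread: installs the two-ISP policy-routing
# ruleset with one natd per uplink. Interface names, the ISP #2 gateway,
# the client split and the natd ports are assumptions taken from the
# thread; override them in the environment. DRY_RUN=1 (the default) only
# prints the commands that would be run.
set -eu

ISP1_IF=${ISP1_IF:-ed1}              # default route leaves here
ISP2_IF=${ISP2_IF:-ed2}
ISP2_GW=${ISP2_GW:-10.0.2.254}       # next hop for the policy-routed clients
VIA_ISP2=${VIA_ISP2:-192.168.1.128/25}
NATD_PORT1=${NATD_PORT1:-2000}       # divert port of the natd on ISP1_IF
NATD_PORT2=${NATD_PORT2:-2001}       # divert port of the natd on ISP2_IF
DRY_RUN=${DRY_RUN:-1}

# Print the ruleset, one "ipfw add" argument list per line, in the order
# Nick gave it: fwd on the way out of the default interface first, then
# one divert per uplink, then a catch-all allow.
build_rules() {
    cat <<EOF
100 fwd $ISP2_GW ip from $VIA_ISP2 to any out via $ISP1_IF
200 divert $NATD_PORT1 ip from any to any via $ISP1_IF
300 divert $NATD_PORT2 ip from any to any via $ISP2_IF
400 allow ip from any to any
EOF
}

# Run a command, or echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Start both natd instances before loading the rules: a packet that hits
# a divert rule whose port has no listener is dropped by the kernel.
apply_rules() {
    run natd -p "$NATD_PORT1" -interface "$ISP1_IF"
    run natd -p "$NATD_PORT2" -interface "$ISP2_IF"
    run ipfw -q flush
    build_rules | while read -r rule; do
        # word splitting of $rule into ipfw arguments is intended here
        run ipfw -q add $rule
    done
}

apply_rules
```

Run it from the console rather than over the network, since `ipfw -q flush` removes whatever rules currently let you in. The kernel needs `options IPFIREWALL` and `options IPDIVERT`, and `net.inet.ip.forwarding` must be 1 for the box to route at all. Rule order matters: as the thread notes, the search stops at the first matching fwd rule, so the fwd comes before the divert rules.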