From owner-freebsd-questions@FreeBSD.ORG Mon Dec 15 07:57:49 2003
Date: Mon, 15 Dec 2003 09:57:44 -0600
From: Tillman Hodgson
To: freebsd-questions@freebsd.org
Message-ID: <20031215155744.GW64340@seekingfire.com>
References: <20031214233809.GS64340@seekingfire.com> <20031215004603.GT64340@seekingfire.com> <198144994821.20031215072521@vkt.lt>
In-Reply-To: <198144994821.20031215072521@vkt.lt>
Subject: Re: ipnat+ipfw + 3 gateways
List-Id: User questions

On Mon, Dec 15, 2003 at 07:25:21AM -0800, hugle wrote:
> now about this script.

Let's reduce this to pseudo code to simplify the discussion:

    map vlan0 from 192.168.0.0/16 ! to 192.168.0.0/16 (some ports) -> (gw2)
    map fxp0 from 192.168.0.0/16 ! to 192.168.0.0/16 (other ports) -> (gw1)
    map rl1 from 192.168.0.0/16 ! to 192.168.0.0/16 -> (gw3)

> in MY opinion these rules should WORK. but as it seems, they don't

I assume that vlan0, fxp0 and rl1 are your *external* NICs?

I'll show what I have set up for comparison. I have two Internet gateways and I do some source-routing by destination (not by port, as you are trying to do). I'll leave out the IPFW traffic shaping for simplicity. My ruleset is getting fairly complex these days ;-)

A bit of background: I bring in a /25 subnet across an OpenVPN tunnel (where I run zebra/quagga OSPF routing ... some details at http://www.rospa.ca/projects/). In order for me to use these additional IPs on my internal network, I need to ensure that my gateway source-routes them ('fwd' in IPFW parlance) to my tunnel-peer, as my regular default gateway would packet filter them out (a surprisingly sane policy for an ISP *grin*).

Key for the lines that follow:

* rl1 is my external NIC for the primary Internet gateway
* rl2 is my external NIC for the secondary Internet gateway
* tun6 is the tunnel that I bring a source-routed /25 in on

Here's the relevant part of my /etc/ipnat.rules. Note that I've obscured external IPs by replacing them with a descriptive tag in ()'s:

    ### TCP/UDP
    # Note that maps to rl2 only work because I have static routes that
    # would route traffic for those particular destinations to the
    # secondary gateway in any case ... the mapping just forces the correct
    # source IP address to be used.
    # ... specific destination #1
    map rl2 from 192.168.23.0/24 to (net destination #1)/24 -> rl2/32
    # ... specific destination #2
    map rl2 from 192.168.23.0/24 to (net destination #2)/24 -> rl2/32
    # ... specific destination #3
    map rl2 from 192.168.23.0/24 to (host destination #3)/32 -> rl2/32
    # Map all regular traffic out the primary Internet connection
    map rl1 192.168.23.0/24 -> rl1/32 portmap tcp/udp 48000:50000

    ### ICMP and other (on the primary internet connection)
    map rl1 192.168.23.0/24 -> rl1/32

I set the static routes via rc.conf, a simplified version of which is:

    ### Routes
    defaultrouter="(primary gateway)"
    static_routes="destination1 destination2 destination3"
    route_destination1="(net destination #1)/24 (secondary gateway)"
    route_destination2="(net destination #2)/24 (secondary gateway)"
    route_destination3="(host destination #3)/32 (secondary gateway)"

And here's the relevant part of my /etc/ipf.rules:

    # Respond to traffic sent to the /25 via tun6
    # Note that the "on 'interface'" has to be the one with my default route
    # Note that I use a !/16 instead of a /24 as I have more than one
    # internal class C (the meta-network)
    pass out quick on rl1 to tun6 from (obscured)/25 to !192.168.0.0/16

    # Respond to traffic sent to my secondary connection via the same IP
    pass out quick on rl1 to rl2 from (obscured)/32 to any

-T

--
To imagine a human world without ethics, but in which life goes well, it is necessary to suppose a golden age: a world without competition, or causes of strife, or clashing desires, or envy or malice.
- Simon Blackburn (Ruling Passions)
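As an added illustration (not part of this message, and not IPFilter code), here is a small Python model of the interplay the reply describes: the routing table picks the egress NIC, and only the ipnat map rules bound to that NIC are then consulted, in file order, to rewrite the source address. The NIC names follow the mail; the route targets (RFC 5737 documentation ranges) and the "rl1-ext"/"rl2-ext" placeholders for the obscured external addresses are constructed.

```python
"""Constructed model (not IPFilter code) of how static routes pick an egress
NIC and how ipnat 'map' rules on that NIC then rewrite the source address."""
import ipaddress

# Constructed routing table: (destination network, egress NIC). The kernel
# picks the longest matching prefix; 0.0.0.0/0 stands for defaultrouter.
ROUTES = [
    ("0.0.0.0/0", "rl1"),           # primary gateway
    ("203.0.113.0/24", "rl2"),      # route_destination1 -> secondary gateway
    ("198.51.100.7/32", "rl2"),     # route_destination3 -> secondary gateway
]

# Constructed ipnat map rules in file order; for map rules the first match
# wins. Fields: (NIC, source net, destination net, new source, protocols).
# 'rl1-ext'/'rl2-ext' are placeholders for the obscured external addresses;
# protocols=None means any protocol, {"tcp","udp"} models 'portmap tcp/udp'.
NAT_RULES = [
    ("rl2", "192.168.23.0/24", "203.0.113.0/24", "rl2-ext", None),
    ("rl2", "192.168.23.0/24", "198.51.100.7/32", "rl2-ext", None),
    ("rl1", "192.168.23.0/24", "0.0.0.0/0", "rl1-ext", {"tcp", "udp"}),
    ("rl1", "192.168.23.0/24", "0.0.0.0/0", "rl1-ext", None),   # ICMP and other
]


def egress_interface(dst, routes=ROUTES):
    """Longest-prefix match: the routing table, not NAT, picks the NIC."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, nic in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0]):
            best = (network.prefixlen, nic)
    return best[1] if best else None


def nat_source(src, dst, proto, routes=ROUTES, rules=NAT_RULES):
    """Return (egress NIC, rewritten source or None) for one outbound packet."""
    nic = egress_interface(dst, routes)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_nic, src_net, dst_net, new_src, protos in rules:
        if rule_nic != nic:
            continue        # a map rule only applies on the NIC it names
        if (s not in ipaddress.ip_network(src_net)
                or d not in ipaddress.ip_network(dst_net)):
            continue
        if protos is not None and proto not in protos:
            continue        # 'portmap tcp/udp' rules never match ICMP
        return nic, new_src
    return nic, None        # unmapped: the RFC 1918 source would hit the wire
```

Calling nat_source with a routing table that lacks the rl2 static routes shows why the rl2 maps alone are not enough: the packet leaves on rl1 and only the rl1 rules are ever evaluated.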