Date:      Tue, 06 Aug 2002 12:21:37 -0400
From:      "Matt Abraham" <mailing@novaconnect.net>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: "ipfw fwd" not working without static route?
Message-ID:  <web-47114@novaconnect.net>
In-Reply-To: <20020804012214.B1711@rfc-networks.ie>

> Crist did suggest an alternative with a ``dummy'' route. Perhaps
> more details (including interfaces, IP addresses, network addresses,
> subnets etc.) would allow us to look at the actual design of the
> network (which is where I feel the flaw is).
> 
> -- 

No problem. Here's a bit of the layout:


A----------C----------D----------E
           |          |
B----------|          |----------F

Description/IP Addresses:

A:PC - 172.17.1.2
B:PC - 172.17.1.5
C:Cisco Router - 192.168.200.250,172.17.1.250
D:PC (running ipfw) - 192.168.200.240,192.168.215.240
E:Gateway - 192.168.215.10, X.X.X.X (public address)
F:Gateway - 192.168.215.15, Y.Y.Y.Y (public address)

Machine D, the FreeBSD box, has interfaces rl0
(192.168.200.240) and vr0 (192.168.215.240).

Ultimately, I'd like traffic coming from machine A to be
routed to gateway E and traffic from machine B to be routed
to gateway F. I have policy-based routing configured on the
Cisco router that sends traffic from both of these machines
(A,B) to machine D. Right now, I've been focusing on getting
machine B to work, so all the configuration I'll list for
ipfw pertains predominantly to that machine. Here's what
I've got in ipfw:

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00620 fwd 192.168.215.10 ip from 172.17.2.10 to any in recv rl0
00625 fwd 192.168.215.10 ip from 172.17.2.10 to any out xmit vr0
00645 count ip from any to any in recv rl0
00650 fwd 192.168.215.15 log logamount 10000 ip from 172.17.1.5 to any in recv rl0
00652 allow log logamount 10000 ip from any to 192.168.215.15 out xmit vr0
00654 count ip from any to any out xmit rl0
00655 count ip from any to any out xmit vr0
00656 count ip from any to any in recv vr0
00725 deny ip from any to 255.255.255.255
10000 allow log logamount 10000 ip from any to any
65535 allow ip from any to any

There are currently two "fwd" directives... that's me trying
anything to make this work :) The "count" directives were a
way for me to track where traffic was going. Often, I'd see
this in the logs:

/kernel: ipfw: 650 Forward to 192.168.215.15 TCP 172.17.1.5:1057 216.136.204.21:80 in via rl0

But the count on packets leaving vr0 wouldn't increase.

I've included a default route on machine D:

Destination        Gateway            Flags    Refs      Use  Netif Expire
default            link#1             UCSc        1        0  vr0

Hopefully, this will be enough information to allow someone
to see what needs to be changed...

Matt Abraham
mailing@novaconnect.net

Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?web-47114>
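A pre-flight check for the kind of ruleset posted above, added here as an example; it is not code from the thread or from FreeBSD. ipfw(8) sends a packet matched by "fwd" to a non-local next hop using whatever route the local routing table has for that next-hop address, so the first thing to verify is that every fwd next hop is on a directly connected subnet of the box (or has a static route, which is the question in the subject line). The script takes the interface subnets from the topology in the message; the /24 prefix lengths are an assumption, since the message gives no netmasks. The sample ruleset contains the three fwd rules from the message plus two constructed rules (00660, 00670) that show the two failure verdicts: a next hop with no connected route, and a next hop whose connected interface disagrees with the rule's "out xmit" interface.

```shell
#!/bin/sh
# Pre-flight check for ipfw "fwd" next hops (added example, not from the thread).
# A non-local fwd next hop is reached via the local routing table, so a next hop
# on no connected subnet (and with no static route) can never be delivered.
# Interface subnets follow the message's topology; the /24s are an ASSUMPTION.

IFACES="rl0 192.168.200.0 24
vr0 192.168.215.0 24"

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    _oifs=$IFS; IFS=.
    set -- $1
    IFS=$_oifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP NETWORK PREFIXLEN -> true if IP lies inside NETWORK/PREFIXLEN
in_subnet() {
    _mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( $(ip2int "$1") & $_mask )) -eq $(( $(ip2int "$2") & $_mask )) ]
}

# nexthop_iface IP -> name of the directly connected interface covering IP,
# or "none" when no connected subnet does
nexthop_iface() {
    _found=$(echo "$IFACES" | while read -r _if _net _len; do
        if in_subnet "$1" "$_net" "$_len"; then echo "$_if"; break; fi
    done)
    echo "${_found:-none}"
}

# check_rules RULESET -> one line per fwd rule: "<rule#> <nexthop> <verdict>"
# Verdicts: ok:<iface>, no-connected-route, iface-mismatch:<connected>!=<xmit>
check_rules() {
    echo "$1" | while read -r _num _act _nh _rest; do
        [ "$_act" = fwd ] || continue
        _nh=${_nh%%,*}                      # drop an optional ",port" suffix
        _via=$(nexthop_iface "$_nh")
        case "$_rest" in                    # interface named by "out xmit", if any
            *"out xmit "*) _xmit=${_rest##*out xmit }; _xmit=${_xmit%% *} ;;
            *) _xmit="" ;;
        esac
        if [ "$_via" = none ]; then
            echo "$_num $_nh no-connected-route"
        elif [ -n "$_xmit" ] && [ "$_xmit" != "$_via" ]; then
            echo "$_num $_nh iface-mismatch:$_via!=$_xmit"
        else
            echo "$_num $_nh ok:$_via"
        fi
    done
}

# The three fwd rules from the message, plus two CONSTRUCTED rules (00660,
# 00670) that demonstrate the failure verdicts.
RULES="00620 fwd 192.168.215.10 ip from 172.17.2.10 to any in recv rl0
00625 fwd 192.168.215.10 ip from 172.17.2.10 to any out xmit vr0
00650 fwd 192.168.215.15 log logamount 10000 ip from 172.17.1.5 to any in recv rl0
00660 fwd 10.99.0.1 ip from 172.17.1.2 to any in recv rl0
00670 fwd 192.168.200.250 ip from any to any out xmit vr0"

check_rules "$RULES"
```

Under the /24 assumption all three next hops from the message resolve to vr0, so this check would pass for the posted ruleset; it rules out an unroutable next hop, it does not diagnose the missing vr0 counters. To run it against a live box, replace IFACES with the interface subnets from ifconfig and feed it the output of "ipfw list".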