From owner-freebsd-ipfw Tue Aug 6 9:24: 6 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EBBBF37B400 for ; Tue, 6 Aug 2002 09:24:02 -0700 (PDT)
Received: from novaconnect.net (ns.novaconnect.net [205.150.191.170]) by mx1.FreeBSD.org (Postfix) with ESMTP id EFC0043E6E for ; Tue, 6 Aug 2002 09:24:01 -0700 (PDT) (envelope-from mailing@novaconnect.net)
Received: from [192.168.100.21] (account ) by novaconnect.net (CommuniGate Pro WebUser 3.5b5) with HTTP id 47114 for ; Tue, 06 Aug 2002 12:21:37 -0400
From: "Matt Abraham"
Subject: Re: "ipfw fwd" not working without static route?
To: freebsd-ipfw@freebsd.org
X-Mailer: CommuniGate Pro Web Mailer v.3.5b5
Date: Tue, 06 Aug 2002 12:21:37 -0400
Message-ID:
In-Reply-To: <20020804012214.B1711@rfc-networks.ie>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

> Crist did suggest an alternative with a ``dummy'' route. Perhaps
> more details (including interfaces, IP addresses, network addresses,
> subnets etc.) would allow us to look at the actual design of the
> network (which is where I feel the flaw is).
>
> --

No problem. Here's a bit of the layout:

A----------C----------D----------E
           |          |
B----------|          |----------F

Description/IP Addresses:

A: PC - 172.17.1.2
B: PC - 172.17.1.5
C: Cisco Router - 192.168.200.250, 172.17.1.250
D: PC (running ipfw) - 192.168.200.240, 192.168.215.240
E: Gateway - 192.168.215.10, X.X.X.X (public address)
F: Gateway - 192.168.215.15, Y.Y.Y.Y (public address)

Machine D, the FreeBSD box, has interfaces rl0 (192.168.200.240) and vr0 (192.168.215.240).

Ultimately, I'd like traffic coming from machine A to be routed to gateway E and traffic from machine B to be routed to gateway F.

I have policy-based routing configured on the Cisco router that sends traffic from both of these machines (A, B) to machine D. Right now, I've been focusing on getting machine B to work, so all the configuration I'll list for ipfw pertains predominantly to that machine.

Here's what I've got in ipfw:

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00620 fwd 192.168.215.10 ip from 172.17.2.10 to any in recv rl0
00625 fwd 192.168.215.10 ip from 172.17.2.10 to any out xmit vr0
00645 count ip from any to any in recv rl0
00650 fwd 192.168.215.15 log logamount 10000 ip from 172.17.1.5 to any in recv rl0
00652 allow log logamount 10000 ip from any to 192.168.215.15 out xmit vr0
00654 count ip from any to any out xmit rl0
00655 count ip from any to any out xmit vr0
00656 count ip from any to any in recv vr0
00725 deny ip from any to 255.255.255.255
10000 allow log logamount 10000 ip from any to any
65535 allow ip from any to any

There are currently two "fwd" directives... that's me trying anything to make this work :)

The "count" directives were a way for me to track where traffic was going. Often, I'd see this in the logs:

/kernel: ipfw: 650 Forward to 192.168.215.15 TCP 172.17.1.5:1057 216.136.204.21:80 in via rl0

But the count on packets leaving vr0 wouldn't increase.

I've included a default route on machine D:

Destination        Gateway            Flags    Refs      Use  Netif Expire
default            link#1             UCSc        1        0    vr0

Hopefully, this will be enough information to allow someone to see what needs to be changed...

Matt Abraham
mailing@novaconnect.net

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
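A quick sanity check for rulesets like the one above, added here as an example and not part of the original post or of ipfw itself. ipfw(8) documents that a `fwd` next hop which is a local address redirects the packet to a local socket rather than forwarding it, and that a non-local next hop is reached "using the route as found in the local routing table", so the first thing to verify for each `fwd` rule is whether its next hop sits on a directly connected subnet of the box. The script below parses `ipfw list`-style lines (the posted rules are embedded as constructed sample input) and reports, per `fwd` rule, which interface covers the next hop. The interface table and the /24 masks on rl0 and vr0 are assumptions, since the post gives addresses but not prefix lengths; the names `check_fwd_rules`, `RULESET` and `IFACES` are this example's own.

```python
import ipaddress
import re

# Constructed sample: the fwd-relevant rules from the post, in `ipfw list` form.
RULESET = """\
00100 allow ip from any to any via lo0
00620 fwd 192.168.215.10 ip from 172.17.2.10 to any in recv rl0
00625 fwd 192.168.215.10 ip from 172.17.2.10 to any out xmit vr0
00650 fwd 192.168.215.15 log logamount 10000 ip from 172.17.1.5 to any in recv rl0
00652 allow log logamount 10000 ip from any to 192.168.215.15 out xmit vr0
65535 allow ip from any to any
"""

# Constructed: interface addresses of box D. The /24 prefix lengths are an
# assumption; the post only lists the host addresses.
IFACES = {
    "rl0": ipaddress.ip_interface("192.168.200.240/24"),
    "vr0": ipaddress.ip_interface("192.168.215.240/24"),
}

# Matches "NNNNN fwd HOP[,PORT] [log [logamount N]] PROTO from SRC to DST ..."
FWD_RE = re.compile(
    r"^(?P<num>\d+)\s+fwd\s+(?P<hop>\d+(?:\.\d+){3})(?:,(?P<port>\d+))?\s+"
    r"(?:log\s+(?:logamount\s+\d+\s+)?)?"
    r"(?P<proto>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?P<rest>.*)$"
)
# Direction and interface qualifier, e.g. "in recv rl0" or "out xmit vr0".
DIR_RE = re.compile(r"\b(in|out)\b(?:\s+(recv|xmit|via)\s+(\S+))?")


def check_fwd_rules(ruleset_text, ifaces):
    """Return one finding per fwd rule: next hop, covering interface, notes."""
    local_addrs = {i.ip for i in ifaces.values()}
    findings = []
    for line in ruleset_text.splitlines():
        m = FWD_RE.match(line.strip())
        if not m:
            continue  # not a fwd rule
        hop = ipaddress.ip_address(m["hop"])
        # First interface whose connected subnet contains the next hop.
        via = next((name for name, i in ifaces.items() if hop in i.network), None)
        d = DIR_RE.search(m["rest"])
        notes = []
        if hop in local_addrs:
            notes.append("next hop is a local address: ipfw delivers to a local "
                         "socket instead of forwarding the packet")
        elif via is None:
            notes.append("next hop is not on a directly connected subnet: the "
                         "kernel must find a route to it in the routing table")
        elif d and d.group(1) == "in" and d.group(3) == via:
            notes.append(f"next hop is on the ingress interface {via}: the packet "
                         f"leaves the way it came in")
        findings.append({
            "rule": int(m["num"]),
            "next_hop": str(hop),
            "port": m["port"],
            "via": via,
            "direction": d.group(1) if d else None,
            "notes": notes,
        })
    return findings


if __name__ == "__main__":
    for f in check_fwd_rules(RULESET, IFACES):
        status = f"via {f['via']}" if f["via"] else "NO connected interface"
        print(f"rule {f['rule']:5d}: fwd {f['next_hop']} -> {status}")
        for note in f["notes"]:
            print(f"    note: {note}")
```

For the posted ruleset both next hops (192.168.215.10 and 192.168.215.15) fall inside vr0's subnet, so the check reports them as directly reachable and the next place to look is outside the ruleset: on the FreeBSD 4.x kernels of this era the `fwd` action also needs the kernel built with `options IPFIREWALL_FORWARD`, and a default route of the form `link#1` with no gateway address is worth re-examining as well.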