From owner-freebsd-questions@FreeBSD.ORG Tue Aug 7 16:08:29 2007
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0B16F16A418 for ; Tue, 7 Aug 2007 16:08:29 +0000 (UTC) (envelope-from ngharibyan@mail.ru)
Received: from mx27.mail.ru (mx27.mail.ru [194.67.23.64]) by mx1.freebsd.org (Postfix) with ESMTP id 946A213C458 for ; Tue, 7 Aug 2007 16:08:28 +0000 (UTC) (envelope-from ngharibyan@mail.ru)
Received: from [91.103.27.104] (port=50174 helo=sis2w001) by mx27.mail.ru with asmtp id 1IIRbe-000PLL-00; Tue, 07 Aug 2007 20:08:26 +0400
From: "Narek Gharibyan"
To: "'Julian Elischer'"
References: <017001c7cf86$daa2ad10$180ca8c0@arm.synisys.com> <46AAED33.1070307@elischer.org> <005901c7d101$9ab0f7d0$180ca8c0@arm.synisys.com> <46AB8AEA.5030409@elischer.org> <006601c7d147$18087880$180ca8c0@arm.synisys.com> <46AB9D65.4020409@elischer.org> <006701c7d1b6$e49ee4a0$180ca8c0@arm.synisys.com> <46AC5471.2090209@elischer.org> <006801c7d1e5$4cefac00$180ca8c0@arm.synisys.com> <46AD0058.3020107@elischer.org>
Date: Tue, 7 Aug 2007 21:08:23 +0500
Message-ID: <001701c7d90d$304d8f20$180ca8c0@arm.synisys.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
thread-index: AcfSI7Gtx41dbnIOQDeQMJ68jvt+VgG5840g
In-Reply-To: <46AD0058.3020107@elischer.org>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
Cc: freebsd-questions@freebsd.org
Subject: RE: Policy - based Routing problem Need help
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 07 Aug 2007 16:08:29 -0000

Thank you very much. Relying on your help I reached success, but my rules differ from yours a little bit.
My working rules are listed below:

ipfw add fwd A all from ${inet1}:${imask1} to any out recv ${iif1}
ipfw add fwd B all from ${inet}:${imask} to any out recv ${iif}
ipfw add fwd G all from any to ${inet1}:${imask1} out via ${iif1}
ipfw add fwd H all from any to ${inet}:${imask} out via ${iif}
ipfw add fwd A all from ${onet1}:${omask1} to any out
ipfw add fwd B all from ${onet}:${omask} to any out
ipfw add fwd A all from ${inet1}:${imask1} to any out
ipfw add fwd B all from ${inet}:${imask} to any out

The only remaining problem is when someone (from provider A) tries to access the ftp server via B: it connects, but doesn't do the "Get Directory" command. Ipfw doesn't matter, I checked. I think it is a specification of the ftp-data port 20 (connection opening problem). Can you describe to me how it takes place via port 20, or find the wrong line in the ipfw fwd rules?

Best regards,
Narek

-----Original Message-----
From: Julian Elischer [mailto:julian@elischer.org]
Sent: Monday, July 30, 2007 2:02 AM
To: Narek Gharibyan
Subject: Re: Policy - based Routing problem Need help

Narek Gharibyan wrote:
> Yes, your written rules are correct, you think exactly what I want to do.
> ALSO
>
> 1. Packets coming from ISP-B (B network) into C SHOULD go out only via xx0
> (as they came)

# make sure WE can talk to the back nets
# and ourself
ipfw add 1 allow ip from any to any via lo0
ipfw add 2 allow ip from me to G
ipfw add 3 allow ip from me to H
# the next 2 rules are not actually needed as any packets
# going to G and H will go the right way anyhow.
# ipfw add 4 fwd (G) ip from any to G out recv xx0
# ipfw add 5 fwd (H) ip from any to H out recv xx1
# The next rules ARE needed.
ipfw add 6 fwd (A) ip from G to any out recv yy0
ipfw add 7 fwd (B) ip from H to any out recv yy1
ipfw add 8 fwd (A) ip from (C) to any out
ipfw add 9 fwd (B) ip from (D) to any out

> 2.
> Packets coming from ISP-A (A network) into D should go out only via xx1
> (as they came)
>
> In other words, packets should leave my network via the interface they
> came in on.
>
> 3. Packets coming from E should go out via xx0
> 4. Packets coming from F should go out via xx1
>
> Also I tried from inside to forward packets without a default gateway, using via
> A or B with the commands
>
> ipfw add fwd A all from G to any xmit (or via) xx0
>
> and it didn't work. I've compiled my kernel with IPFIREWALL,
> IPFIREWALL_FORWARD, and set net.inet.ip.forwarding=1 in sysctl.conf. Surely
> I will try your configuration on Monday, but it seems ipfw fwd does no
> forwarding at all. So how do I write it to reach the results (1., 2., 3., 4.)?
>
> Regards,
> Narek
>
> -----Original Message-----
> From: Julian Elischer [mailto:julian@elischer.org]
> Sent: Sunday, July 29, 2007 1:49 PM
> To: Narek Gharibyan
> Subject: Re: Policy - based Routing problem Need help
>
> Narek Gharibyan wrote:
>> The right drawing is the one below
>>
>>                     _______         ___________
>>  -[ISP-A](A)----(C)[xx0 yy0](E)--(G)[NAT      ]
>>                    [ FBSD ]         [ Windows ](X)-----LAN
>>  -[ISP-B](B)----(D)[xx1 yy1](F)--(H)[NAT      ]
>>                     ~~~~~~~         ~~~~~~~~~~~
>>
>> We can't use only a FreeBSD box, we also need to use a Windows box, due to our
>> company's policy. So your suggestion is not an option. I think we need a
>> different solution.
>
> ok.
>
> now that we have established the exact layout,
> what is it exactly that you want to do?
>
> I gather that you want packets that come into D to go out of F
> and packets that come in through C should go out via E
>
> this is achieved by:
> ipfw add 1 fwd (G) ip from any to G out recv xx0
> ipfw add 2 fwd (H) ip from any to H out recv xx1
>
> what else do you wish it to do?
>
>> Regards,
>> Narek
>>
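Added example, not part of the thread: a small Python model of ipfw's first-match evaluation for the `fwd` rules Narek posted, used to trace an active-mode FTP session packet by packet. In active mode the client sends a PORT command on the control connection and the server then opens a second, server-initiated TCP connection from its port 20 to the address and port the client named, so that connection is a locally new flow from the inside, not a reply. The model only approximates ipfw (`out`, `recv`, `via` and rule order); all addresses, interface names and the sample traffic are assumptions standing in for the thread's `${inet}`, `${iif}`, A, B, G and H, and the NAT boxes and the FTP server itself are outside the model, so it does not claim to reproduce the reported failure.

```python
"""Toy model of ipfw first-match evaluation for the `fwd` rules in this thread.

Added example, not code from the thread. All addresses and interface names are
placeholders (assumptions) standing in for ${inet}, ${iif}, A, B, G, H; the real
values never appear on the page. Only `out`, `recv`, `via` and first-match
ordering are modelled, nothing else of ipfw.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Placeholder topology (assumed), following the drawing in the thread.
INET1, IIF1, G = "192.168.1.0/24", "yy0", "192.168.1.2"   # net behind Windows NAT box G
INET,  IIF,  H = "192.168.2.0/24", "yy1", "192.168.2.2"   # net behind Windows NAT box H
ONET1 = "203.0.113.0/29"       # ISP-A's link net on xx0 (address C lives here)
ONET  = "198.51.100.0/29"      # ISP-B's link net on xx1 (address D lives here)
A, B  = "203.0.113.1", "198.51.100.1"   # ISP-A and ISP-B gateways


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str               # "in" = entering the FreeBSD box, "out" = leaving it
    recv: Optional[str] = None   # interface it was received on (None if locally originated)
    xmit: Optional[str] = None   # interface it would leave on (only meaningful when "out")


@dataclass
class FwdRule:
    nexthop: str                 # the `fwd` target
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    recv: Optional[str] = None   # `recv IFACE`: matches the receiving interface only
    via: Optional[str] = None    # `via IFACE`: matches either the receiving or the sending interface

    def matches(self, p: Packet) -> bool:
        if p.direction != "out":                       # every rule in the thread says `out`
            return False
        if self.src != "any" and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.recv is not None and p.recv != self.recv:
            return False
        if self.via is not None and self.via not in (p.recv, p.xmit):
            return False
        return True


# Narek's working ruleset, in the order he listed it; first match wins as in ipfw.
RULES: List[FwdRule] = [
    FwdRule(A, INET1, "any", recv=IIF1),
    FwdRule(B, INET,  "any", recv=IIF),
    FwdRule(G, "any", INET1, via=IIF1),
    FwdRule(H, "any", INET,  via=IIF),
    FwdRule(A, ONET1, "any"),
    FwdRule(B, ONET,  "any"),
    FwdRule(A, INET1, "any"),
    FwdRule(B, INET,  "any"),
]


def next_hop(p: Packet, rules: List[FwdRule] = RULES) -> Optional[str]:
    """Next hop chosen by the first matching fwd rule, or None (ordinary routing)."""
    for r in rules:
        if r.matches(p):
            return r.nexthop
    return None


def active_ftp_trace(client: str = "192.0.2.55", server: str = "192.168.2.20") -> dict:
    """Constructed sample traffic: an active-mode FTP session between an outside
    client and a server behind H, as seen by the FreeBSD box. The client comes
    in on ISP-B's side (xx1); the box's default route is assumed to point at
    ISP-A, so without `fwd` replies would leave on xx0."""
    steps = {
        # control connection: client -> server:21 arrives from ISP-B, is forwarded to H
        "ctl_in":       Packet(client, server, 40000, 21, "in",  recv="xx1"),
        "ctl_fwd":      Packet(client, server, 40000, 21, "out", recv="xx1", xmit=IIF),
        # the server's reply comes back on yy1 and must be steered out via ISP-B
        "ctl_reply":    Packet(server, client, 21, 40000, "out", recv=IIF, xmit="xx0"),
        # after PORT the *server* opens the data connection from port 20 to the client
        "data_syn":     Packet(server, client, 20, 40001, "out", recv=IIF, xmit="xx0"),
        # the client's SYN/ACK for that data connection comes in from ISP-B again
        "data_ack_in":  Packet(client, server, 40001, 20, "in",  recv="xx1"),
        "data_ack_fwd": Packet(client, server, 40001, 20, "out", recv="xx1", xmit=IIF),
    }
    return {name: next_hop(p) for name, p in steps.items()}


if __name__ == "__main__":
    for name, hop in active_ftp_trace().items():
        print(f"{name:13s} -> {hop or 'default route'}")
```

Under this model the server-initiated port-20 SYN matches the same `fwd B ... out recv ${iif}` rule as the control-connection replies, because both are packets from `${inet}` received on `${iif}`; the two plain `fwd A|B ... out` rules at the end only come into play for packets that were not received on the expected inside interface. To reproduce the actual failure one would have to model the Windows NAT box in front of the server as well, which this example deliberately does not do.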