From owner-freebsd-questions@FreeBSD.ORG Tue Aug 7 17:10:17 2007
Message-ID: <46B8A4E7.9080803@elischer.org>
Date: Tue, 07 Aug 2007 09:59:19 -0700
From: Julian Elischer
To: Narek Gharibyan
Cc: freebsd-questions@freebsd.org
Subject: Re: Policy - based Routing problem Need help

Narek Gharibyan wrote:
> Thank you very much,
>
> Relying on your help I reached success, but my rules differ from yours a little
> bit. My working rules are listed below:
>
> ipfw add fwd A all from ${inet1}:${imask1} to any out recv ${iif1}
> ipfw add fwd B all from ${inet}:${imask} to any out recv ${iif}

the following two rules shouldn't be needed if your routes are correct.

> ipfw add fwd G all from any to ${inet1}:${imask1} out via ${iif1}
> ipfw add fwd H all from any to ${inet}:${imask} out via ${iif}

I don't know what onet is..

> ipfw add fwd A all from ${onet1}:${omask1} to any out
> ipfw add fwd B all from ${onet}:${omask} to any out
> ipfw add fwd A all from ${inet1}:${imask1} to any out
> ipfw add fwd B all from ${inet}:${imask} to any out
>
>
> The only problem left is when someone (from provider A) tries to access the ftp
> server via B: it connects but doesn't do the "Get Directory" command. Ipfw doesn't
> matter, I checked. I think it is a specification of ftp-data port 20
> (connection opening problem). Can you describe to me how it takes place via port 20
> or find the wrong line in the ipfw fwd rules?

ftp is a problem as it negotiates new ports for data.
That is why people use Passive mode FTP. it doesn't do that.

>
> Best regards,
> Narek
>
>
> -----Original Message-----
> From: Julian Elischer [mailto:julian@elischer.org]
> Sent: Monday, July 30, 2007 2:02 AM
> To: Narek Gharibyan
> Subject: Re: Policy - based Routing problem Need help
>
> Narek Gharibyan wrote:
>> Yes, your written rules are correct. You think exactly
>> what I want to do. ALSO
>>
>> 1. Packets coming from ISP-B (B network) into C SHOULD go out only via xx0
>> (as they came)
>
> # make sure WE can talk to the back nets
> # and ourself
> ipfw add 1 allow ip from any to any via lo0
>
> ipfw add 2 allow ip from me to G
> ipfw add 3 allow ip from me to H
> # the next 2 rules are not actually needed as any packets
> # going to G and H will go the right way anyhow.
> # ipfw add 4 fwd (G) ip from any to G out recv xx0
> # ipfw add 5 fwd (H) ip from any to H out recv xx1
>
> # The next rules ARE needed.
> ipfw add 6 fwd (A) ip from G to any out recv yy0
> ipfw add 7 fwd (B) ip from H to any out recv yy1
> ipfw add 8 fwd (A) ip from (C) to any out
> ipfw add 9 fwd (B) ip from (D) to any out
>
>
>> 2. Packets coming from ISP-A (A network) into D SHOULD go out only via xx1
>> (as they came)
>>
>> In other words, packets should leave my network via the interface they
>> came in on.
>>
>> 3. Packets coming from E should go out via xx0
>> 4. Packets coming from F should go out via xx1
>>
>> Also I tried from inside to forward packets without a default gateway using
>> via A or B with the commands
>>
>> Ipfw add fwd A all from G to any xmit (or via) xx0
>>
>> and it didn't work. I've compiled my kernel with IPFIREWALL,
>> IPFIREWALL_FORWARD, and set net.inet.ip.forwarding=1 in sysctl.conf. Surely
>> I will try your configuration on Monday, but it seems ipfw fwd does no
>> forwarding at all. So how do I write the rules to reach results (1., 2., 3., 4.)?
>>
>> Regards,
>> Narek
>>
>> -----Original Message-----
>> From: Julian Elischer [mailto:julian@elischer.org]
>> Sent: Sunday, July 29, 2007 1:49 PM
>> To: Narek Gharibyan
>> Subject: Re: Policy - based Routing problem Need help
>>
>> Narek Gharibyan wrote:
>>> The right drawing is the one below
>>>
>>>                 _______            ___________
>>> -[ISP-A](A)----(C)[xx0   yy0](E)--(G)[NAT        ]
>>>                [ FBSD  ]           [  Windows   ](X)-----LAN
>>> -[ISP-B](B)----(D)[xx1   yy1](F)--(H)[NAT        ]
>>>                ~~~~~~~            ~~~~~~~~~~~
>>>
>>> We can't use only a FreeBSD box, we also need to use a Windows box, due to our
>>> company's policy. So your suggestion is not an option. I think we need a
>>> different solution.
>> ok.
>>
>> now that we have established the exact layout,
>> what is it exactly that you want to do?
>>
>> I gather that you want packets that come into D to go out of F
>> and packets that come in through C should go out via E
>>
>> this is achieved by:
>> ipfw add 1 fwd (G) ip from any to G out recv xx0
>> ipfw add 2 fwd (H) ip from any to H out recv xx1
>>
>> what else do you wish it to do?
>>
>>> Regards,
>>> Narek
>>>
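As an added illustration (not code from the thread or from FreeBSD), here is a small Python model of ipfw's first-match evaluation applied to Julian's rules 2-9, using constructed placeholder addresses for A/B/C/D/G/H, so the "leave by the ISP you arrived from" policy can be checked packet by packet before touching a live box:

```python
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder addresses for the hosts in the thread's diagram.
A, B = "203.0.113.1", "203.0.113.129"   # ISP-A and ISP-B next hops
C, D = "203.0.113.2", "203.0.113.130"   # the FreeBSD box's own addresses on xx0 / xx1
G, H = "192.0.2.1", "198.51.100.1"      # the two NAT boxes behind yy0 / yy1
ME = {C, D}                             # what ipfw's "me" expands to on this box

@dataclass
class Pkt:
    src: str
    dst: str
    recv: str = ""          # interface the packet came in on ("" = locally generated)

@dataclass
class Rule:
    num: int
    nexthop: Optional[str]  # None = "allow": hand the packet to the routing table
    src: str                # "any", "me" or one address
    dst: str = "any"
    recv: Optional[str] = None   # "out recv IF": only packets that arrived on IF

    def matches(self, p: Pkt) -> bool:
        src_ok = self.src == "any" or (self.src == "me" and p.src in ME) or self.src == p.src
        dst_ok = self.dst == "any" or self.dst == p.dst
        recv_ok = self.recv is None or self.recv == p.recv
        return src_ok and dst_ok and recv_ok

# Julian's rules 2-9 (rule 1 for lo0 and the commented-out 4/5 are left out).
RULES = [
    Rule(2, None, "me", dst=G),
    Rule(3, None, "me", dst=H),
    Rule(6, A, G, recv="yy0"),   # replies from the A-side NAT box leave via ISP-A
    Rule(7, B, H, recv="yy1"),   # replies from the B-side NAT box leave via ISP-B
    Rule(8, A, C),               # the box's own traffic sourced from C goes to ISP-A
    Rule(9, B, D),               # the box's own traffic sourced from D goes to ISP-B
]

def next_hop(p: Pkt, rules=RULES) -> str:
    """First matching rule wins, as ipfw evaluates; no match means normal routing."""
    for r in rules:
        if r.matches(p):
            return r.nexthop or "route-table"
    return "route-table"

def check_policy() -> bool:
    """Requirements 1-4 from the thread: traffic leaves by the ISP it belongs to."""
    return (next_hop(Pkt(G, "198.18.0.9", "yy0")) == A      # came in via yy0 -> ISP-A
            and next_hop(Pkt(H, "198.18.0.9", "yy1")) == B  # came in via yy1 -> ISP-B
            and next_hop(Pkt(C, "198.18.0.9")) == A         # our own, sourced from C
            and next_hop(Pkt(D, "198.18.0.9")) == B         # our own, sourced from D
            and next_hop(Pkt(C, G)) == "route-table")       # rule 2 wins over rule 8
```

A packet from the outside addressed to G or H matches no rule and falls through to the routing table, which is why the commented-out rules 4 and 5 are not needed.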