From owner-freebsd-ipfw@FreeBSD.ORG  Tue Apr  8 15:03:17 2008
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B502110656D2
	for <freebsd-ipfw@freebsd.org>; Tue,  8 Apr 2008 15:03:17 +0000 (UTC)
	(envelope-from jmok@attglobal.net)
Received: from eoemailadmin.pacific.net.hk (eoemailadmin.pacific.net.hk
	[202.14.67.94]) by mx1.freebsd.org (Postfix) with ESMTP id 4C3CA8FC13
	for <freebsd-ipfw@freebsd.org>; Tue,  8 Apr 2008 15:03:17 +0000 (UTC)
	(envelope-from jmok@attglobal.net)
Received: from hanghau.pacific.net.hk (hanghau.pacific.net.hk [202.64.33.147])
	by eoemailadmin.pacific.net.hk with ESMTP
	id m38ETDkp018303 for <freebsd-ipfw@freebsd.org>;
	Tue, 8 Apr 2008 22:29:14 +0800
Received: from [192.168.16.50] ([210.17.159.154])
	by hanghau.pacific.net.hk with ESMTP
	id m38ETBRL018345 for <freebsd-ipfw@freebsd.org>;
	Tue, 8 Apr 2008 22:29:11 +0800
Message-ID: <47FB8135.1040300@attglobal.net>
Date: Tue, 08 Apr 2008 22:29:09 +0800
From: John Mok <jmok@attglobal.net>
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
MIME-Version: 1.0
To: freebsd-ipfw@freebsd.org
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Multihome policy routing
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Apr 2008 15:03:17 -0000

Hi,

I tried to setup a FTP server running on FreeBSD 4.11 as follows :-

     (DMZ subnet)
           61.1.1.1/27
---------------- Firewall ---------- Internet
|                    |10.144.1.1/24
|                    |(Intranet)
|                    |
|61.1.1.3/27 em1     | 10.144.1.254
FTP server -----------------router
       10.144.1.10/24 em0

The following routing and ipfw rules are added on the FTP server :-

#route add default 61.1.1.1
#ipfw add 101 fwd 10.144.1.254 ip from 10.144.1.10 to any
#ipfw add 201 fwd 61.1.1.1 ip from 61.1.1.3 to any

When I tried to connect from a host (e.g. 10.144.1.10) to the DMZ 
interface 61.1.1.3 of the FTP server via the gateway 10.144.1.1, it 
failed. However, I shut down the interface 10.144.1.10, then it 
succeeded. The routing was NOT symmetric.

My question is when FreeBSD can setup two routing tables and do 
something like Linux as follows :-

ip route add default nexthop via 61.1.1.1 dev em1 table T1
ip route add default nexthop via 10.144.1.254 dev em0 table T2

ip route add 0/0 dev em1 table T1
ip route add 0/0 dev em0 table T2

Thus, the symmetric routing is maintained, when a host (e.g. 
10.144.1.10) connects to 61.1.1.3 via 10.144.1.1.


Thanks a lot.

John Mok