Date: Fri, 21 Nov 2003 19:09:13 -0500 (EST)
From: Mathieu Vaillancourt <math@degaspe.orco.ca>
To: freebsd-ipfw@FreeBSD.ORG
Subject: Re: problem with fwd rule
Message-ID: <Pine.BSF.4.21.0311211831280.15074-100000@degaspe.orco.ca>
I finally solved my problem, thanks to all who wrote me. I thought I could write back what I did because I saw there were others trying to do policy routing based on the source of the traffic, to share two different ISPs.

First I compiled ipfw with the forwarding options and I created aliases for most of my public IPs in rc.conf. The default route is set to ISP1 (the main ISP).

I created two different /etc/natd.conf, one for the main ISP:

/etc/natd.conf.ISP1
----------------------------------------
port 8668
interface rl0
...
redirect_address internal_ip_a public_ip_a
redirect_address ....
----------------------------------------

and one for the second ISP:

/etc/natd.conf.ISP2
----------------------------------------
in_port 8669
out_port 8670
interface rl1
...
redirect_address internal_ip_b public_ip_b
redirect_address ....
----------------------------------------

I created a custom rc.firewall file:

----------------------------------------
#start natd
/sbin/natd -f /etc/natd.conf.ISP1
/sbin/natd -f /etc/natd.conf.ISP2

#local loopback
...

#basic security
...

#allow internal traffic
pass all from internal_subnet to internal_subnet via internal_interface

#allow external services
pass all from any to public_ip_service via external_ispx_interface
...

#external redirections
divert 8670 all from me to any via isp2_interface
divert 8669 all from any to me via isp2_interface
divert 8668 all from any to any via isp1_interface

#internal redirections
divert 8670 all from internal_ip_x to any in recv internal_interface

#internal redirections to ISP1 (main ISP)
pass all from not internal_ip_x to any in recv internal_interface

#internal redirections to ISP2
fwd isp2_gateway all from any to any in recv internal_interface

#for testing
pass all from any to any
------------------------------------

The trick was to catch the packet in the divert before the fwd rule happens, and to use the in_port and out_port options of natd, so when natd receives a packet on the internal interface it believes that it is going out instead of in.

There are probably other solutions and better ones; if you have suggestions to improve this, I'll be happy to hear them.

Thanks,
math
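As an added example (not the poster's own rc.firewall), here is the same two-ISP layout written as a numbered ipfw rule set generated from variables, with a self-check that the divert for the ISP2 host sits ahead of the fwd rule. It places the pass rule for the other LAN hosts before that divert, so a packet re-entering the rule set after the divert (ipfw resumes at the rule following the divert) falls straight through to the fwd. All interface names, addresses and the rule numbers are assumed placeholders; the natd ports are the ones from the message.

```shell
#!/bin/sh
# Added example, not the original poster's script. Interfaces, addresses and
# rule numbers below are constructed placeholders; adjust them to your hosts.
# By default the ipfw commands are only printed; set IPFW=ipfw to install them.
IPFW="${IPFW:-echo ipfw}"

isp1_if="rl0"             # main ISP, the default route points here
isp2_if="rl1"             # second ISP, reached through $isp2_gw
isp2_gw="203.0.113.1"     # constructed (RFC 5737 documentation address)
int_if="rl2"
int_net="192.168.1.0/24"
isp2_host="192.168.1.50"  # the internal host whose traffic must leave via ISP2
natd1_port=8668           # natd -f /etc/natd.conf.ISP1 (port 8668)
natd2_in=8669             # natd -f /etc/natd.conf.ISP2 (in_port / out_port)
natd2_out=8670

fw() { $IPFW add "$@"; }

build_ruleset() {
    $IPFW -q flush
    fw 100 pass all from any to any via lo0
    fw 110 deny all from any to 127.0.0.0/8
    fw 200 pass all from "$int_net" to "$int_net" via "$int_if"
    # external sides: one natd instance per ISP interface
    fw 300 divert "$natd2_out" all from me to any via "$isp2_if"
    fw 310 divert "$natd2_in" all from any to me via "$isp2_if"
    fw 320 divert "$natd1_port" all from any to any via "$isp1_if"
    # LAN side: everything except $isp2_host follows the default route (ISP1)
    fw 400 pass all from not "$isp2_host" to any in recv "$int_if"
    # the trick: hand $isp2_host's packets to natd's out_port while they are
    # still inbound on the LAN interface, so they carry ISP2's public address
    # when they re-enter the rule set and reach the fwd below
    fw 410 divert "$natd2_out" all from "$isp2_host" to any in recv "$int_if"
    fw 420 fwd "$isp2_gw" all from any to any in recv "$int_if"
    fw 65000 deny log all from any to any
}

# sanity check on the printed rule set (dry-run mode): the divert for
# $isp2_host must carry a lower number than the fwd, or natd never sees it
rule_num() { build_ruleset | awk -v pat="$1" '$0 ~ pat { print $3; exit }'; }
divert_before_fwd() {
    d=$(rule_num "divert $natd2_out all from $isp2_host")
    f=$(rule_num "fwd $isp2_gw")
    [ -n "$d" ] && [ -n "$f" ] && [ "$d" -lt "$f" ]
}
```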