From: "Eric W. Bates" <ericx@vineyard.net>
To: freebsd-net@freebsd.org
Date: Mon, 08 Dec 2008 15:57:35 -0500
Subject: ipfw policy routing esp
Message-ID: <493D8A3F.6040502@vineyard.net>
List-Id: Networking and TCP/IP with FreeBSD

We have a bewildering problem attempting to policy route esp traffic.

We have 2 upstream internet sources: a routable T1 and a cable modem. The cable modem provides better bandwidth so while we default to the T1, we use policy routing to send some of our traffic out the cable modem.

In particular we use the cable modem for all the port 80 traffic via squid. squid's source IP is the one belonging to the cable network and we have the following ipfw rule for the policy route:

    ${fwcmd} add 64902 fwd ${cable_gw} ip from ${net_wan3_local} to any

cable_gw is the cable company's router. net_wan3_local is the cable company's IP on our external interface.

This works great for all port 80 tcp traffic.

To this we added some IPSec. Racoon is hanging off the same ${net_wan3_local} and the udp port 500 traffic passes in and out through the cable interface as we hoped.

The bewildering part is that while the esp traffic can demonstrably be seen to be hitting the policy route rule, those packets continue to pass out the default route to the T1 rather than being forwarded to the cable router as we want.

Any thoughts? Is this a known problem?

Thank you for your time.

-- 
Eric W. Bates
ericx@vineyard.net
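A diagnostic that follows from the report above, added here as an example and not part of Eric's post: a `count esp ...` probe rule placed just ahead of the `fwd` rule, plus a diff of two `ipfw -a list` snapshots, shows whether the ESP packets really match the policy-route rule. The snapshots below are constructed, with 203.0.113.10 standing in for ${net_wan3_local} and 203.0.113.1 for ${cable_gw}; the column layout assumed (rule number, packets, bytes, rule body) is that of `ipfw -a list`.

```python
import re

# Constructed `ipfw -a list` snapshots taken before and after pushing traffic
# through the IPsec tunnel. Rule 64901 is the probe; 64902 is the fwd rule
# from the post; 65000 is the catch-all. Not real output from any host.
BEFORE = """\
64901      0        0 count esp from 203.0.113.10 to any
64902   1520   912000 fwd 203.0.113.1 ip from 203.0.113.10 to any
65000  88231 60121943 allow ip from any to any
"""
AFTER = """\
64901     42     6384 count esp from 203.0.113.10 to any
64902   1562   918384 fwd 203.0.113.1 ip from 203.0.113.10 to any
65000  88300 60150000 allow ip from any to any
"""

# rule number, packet counter, byte counter, then the rule text
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")


def parse_counters(listing):
    """Map rule number -> (packets, bytes, body) from `ipfw -a list` text."""
    rules = {}
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:
            rules[int(m.group(1))] = (int(m.group(2)), int(m.group(3)), m.group(4))
    return rules


def counter_deltas(before, after):
    """Per-rule (packet delta, byte delta, body) between two snapshots."""
    b, a = parse_counters(before), parse_counters(after)
    return {num: (a[num][0] - b[num][0], a[num][1] - b[num][1], a[num][2])
            for num in a if num in b}


def fwd_rule_hits(before, after, fwd_rule, count_rule):
    """Return (esp_packets_probed, fwd_packets_matched, consistent).

    consistent is True when the fwd rule's counter grew by at least as many
    packets as the ESP probe saw, i.e. the ESP traffic did reach the fwd rule.
    """
    d = counter_deltas(before, after)
    esp, fwd = d[count_rule][0], d[fwd_rule][0]
    return esp, fwd, fwd >= esp


if __name__ == "__main__":
    print(fwd_rule_hits(BEFORE, AFTER, 64902, 64901))
```

A confirmed match here narrows the fault to what happens after the rule fires; watching for ESP with tcpdump on both the cable and the T1 interface is then the next thing to check.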