Date:      Tue, 07 Aug 2007 09:59:19 -0700
From:      Julian Elischer <julian@elischer.org>
To:        Narek Gharibyan <ngharibyan@mail.ru>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Policy - based Routing problem Need help
Message-ID:  <46B8A4E7.9080803@elischer.org>
In-Reply-To: <001701c7d90d$304d8f20$180ca8c0@arm.synisys.com>
References:  <017001c7cf86$daa2ad10$180ca8c0@arm.synisys.com> <46AAED33.1070307@elischer.org> <005901c7d101$9ab0f7d0$180ca8c0@arm.synisys.com> <46AB8AEA.5030409@elischer.org> <006601c7d147$18087880$180ca8c0@arm.synisys.com> <46AB9D65.4020409@elischer.org> <006701c7d1b6$e49ee4a0$180ca8c0@arm.synisys.com> <46AC5471.2090209@elischer.org> <006801c7d1e5$4cefac00$180ca8c0@arm.synisys.com> <46AD0058.3020107@elischer.org> <001701c7d90d$304d8f20$180ca8c0@arm.synisys.com>

Narek Gharibyan wrote:
> Thank you very much,
> 
> Relying on your help I reached success, but the rules differ from yours a little
> bit. My working rules are listed below:
> 
> ipfw add fwd A all from ${inet1}:${imask1} to any out recv ${iif1}
> ipfw add fwd B all from ${inet}:${imask} to any out recv ${iif}

the following two rules shouldn't be needed if your routes are correct.

> ipfw add fwd G all from any to ${inet1}:${imask1} out via ${iif1}
> ipfw add fwd H all from any to ${inet}:${imask} out via ${iif}


I don't know what onet is..
> ipfw add fwd A all from ${onet1}:${omask1} to any out
> ipfw add fwd B all from ${onet}:${omask} to any out
> ipfw add fwd A all from ${inet1}:${imask1} to any out
> ipfw add fwd B all from ${inet}:${imask} to any out
> 
> 
> The only problem left is when someone (from provider A) tries to access the ftp
> server via B: it connects but doesn't do the "Get Directory" command. Ipfw doesn't
> matter, I checked. I think it is a specification of the ftp-data port 20
> (connection opening problem). Can you describe to me how it takes place via port
> 20, or find the wrong line in the ipfw fwd rules?

ftp is a problem as it negotiates new ports for data.
That is why people use Passive mode FTP. It doesn't do that.

> 
> Best regards,
> Narek
>  
> 
> -----Original Message-----
> From: Julian Elischer [mailto:julian@elischer.org] 
> Sent: Monday, July 30, 2007 2:02 AM
> To: Narek Gharibyan
> Subject: Re: Policy - based Routing problem Need help
> 
> Narek Gharibyan wrote:
>> Yes your written rules are correct, You think exactly
>> I want to do ALSO
>>
>> 1. Packets coming from ISP-B (B network) into C SHOULD go out only via xx0
>> (as they came)
> 
> # make sure WE can talk to the back nets
> # and ourself
> ipfw add 1 allow ip from any to any via lo0
> 
> ipfw add 2 allow ip from me to G
> ipfw add 3 allow ip from me to H
> # the next 2 rules are not actually needed as any packets 
> # going to G and H will go the right way anyhow.
> # ipfw add 4 fwd (G) ip from any to G out recv xx0
> # ipfw add 5 fwd (H) ip from any to H out recv xx1
> 
> # The next rules ARE needed.
> ipfw add 6 fwd (A) ip from G to any out recv yy0
> ipfw add 7 fwd (B) ip from H to any out recv yy1
> ipfw add 8 fwd (A) ip from (C) to any out
> ipfw add 9 fwd (B) ip from (D) to any out
> 
> 
>> 2. Packets coming from ISP-A (A network) into D Should go out only via xx1
>> (as they came)
>>
>> Saying it in other words, packets should leave my network via the interface they
>> came in on.
>>
>> 3. Packets coming from E should go out via xx0
>> 4. Packets coming from F should go out via xx1
>>
>> Also I try from inside to forward packets without default gateway using via
>> A or B with the commands
>>
>> Ipfw add fwd A all from G to any xmit (or via) xx0 
>>
>> and it didn't work. I've compiled my kernel with IPFIREWALL,
>> IPFIREWALL_FORWARD, and set net.inet.ip.forwarding=1 in sysctl.conf. Surely
>> I will try your configuration on Monday, but it seems ipfw fwd does no
>> forwarding. So how should I write it to reach the results (1., 2., 3., 4.)?
>>
>> Regards,
>> Narek
>>
>> -----Original Message-----
>> From: Julian Elischer [mailto:julian@elischer.org] 
>> Sent: Sunday, July 29, 2007 1:49 PM
>> To: Narek Gharibyan
>> Subject: Re: Policy - based Routing problem Need help
>>
>> Narek Gharibyan wrote:
>>> The right drawing is that one below
>>>
>>>                    _______          ___________
>>> -[ISP-A](A)----(C)[xx0 yy0](E)--(G)[NAT        ]
>>>                   [ FBSD  ]        [   Windows ](X)-----LAN
>>> -[ISP-B](B)----(D)[xx1 yy1](F)--(H)[NAT        ]
>>>                     ~~~~~~~          ~~~~~~~~~~~
>>>
>>> We can't use only a FreeBSD box, we need to also use a Windows box, due to our
>>> company's policy. So your suggestion is not an option. I think we need a
>>> different solution.
>> ok.
>>
>> now that we have established the exact layout,
>> what is it exactly that you want to do?
>>
>> I gather that you want packets that come into D to go out of F
>> and packets that come in through C should go out via E
>>
>> this is achieved by:
>> ipfw add 1 fwd (G) ip from any to G out recv xx0
>> ipfw add 2 fwd (H) ip from any to H out recv xx1
>>
>> what else do you wish it to do?
>>
>>> Regards,
>>> Narek
>>>
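As an added illustration, not part of the thread: a small Python model of ipfw's first-match evaluation of the fwd rules Julian listed (rules 6 to 9), with constructed documentation/private addresses standing in for the letters of the diagram. It lets you check which next hop a given packet would be forwarded to before loading such rules, for instance that a reply from G received on yy0 goes to A while the same packet received on yy1 falls through to normal routing.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins (documentation/private ranges) for the diagram's letters.
A, C = "198.51.100.1", "198.51.100.2"  # ISP-A gateway, FreeBSD address on xx0
B, D = "203.0.113.1", "203.0.113.2"    # ISP-B gateway, FreeBSD address on xx1
G, H = "10.0.0.2", "10.0.1.2"          # Windows NAT addresses behind yy0 and yy1

@dataclass
class Packet:
    src: str
    dst: str
    direction: str       # "in" or "out", as ipfw sees it
    recv: str = ""       # interface the packet was received on
    xmit: str = ""       # interface it is about to leave on

@dataclass
class FwdRule:
    num: int
    nexthop: str         # the fwd target (A, B, ...)
    src: str             # "any", one address, or a CIDR block
    dst: str
    direction: str = ""  # "in", "out" or "" for either
    recv: str = ""       # ipfw's 'recv iface' qualifier
    xmit: str = ""       # ipfw's 'xmit iface' qualifier

def _addr_match(spec, addr):
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule, pkt):
    return (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
            and (not rule.direction or rule.direction == pkt.direction)
            and (not rule.recv or rule.recv == pkt.recv)
            and (not rule.xmit or rule.xmit == pkt.xmit))

def next_hop(rules, pkt):
    """ipfw first-match: return the fwd target, or None for normal routing."""
    for r in sorted(rules, key=lambda r: r.num):
        if matches(r, pkt):
            return r.nexthop
    return None

# Rules 6-9 from the reply quoted above, the ones marked as needed.
RULES = [FwdRule(6, A, G, "any", "out", recv="yy0"),
         FwdRule(7, B, H, "any", "out", recv="yy1"),
         FwdRule(8, A, C, "any", "out"),
         FwdRule(9, B, D, "any", "out")]
```

Call `next_hop(RULES, Packet(G, "192.0.2.10", "out", recv="yy0", xmit="xx0"))` to see the reply from G forwarded to A; only the `out`/`recv` qualifiers and source address are modelled, not the rest of ipfw's syntax.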
