Date:      Fri, 12 Apr 2002 16:40:08 +0300
From:      "Artyom V. Viklenko" <artem@mipk-kspu.kharkov.ua>
To:        freebsd-ipfw@freebsd.org
Subject:   policy-driven routing with ipfw
Message-ID:  <3CB6E3B8.F26ECFDB@mipk-kspu.kharkov.ua>

Hi! Help me, please.

I have a FreeBSD 4.5-STABLE box with 3 NICs (NE2000 clones).

First - ed0 - connected to internal network with address, say, 
192.168.1.1. Second - ed1 - connected to ISP #1 with ip 10.0.1.1.
Third - ed2 - to ISP #2 with ip 10.0.2.1.

The default route is through ed1.

Clients with IPs 192.168.1.1-192.168.1.127 should get access to the
outside world via ed1, and the rest of the clients via ed2.

I have set up 'ipfw fwd' rules to point out ISPs' router addresses,
say 10.0.1.254 and 10.0.2.254 respectively:

# ipfw add 1000 fwd 10.0.1.254 ip from 192.168.1.0/25 to not 192.168.1.0/24 in recv ed0
# ipfw add 2000 fwd 10.0.2.254 ip from 192.168.1.128/25 to not 192.168.1.0/24 in recv ed0

All ok at this point.

The last wish is to use NAT on both outside interfaces to hide internal
network.

And I have set up two divert rules and natd daemons:

# natd -p 2000 -interface ed1
# natd -p 2001 -interface ed2
# ipfw add 3000 divert 2000 ip from any to any via ed1
# ipfw add 4000 divert 2001 ip from any to any via ed2

But packets never pass to these rules. :(

The ipfw(8) man page says that the search terminates on a matching fwd rule.
But as I remember, an IP packet passes through the ipfw rules twice. The
first pass, IMHO, will change the next hop when the packet enters the stack
via ed0. And on the second pass, when the packet is leaving the machine via
ed1(2), the packet should be diverted.

Where is my mistake? What am I doing wrong?

The kernel variable net.inet.ip.fw.one_pass does not affect this situation.
This is only for pipes, isn't it?

-- 
       Sincerely yours,
                         Artyom V. Viklenko.
======================================================
System Administrator        artem@mipk-kspu.kharkov.ua
------------------------------------------------------
IIAT NTU "KhPI" 21, Frunze Str., Kharkov Ukraine 61002
Phone: +380 (572) 400026        Fax: +380 (572) 474062
======================================================
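The expectation laid out in the message (first pass: fwd rule picks the next hop; second pass: the divert rule on the egress interface should match) can be written down as a small first-match model and run over the poster's own ruleset. The following is an added example, not code from the original post or from FreeBSD; it is a simplified model of the rule-matching semantics the message describes, not the kernel's ip_input/ip_output path, so it reproduces what the poster expected rather than explaining why the real box behaved differently. The final catch-all allow rule (65000) and the egress-interface mapping for each next hop are assumptions for the sake of the example.

```python
"""Toy model of ipfw first-match evaluation for the policy-routing question above.

Assumptions (not from the message): a catch-all 'allow' rule at 65000, and that
a packet forwarded to 10.0.1.254 leaves via ed1 and one forwarded to 10.0.2.254
leaves via ed2.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    direction: str              # "in" or "out"
    iface: str                  # interface the packet is traversing now ("via")
    recv: Optional[str] = None  # interface it originally arrived on ("recv")


@dataclass
class Rule:
    number: int
    action: str                 # "fwd", "divert" or "allow"; all end the search here
    arg: str                    # next-hop address for fwd, port for divert
    src: str = "any"            # CIDR or "any"
    dst: str = "any"
    dst_not: bool = False       # models "to not <net>"
    direction: Optional[str] = None  # "in", "out" or None for either
    recv: Optional[str] = None
    via: Optional[str] = None


def addr_matches(addr: str, spec: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not addr_matches(pkt.src, rule.src):
        return False
    # For "to not <net>" the rule applies exactly when the destination is outside <net>.
    if addr_matches(pkt.dst, rule.dst) == rule.dst_not:
        return False
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.recv and rule.recv != pkt.recv:
        return False
    # "via X" matches whether X is the receiving or the transmitting interface.
    if rule.via and rule.via not in (pkt.iface, pkt.recv):
        return False
    return True


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Walk the rules in number order and stop at the first match; ipfw(8),
    as quoted in the post, says a matching fwd terminates the search."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule
    return None


# The ruleset from the message, plus an assumed catch-all allow.
RULES = [
    Rule(1000, "fwd", "10.0.1.254", "192.168.1.0/25", "192.168.1.0/24",
         dst_not=True, direction="in", recv="ed0"),
    Rule(2000, "fwd", "10.0.2.254", "192.168.1.128/25", "192.168.1.0/24",
         dst_not=True, direction="in", recv="ed0"),
    Rule(3000, "divert", "2000", via="ed1"),
    Rule(4000, "divert", "2001", via="ed2"),
    Rule(65000, "allow", ""),   # assumed, not in the post
]

# Assumed mapping from fwd next hop to egress interface.
EGRESS = {"10.0.1.254": "ed1", "10.0.2.254": "ed2"}


def trace(rules: List[Rule], src: str, dst: str) -> Tuple[Optional[int], Optional[int]]:
    """Return the rule numbers hit on the inbound pass (arriving on ed0) and on
    the outbound pass, where the outbound interface follows the fwd next hop
    (or ed1, the default route in the message, if no fwd rule matched)."""
    inbound = first_match(rules, Packet(src, dst, "in", "ed0", recv="ed0"))
    egress = EGRESS.get(inbound.arg, "ed1") if inbound else "ed1"
    outbound = first_match(rules, Packet(src, dst, "out", egress, recv="ed0"))
    return (inbound.number if inbound else None,
            outbound.number if outbound else None)


if __name__ == "__main__":
    # Constructed sample clients and an external destination.
    for client in ("192.168.1.10", "192.168.1.200"):
        print(client, "->", trace(RULES, client, "203.0.113.5"))
```

Run as-is, the model says a packet from 192.168.1.10 hits rule 1000 on the way in and rule 3000 on the way out, and one from 192.168.1.200 hits 2000 then 4000; the divert rules never match on the inbound pass because "via ed1" cannot be true for a packet received on ed0. That is precisely the mental model in the message, so the model is useful for checking rule order and predicates, not for diagnosing the kernel's actual fwd handling.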

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3CB6E3B8.F26ECFDB>