Re: ipnat+ipfw + 3 gateways

From: Tillman Hodgson (tillman_at_seekingfire.com)
Date: 12/15/03

    Date: Mon, 15 Dec 2003 09:57:44 -0600
    To: freebsd-questions@freebsd.org

    On Mon, Dec 15, 2003 at 07:25:21AM -0800, hugle wrote:
    > now about this script.

    Let's reduce this to pseudocode to simplify the discussion:

    map vlan0 from 192.168.0.0/16 ! to 192.168.0.0/16 (some ports) -> (gw2)

    map fxp0 from 192.168.0.0/16 ! to 192.168.0.0/16 (other ports) -> (gw1)

    map rl1 from 192.168.0.0/16 ! to 192.168.0.0/16 -> (gw3)

    > in MY opinion these rules should WORK. but as it seems, they don't

    I assume that vlan0, fxp0 and rl1 are your *external* NICs?

    I'll show what I have set up for comparison. I have two Internet
    gateways and I do some source-routing by destination (not by port, as
    you are trying to do). I'll leave out the IPFW traffic shaping for
    simplicity. My ruleset is getting fairly complex these days ;-)

    A bit of background: I bring in a /25 subnet across an OpenVPN tunnel
    (where I run zebra/quagga OSPF routing ... some details at
    http://www.rospa.ca/projects/). In order for me to use these additional
    IPs on my internal network, I need to ensure that my gateway
    source-routes them ('fwd' in IPFW parlance) to my tunnel-peer as my
    regular default gateway would packet filter them out (a surprisingly
    sane policy for an ISP *grin*).

    Key for the lines that follow:
    * rl1 is my external NIC for the primary Internet gateway
    * rl2 is my external NIC for the secondary Internet gateway
    * tun6 is the tunnel that I bring a source-routed /25 in on

    Here's the relevant part of my /etc/ipnat.rules. Note that I've obscured
    external IPs by replacing them with a descriptive tag in ()'s:

     ### TCP/UDP
     # Note that maps to rl2 only work because I have static routes that
     # would route traffic for those particular destinations to the
     # secondary gateway in any case ... the mapping just forces the correct
     # source IP address to be used.
     # ... specific destination #1
     map rl2 from 192.168.23.0/24 to (net destination #1)/24 -> rl2/32
     # ... specific destination #2
     map rl2 from 192.168.23.0/24 to (net destination #2)/24 -> rl2/32
     # ... specific destination #3
     map rl2 from 192.168.23.0/24 to (host destination #3)/32 -> rl2/32
     # Map all regular traffic out the primary Internet connection
     map rl1 192.168.23.0/24 -> rl1/32 portmap tcp/udp 48000:50000
     ### ICMP and other (on the primary internet connection)
     map rl1 192.168.23.0/24 -> rl1/32

    I set the static routes via rc.conf, a simplified version of which is:

     ### Routes
     defaultrouter="(primary gateway)"
     static_routes="destination1 destination2 destination3"
     route_destination1="(net destination #1)/24 (secondary gateway)"
     route_destination2="(net destination #2)/24 (secondary gateway)"
     route_destination3="(host destination #3)/32 (secondary gateway)"

    And here's the relevant part of my /etc/ipf.rules:

     # Respond to traffic sent to the /25 via tun6
     # Note that the "on 'interface'" has to be the one with my default route
     # Note that I use a !/16 instead of a /24 as I have more than one
     # internal class C (the meta-network)
     pass out quick on rl1 to tun6 from (obscured)/25 to !192.168.0.0/16
     # Respond to traffic sent to my secondary connection via the same IP
     pass out quick on rl1 to rl2 from (obscured)/32 to any

    -T

    -- 
    To imagine a human world without ethics, but in which life goes well, it
    is necessary to suppose a golden age: a world without competition, or
    causes of strife, or clashing desires, or envy or malice.
        - Simon Blackburn (Ruling Passions)
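The point the reply turns on (routing picks the outgoing interface first, and only the ipnat "map" rules bound to that interface are then consulted, which is why the rl2 maps need matching static routes) can be checked with a small model. This is an added example, not code from the thread or from ipnat; interface names follow the thread, while the addresses, the protocol/port match fields and the assumption that the original poster had only a default route are constructed for illustration.

```python
import ipaddress

# Added example, not code from the thread. It models the ordering the reply
# depends on: the kernel routing table picks the egress interface first, and
# only "map <iface> ..." rules bound to THAT interface are then consulted.
# Addresses are constructed documentation-range values, not the poster's.

def egress_iface(routes, dst):
    """routes: [(prefix, iface)]; longest-prefix match like the kernel FIB."""
    d = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p).prefixlen, i) for p, i in routes
            if d in ipaddress.ip_network(p)]
    return max(hits)[1] if hits else None

def _net_match(spec, addr):
    """spec is 'a.b.c.d/n', '!a.b.c.d/n' (ipnat-style negation) or None."""
    if spec is None:
        return True
    inside = ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"))
    return inside != spec.startswith("!")

def nat_source(routes, maps, src, dst, proto="tcp", dport=80):
    """maps: [(iface, from, to, protos_or_None, dports_or_None, new_src)].
    Returns (egress iface, source address the packet leaves with)."""
    iface = egress_iface(routes, dst)
    for m_if, m_from, m_to, m_protos, m_dports, new_src in maps:
        if m_if != iface or not _net_match(m_from, src) or not _net_match(m_to, dst):
            continue
        if m_protos is not None and proto not in m_protos:
            continue
        if m_dports is not None and dport not in m_dports:
            continue
        return iface, new_src  # first matching map on the egress interface wins
    return iface, src  # nothing matched: the packet leaves with its private source

# Tillman's layout: a static route sends destination #1 via rl2, so the
# "map rl2 ... to (net destination #1)/24" rule is actually reached.
ROUTES_T = [("0.0.0.0/0", "rl1"), ("203.0.113.0/24", "rl2")]
MAPS_T = [("rl2", "192.168.23.0/24", "203.0.113.0/24", None, None, "192.0.2.10"),
          ("rl1", "192.168.23.0/24", None, ("tcp", "udp"), None, "198.51.100.10"),
          ("rl1", "192.168.23.0/24", None, None, None, "198.51.100.10")]

# hugle's layout as paraphrased in the reply: per-port maps on three interfaces,
# but only a default route exists, so the vlan0 and fxp0 maps are never reached.
ROUTES_H = [("0.0.0.0/0", "rl1")]
MAPS_H = [("vlan0", "192.168.0.0/16", "!192.168.0.0/16", None, {80, 443}, "192.0.2.20"),
          ("fxp0", "192.168.0.0/16", "!192.168.0.0/16", None, {25}, "198.51.100.20"),
          ("rl1", "192.168.0.0/16", "!192.168.0.0/16", None, None, "203.0.113.20")]
```

Running `nat_source(ROUTES_H, MAPS_H, "192.168.1.5", "198.51.100.99", dport=25)` shows the fxp0 map being skipped entirely: the packet leaves on rl1 with rl1's address, so port-based splitting across gateways needs policy routing (ipfw fwd) ahead of NAT, not NAT rules alone.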
