Hello, [resolved]

Recompiling the kernel using IPFIREWALL_FORWARD_EXTENDED solved the problem. I thought this one was deprecated in 6.0-p12...

Oleg Tarasov <[EMAIL PROTECTED]> wrote:

> Hello,
>
> I've got a machine running FreeBSD 6.0. This problem occurred on 6.0-p0
> and 6.0-p12.
>
> Introduction
> =============
>
> I've got two internet connections from two different providers. One
> is the main and the second is for failover. Both interfaces have attached
> natd using the divert function of ipfw. Here are the interface parameters:
>
> ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1492
>         inet xxx.xxx.xxx.xxx --> XXX.XXX.XXX.XXX netmask 0xffffffff
> ng8: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1492
>         inet yyy.yyy.yyy.yyy --> YYY.YYY.YYY.YYY netmask 0xffffffff
>
> Here yyy.yyy.yyy.yyy is the IP address of the main connection.
>
> The routing table looks like this:
> -------------------------
> default            YYY.YYY.YYY.YYY     UGS     0    21878   ng8
> yyy.yyy.yyy.yyy    lo0                 UHS     0       51   lo0
> xxx.xxx.xxx.xxx    lo0                 UHS     0        0   lo0
> 127.0.0.1          127.0.0.1           UH      0     3810   lo0
> 192.168.82         link#1              UC      0        0   rl0
> 192.168.82.253     00:30:4f:27:ae:85   UHLW    1       74   lo0
> YYY.YYY.YYY.YYY    yyy.yyy.yyy.yyy     UH      3        0   ng8
> XXX.XXX.XXX.XXX    xxx.xxx.xxx.xxx     UH      3        0   ng0
> -------------------------
>
> My kernel is compiled using the following options:
> -------------------------
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=300
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPFIREWALL_FORWARD
> options IPDIVERT
> options IPSTEALTH
> options DUMMYNET
> options HZ=1000
> -------------------------
>
> Both interfaces have real IPs and should simultaneously work supplying
> DNS, mail and other services.
>
> Usually this is implemented by configuring the ipfw fwd command for policy
> routing, so I've inserted the two following lines into the ipfw script:
> -------------------------
> fwd XXX.XXX.XXX.XXX ip from xxx.xxx.xxx.xxx to any out xmit ng8
> fwd YYY.YYY.YYY.YYY ip from yyy.yyy.yyy.yyy to any out xmit ng0
> -------------------------
>
> This usually works and works on my second server. But for some reason
> here I met strange behaviour. It just seems that the fwd command does not
> do anything at all.
>
> When I ping xxx.xxx.xxx.xxx (which is the failover one) icmp packets come
> in on ng0 but replies from xxx.xxx.xxx.xxx go through the default route on
> ng8. This would be normal if there were no fwd commands. But I see the
> counters on the rule increasing, and logging these rules shows the
> following lines:
>
> Oct 2 08:35:49 central kernel: ipfw: 20500 Forward to XXX.XXX.XXX.XXX ICMP:0.0 xxx.xxx.xxx.xxx some.outer.ip.address out via ng8
>
> but packets still go out through ng8 using the default route.
>
> There can be two reasons as I see it. The first is that the fwd command does not
> work for some reason, and the second is that the system routing table
> considers the default route preferable over the direct route to the
> router. The second is near impossible, so I wonder...
>
> Please tell me, if possible, how to locate the possible reason for this
> problem!

-- 
Best regards,
Oleg Tarasov mailto:[EMAIL PROTECTED]

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
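The following is an added example, not part of the original thread or of FreeBSD itself. It does two things a practitioner setting up the dual-uplink policy routing described above would want before touching the rules: it checks a kernel config file for the ipfw options the fwd-based setup depends on (including IPFIREWALL_FORWARD_EXTENDED, the one the poster turned out to be missing, which is needed so that fwd also acts on packets the host generates itself, such as the echo replies in the post), and it generates the pair of fwd rules for two uplinks from the interface, address and gateway of each. The sample kernel config embedded in the script is constructed to match the option list quoted in the post; the rule numbers, helper names and the use of placeholder addresses are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the original thread): check a FreeBSD kernel
# config for the ipfw options that policy routing with "fwd" needs, and
# emit the per-uplink fwd rules. Assumes the config file path and the
# interface/address/gateway tuples are supplied by the caller.

# Options the fwd-based setup depends on. IPFIREWALL_FORWARD_EXTENDED is
# the one the original poster was missing: without it fwd does not act on
# locally generated packets such as the host's own ICMP echo replies.
REQUIRED_OPTIONS="IPFIREWALL IPFIREWALL_FORWARD IPFIREWALL_FORWARD_EXTENDED IPDIVERT"

# kernconf_missing FILE: prints each required option that FILE does not
# enable on an "options NAME" line; returns 1 if anything is missing.
# The trailing "([[:space:]]|$)" keeps IPFIREWALL_FORWARD from being
# satisfied by IPFIREWALL_FORWARD_EXTENDED and vice versa.
kernconf_missing() {
    file=$1
    rc=0
    for opt in $REQUIRED_OPTIONS; do
        if ! grep -Eq "^[[:space:]]*options[[:space:]]+${opt}([[:space:]]|$)" "$file"; then
            echo "$opt"
            rc=1
        fi
    done
    return $rc
}

# fwd_rules RULENO IF1 ADDR1 GW1 IF2 ADDR2 GW2
# Emits the two rules from the thread, generalised to any two uplinks:
# a packet sourced from one uplink's own address that the routing table is
# about to send out the *other* uplink is pushed back to the first uplink's
# gateway. Rule numbers are RULENO and RULENO+10 (an assumption).
fwd_rules() {
    n=$1; if1=$2; a1=$3; g1=$4; if2=$5; a2=$6; g2=$7
    echo "add $n fwd $g1 ip from $a1 to any out xmit $if2"
    n=$((n + 10))
    echo "add $n fwd $g2 ip from $a2 to any out xmit $if1"
}

# Constructed sample: the option list from the original post, written to a
# temp file so the check can run offline. Prints the file name.
write_sample_kernconf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=300
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_FORWARD
options IPDIVERT
options IPSTEALTH
options DUMMYNET
options HZ=1000
EOF
    echo "$f"
}

main() {
    conf=$(write_sample_kernconf)
    if missing=$(kernconf_missing "$conf"); then
        echo "kernel config: all required ipfw options present"
    else
        echo "kernel config: missing options, fwd rules will not behave as expected:"
        echo "$missing"
    fi
    # Placeholder addresses as in the post: ng0 is the failover uplink,
    # ng8 the main one carrying the default route.
    fwd_rules 20500 ng0 xxx.xxx.xxx.xxx XXX.XXX.XXX.XXX ng8 yyy.yyy.yyy.yyy YYY.YYY.YYY.YYY
    rm -f "$conf"
}

main "$@"
```

Run against a real config (for example /usr/src/sys/i386/conf/CENTRAL) by replacing the constructed sample with that path; on the poster's config the check reports only IPFIREWALL_FORWARD_EXTENDED, which matches the fix reported at the top of the reply.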
