I am attempting to use IPFW (and either IPNAT or natd) to do the following:

I have two connections to the outside world coming in to my firewall.
em0 has a static ip and is going to a bridged DSL connection, then
bge1 has a static ip and is going to a few bonded DS1s. bge0 goes to
my internal network. I am attempting to have NAT on both external
interfaces, and have most outbound traffic move across bge1, while
traffic from/to a particular internal system (We'll call it
internal_system for purposes of this message) to/from a particular
remote system (This we'll call remote_system) port 80 moves across
the DSL line on em0.

Here is an attempt at a pretty ASCII picture


        ISP 1
   [192.168.2.254]
          |
          |
[bge1:192.168.2.1]
          FIREWALL[bge0:10.0.0.1]-------[10.0.0.2]internal_system
 [em0:192.168.1.1]
          |
          |
   [192.168.1.254]
        ISP 2

Here are the rules I've tried using in conjunction with natd:

#Send incoming traffic to natd
00400 divert 8869 ip from any to any in via bge1
00450 divert 8868 ip from any to any in via em0
00500 check-state

#Check for internal_system port 80 traffic (ipfw needs a protocol keyword before "from")
00600 skipto 900 ip from $internal_system to $remote_system 80

#Send Most Traffic out via bge1
00700 divert 8869 ip from $local_net to any in
00750 divert 8869 ip from $local_net to any out

#Send "special" traffic out via em0
00900 divert 8868 ip from $internal_system to $remote_system 80 in
#Return half of the special flow, back to internal_system
00950 divert 8868 ip from $remote_system 80 to $internal_system out

#policy route to get traffic to the correct ISP
02000 fwd $isp2_gw ip from $isp2_ip to any
02500 fwd $isp1_gw ip from $isp1_ip to any


Two instances of natd are running, one on port 8868 with an alias
address of $isp1_ip, the other is on port 8869 with an alias address
of $isp2_ip

With the above ipfw rules in place, a

$ ping -S $isp2_ip google.com

Should result in a ping across em0 to google, however it acts as
though it cannot even reach the $isp2_gw.

I have been able to get everything to work exactly as I want it to
using pf on FreeBSD, but I've been told that ipfw is preferred within
the organization.


Any suggestions would be greatly appreciated.


Jared Baldridge
Systems Administrator
PFS
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
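Added example, not part of Jared's post and not from any FreeBSD documentation: a complete two-ISP ipfw + natd ruleset for the layout in the ASCII diagram, written as a sh script that either prints the rules (dry run) or loads them. It binds natd port 8868 to em0 (the link the post's em0 divert rules use) and 8869 to bge1, makes the gateway choice with fwd on the LAN-facing input path while the packet still carries its private addresses, and translates on the way out of the chosen interface, so each natd instance only ever sees packets belonging to its own link. remote_system is not given in the post, so 203.0.113.10 (a documentation address) stands in for it; the gateway and interface addresses come from the diagram.

```sh
#!/bin/sh
# Added example (not from the original post): dual-WAN NAT with ipfw divert + natd.
# Addresses follow the ASCII diagram in the post; remote_system is assumed to be
# 203.0.113.10 (a documentation address) because the post never gives it.
set -eu

lan_if=bge0;  lan_net=10.0.0.0/24
isp1_if=bge1; isp1_ip=192.168.2.1; isp1_gw=192.168.2.254; isp1_natd_port=8869
isp2_if=em0;  isp2_ip=192.168.1.1; isp2_gw=192.168.1.254; isp2_natd_port=8868
internal_system=10.0.0.2
remote_system=203.0.113.10   # assumed placeholder; replace with the real address

# Print the ruleset. Order matters: un-NAT packets arriving from each ISP first,
# choose the gateway while the LAN-side packet still has its private addresses,
# and only then translate on the way out of the interface routing picked.
gen_rules() {
    cat <<EOF
# 1. Inbound from either ISP: hand the packet to that link's natd so replies are
#    mapped back to the private address before any other rule looks at them.
add 100 divert $isp2_natd_port ip from any to any in via $isp2_if
add 110 divert $isp1_natd_port ip from any to any in via $isp1_if
# 2. Policy routing on the LAN-facing input path, before NAT, so the match can
#    still see internal_system. fwd pins the next hop; the kernel then emits the
#    packet on the interface that reaches that gateway. "not me" keeps traffic
#    addressed to the firewall itself from being pushed out to the ISP.
add 300 fwd $isp2_gw tcp from $internal_system to $remote_system 80 in via $lan_if
add 310 fwd $isp1_gw ip from $lan_net to not me in via $lan_if
# 3. Locally generated traffic (e.g. ping -S $isp2_ip) picks its link by source.
add 320 fwd $isp2_gw ip from $isp2_ip to any out
add 330 fwd $isp1_gw ip from $isp1_ip to any out
# 4. Outbound NAT per external interface, after the routing decision; natd
#    reinjects the translated packet at the rule following the divert.
add 400 divert $isp2_natd_port ip from $lan_net to any out via $isp2_if
add 410 divert $isp1_natd_port ip from $lan_net to any out via $isp1_if
add 500 allow ip from any to any
EOF
}

# Start one natd per link (one alias address each) and load the rules.
apply_rules() {
    natd -p "$isp2_natd_port" -a "$isp2_ip"
    natd -p "$isp1_natd_port" -a "$isp1_ip"
    ipfw -q -f flush
    gen_rules | ipfw -q /dev/stdin
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules ;;        # default: dry run, just print the rules
esac
```

Run it with no argument to review the generated rules, or `sh dualwan.sh apply` as root to start both natd instances and load them. Before blaming the rules, check the box itself: net.inet.ip.forwarding must be 1, the kernel needs divert support (the ipdivert module or options IPDIVERT), and on older kernels fwd only takes effect if the kernel was built with options IPFIREWALL_FORWARD (the requirement was dropped around FreeBSD 9); without it the fwd rule still matches but the packet follows the routing table, so a ping -S $isp2_ip leaves via the default route instead of $isp2_gw.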
