your rules don't forward ping to isp2, only port 80 ...

try


00400 divert 8869 ip from any to any in via bge1
00450 divert 8868 ip from any to any in via em0
00500 check-state

#Check for internal_system port 80 traffic (a port needs a proto, so tcp not ip)
00600 skipto 900 tcp from $internal_system to $remote_system 80 keep-state

#Send Most Traffic out via bge1
00700 divert 8869 ip from $local_net to any in keep-state
00750 divert 8869 ip from $local_net to any out keep-state
#Send "special" traffic out via em0
00900 divert 8868 ip from $local_net to any in
00950 divert 8868 ip from $local_net to any out


#policy route to get traffic to the correct ISP
02000 fwd $isp2_gw ip from $isp2_ip to any
02500 fwd $isp1_gw ip from $isp1_ip to any

65000 allow ip from any to any

---

the key to this config is line 600, whatever it matches will go to line 900
and get the isp address, then get routed to isp 2.  With this config a ping
won't match, only a port 80 or http request ...

.Andrew

On 5/16/06, PFS IT <[EMAIL PROTECTED]> wrote:

I am attempting to use IPFW (and either IPNAT or natd) to do the
following:

I have two connections to the outside world coming in to my firewall.
em0 has a static ip and is going to a bridged DSL connection, then
bge1 has a static ip and is going to a few bonded DS1s. bge0 goes to
my internal network. I am attempting to have NAT on both external
interfaces, and have most outbound traffic move across bge1, while
traffic from/to a particular internal system (We'll call it
internal_system for purposes of this message) to/from a particular
remote system (This we'll call remote_system) port 80 moves across
the DSL line on em0.

Here is an attempt at a pretty ascii picture


         ISP 1
    [192.168.2.254]
           |
           |
[bge1:192.168.2.1]
           FIREWALL[bge0:10.0.0.1]-------[10.0.0.2]internal_system
  [em0:192.168.1.1]
           |
           |
    [192.168.1.254]
         ISP 2

Here are the rules I've tried using in conjunction with natd:

#Send incoming traffic to natd
00400 divert 8869 ip from any to any in via bge1
00450 divert 8868 ip from any to any in via em0
00500 check-state

#Check for internal_system port 80 traffic (a port needs a proto, so tcp not ip)
00600 skipto 900 tcp from $internal_system to $remote_system 80

#Send Most Traffic out via bge1
00700 divert 8869 ip from $local_net to any in
00750 divert 8869 ip from $local_net to any out

#Send "special" traffic out via em0
00900 divert 8868 tcp from $internal_system to $remote_system 80 in
00950 divert 8868 tcp from $internal_system to $remote_system 80 out

#policy route to get traffic to the correct ISP
02000 fwd $isp2_gw ip from $isp2_ip to any
02500 fwd $isp1_gw ip from $isp1_ip to any


Two instances of natd are running, one on port 8868 with an alias
address of $isp1_ip, the other is on port 8869 with an alias address
of $isp2_ip

With the above ipfw rules in place, a

$ ping -S $isp2_ip google.com

Should result in a ping across em0 to google, however it acts as
though it cannot even reach the $isp2_gw.

I have been able to get everything to work exactly as I want it to
using pf on FreeBSD, but I've been told that ipfw is preferred within
the organization.


Any suggestions would be greatly appreciated.


Jared Baldridge
Systems Administrator
PFS
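To make Andrew's point about line 600 concrete, here is a toy first-match evaluator for the ruleset in this thread. It is an added example, not ipfw itself and not code from either poster: it models only the keywords the thread uses (divert, skipto, check-state, fwd, allow), has no dynamic state table, and stops at the first divert because which natd instance receives the packet is what decides the ISP (real ipfw reinjects after natd and keeps walking the rules). The addresses in VARS stand in for the thread's $-variables and are constructed; the mapping of natd port 8868 to em0 and 8869 to bge1 is taken from the divert rules, since the text and the rules disagree about which alias address each instance carries.

```python
"""Toy evaluator for the thread's ipfw ruleset (added example, not ipfw)."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed stand-ins for the $-variables used in the thread.
VARS = {
    "local_net": "10.0.0.0/24",
    "internal_system": "10.0.0.2",
    "remote_system": "203.0.113.10",   # documentation address, constructed
    "isp1_ip": "192.168.2.1",          # bge1, natd 8869
    "isp2_ip": "192.168.1.1",          # em0,  natd 8868
    "isp1_gw": "192.168.2.254",
    "isp2_gw": "192.168.1.254",
}


@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    direction: str = "in"       # "in" or "out" relative to the firewall
    iface: str = "bge0"


@dataclass
class Rule:
    num: int
    action: str                 # "divert 8869", "skipto 900", "fwd <gw>", "allow", "check-state"
    proto: str = "ip"           # "ip" matches any protocol
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None
    via: Optional[str] = None


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Static match only; check-state never matches because the toy keeps no state."""
    if rule.action == "check-state":
        return False
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not _addr_match(rule.src, pkt.src) or not _addr_match(rule.dst, pkt.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.via is not None and rule.via != pkt.iface:
        return False
    return True


def evaluate(rules, pkt: Packet):
    """Walk rules in number order, first match wins; skipto jumps forward.
    Returns (rule number, action) of the terminating rule."""
    rules = sorted(rules, key=lambda r: r.num)
    i = 0
    while i < len(rules):
        r = rules[i]
        if matches(r, pkt):
            if r.action.startswith("skipto"):
                target = int(r.action.split()[1])
                i = next(k for k, x in enumerate(rules) if x.num >= target)
                continue
            return (r.num, r.action)
        i += 1
    return (65535, "deny")      # ipfw's implicit default rule


V = VARS
# Andrew's ruleset, with the proto keyword line 600 needs to carry a port.
RULES = [
    Rule(400, "divert 8869", direction="in", via="bge1"),
    Rule(450, "divert 8868", direction="in", via="em0"),
    Rule(500, "check-state"),
    Rule(600, "skipto 900", proto="tcp", src=V["internal_system"], dst=V["remote_system"], dport=80),
    Rule(700, "divert 8869", src=V["local_net"], direction="in"),
    Rule(750, "divert 8869", src=V["local_net"], direction="out"),
    Rule(900, "divert 8868", src=V["local_net"], direction="in"),
    Rule(950, "divert 8868", src=V["local_net"], direction="out"),
    Rule(2000, "fwd " + V["isp2_gw"], src=V["isp2_ip"]),
    Rule(2500, "fwd " + V["isp1_gw"], src=V["isp1_ip"]),
    Rule(65000, "allow"),
]

if __name__ == "__main__":
    http = Packet("tcp", V["internal_system"], V["remote_system"], 80)
    ping = Packet("icmp", V["internal_system"], V["remote_system"])
    print("http from internal_system ->", evaluate(RULES, http))   # 900, natd 8868 (em0)
    print("ping from internal_system ->", evaluate(RULES, ping))   # 700, natd 8869 (bge1)
```

Running it shows the asymmetry Andrew describes: the HTTP packet is skipped to 900 and handed to the em0 natd, while an ICMP echo from the same host never matches 600 and falls through to 700, so it is NATed by the bge1 instance. If ICMP from internal_system is also meant to leave via em0, the skipto rule (or a second one) has to match it explicitly.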
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"