Good day!

I need help.

I have 2 ISPs connected to my FreeBSD router-firewall with pf.

I need my local net to connect via HTTP through the router and squid to ISP-A,
but all other packets (POP3, SMTP, DNS, NTP, ...) should go through ISP-B.

My default gateway is through ISP-A.

Here is my rc.conf:
----------------------------------
gateway_enable="YES"
hostname="ardis3.ardis.local"
ifconfig_em0="inet 192.168.0.9  netmask 255.255.255.0"
ifconfig_fxp0="inet 194.84.120.88 netmask 255.255.255.240"
ifconfig_rl0="inet 80.237.98.9  netmask 255.255.255.192"
defaultrouter="80.237.98.1"
defaultrouter="194.84.120.81"
linux_enable="YES"
moused_enable="YES"
named_enable="YES"
ntpdate_enable="YES"
ntpdate_flags="ntp.psn.ru"
saver="logo"
usbd_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
-----------------------

Next I try to route TCP/UDP packets on port 53 through ISP-B.

----------------------------------
equ="fxp0"                              # interface of ISP-A
stl="rl0"                               # interface of ISP-B
loc="em0"                               # interface of the local network
net="{" $equ $stl "}"
sgw="80.237.98.1"                       # gateway of ISP-B
egw="194.84.120.81"                     # gateway of ISP-A
sns="{80.237.98.2, 212.16.204.7}"       # NS of ISP-B
ens="{194.84.252.189, 193.232.88.17}"   # NS of ISP-A

table <ard> {192.168.0.0/24}
table <snt> {80.237.98.1/26}
table <ent> {194.84.120.80/28}

nat on $equ from <ard> to any -> 194.84.120.88/32
nat on $stl from <ard> -> 80.237.98.9/32
nat on $stl from 194.84.120.88 -> 80.237.98.9/32

rdr on $equ proto tcp from any to <ard> port 80 -> 127.0.0.1 port 3128

pass in log all
pass out log all

pass out on $equ route-to ($stl $sgw) from 194.84.120.88 to $sns
----------------------------------

I see in the logs that DNS queries to the NS of ISP-B are routed to the ISP-B
interface from the default ISP-A interface and pass out.
But I get no answer from the NS.

Next I try with another rule:

pass in on $loc route-to ($stl $sgw) from <ard> to $sns

but this rule causes a syntax error with the command:

# pfctl -f /etc/pf.conf

Please tell me what is wrong.
Or maybe you can give an example of packet routing among several interfaces?
-- 
All the best from Vladivostok.
Eugene Novikov.
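Added example (not the poster's configuration, and not an official FreeBSD or OpenBSD ruleset): a pf.conf that follows the usual two-uplink pattern for the setup described above. The interface names, addresses, gateways and ISP-B name servers are taken from the post; the macro names, the `block` default, the explicit `keep state` (required on pf versions of that era), and the placement of the squid `rdr` on the inside interface are assumptions. Two points a practitioner checks first: the policy-routing decision is made with `route-to` on `pass in on $int_if`, so the packet reaches the chosen uplink before any `nat` rule runs and is translated exactly once, on the interface it really leaves; and rc.conf is a shell script, so with `defaultrouter=` set twice only the last assignment (194.84.120.81, ISP-A) takes effect, which matches the stated default gateway.

```pf
# Added example for two ISPs with pf; the addresses below come from the post,
# the structure and macro names are assumptions.
ext_a  = "fxp0"             # ISP-A, carries the system default route
ext_b  = "rl0"              # ISP-B
int_if = "em0"              # local network
gw_a   = "194.84.120.81"
gw_b   = "80.237.98.1"
addr_a = "194.84.120.88"
addr_b = "80.237.98.9"
lan    = "192.168.0.0/24"
dns_b  = "{ 80.237.98.2, 212.16.204.7 }"
proxy  = "127.0.0.1"
proxy_port = "3128"

set skip on lo0

# Translate LAN traffic on whichever uplink it actually leaves through.
# With route-to applied on $int_if (below), only one of these matches a packet.
nat on $ext_a from $lan to any -> $addr_a
nat on $ext_b from $lan to any -> $addr_b

# Transparent proxy: catch LAN web traffic where it enters the router and hand
# it to squid on localhost. Squid's own connections to web servers then leave
# via the default route, i.e. ISP-A.
rdr on $int_if inet proto tcp from $lan to any port 80 -> $proxy port $proxy_port

# Default deny; every pass rule below is explicit.
block log all

# LAN hosts may talk to the router itself (DNS, NTP, ssh, ...) without being
# policy-routed anywhere.
pass in quick on $int_if inet from $lan to $int_if keep state
pass out quick on $int_if inet from any to $lan keep state

# The redirected HTTP sessions (destination is now 127.0.0.1:3128 after rdr).
pass in quick on $int_if inet proto tcp from $lan to $proxy port $proxy_port keep state

# Everything else from the LAN goes out ISP-B, with DNS listed separately so it
# is easy to log or restrict to ISP-B's own name servers if desired.
pass in quick on $int_if route-to ($ext_b $gw_b) inet proto { tcp, udp } \
    from $lan to $dns_b port 53 keep state
pass in on $int_if route-to ($ext_b $gw_b) inet from $lan to any keep state

# A reply that would leave with the address of the *other* uplink is steered to
# the uplink owning that address, otherwise the upstream ingress filter drops it.
pass out quick on $ext_a route-to ($ext_b $gw_b) inet from $addr_b to any
pass out quick on $ext_b route-to ($ext_a $gw_a) inet from $addr_a to any

# Router-originated and already-translated traffic on each uplink.
pass out on $ext_a inet from $addr_a to any keep state
pass out on $ext_b inet from $addr_b to any keep state
```

Check it with `pfctl -nf /etc/pf.conf` before loading; `-n` parses without activating the rules, so a grammar problem such as the one in the post shows up as a line number rather than as an empty firewall. After loading, `pfctl -ss` lists the states and shows on which interface each LAN session was created, which is the quickest way to confirm that DNS states sit on rl0 while squid's sessions sit on fxp0.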
