Policy Routing natd+ipfw

Patrick Tracanelli eksffa at freebsdbrasil.com.br
Sat May 5 04:13:31 UTC 2007


> How can I do policy routing with ipfw+natd?
>
> I started 2 natd processes, using natd.conf and natd2.conf
> respectively, but things don't work. My rules are:

Long time ago, PHK added an (undocumented, except for commit logs) feature
in natd(8), called "instances". To use it, you can start a config file
with the "instance" keyword followed with an identifier, and in a certain
moment use the "instance" keyword again, with a second identifier. Each
block will create different natd instances which can be used with
independent configurations. However they are run by the same process.

Here is a (production) example:

###########################

instance default

interface       vr0
dynamic         yes
use_sockets     yes
same_ports      yes
unregistered_only       yes
port 8668
log yes
log_denied      yes
log_ipfw_denied yes
#punch_fw       10:39
log_facility    security

redirect_port tcp 10.69.69.69:2234-2240 2234-2240

redirect_port tcp 10.69.69.39:80        3980
redirect_port tcp 10.69.69.39:6969      3969

redirect_port tcp 10.69.69.13:4662      4662
redirect_port udp 10.69.69.13:4672      4672

###############################

instance interna2

interface xl0
dynamic         yes
use_sockets     no
same_ports      no
unregistered_only       yes
port 8669
log yes
log_denied      yes
log_ipfw_denied yes
#punch_fw       10:39
reverse yes

>
> ext_if1="em0"
> ext_if2="em1"
>
> divert 8668 ip from $net1 to any out via $ext_if1
> divert 8669 ip from $net2 to any out via $ext_if2

Wrong concepts here. Since you mentioned the default gateway is on
ext_if1, packets will never reach ext_if2, so how can they be diverted?

According to Cisco's literature:

"Policy-based routing provides a tool for forwarding and routing data
packets based on policies defined by network administrators. In effect, it
is a way to have the policy override routing protocol decisions.
Policy-based routing includes a mechanism for selectively applying
policies based on access list, packet size or other criteria."

So, the above excerpt explains what you should do to DO policy routing:
override routing protocol decisions.

To do so in your environment, divert packets to the second link when they
reach the main outgoing interface (the traditional path the packet would
take, according to the routing table):

divert 8669 ip from $net2 to any out via $ext_if1

Yes, this WILL work. Packets will be diverted to the second natd instance when
they reach the main outgoing interface (as main, I want you to read: the
one used by the default route).

So, here you are forgetting another mandatory flow control: you have to
send packets from your second-link IP address to your second-link gateway.
IPFW's "fwd" action will do this like a charm =)

>
> divert 8668 ip from any to any via $ext_if1
> divert 8669 ip from any to any via $ext_if2
>
> My defaultrouter is the one on $ext_if1.
>
> It works for port 8668 but doesn't work for 8669 (the second xDSL link)
>
> --
> Jazzie Hills


-- 
Patrick Tracanelli
(31) 3281 9633
sip://313306@sip.freebsdbrasil.com.br
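As an added example that is not part of the original post or the poster's ruleset, here is an ipfw ruleset implementing the flow described above (divert on the default-route interface, then fwd from the second link's address to the second link's gateway). It assumes em0/em1 as the two uplinks, 10.69.70.0/24 as the second LAN, and placeholder addresses for the second link's IP and gateway; it prints the rules by default and applies them only with APPLY=yes.

```shell
#!/bin/sh
# Added example, not from the original post: ipfw rules for two uplinks
# served by two natd instances (ports 8668 and 8669). Interface names,
# networks, the second-link address and its gateway are assumptions.
ext_if1="em0"             # primary uplink, holds the default route
ext_if2="em1"             # second xDSL link (natd instance on port 8669)
net1="10.69.69.0/24"      # LAN that should leave via ext_if1 (assumed)
net2="10.69.70.0/24"      # LAN that should leave via ext_if2 (assumed)
ext_ip2="203.0.113.10"    # address natd uses on ext_if2 (placeholder)
gw2="203.0.113.1"         # next hop on the second link (placeholder)

# Print the rules instead of running them, so they can be reviewed first.
# Order matters: natd re-injects a translated packet at the rule that follows
# the divert, so the fwd rule must sit after the 8669 divert. Outbound traffic
# from net2 is caught on ext_if1 (where the routing table sends it), gets its
# source rewritten to ext_ip2, and is then handed to gw2 by fwd. Replies come
# back in on ext_if2 and are translated back by the same instance. On FreeBSD
# of that era the kernel needs "options IPFIREWALL_FORWARD" for fwd to work.
policy_rules() {
    cat <<EOF
ipfw add 100 divert 8668 ip from ${net1} to any out via ${ext_if1}
ipfw add 110 divert 8669 ip from ${net2} to any out via ${ext_if1}
ipfw add 120 fwd ${gw2} ip from ${ext_ip2} to any out via ${ext_if1}
ipfw add 130 divert 8669 ip from any to any in via ${ext_if2}
ipfw add 140 divert 8668 ip from any to any in via ${ext_if1}
EOF
}

# Default is a dry run; set APPLY=yes to feed the rules to the shell.
if [ "${APPLY:-no}" = "yes" ]; then
    policy_rules | sh
else
    policy_rules
fi
```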