ipfw policy routing esp

Julian Elischer julian at elischer.org
Mon Dec 8 13:53:59 PST 2008


Eric W. Bates wrote:
> We have a bewildering problem attempting to policy route esp traffic.
> 
> We have 2 upstream internet sources: a routable T1 and a cable modem.
> The cable modem provides better bandwidth so while we default to the T1,
> we use policy routing to send some of our traffic out the cable modem.
> 
> In particular we use the cable modem for all the port 80 traffic via
> squid. squid's source IP is the one belonging to the cable network and
> we have the following ipfw rule for the policy route:
> 
> ${fwcmd} add 64902 fwd ${cable_gw} ip from ${net_wan3_local} to any
> 
> cable_gw is the cable company's router.
> net_wan3_local is the cable company's IP on our external interface.
> 
> This works great for all port 80 tcp traffic.
> 
> To this we added some IPSec. Racoon is hanging off the same
> ${net_wan3_local} and the udp port 500 traffic passes in and out through
> the cable interface as we hoped.
> 
> The bewildering part is that while the esp traffic can demonstrably be
> seen to be hitting the policy route rule, those packets continue to pass
> out the default route to the T1 rather than being forwarded to the cable
> router as we want.
> 
> Any thoughts?
> Is this a known problem?

There are definitely some oddnesses with IPSEC encapsulation
and routes etc.

If you are using 7.1-PRERELEASE or 8 you might consider using setfib
to assign a separate routing table to the tcp traffic.


> 
> Thank you for your time.
> 
> --
> Eric W. Bates
> ericx at vineyard.net
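Julian's setfib suggestion applied to the setup from the original post, as an added example that is not part of the thread: the `fwd ${cable_gw}` rule is replaced by ipfw `setfib` rules and the cable uplink gets its own routing table. The addresses, the squid path, the FIB number and the tcpdump check are assumptions; whether the encapsulated ESP packets keep the FIB on the way out is exactly what the check is there to confirm.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes FreeBSD 7.1+/8 with
# ipfw and a kernel built with more than one FIB (options ROUTETABLES, or the
# net.fibs loader tunable where available). Addresses are placeholders.
fwcmd="ipfw"
cable_gw="${cable_gw:-192.0.2.1}"               # cable company's router (placeholder)
net_wan3_local="${net_wan3_local:-192.0.2.10}"  # our address on the cable network (placeholder)
cable_fib=1                                     # routing table dedicated to the cable uplink

# run: execute a command, or only print it when DRY_RUN is set (review/testing).
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# FIB 1 gets its own default route via the cable router; FIB 0 keeps the T1 default.
setup_cable_fib() {
    run setfib "$cable_fib" route add default "$cable_gw"
}

# Instead of fwd, tag packets sourced from the cable address with FIB 1 so the
# kernel's own routing lookup uses that table. ipfw setfib is non-terminating,
# so the ESP (proto 50) and IKE (udp/500) rules are redundant with the catch-all;
# they exist so that `ipfw show` counters reveal whether ESP reaches the policy rules.
add_policy_rules() {
    run "$fwcmd" add 64900 setfib "$cable_fib" esp from "$net_wan3_local" to any
    run "$fwcmd" add 64901 setfib "$cable_fib" udp from "$net_wan3_local" 500 to any 500
    run "$fwcmd" add 64902 setfib "$cable_fib" ip from "$net_wan3_local" to any
}

# Processes started under setfib(1) inherit the FIB, so squid's sockets route
# from table 1 without depending on a firewall rule at all.
start_squid_on_cable() {
    run setfib "$cable_fib" /usr/local/sbin/squid
}

# Check: ESP should now appear on the cable interface and be absent from the T1
# interface (interface names are placeholders):
#   tcpdump -ni cable0 esp ; tcpdump -ni t1_0 esp

if [ "${1:-}" = "apply" ]; then
    setup_cable_fib
    add_policy_rules
    start_squid_on_cable
fi
```

Run as root with `apply` once the kernel has a second FIB; with `DRY_RUN=1` the script only prints the commands it would issue.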


