ipnat+ipfw + 3 gateways
Tillman Hodgson
tillman at seekingfire.com
Mon Dec 15 07:57:49 PST 2003
On Mon, Dec 15, 2003 at 07:25:21AM -0800, hugle wrote:
> now about this script.
Let's reduce this to pseudo code to simplify the discussion:
map vlan0 from 192.168.0.0/16 ! to 192.168.0.0/16 (some ports) -> (gw2)
map fxp0 from 192.168.0.0/16 ! to 192.168.0.0/16 (other ports) -> (gw1)
map rl1 from 192.168.0.0/16 ! to 192.168.0.0/16 -> (gw3)
> in MY opinion these rules should WORK. but as it seems, they don't
I assume that vlan0, fxp0 and rl1 are your *external* NICs?
I'll show what I have set up for comparison. I have two Internet
gateways and I do some source-routing by destination (not by port, as
you are trying to do). I'll leave out the IPFW traffic shaping for
simplicity. My ruleset is getting fairly complex these days ;-)
A bit of background: I bring in a /25 subnet across an OpenVPN tunnel
(where I run zebra/quagga OSPF routing ... some details at
http://www.rospa.ca/projects/). In order for me to use these additional
IPs on my internal network, I need to ensure that my gateway
source-routes them ('fwd' in IPFW parlance) to my tunnel-peer as my
regular default gateway would packet filter them out (a surprisingly
sane policy for an ISP *grin*).
Key for the lines that follow:
* rl1 is my external NIC for the primary Internet gateway
* rl2 is my external NIC for the secondary Internet gateway
* tun6 is the tunnel that I bring a source-routed /25 in on
Here's the relevant part of my /etc/ipnat.rules. Note that I've obscured
external IPs by replacing them with a descriptive tag in ()'s:
### TCP/UDP
# Note that maps to rl2 only work because I have static routes that
# would route traffic for those particular destinations to the
# secondary gateway in any case ... the mapping just forces the correct
# source IP address to be used.
# ... specific destination #1
map rl2 from 192.168.23.0/24 to (net destination #1)/24 -> rl2/32
# ... specific destination #2
map rl2 from 192.168.23.0/24 to (net destination #2)/24 -> rl2/32
# ... specific destination #3
map rl2 from 192.168.23.0/24 to (host destination #3)/32 -> rl2/32
# Map all regular traffic out the primary Internet connection
map rl1 192.168.23.0/24 -> rl1/32 portmap tcp/udp 48000:50000
### ICMP and other (on the primary internet connection)
map rl1 192.168.23.0/24 -> rl1/32
I set the static routes via rc.conf, a simplified version of which is:
### Routes
defaultrouter="(primary gateway)"
static_routes="destination1 destination2 destination3"
route_destination1="(net destination #1)/24 (secondary gateway)"
route_destination2="(net destination #2)/24 (secondary gateway)"
route_destination3="(host destination #3)/32 (secondary gateway)"
And here's the relevant part of my /etc/ipf.rules:
# Respond to traffic sent to the /25 via tun6
# Note that the "on 'interface'" has to be the one with my default route
# Note that I use a !/16 instead of a /24 as I have more than one
# internal class C (the meta-network)
pass out quick on rl1 to tun6 from (obscured)/25 to !192.168.0.0/16
# Respond to traffic sent to my secondary connection via the same IP
pass out quick on rl1 to rl2 from (obscured)/32 to any
-T
--
To imagine a human world without ethics, but in which life goes well, it
is necessary to suppose a golden age: a world without competition, or
causes of strife, or clashing desires, or envy or malice.
- Simon Blackburn (Ruling Passions)
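As an added illustration (not part of Tillman's post or of ipnat itself), here is a small Python model of the point made in the ipnat.rules comments above: the routing table picks the egress interface first, and only the map rules bound to that interface are ever consulted, which is why a map on an interface that routing never chooses silently does nothing. All addresses, interface names and rules below are constructed placeholders.

```python
# Added example, not from the original post. Toy model of "route first,
# then NAT on the chosen interface". Every address here is constructed.
import ipaddress

# Constructed routing table: (destination prefix, gateway, egress interface).
ROUTES = [
    ("0.0.0.0/0",       "203.0.113.1", "rl1"),  # defaultrouter (primary gw)
    ("198.51.100.0/24", "192.0.2.1",   "rl2"),  # static route -> secondary gw
]

# Constructed ipnat maps: (interface, source net, destination net or None, new source).
# Same shape as "map rl2 from 192.168.23.0/24 to X/24 -> rl2/32".
IPNAT_MAPS = [
    ("rl2", "192.168.23.0/24", "198.51.100.0/24", "192.0.2.50"),    # rl2's IP, routed
    ("rl2", "192.168.23.0/24", "198.51.101.0/24", "192.0.2.50"),    # no static route: never hit
    ("rl1", "192.168.23.0/24", None,              "203.0.113.50"),  # rl1's IP, everything else
]

def pick_route(dst):
    """Longest-prefix match over ROUTES; returns (gateway, egress interface)."""
    d = ipaddress.ip_address(dst)
    best = max((r for r in ROUTES if d in ipaddress.ip_network(r[0])),
               key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return best[1], best[2]

def apply_ipnat(src, dst):
    """Return (egress interface, translated source) for an outbound packet.

    Routing decides the interface; maps on other interfaces are skipped,
    and the first map that matches on that interface wins.
    """
    _, iface = pick_route(dst)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for m_iface, m_src, m_dst, new_src in IPNAT_MAPS:
        if m_iface != iface or s not in ipaddress.ip_network(m_src):
            continue
        if m_dst is not None and d not in ipaddress.ip_network(m_dst):
            continue
        return iface, new_src
    return iface, src  # no map matched: packet leaves untranslated

if __name__ == "__main__":
    for dst in ("198.51.100.7", "198.51.101.5", "93.184.216.34"):
        print(dst, "->", apply_ipnat("192.168.23.10", dst))
```

Traffic to 198.51.101.0/24 leaves rl1 with rl1's address even though a map for it exists on rl2, because nothing routes it there; that is the same reason per-port maps alone cannot steer traffic between gateways.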