IPFW/routing wishes
Ruslan Ermilov
ru at freebsd.org
Mon Sep 15 14:57:43 PDT 2003
On Mon, Sep 15, 2003 at 02:38:17PM +0200, Martin Bartelds wrote:
> What I do seriously miss in FreeBSD is the possibility to have NATD active
> on more than 1 network address/card and do packet routing based
> on packet information.
>
I have a config with two ISPs, each providing us with a small
block of IP addresses, and I have the solution that:
- does source-based routing with the help of "ipfw fwd",
- provides multi-NAT for internal hosts, destination-based.
The last part is done by allocating two distinct IP addresses,
one from each block, and "routing" the packets to a corresponding
natd(8) process, like this:
In /etc/rc.conf:
natd_enable="YES"
natd_interface="x.x.x.x"
natd2_enable="YES"
natd2_interface="y.y.y.y"
natd2_flags="-p natd2"
In /etc/rc.firewall:
# EXTERNAL INTERFACE RULESET
# Spoof protection.
[...]
# NAT.
${fwcmd} add divert natd2 ip from ${inet} to ${isp2_net} out
${fwcmd} add divert natd2 ip from any to y.y.y.y in
${fwcmd} add deny ip from any to y.y.y.y in
${fwcmd} add divert natd ip from ${inet} to any out
${fwcmd} add divert natd ip from any to x.x.x.x in
${fwcmd} add deny ip from any to x.x.x.x in
Cheers,
--
Ruslan Ermilov Sysadmin and DBA,
ru at sunbay.com Sunbay Software Ltd,
ru at FreeBSD.org FreeBSD committer
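The divert/deny rules above depend on ipfw's first-match order: the natd2 rules must come before the generic natd rules, otherwise "divert natd ip from ${inet} to any out" swallows the ISP2-bound traffic, and each inbound "deny" only does its job because it sits directly after its divert. The following is an added example, not code from the post: a small Python model of that walk through the ruleset, with constructed addresses standing in for ${inet}, ${isp2_net}, x.x.x.x and y.y.y.y and a constructed NAT session table. It models the case where a diverted packet is re-injected and continues at the next rule (net.inet.ip.fw.one_pass=0); the "ipfw fwd" rules for source-based routing are not shown in the post and are not modelled here.

```python
"""First-match walk through the post's divert/deny rules (added example, not the post's code)."""
import ipaddress

ANY = None  # stands for ipfw's "any"

# Constructed stand-ins for the post's placeholders; all values are assumptions.
INET = ipaddress.ip_network("192.168.0.0/24")       # ${inet}: internal LAN
ISP2_NET = ipaddress.ip_network("203.0.113.0/24")   # ${isp2_net}: reached through ISP2
X = ipaddress.ip_address("198.51.100.10")           # x.x.x.x: our ISP1 address (natd)
Y = ipaddress.ip_address("203.0.113.10")            # y.y.y.y: our ISP2 address (natd2)

# Inbound NAT sessions each natd(8) instance currently knows (constructed):
# public address -> internal host that opened the session.
SESSIONS = {
    "natd2": {Y: ipaddress.ip_address("192.168.0.20")},
    "natd": {},  # natd has no live session in this scenario
}

# The post's external-interface rules, in the author's order:
# (action, divert port, src spec, dst spec, direction)
RULES = [
    ("divert", "natd2", INET, ISP2_NET, "out"),
    ("divert", "natd2", ANY, Y, "in"),
    ("deny", None, ANY, Y, "in"),
    ("divert", "natd", INET, ANY, "out"),
    ("divert", "natd", ANY, X, "in"),
    ("deny", None, ANY, X, "in"),
]


def _matches(spec, addr):
    """ipfw address match: 'any', a single host, or a network."""
    if spec is ANY:
        return True
    if isinstance(spec, ipaddress.IPv4Network):
        return addr in spec
    return addr == spec


def walk(rules, src, dst, direction, sessions=SESSIONS):
    """Walk the ruleset first-match style.

    Returns (diverts_hit, verdict, final_src, final_dst). A matching divert hands
    the packet to that natd instance: outbound packets get the instance's public
    address as source; inbound packets get their destination mapped back to the
    internal host only if a session exists. The re-injected packet then continues
    at the next rule. Falling off the end means the rest of the firewall decides ('pass').
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    diverts = []
    for action, arg, r_src, r_dst, r_dir in rules:
        if r_dir != direction or not _matches(r_src, src) or not _matches(r_dst, dst):
            continue
        if action == "deny":
            return diverts, "deny", str(src), str(dst)
        if action == "divert":
            diverts.append(arg)
            if direction == "out":
                src = Y if arg == "natd2" else X      # masqueraded behind that instance's address
            elif dst in sessions[arg]:
                dst = sessions[arg][dst]              # de-NAT to the internal host
            # an inbound packet with no session keeps its public dst and
            # is caught by the deny rule that follows the divert
    return diverts, "pass", str(src), str(dst)


if __name__ == "__main__":
    print("LAN -> isp2_net:      ", walk(RULES, "192.168.0.20", "203.0.113.50", "out"))
    print("LAN -> elsewhere:     ", walk(RULES, "192.168.0.20", "192.0.2.7", "out"))
    print("inbound to y (session)", walk(RULES, "203.0.113.50", str(Y), "in"))
    print("inbound to x (none)   ", walk(RULES, "192.0.2.7", str(X), "in"))
    # Same rules with the generic natd block moved first: ISP2 traffic never reaches natd2.
    print("reordered, LAN -> isp2", walk(RULES[3:] + RULES[:3], "192.168.0.20", "203.0.113.50", "out"))
```

The reordered run is the check worth keeping: if the generic natd rules are ever placed ahead of the natd2 rules, every outbound flow leaves with the ISP1 address, and replies arrive at x.x.x.x regardless of which link the packet should have used.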