How to use IPFW to filter routing

Rakor freebsd at rakor-net.de
Sat Jan 28 13:04:46 UTC 2017


Hi there,

I have a router from my ISP giving me a connection to the internet and SIP. Behind it I have a FreeBSD box which should route and separate my VLANs.
The setup is like this:

           +------------+                  +------------+          +------------+   VLAN1 10.10.10.0/24
           | ISP-Router |  192.168.2.0/24  | BSD-Router |  Trunk   | L2-SWITCH  |-----------
Internet---|            |------------------|            |----------| VLANS      |   VLAN2 10.10.20.0/24
           |            |            igb2  |   IPFW     | igb0     |            |-----------
           +------------+                  +------------+          +------------+   VLAN3 10.10.30.0/24
                                                                                 -----------

I can route my VLANs to the Internet and I can route traffic from one VLAN to another VLAN, all without using IPFW. But I don't know how to set up my IPFW. Let's say VLAN1 is allowed to communicate with VLAN2 and with the internet. VLAN3 is allowed to communicate only with the internet.
As far as I know a packet is scanned once by IPFW and then first hit wins. So, if I set the following, a packet coming from VLAN3 for port 80 is permitted to travel anywhere it wants, even to VLAN2. Putting another rule behind it that only allows travelling out via igb2 is not checked, because the search terminated after the first hit.
	ipfw add allow tcp from 10.10.30.0/24 to any 80 setup keep-state


If I try the following, the packets are all rejected. I think the inspection is done before the routing, so IPFW does not know it should be forwarded using igb2.
	ipfw add allow tcp from 10.10.30.0/24 to any 80 out via igb2 setup keep-state


So I don't know how to filter packets that should be routed in an exact manner. Can you help me?

Thanks
Rakor
