IPFW2 script with natd and loadsharing

René Vestergaard rve at techno-matic.dk
Tue Feb 26 14:37:23 UTC 2008


I am trying to have both
natd (divert) and load sharing (pipe/queue)
in the same IPFW2 firewall script.

It works partly. That is, something is wrong because:
  the pipe bandwidth does not at all match the measured bandwidth,
and
  by using the log facility I found that
  the following packet enters the script at rule 11:
  "TCP 207.46.211.119:80 192.168.12.150:1574 out via em0"
  but it looks like it had just been translated by rule number 400.

The NIC with IP 192.168.10.248 is connected to WAN and
the NIC with IP 192.168.12.10 is connected to LAN

Here is my script:
------------------

# Firewall script (Kernel compilation: default-rule was set to allow)

ipfw -f -q flush
ipfw -q add 60000 allow all from any to any

# Log facility (for debugging)
ipfw add 11 skipto 12 log all from any to any // Start

ipfw pipe 1 config bw   80KByte/s  # upload limit
ipfw pipe 2 config bw  800KByte/s  # download limit

# Packets going in the download direction are translated by natd
# to get the .12-subnet destination IP address
# (change destination IP address)
ipfw add 100 divert natd ip from any to 192.168.10.248 // Download

ipfw add 200 queue 1 ip from 192.168.12.0/24 to not 192.168.12.0/24 // Upload
ipfw queue 1 config weight 10 pipe 1 mask src-ip 0x000000ff

ipfw add 300 queue 2 ip from any to 192.168.12.0/24 // Download
ipfw queue 2 config weight 10 pipe 2 mask dst-ip 0x000000ff

# Packets going in the upload direction are translated by natd
# to get the source IP address of the WAN NIC (and the port number is also changed)
ipfw add 400 divert natd ip from 192.168.12.0/24 to any // Upload

------------------

What is wrong?
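The following is an added example, not the poster's script, showing one way to combine natd and dummynet queues in a single ipfw ruleset so that each packet is shaped once and translated once. Two documented ipfw behaviours shape the ordering: a forwarded packet traverses the ruleset twice (once "in" on the interface it arrives on, once "out" on the interface it leaves by), so a queue rule with no in/out/via qualifier, like rules 200 and 300 above, can match on both passes; and with net.inet.ip.fw.one_pass=1 (the default) a packet leaving a dummynet pipe or queue is accepted without consulting any later rule, so a queue rule placed before a divert rule bypasses natd. The example assumes the LAN NIC is em0 (the posted log line shows a LAN-bound packet "out via em0") and the WAN NIC is em1; both names, and natd already running on the default divert port for em1 (for instance natd_enable="YES" and natd_interface="em1" in rc.conf), are assumptions that the post does not state.

```shell
#!/bin/sh
# Added example: ipfw ruleset running natd and dummynet queues together.
# Assumptions (not stated in the post): LAN NIC em0, WAN NIC em1, natd
# listening on the default divert port and aliasing to the em1 address.
#
# Ordering rationale:
#  - Every queue and divert rule is bound to ONE direction on the WAN
#    interface, so the second traversal (on the LAN interface) matches
#    nothing but the final allow and the packet is shaped only once.
#  - Download: divert first (natd rewrites dst to the LAN host), then queue 2
#    keyed on dst-ip so the mask sees the private address.
#  - Upload: queue 1 keyed on src-ip (private address) first, then divert.
#    This needs net.inet.ip.fw.one_pass=0 so the packet resumes at the
#    rule after the queue rule instead of being accepted straight away.

LAN_IF="${LAN_IF:-em0}"
WAN_IF="${WAN_IF:-em1}"
LAN_NET="${LAN_NET:-192.168.12.0/24}"

# gen_rules prints the ipfw commands (without the leading "ipfw") in the
# order they must be loaded. Arguments: LAN interface, WAN interface, LAN net.
gen_rules() {
    lan_if="$1"; wan_if="$2"; lan_net="$3"
    cat <<EOF
pipe 1 config bw 80KByte/s
pipe 2 config bw 800KByte/s
queue 1 config weight 10 pipe 1 mask src-ip 0x000000ff
queue 2 config weight 10 pipe 2 mask dst-ip 0x000000ff
add 100 divert natd ip from any to any in via $wan_if
add 200 queue 2 ip from any to $lan_net in via $wan_if
add 300 queue 1 ip from $lan_net to any out via $wan_if
add 400 divert natd ip from any to any out via $wan_if
add 60000 allow ip from any to any
EOF
}

# apply_rules loads the ruleset into the kernel; root only.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must be root" >&2; return 1; }
    # Let packets leaving a dummynet queue continue to the next rule.
    sysctl net.inet.ip.fw.one_pass=0 >/dev/null || return 1
    ipfw -q -f flush || return 1
    gen_rules "$LAN_IF" "$WAN_IF" "$LAN_NET" | while read -r line; do
        # shellcheck disable=SC2086  # word splitting of $line is intended
        ipfw -q $line || exit 1
    done
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules "$LAN_IF" "$WAN_IF" "$LAN_NET" ;;   # dry run: print the rules
esac
```

Run it without arguments to print the ruleset for inspection, or as root with `apply` to load it. The debugging `log` rule from the original script can be added in front of rule 100 if needed; because the ruleset is direction-bound, a packet logged "out via em0" after download translation is expected and is not a sign that NAT ran in the wrong rule.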




More information about the freebsd-questions mailing list