An update:
Last night I tried adding an em0 to the system. It yielded no results. I
put the internal LANs on em0 and ISP-B on bge0. I know the rule is
getting hits as the counters are moving up, but the redirection simply
refuses to happen. Anyone with any thoughts?
Relevant Kernel Options:
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_FORWARD_EXTENDED
options IPFIREWALL_DEFAULT_TO_ACCEPT
options DUMMYNET
options IPDIVERT
options IPSTEALTH # Tried with sysctl set to on and off.
options FAST_IPSEC
device crypto
Help!!!! Thanks, -Jon
Jonathan Feally wrote:
Hello,
I have set up a new firewall and I'm having trouble with it. Perhaps
the bge is to blame, perhaps it's something else.
I'll explain my setup, the problem and the workaround to get it going.
The box connects to 2 internal LANs and 2 external WANs.
VLANs are mixed, untagged and tagged, on a single bge0.
Vlan  Network             Desc
1     10.255.1.0/24       Admin Lan - No Vlan Tagging
2     10.255.2.0/24       VoIP Lan
900   67.xxx.xxx.128/27   Internet A - Default Route - Going to be pure VoIP only - thus 10.255.2 boxes get 1:1 NAT to 67.xxx.xxx
902   208.xxx.xxx.48/28   Internet B - Web Services
The first problem I ran into was that pings from vlan 2 through natd to vlan 900
were not coming back. I could see the packet enter vlan2, leave and
return on vlan900, but go nowhere. I tried a tcpdump on bge0 and the
pings started coming back, leading me to put promisc on bge0 with
ifconfig.
Now I'm trying to set up a simple web server on an IP from vlan 902
in combination with fwd rule # 999 to route packets from a vlan902
address back to the router on that internet connection. I try to ping
from the outside and can see the icmp echo request. But the replies
keep getting sent out vlan900 to the other internet router.
Hopefully somebody can point me in the right direction. If it's the
bge, then I can replace it with some em. If it's an issue with mixing
native VLAN and tagged, I can tag everything. If it's not me, then who
can help get the code fixed?
I have put my ifconfig, ipfw rules and natd.conf files below.
Thanks -Jon
---------------------------------------------------------
[EMAIL PROTECTED] ~]# ifconfig -a
bge0: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> mtu 1500
options=18<VLAN_MTU,VLAN_HWTAGGING>
inet6 fe80::215:f2ff:fed0:d898%bge0 prefixlen 64 scopeid 0x1
inet 10.255.1.254 netmask 0xffffff00 broadcast 10.255.1.255
ether 00:15:f2:d0:d8:98
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
bge1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
ether 00:15:f2:40:d8:35
media: Ethernet autoselect (none)
status: no carrier
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet 127.0.0.1 netmask 0xff000000
vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::215:f2ff:fed0:d898%vlan2 prefixlen 64 scopeid 0x5
inet 10.255.2.1 netmask 0xffffff00 broadcast 10.255.2.255
ether 00:15:f2:d0:d8:98
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
vlan: 2 parent interface: bge0
vlan900: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::215:f2ff:fed0:d898%vlan900 prefixlen 64 scopeid 0x6
inet 67.xxx.xxx.158 netmask 0xffffffe0 broadcast 67.xxx.xxx.159
inet 67.xxx.xxx.130 netmask 0xffffffff broadcast 67.xxx.xxx.130
inet 67.xxx.xxx.131 netmask 0xffffffff broadcast 67.xxx.xxx.131
inet 67.xxx.xxx.132 netmask 0xffffffff broadcast 67.xxx.xxx.132
inet 67.xxx.xxx.133 netmask 0xffffffff broadcast 67.xxx.xxx.133
inet 67.xxx.xxx.134 netmask 0xffffffff broadcast 67.xxx.xxx.134
inet 67.xxx.xxx.135 netmask 0xffffffff broadcast 67.xxx.xxx.135
inet 67.xxx.xxx.136 netmask 0xffffffff broadcast 67.xxx.xxx.136
inet 67.xxx.xxx.137 netmask 0xffffffff broadcast 67.xxx.xxx.137
inet 67.xxx.xxx.138 netmask 0xffffffff broadcast 67.xxx.xxx.138
inet 67.xxx.xxx.139 netmask 0xffffffff broadcast 67.xxx.xxx.139
inet 67.xxx.xxx.140 netmask 0xffffffff broadcast 67.xxx.xxx.140
inet 67.xxx.xxx.141 netmask 0xffffffff broadcast 67.xxx.xxx.141
inet 67.xxx.xxx.142 netmask 0xffffffff broadcast 67.xxx.xxx.142
inet 67.xxx.xxx.143 netmask 0xffffffff broadcast 67.xxx.xxx.143
inet 67.xxx.xxx.144 netmask 0xffffffff broadcast 67.xxx.xxx.144
inet 67.xxx.xxx.145 netmask 0xffffffff broadcast 67.xxx.xxx.145
inet 67.xxx.xxx.146 netmask 0xffffffff broadcast 67.xxx.xxx.146
inet 67.xxx.xxx.147 netmask 0xffffffff broadcast 67.xxx.xxx.147
inet 67.xxx.xxx.148 netmask 0xffffffff broadcast 67.xxx.xxx.148
inet 67.xxx.xxx.149 netmask 0xffffffff broadcast 67.xxx.xxx.149
inet 67.xxx.xxx.150 netmask 0xffffffff broadcast 67.xxx.xxx.150
inet 67.xxx.xxx.151 netmask 0xffffffff broadcast 67.xxx.xxx.151
inet 67.xxx.xxx.152 netmask 0xffffffff broadcast 67.xxx.xxx.152
inet 67.xxx.xxx.153 netmask 0xffffffff broadcast 67.xxx.xxx.153
inet 67.xxx.xxx.154 netmask 0xffffffff broadcast 67.xxx.xxx.154
inet 67.xxx.xxx.155 netmask 0xffffffff broadcast 67.xxx.xxx.155
inet 67.xxx.xxx.156 netmask 0xffffffff broadcast 67.xxx.xxx.156
inet 67.xxx.xxx.157 netmask 0xffffffff broadcast 67.xxx.xxx.157
ether 00:15:f2:d0:d8:98
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
vlan: 900 parent interface: bge0
vlan902: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::215:f2ff:fed0:d898%vlan902 prefixlen 64 scopeid 0x7
inet 208.xxx.xxx.48 netmask 0xffffff00 broadcast 208.xxx.xxx.255
inet 208.xxx.xxx.49 netmask 0xffffff00 broadcast 208.xxx.xxx.255
inet 208.xxx.xxx.50 netmask 0xffffff00 broadcast 208.xxx.xxx.255
inet 208.xxx.xxx.51 netmask 0xffffff00 broadcast 208.xxx.xxx.255
inet 208.xxx.xxx.52 netmask 0xffffff00 broadcast 208.xxx.xxx.255
inet 208.xxx.xxx.53 netmask 0xffffff00 broadcast 208.xxx.xxx.255
inet 208.xxx.xxx.54 netmask 0xffffff00 broadcast 208.xxx.xxx.255
inet 208.xxx.xxx.55 netmask 0xffffff00 broadcast 208.xxx.xxx.255
inet 208.xxx.xxx.56 netmask 0xffffff00 broadcast 208.xxx.xxx.255
inet 208.xxx.xxx.57 netmask 0xffffff00 broadcast 208.xxx.xxx.255
inet 208.xxx.xxx.58 netmask 0xffffff00 broadcast 208.xxx.xxx.255
inet 208.xxx.xxx.59 netmask 0xffffff00 broadcast 208.xxx.xxx.255
inet 208.xxx.xxx.60 netmask 0xffffff00 broadcast 208.xxx.xxx.255
inet 208.xxx.xxx.61 netmask 0xffffff00 broadcast 208.xxx.xxx.255
inet 208.xxx.xxx.62 netmask 0xffffff00 broadcast 208.xxx.xxx.255
inet 208.xxx.xxx.63 netmask 0xffffff00 broadcast 208.xxx.xxx.255
ether 00:15:f2:d0:d8:98
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
vlan: 902 parent interface: bge0
[EMAIL PROTECTED] ~]# ipfw show
00100 612 297138 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00401 507 46266 allow ip from 63.197.17.60 to any
00402 434 71914 allow ip from any to 63.197.17.60
00999 1256 75280 fwd 208.xxx.xxx.1 ip from 208.xxx.xxx.48/28 to any
01000 51349830 10346449386 divert 8668 ip from any to any via vlan900
01100 25290 6692181 divert 8669 ip from any to any via vlan902
01999 0 0 check-state
02999 5393 444962 allow icmp from any to any
03000 5290 847646 allow tcp from 10.255.2.0/24 to any keep-state
03001 0 0 allow udp from any to 10.255.2.100 dst-port 4569 keep-state
03001 26469 3267888 allow tcp from any to 10.255.2.100 dst-port 22 keep-state
03002 0 0 allow udp from any to 10.255.2.200 dst-port 4569 keep-state
03002 22003 2652985 allow tcp from any to 10.255.2.200 dst-port 22 keep-state
03300 10313 1223322 allow ip from 10.255.1.0/24 to 10.255.1.0/24 keep-state
03999 0 0 allow ip from 208.xxx.xxx.48/28 to any keep-state
04000 25701603 5174357258 allow ip from 67.xxx.xxx.128/27 to any keep-state
04001 0 0 allow tcp from any to 67.xxx.xxx.130 dst-port 22 keep-state
04002 0 0 allow tcp from any to 67.xxx.xxx.140 dst-port 22 keep-state
04058 32848 4351775 allow tcp from any to 67.xxx.xxx.158 dst-port 22 keep-state
04080 4596 3101277 allow tcp from any to 67.xxx.xxx.158 dst-port 80 keep-state
04080 4349 2856224 allow tcp from any to 208.xxx.xxx.48 dst-port 80 keep-state
10011 0 0 allow ip from 208.201.244.72/29 to 67.xxx.xxx.128/27 keep-state
10012 120462 68409347 allow ip from 208.201.244.72/29 to 10.255.2.0/24 keep-state
10013 0 0 allow ip from 67.xxx.xxx.128/27 to 208.201.244.72/29 keep-state
10014 223046 54830393 allow ip from 10.255.2.0/24 to 208.201.244.72/29 keep-state
11111 13137 6722265 allow ip from 10.255.2.0/24 to 207.174.202.2 keep-state
11112 0 0 allow ip from 67.xxx.xxx.128/27 to 207.174.202.2 keep-state
11113 0 0 allow ip from 207.174.202.2 to 67.xxx.xxx.128/27 keep-state
11114 22806 11460460 allow ip from 207.174.202.2 to 10.255.2.0/24 keep-state
11201 39017 19450498 allow ip from 10.255.2.0/24 to 207.174.202.3 keep-state
11202 0 0 allow ip from 67.xxx.xxx.128/27 to 207.174.202.3 keep-state
11203 0 0 allow ip from 207.174.202.3 to 67.xxx.xxx.128/27 keep-state
11204 17986 9036892 allow ip from 207.174.202.3 to 10.255.2.0/24 keep-state
11301 72141 10621231 allow ip from 10.255.2.0/24 to 207.174.202.4 keep-state
11302 0 0 allow ip from 67.xxx.xxx.128/27 to 207.174.202.4 keep-state
11303 0 0 allow ip from 207.174.202.4 to 67.xxx.xxx.128/27 keep-state
11304 22625 11368053 allow ip from 207.174.202.4 to 10.255.2.0/24 keep-state
11401 43193817 8659831738 allow ip from 10.255.2.0/24 to 216.241.188.54 keep-state
11402 0 0 allow ip from 67.xxx.xxx.128/27 to 216.241.188.54 keep-state
11403 0 0 allow ip from 216.241.188.54 to 67.xxx.xxx.128/27 keep-state
11404 611137 131292121 allow ip from 216.241.188.54 to 10.255.2.0/24 keep-state
12101 31804010 6372136314 allow ip from 10.255.2.0/24 to 207.174.111.12 keep-state
12102 0 0 allow ip from 67.xxx.xxx.128/27 to 207.174.111.12 keep-state
12103 0 0 allow ip from 207.174.111.12 to 67.xxx.xxx.128/27 keep-state
12104 441864 96541650 allow ip from 207.174.111.12 to 10.255.2.0/24 keep-state
13101 98120 11157261 allow ip from 10.255.2.0/24 to 66.246.246.52 keep-state
13102 0 0 allow ip from 67.xxx.xxx.128/27 to 66.246.246.52 keep-state
13103 0 0 allow ip from 66.246.246.52 to 67.xxx.xxx.128/27 keep-state
13104 0 0 allow ip from 66.246.246.52 to 10.255.2.0/24 keep-state
64000 49199 5396398 allow udp from 10.255.2.0/24 to any dst-port 53 keep-state
65000 213362 84312193 deny ip from any to any
65535 1 72 allow ip from any to any
[EMAIL PROTECTED] ~]# cat /etc/natd900.conf
log_facility security
use_sockets
same_ports
port natd
interface vlan900
unregistered_only
redirect_address 10.255.2.100 67.xxx.xxx.130
redirect_address 10.255.2.101 67.xxx.xxx.131
redirect_address 10.255.2.102 67.xxx.xxx.132
redirect_address 10.255.2.103 67.xxx.xxx.133
redirect_address 10.255.2.104 67.xxx.xxx.134
redirect_address 10.255.2.105 67.xxx.xxx.135
redirect_address 10.255.2.106 67.xxx.xxx.136
redirect_address 10.255.2.107 67.xxx.xxx.137
redirect_address 10.255.2.108 67.xxx.xxx.138
redirect_address 10.255.2.109 67.xxx.xxx.139
redirect_address 10.255.2.200 67.xxx.xxx.140
[EMAIL PROTECTED] ~]# cat /etc/natd902.conf
log_facility security
use_sockets
same_ports
port natd2
alias_address 208.xxx.xxx.48
unregistered_only
redirect_address 10.255.2.100 208.xxx.xxx.50
redirect_address 10.255.2.101 208.xxx.xxx.51
redirect_address 10.255.2.102 208.xxx.xxx.52
redirect_address 10.255.2.103 208.xxx.xxx.53
redirect_address 10.255.2.104 208.xxx.xxx.54
redirect_address 10.255.2.105 208.xxx.xxx.55
redirect_address 10.255.2.106 208.xxx.xxx.56
redirect_address 10.255.2.107 208.xxx.xxx.57
redirect_address 10.255.2.108 208.xxx.xxx.58
redirect_address 10.255.2.109 208.xxx.xxx.59
redirect_address 10.255.2.200 208.xxx.xxx.60
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
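Editor's added example, not code from the mail or from the FreeBSD project: a simplified model of the ipfw(8) packet walk, loaded with the subset of the posted ruleset that lies on the echo-reply path (rules 999, 1000, 1100, 2999 and 65000), to show the ordering problem a `fwd` rule keyed on a post-NAT source runs into. It assumes the usual ipfw behaviour: a forwarded packet gets one pass on the interface it arrived on, then a route lookup, then one pass on the interface it leaves by; `via` matches the interface of the current pass; a `divert` rule hands the packet to natd and evaluation resumes at the following rule; `fwd` is terminal and supplies the next hop for the route lookup; unmatched packets are accepted, as with IPFIREWALL_DEFAULT_TO_ACCEPT. The redacted 67.xxx.xxx.128/27 and 208.xxx.xxx.48/28 blocks are replaced by the RFC 5737 prefixes 203.0.113.128/27 and 198.51.100.48/28, and 192.0.2.10 is a constructed outside host. Walking the three cases shows why a LAN host's reply leaves on vlan900 carrying the ISP-A address: when rule 999 is evaluated on the inbound pass from vlan2 the source is still 10.255.2.100, so the lookup falls through to the default route, and natd902, attached `via vlan902`, never sees the packet that would have given it the source rule 999 requires. The third case feeds in a reply that already carries the ISP-B source, which is the shape of packet the fwd rule does forward to the ISP-B gateway. The model has no connection state, no promiscuous-mode or bge driver behaviour and no kernel-version detail, so it illustrates the rule-order dependency rather than diagnosing this particular box.

```python
"""Simplified model of the ipfw(8) packet walk on a two-WAN FreeBSD router.

Added example for this thread, not code from the mail or from FreeBSD.
RFC 5737 prefixes stand in for the redacted public blocks: 203.0.113.128/27
is ISP-A (vlan900, default route), 198.51.100.48/28 is ISP-B (vlan902).
Assumed ipfw behaviour: one pass on the receive interface, a route lookup,
one pass on the transmit interface; 'via' matches the interface of the
current pass; 'divert' hands the packet to natd and resumes at the next
rule; 'fwd' is terminal and sets the next hop; unmatched packets are
accepted (IPFIREWALL_DEFAULT_TO_ACCEPT).
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "icmp"

@dataclass(frozen=True)
class Rule:
    num: int
    action: str                 # allow | deny | divert | fwd
    proto: str = "ip"
    src: str = "any"
    dst: str = "any"
    via: Optional[str] = None
    arg: str = ""               # fwd next hop, or NAT instance name for divert

def in_net(addr: str, spec: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def matches(rule: Rule, pkt: Packet, iface: str) -> bool:
    return (rule.proto in ("ip", pkt.proto) and in_net(pkt.src, rule.src)
            and in_net(pkt.dst, rule.dst) and rule.via in (None, iface))

def static_nat(pairs: Dict[str, str]) -> Callable[[Packet, str], Packet]:
    """natd redirect_address: alias the source of outbound packets from an
    internal address, de-alias the destination of inbound packets to the
    public address, leave everything else alone."""
    public_to_internal = {pub: priv for priv, pub in pairs.items()}
    def translate(pkt: Packet, direction: str) -> Packet:
        if direction == "out" and pkt.src in pairs:
            return replace(pkt, src=pairs[pkt.src])
        if direction == "in" and pkt.dst in public_to_internal:
            return replace(pkt, dst=public_to_internal[pkt.dst])
        return pkt
    return translate

def ipfw_pass(rules, pkt, iface, direction, nats, trace):
    """One traversal of the ruleset: returns (packet, verdict, next_hop)."""
    for rule in rules:
        if not matches(rule, pkt, iface):
            continue
        trace.append(f"{direction} {iface}: rule {rule.num} {rule.action} {pkt.src} -> {pkt.dst}")
        if rule.action == "fwd":
            return pkt, "allow", rule.arg
        if rule.action == "divert":
            pkt = nats[rule.arg](pkt, direction)   # natd reinjects; carry on at next rule
            continue
        return pkt, rule.action, None
    return pkt, "allow", None

def route(routes: Dict[str, str], addr: str) -> str:
    """Longest-prefix match, falling back to the 'default' entry."""
    hits = [n for n in routes if n != "default" and in_net(addr, n)]
    return routes[max(hits, key=lambda n: ip_network(n).prefixlen, default="default")]

def forward(rules, pkt, in_iface, routes, nats):
    """Walk a received packet: returns (egress iface or None, packet, trace)."""
    trace = []
    pkt, verdict, next_hop = ipfw_pass(rules, pkt, in_iface, "in", nats, trace)
    if verdict == "deny":
        return None, pkt, trace
    out_iface = route(routes, next_hop or pkt.dst)   # fwd next hop wins if set
    trace.append(f"route lookup for {next_hop or pkt.dst} -> {out_iface}")
    pkt, verdict, _ = ipfw_pass(rules, pkt, out_iface, "out", nats, trace)
    return (None if verdict == "deny" else out_iface), pkt, trace

# Constructed topology.  The posted ifconfig gives vlan902 a /24 mask, so the
# ISP-B gateway .1 is on-link for the fwd next hop.
ROUTES = {"10.255.2.0/24": "vlan2", "10.255.1.0/24": "bge0", "default": "vlan900",
          "203.0.113.128/27": "vlan900", "198.51.100.0/24": "vlan902"}
NATS = {"natd900": static_nat({"10.255.2.100": "203.0.113.130"}),
        "natd902": static_nat({"10.255.2.100": "198.51.100.50"})}
POSTED_RULES = [          # the rules from 'ipfw show' that lie on the reply path
    Rule(999, "fwd", src="198.51.100.48/28", arg="198.51.100.1"),
    Rule(1000, "divert", via="vlan900", arg="natd900"),
    Rule(1100, "divert", via="vlan902", arg="natd902"),
    Rule(2999, "allow", proto="icmp"),
    Rule(65000, "deny"),
]
OUTSIDE = "192.0.2.10"    # constructed address of the host pinging from the Internet

def inbound_request():
    """Echo request from the outside to the ISP-B 1:1 address: lands on the LAN host."""
    return forward(POSTED_RULES, Packet(OUTSIDE, "198.51.100.50"), "vlan902", ROUTES, NATS)

def reply_from_lan():
    """The LAN host's reply as ipfw first sees it: private source, default route."""
    return forward(POSTED_RULES, Packet("10.255.2.100", OUTSIDE), "vlan2", ROUTES, NATS)

def reply_already_translated():
    """The same reply if it carried the ISP-B source when rule 999 is evaluated."""
    return forward(POSTED_RULES, Packet("198.51.100.50", OUTSIDE), "vlan2", ROUTES, NATS)

if __name__ == "__main__":
    for case in (inbound_request, reply_from_lan, reply_already_translated):
        egress, pkt, trace = case()
        print(f"{case.__name__}: egress={egress} src={pkt.src} dst={pkt.dst}")
        print("   " + "\n   ".join(trace))
```

Running the file prints, for each case, the interface the packet leaves by, its addresses as it leaves, and the rules it touched on each pass. The second case is the behaviour described in the mail: the reply exits vlan900 rewritten by natd900 to the ISP-A address, so the remote host gets an echo reply from an address it never pinged.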