On 8/13/13 8:34 PM, Olivier Nicole wrote:
Artem,

Um.. I was planning to use the included natd,
but I think it has only one external address to use.
I think there are a couple of rules to add to ipfw to enable NAT; that
may be where you divert to here or there:

ipfw add divert natd all from 192.169.x.y to any via ISPB
ipfw add divert natd all from any to any via ISPA

That's the direction I would look at.

Ok, here are some thoughts..
You want existing sessions from the offending client to continue to run through the original interface, or their sessions will immediately die, so you need to use dynamic session-based routing.
One way to do this is using the
keep-state and check-state rules in ipfw.

If you do rules like
 check-state
 fwd ISP2 ip from table(1) to any in recv $LAN keep-state
 fwd ISP1 ip from any to any in recv $LAN keep-state


then that session will continue to do that even if the contents of table(1) change.

Then you can use NAT rules on each $ISP interface to ensure that packets get translated correctly.
It's up to you to arrange the contents of the table..

I can't remember offhand whether a firewall pass terminates on a fwd rule match or not..
You may want to check that.

I think you should divide your rules up into rules for each interface and direction using skipto,
and then in each section have specialist rules for just that traffic.
So with 3 interfaces you would have 6 sets of rules (say 1000, 2000, 3000, 4000, 5000 and 6000),
and the very first rules would be:
skipto 1000 ip from any to any in recv $LAN
skipto 2000 ip from any to any out xmit $LAN
skipto 3000 ip from any to any in recv $ISP1
skipto 4000 ip from any to any out xmit $ISP1
skipto 5000 ip from any to any in recv $ISP2
skipto 6000 ip from any to any out xmit $ISP2
[handle loopback packets here]

At 1000 you have the rules above.
At 3000, 4000, 5000 and 6000 you have NAT rules (with different NAT instances for each interface).

You can use whatever method you like (e.g. dummynet accounting?) to work out how much traffic is going, and add and remove entries in the table.

Remember, though, to make sure existing sessions don't get switched!

Julian



Best regards,

Olivier
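As an added example (not code from the thread or from FreeBSD itself), here is a complete ipfw ruleset built the way Julian's reply lays it out: loopback handled first, one skipto section per interface and direction, check-state ahead of the two fwd/keep-state rules in the LAN-inbound section so that a flow keeps the uplink it started on even after its host is added to or removed from the table, and a separate in-kernel nat instance per uplink. Interface names (em0/em1/em2), the TEST-NET gateway and LAN addresses, table number 1 and the helper names steer_host/unsteer_host are assumptions for illustration. It uses only ipfw(8) and sysctl(8) syntax as documented; on the point Julian could not recall, ipfw(8) states that the search terminates when a fwd rule matches, so the example places every deny before the fwd rules.

```shell
#!/bin/sh
# Added example: multi-uplink policy routing with ipfw, laid out as in the
# reply above (skipto sections, stateful fwd, one nat instance per uplink).
# Not code from the thread. Interface names, addresses and the table number
# are assumptions. Needs FreeBSD with ipfw(4), ipfw_nat and
# net.inet.ip.forwarding=1; run as root with IPFW_APPLY=1 to load it.

fwcmd=${fwcmd:-/sbin/ipfw}
sysctlcmd=${sysctlcmd:-/sbin/sysctl}

LAN=em0                 # inside interface            (assumed)
ISP1=em1                # primary uplink              (assumed)
ISP2=em2                # uplink for steered hosts    (assumed)
ISP1_GW=198.51.100.1    # next hop on ISP1            (assumed, TEST-NET-2)
ISP2_GW=203.0.113.1     # next hop on ISP2            (assumed, TEST-NET-3)
LAN_NET=192.168.1.0/24  # inside network              (assumed)
STEER_TABLE=1           # LAN hosts to push out ISP2  (assumed)

build_ruleset() {
    # With one_pass=1 (the default) a packet is accepted right after a nat
    # rule; with 0 it re-enters at the next rule, so the post-NAT filter
    # rules below actually run.
    $sysctlcmd net.inet.ip.fw.one_pass=0
    $fwcmd -q -f flush
    $fwcmd -q table $STEER_TABLE flush

    # One nat instance per uplink, bound to that interface's address.
    # deny_in: drop inbound packets that match no existing translation.
    $fwcmd -q nat 1 config if $ISP1 deny_in reset same_ports
    $fwcmd -q nat 2 config if $ISP2 deny_in reset same_ports

    # Loopback first, then dispatch by interface and direction.
    $fwcmd add 10  allow ip from any to any via lo0
    $fwcmd add 20  deny ip from any to 127.0.0.0/8
    $fwcmd add 30  deny ip from 127.0.0.0/8 to any
    $fwcmd add 100 skipto 1000 ip from any to any in recv $LAN
    $fwcmd add 110 skipto 2000 ip from any to any out xmit $LAN
    $fwcmd add 120 skipto 3000 ip from any to any in recv $ISP1
    $fwcmd add 130 skipto 4000 ip from any to any out xmit $ISP1
    $fwcmd add 140 skipto 5000 ip from any to any in recv $ISP2
    $fwcmd add 150 skipto 6000 ip from any to any out xmit $ISP2
    $fwcmd add 190 deny log ip from any to any   # unknown interface

    # 1000: in on LAN. Anti-spoof and local services first, because fwd
    # terminates the search. check-state precedes the fwd rules, so a flow
    # with a live dynamic rule keeps the uplink it was created with even if
    # the table has changed since.
    $fwcmd add 1000 deny log ip from not $LAN_NET to any in recv $LAN
    $fwcmd add 1010 allow ip from $LAN_NET to me
    $fwcmd add 1020 check-state
    $fwcmd add 1030 fwd $ISP2_GW ip from "table($STEER_TABLE)" to any in recv $LAN keep-state
    $fwcmd add 1040 fwd $ISP1_GW ip from $LAN_NET to any in recv $LAN keep-state
    $fwcmd add 1090 deny log ip from any to any

    # 2000: out on LAN. Everything here was already admitted on the way in.
    $fwcmd add 2000 allow ip from any to any

    # 3000/5000: in on an uplink. Translate, then admit only what NAT mapped
    # back to an inside host plus ICMP replies/errors for the router itself.
    $fwcmd add 3000 nat 1 ip from any to any in recv $ISP1
    $fwcmd add 3010 allow ip from any to $LAN_NET in recv $ISP1
    $fwcmd add 3020 allow icmp from any to me icmptypes 0,3,11
    $fwcmd add 3090 deny log ip from any to any

    $fwcmd add 5000 nat 2 ip from any to any in recv $ISP2
    $fwcmd add 5010 allow ip from any to $LAN_NET in recv $ISP2
    $fwcmd add 5020 allow icmp from any to me icmptypes 0,3,11
    $fwcmd add 5090 deny log ip from any to any

    # 4000/6000: out on an uplink. Translate with that uplink's own instance
    # so replies return on the interface the session was steered through.
    $fwcmd add 4000 nat 1 ip from any to any out xmit $ISP1
    $fwcmd add 4010 allow ip from any to any out xmit $ISP1
    $fwcmd add 6000 nat 2 ip from any to any out xmit $ISP2
    $fwcmd add 6010 allow ip from any to any out xmit $ISP2

    $fwcmd add 65000 deny log ip from any to any
}

# Steer a LAN host out ISP2, or back to ISP1. Only new flows are affected:
# flows that already have a dynamic rule keep their original fwd decision.
steer_host()   { $fwcmd -q table $STEER_TABLE add "$1"; }
unsteer_host() { $fwcmd -q table $STEER_TABLE delete "$1"; }

if [ "${IPFW_APPLY:-0}" = 1 ]; then
    build_ruleset
fi
```

Two design points worth keeping in mind. The check-state rule lives only in the LAN-inbound section on purpose: check-state executes the action of the rule that created the dynamic entry, so a check-state in the uplink-inbound sections would apply the parent fwd action to the reply packets of those flows and push them back out the uplink instead of toward the LAN. And because fwd ends the search, the inside-to-outside policy (anti-spoof, what the LAN may reach) has to sit above rule 1030; nothing after a matching fwd rule is evaluated. Return traffic for the router's own TCP/UDP sessions is not covered here beyond ICMP and would need its own rules.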

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

