On 5/5/07, Patrick Tracanelli <[EMAIL PROTECTED]> wrote:
> > How can I do policy routing with ipfw+natd?
> >
> > I started 2 natd processes, using natd.conf and natd2.conf
> > respectively, but things don't work. My rules are:
> A long time ago, PHK added an (undocumented, except for commit logs) feature
> in natd(8), called "instances". To use it, you can start a config file
> with the "instance" keyword followed by an identifier, and at a certain
> point use the "instance" keyword again, with a second identifier. Each
> block will create a different natd instance, which can be used with
> independent configurations. However, they are run by the same process.
> Here is a (production) example:
Very good, it worked fine. I am happy I can stop running 2 natds. It was ugly.
> To do so in your environment, divert packets to the second link when they
> reach the main outgoing interface (the traditional path the packet would
> follow, according to the routing table):
> divert 8669 ip from $net2 to any out via $ext_if1
> Yes, this WILL work. Packets will be diverted to the second natd instance when
> they reach the main outgoing interface (by main, I want you to read: the
> one used by the default route).
It sounds like it worked. Packets hit the rule correctly, but I don't
get to the Internet.
> So, here you are forgetting another mandatory flow control: you have to
> send packets from your second-link IP address to your second-link gateway.
> IPFW's "fwd" action will do this like a charm =)
I believe this is why I don't get to the Internet. I didn't understand this
ipfw fwd thing you mentioned. Could you give an example?
> >
> > divert 8668 ip from any to any via $ext_if1
> > divert 8669 ip from any to any via $ext_if2
> >
> > My defaultrouter is the one on $ext_if1.
> >
> > It works for port 8668 but doesn't work for 8669 (the second xDSL link)
> >
> > --
> > Jazzie Hills
> --
> Patrick Tracanelli
> (31) 3281 9633
> sip://[EMAIL PROTECTED]
--
Jazzie Hills
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
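The two pieces Patrick describes, a single natd process with two "instance" blocks and the divert + fwd rule order that sends $net2 out through the second link, put together as one added example. This is not code from the thread or from FreeBSD itself; the interface names, addresses, rule numbers and the natd.conf keys other than "instance" (interface, port, use_sockets, same_ports, taken from natd(8)) are assumptions, and the "in via $ext_if2" divert for return traffic is derived from the poster's original "via $ext_if2" rule.

```shell
#!/bin/sh
# Added example (not from the thread): one natd process with two "instance"
# sections, plus the ipfw rule order that diverts $net2 to the second
# instance and then fwd's the translated packets to the second gateway.
# Interface names, addresses and rule numbers are constructed placeholders.

ext_if1="xl0"            # link 1, holds the default route (assumed)
ext_if2="xl1"            # link 2, the second xDSL (assumed)
ip2="203.0.113.10"       # public address of link 2 (assumed, TEST-NET-3)
gw2="203.0.113.1"        # gateway of link 2 (assumed)
net2="192.168.2.0/24"    # internal net that should leave through link 2

# natd.conf with two instances in one process. "instance" opens a block and
# the keys that follow apply to that block; keys other than "instance" are
# the usual natd(8) options and are an assumption here.
natd_conf() {
    cat <<EOF
instance link1
interface $ext_if1
port 8668
use_sockets yes
same_ports yes

instance link2
interface $ext_if2
port 8669
use_sockets yes
same_ports yes
EOF
}

# ipfw rules. Order matters: natd re-injects a translated packet at the
# rule *after* the divert that caught it, so the fwd must sit after the
# 8669 divert and before the catch-all 8668 divert for link 1.
# $1 is the command to run; it defaults to "echo ipfw" so the script only
# prints the rules unless you pass /sbin/ipfw explicitly.
ipfw_rules() {
    cmd=${1:-echo ipfw}
    # return traffic for link 2 arrives on $ext_if2 and must be un-NATed by
    # the same instance (derived from the poster's "via $ext_if2" rule)
    $cmd add 100 divert 8669 ip from any to any in via $ext_if2
    # the rule from the thread: $net2 is diverted on the *main* interface
    $cmd add 200 divert 8669 ip from $net2 to any out via $ext_if1
    # after translation the source is $ip2; hand it to link 2's gateway
    $cmd add 300 fwd $gw2 ip from $ip2 to any out via $ext_if1
    # everything else uses link 1 as before
    $cmd add 400 divert 8668 ip from any to any via $ext_if1
}

# Check that the fwd rule is numbered between the link-2 "out" divert and
# the link-1 catch-all; any other order sends $ip2 traffic to the default
# gateway or through natd twice. Returns 0 when the order is right.
rule_order_ok() {
    rules=$(ipfw_rules "echo ipfw")
    # fields: 1 ipfw, 2 add, 3 rulenum, 4 action, 5 port/nexthop ...
    div2=$(printf '%s\n' "$rules" | awk '$4=="divert" && $5=="8669" && $0 ~ /out via/ {print $3}')
    fwd=$(printf '%s\n' "$rules"  | awk '$4=="fwd" {print $3}')
    div1=$(printf '%s\n' "$rules" | awk '$4=="divert" && $5=="8668" {print $3}')
    [ "$div2" -lt "$fwd" ] && [ "$fwd" -lt "$div1" ]
}

# Running the script as-is prints both the natd.conf and the rule set.
natd_conf
ipfw_rules
```

Run it unchanged to review the generated natd.conf and rules; `ipfw_rules /sbin/ipfw` loads them on the box, and `rule_order_ok` is the check worth keeping if the numbers are ever edited, because the divert-then-fwd ordering is the part that silently breaks.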