Problem solved. I was trying to divert the packet too late. The
rerouting/diversion of the packet needed to occur on the "pass in" from
ste3 (the internal interface) as the packet was already routed by the
time I was trying to move it on the way out ste4.
Ross Barker wrote:
Hi,
I am using IP Filter: v4.1.13 on FreeBSD 6.2 and have an issue I can't
seem to resolve with the help of google or the ipf documentation I have
found. Perhaps someone can assist. I am no expert with IP Filter but I
have an okay grasp of it and have been using it for quite some time
successfully for basic firewalling functions.
If there is a better list to ask such questions on please point me to it.
I also might be going about this entirely the wrong way, but I don't
know of any better way.
Basically what I am trying to achieve is dual Internet connection to a
single internal NAT'ed email server for receiving mail in a redundant
fashion. However I can't get the return packets to go back out the
interface which is the non-default route on the gateway. The packets
come in fine and on the way back out the gateway I catch them with IP
Filters "to interface:ip" syntax and try to push them back out that way.
This technique is called fast route I think. The rule catches the
packets going back out, and changes the IP correctly to the one
specified in the rule however it does not re-route the packet into the
specified outgoing interface.
Here is my setup
* Hosts/Connections
Gateway:
FreeBSD 6.2 - IP Filter: v4.1.13
3 network interfaces of interest
- primary internet connection: ste4
static IP: 1.2.3.4
- secondary internet connection: tun0 (pppoe)
static IP: 5.6.7.8
Simple ppp setup via /etc/ppp/ppp.conf
- Internal LAN : ste3 (ethernet) 192.168.1.1
Then we have on the LAN:
Internal Linux host running SMTP with IPs 192.168.1.15 and 192.168.1.16
* Inbound NAT config
The primary Internet connections NAT is done by a router beyond ste4, it
does translation of 1.2.3.4:25 -> 192.168.1.15:25
The secondary Internet connection uses ipnat configured on the gateway
to redirect traffic
rdr tun0 5.6.7.8/32 port 25 -> 192.168.1.16 port 25 tcp
The default route on the gateway points out ste4 to the primary Internet
connection.
Inbound SMTP connections to 1.2.3.4:25 work fine as it uses the default
outbound route on the gateway.
For the secondary connection I have a rule in the ipf.rules like this to
catch the returning server -> client packets as they exit the default
outbound route interface of the gateway (ste4).
pass out log quick on ste4 to tun0:5.6.7.8 proto tcp from 192.168.1.16
port = 25 to any
I know this rule is catching the packets and logging them, but its not
changing the outbound interface to tun0. The IP does change to 5.6.7.8
as I can see them with tcpdump sailing out the ste4 interface.
I have successfully used the fast route syntax in other places in my
ruleset to affect the route of outgoing connections so I figure I have
the syntax right.
Appologies if this is bastardry of ipfilter, but it seems in theory that
it should work.
Any help is appreciated.
Regards,
Ross
