"Summary", somewhat.

Most of my problems reported last weekend boiled down to
rectifying and/or working around our asymmetric routing
with multi-provider setup. The firewall/NAT server works
with Solaris 10u7 (tested both i386-only and amd64 modes)
and IPF 4.1.33 release.

Our setup involves the Solaris firewall/NAT in question,
as well as an external Cisco 3750 for routing to several
internet providers, and a multitude of VLAN interfaces
as interconnect between these two devices and local LAN
VLANs. The default route from Solaris to Cisco leads to
a policy-based-router (Cisco PBR) interface used to
select a certain ISP's uplink based on packet's source
IP address. However, due to limitations of Cisco PBR on
c3750, outward and inward VLANs are (alas) different,
which causes a bunch of problems for IPF setup.

NAT problems were worked around by setting up the external
router (Cisco) in such a manner that it routes the NAT
public IP address to the same VLAN that the outgoing packets
went out from (the PBR VLAN). This way the NAT sessions work.
The PBR in IPF ("block out on ... to:...") did not help, or
at least it is not sufficient alone. These rules are set
up anyway, however, because without them things don't work either.
So we ended up with several "hardcoded routing statements"
on various hardware. Not cool, but works.

NOTE: a test rule like the line below consistently panicked
the kernel. I'm not sure whether it should have worked, but
crashing the server was certainly unexpected:
  pass out quick on bge126000 to nge125000:192.168.125.1
    from 192.168.186.0/24 to any

Firewall (filtering) rules seem to break when "keep state"
is used - that is, packets don't pass when they are (or seem
to be) allowed to. Probably this happens because of discrepancies
between the actual "in" and "out" interfaces for packets.
Multi-headed groups of rules did not help; "states" seem
to associate with specific interfaces, period.

Finally, ICMP works (allowed from any to any, and I can
"ping" the server), but it is still missing from traceroute
outputs.

I wonder if it is possible (now or after some coding)
to enable NAT sessions and "keep state" rules spanning
several interfaces, different for incoming and outgoing
packets?


--


+============================================================+
|                                                            |
| Климов Евгений,                                 Jim Klimov |
| Technical director                                     CTO |
| ЗАО "ЦОС и ВТ"                                  JSC COS&HT |
|                                                            |
| +7-903-7705859 (cellular)          mailto:[email protected] |
|                          CC:[email protected],[email protected] |
+============================================================+
| ()  ascii ribbon campaign - against html mail              |
| /\                        - against microsoft attachments  |
+============================================================+
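As an added illustration (a constructed Python model, not the poster's configuration or IPF's code), this shows why state entries bound to the interface that first saw a flow reject replies arriving on a different VLAN, which is the asymmetric-routing symptom described above; interface names and addresses are constructed:

```python
# Constructed model (not IPF source) of state entries keyed to the
# interface that first saw the flow, versus state keyed to the flow only.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet is seen on (constructed names)
    src: str
    dst: str
    proto: str = "tcp"


class StatefulFilter:
    """Minimal 'keep state' bookkeeping: one entry per outbound flow."""

    def __init__(self, bind_state_to_iface: bool) -> None:
        self.bind = bind_state_to_iface
        self.states: set[tuple] = set()

    def _key(self, pkt: Packet, reply: bool = False) -> tuple:
        # For a reply, swap src/dst so it maps onto the original flow.
        flow = (pkt.dst, pkt.src) if reply else (pkt.src, pkt.dst)
        iface = (pkt.iface,) if self.bind else ()
        return iface + (pkt.proto,) + flow

    def pass_out_keep_state(self, pkt: Packet) -> None:
        """'pass out ... keep state': remember the flow as seen here."""
        self.states.add(self._key(pkt))

    def allow_in(self, pkt: Packet) -> bool:
        """Inbound packet passes only if it hits an existing state."""
        return self._key(pkt, reply=True) in self.states


def simulate(bind_state_to_iface: bool) -> tuple[bool, bool]:
    """Return (symmetric reply allowed, asymmetric reply allowed)."""
    fw = StatefulFilter(bind_state_to_iface)
    # Outbound packet leaves via the PBR VLAN (constructed addresses).
    fw.pass_out_keep_state(Packet("vlan_pbr", "192.168.186.10", "203.0.113.5"))
    # Reply returning on the same VLAN versus on a different inward VLAN.
    same_vlan = Packet("vlan_pbr", "203.0.113.5", "192.168.186.10")
    other_vlan = Packet("vlan_inward", "203.0.113.5", "192.168.186.10")
    return fw.allow_in(same_vlan), fw.allow_in(other_vlan)


if __name__ == "__main__":
    print("interface-bound state:", simulate(True))    # (True, False)
    print("flow-only state:      ", simulate(False))   # (True, True)
```

With interface-bound state the reply on the inward VLAN is dropped even though the flow was allowed out, which is why stateless rules on both VLANs were needed as a workaround.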