On Fri, 25 Jan 2008 16:28:42 +0700, Henning Brauer <[EMAIL PROTECTED]>
wrote:

* Insan Praja SW <[EMAIL PROTECTED]> [2008-01-24 18:43]:
Hi Misc@,
I'm currently setting up a bgp router using openbgpd. Routes learned from
openbgpd are stored in routing table 1. So, I have a client from NET2, coming
in on the same interface that my ibgp peer comes from, and I want to pass
traffic from NET2 going to the regional exchange on to the QUAGGA router. I had
no luck with:
"pass on $ext_if from $NET2 to any modulate state rtable 1"; NET2 always
uses the default route via $ext_if when going to the regional exchange.
I appreciate any input and suggestions regarding this.

assigning an rtable decision on the outbound interface is too late,
since the routing decision has already been taken then. you have to do
it in the inbound direction. that is true for the reverse path too.


Hi Henning and Misc@,
I figured out that my pf.conf rule "pass on $ext_if from $NET2 to any
modulate state rtable 1" is wrong, after carefully trying to understand pf.
So I changed it to "#pass in on $int_if from $NET2 to any modulate state
rtable 1". It doesn't change anything; NET2 always goes to the default
gateway.

Thanks,

Insan

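# --- macros ---
# (lines that the mail client had wrapped mid-string are re-joined; the closing
# quote missing from the gl_net macro is restored)
ext_if = "vlan2"
ext_if0 = "vlan111"
ext_if1 = "vlan4"
ext_if2 = "vlan22"
int_if = "em0"
int_if0 = "rl0"
int_priv = "{$int_if $int_if0}"        # not referenced by any rule in this ruleset
port_proxy = "3128"                    # only referenced by the commented-out proxy rdr
mail_server = "202.149.93.14"          # not referenced by any rule in this ruleset
icmp_types = "{ echoreq, unreach }"    # defined but never applied (the icmp pass rule has no icmp-type)
# NOTE(review): pf.conf(5) documents macro names as starting with a letter; these two
# start with a digit - confirm with 'pfctl -nf' that they are accepted.
3d_net = "{202.149.93.8 202.149.93.32/28}"
# NOTE: the <3d_net> table below lists 202.149.93.32/27 while this macro says /28;
# one of the two prefix lengths is presumably wrong - confirm the intended one.
3d_local_net = "{202.149.93.32/27}"
eazy_net = "{210.23.64.0/24, 210.23.66.0/24, 210.23.68.0/24, 210.23.79.0/24}"
simaya_net = "{202.149.93.6 202.149.93.16/28}"
simaya_local_net = "{202.149.93.80/28}"
gl_net = "{10.10.10.0/24 192.168.0.0/24}"
# Per-customer source-port ranges; each group is NATed to its own range on $ext_if2
# and the rdr rules send inbound connections on that range back to the group.
eazy_port = "15001:20000"
simaya_port = "20001:25000"
gl_port = "25001:30000"
tigadport = "30001:35000"
ejiport = "35001:40000"
serport = "40001:45001"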

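#TABLE
# (mail-wrapped table lists re-joined with '\' continuations so the file parses)
table <eazy_net> const {210.23.64.0/24, 210.23.66.0/24, 210.23.68.0/24, \
    210.23.79.0/24}
table <simaya_net> const {202.149.93.6, 202.149.93.16/28}
table <3d_net> const {202.149.93.8, 202.149.93.32/27}   # NOTE: the $3d_net macro says /28
table <server_ip> const {202.149.93.242, 202.149.93.243, 202.149.93.244, \
    202.149.93.245, 202.149.93.246} # Active IP on vlan4
table <gl_net> const {192.168.0.0/24, 10.10.10.0/24} # internal network and management network
# Martian / bogon list as of early 2008.  Only 0.0.0.0/32, 10/8, 127/8, 169.254/16,
# 172.16/12, 192.0.2/24 and 192.168/16 are permanently unroutable; the other /8s were
# simply not in use on the public internet at the time, and a number of them have since
# been allocated.  A static list like this will start dropping legitimate traffic unless
# it is refreshed from a current bogon source or trimmed to the permanent ranges.
# 'const' also means it cannot be adjusted at runtime with 'pfctl -t' - only by reload.
table <rfc1918> const { 0.0.0.0/32, 1.0.0.0/8, 2.0.0.0/8, 5.0.0.0/8, 7.0.0.0/8, \
    10.0.0.0/8, 23.0.0.0/8, 27.0.0.0/8, 31.0.0.0/8, 36.0.0.0/8, 37.0.0.0/8, \
    39.0.0.0/8, 42.0.0.0/8, 49.0.0.0/8, 50.0.0.0/8, 100.0.0.0/8, 101.0.0.0/8, \
    102.0.0.0/8, 103.0.0.0/8, 104.0.0.0/8, 105.0.0.0/8, 106.0.0.0/8, 107.0.0.0/8, \
    108.0.0.0/8, 109.0.0.0/8, 110.0.0.0/8, 111.0.0.0/8, 112.0.0.0/8, 113.0.0.0/8, \
    127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 173.0.0.0/8, 175.0.0.0/8, \
    176.0.0.0/8, 177.0.0.0/8, 178.0.0.0/8, 179.0.0.0/8, 180.0.0.0/8, 181.0.0.0/8, \
    182.0.0.0/8, 183.0.0.0/8, 184.0.0.0/8, 185.0.0.0/8, 192.0.2.0/24, \
    192.168.0.0/16, 197.0.0.0/8, 174.0.0.0/8, 223.0.0.0/8 } # martians of the internet
set ruleset-optimization basic
# 'aggressive' shortens the state timeouts, so idle long-lived connections
# (e.g. the BGP session passed with keep state below) expire sooner than by default.
set optimization aggressive
set block-policy drop
scrub in all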
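#QUEUE
# (queue definitions that were wrapped by the mail client are re-joined)

# Upload shaping on $ext_if2 (vlan22): one child queue per customer group, selected by
# the UP_* tags set on the inbound rules further down; 'office' is the default queue.
altq on $ext_if2 bandwidth 6Mb hfsc(linkshare 5Mb upperlimit 5Mb) queue \
    {office, eazy, simaya, 3d, server}
queue office    bandwidth 256Kb priority 7 qlimit 500 hfsc (realtime 50% default ecn)
queue eazy      bandwidth 1024Kb priority 6 qlimit 500 hfsc (upperlimit 1024Kb ecn)
queue simaya    bandwidth 2564Kb priority 6 qlimit 500 hfsc (upperlimit 2564Kb ecn)
queue 3d        bandwidth 1024Kb priority 6 qlimit 500 hfsc (upperlimit 1024Kb ecn)
queue server    bandwidth 128Kb priority 6 qlimit 500 hfsc (upperlimit 512Kb ecn)

# Download shaping on $ext_if (vlan2): queues are assigned by destination network in
# the 'pass out on $ext_if' rules; 'dn_office' is the default queue.
altq on $ext_if bandwidth 8Mb hfsc(linkshare 5Mb upperlimit 5Mb) queue \
    {dn_office, dn_eazy, dn_simaya, dn_3d, up_server}
queue dn_office bandwidth 512Kb priority 7 qlimit 500 hfsc (realtime 50% default ecn)
queue dn_eazy   bandwidth 1024Kb priority 6 qlimit 500 hfsc (upperlimit 1024Kb ecn)
queue dn_simaya bandwidth 2564Kb priority 6 qlimit 500 hfsc (upperlimit 2564Kb ecn)
queue dn_3d     bandwidth 1024Kb priority 6 qlimit 500 hfsc (upperlimit 1024Kb ecn)
queue up_server bandwidth 512Kb priority 6 qlimit 500 hfsc (upperlimit 1024Kb ecn)

# Per-host shaping on $ext_if1 (vlan4): each queue is bound to one <server_ip> host
# by the 'pass out on $ext_if1' rules; 'dn_trg' is the default queue.
altq on $ext_if1 bandwidth 2Mb hfsc(linkshare 2Mb upperlimit 2Mb) queue \
    {dn_trg, dn_nas, dn_ejigem, dn_matabumi, dn_crot}
queue dn_trg      bandwidth 25% priority 6 qlimit 500 hfsc (realtime 50% default ecn)
queue dn_nas      bandwidth 25% priority 5 qlimit 500 hfsc (upperlimit 25% ecn)
queue dn_matabumi bandwidth 25% priority 6 qlimit 500 hfsc (upperlimit 25% ecn)
queue dn_crot     bandwidth 15% priority 6 qlimit 500 hfsc (upperlimit 25% ecn)
queue dn_ejigem   bandwidth 10% priority 6 qlimit 500 hfsc (upperlimit 10% ecn)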

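# --- translation ---
# (nat/rdr rules that were wrapped by the mail client are re-joined)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# <3d_net> keeps its public addresses when leaving via $ext_if.
no nat on $ext_if inet from <3d_net> to any
# NOTE: with the 'pass' modifier, packets matching a nat/rdr rule are passed without
# the filter rules being evaluated (pf.conf(5)).  On $ext_if2 that presumably also
# means the 'pass out on $ext_if2 tagged UP_* queue ...' rules never see the
# translated packets - confirm with 'pfctl -vsq' that the upload queues fill.
nat pass on $ext_if inet from <gl_net> to any -> $ext_if
nat pass on $ext_if1 inet from <gl_net> to any -> $ext_if1
# Each customer group is masqueraded to its own source-port range on $ext_if2; the
# rdr rules below send inbound connections to that range back to the same group.
nat pass on $ext_if2 inet from $eazy_net to any -> $ext_if2 port $ejiport source-hash
nat pass on $ext_if2 inet from $3d_net to any -> $ext_if2 port $tigadport source-hash
nat pass on $ext_if2 inet from $simaya_net to any -> $ext_if2 port $simaya_port source-hash
nat pass on $ext_if2 inet from <gl_net> to any -> ($ext_if2) port $gl_port
nat pass on $ext_if2 inet from <server_ip> to any -> ($ext_if2) port $serport
#rdr on $int_if proto tcp from any to !<gl_net> port www -> $int_if port $port_proxy
rdr on $ext_if2 proto { tcp udp } from any to ($ext_if2) port $tigadport -> $3d_net
rdr on $ext_if2 proto { tcp udp } from any to ($ext_if2) port $ejiport -> $eazy_net
rdr on $ext_if2 proto { tcp udp } from any to ($ext_if2) port $simaya_port -> $simaya_net
rdr on $ext_if2 proto { tcp udp } from any to ($ext_if2) port $gl_port -> <gl_net>
rdr on $ext_if2 proto { tcp udp } from any to ($ext_if2) port $serport -> <server_ip>
# Transparent FTP proxying for internal clients (presumably ftp-proxy(8) on port 8021).
rdr pass on $int_if proto tcp from any to !<gl_net> port ftp -> 127.0.0.1 \
    port 8021
# NOTE(review): this rule does not drop martian-sourced packets - it rewrites their
# destination to 127.0.0.1 and, because of 'pass', hands them to local services
# without the filter rules being evaluated.  The conventional handling is a filter
# rule such as
#   block in quick on $ext_if from <rfc1918> to any
# (plus 'block out quick on $ext_if from any to <rfc1918>' for the reverse path),
# which also produces a log entry with 'block log'.
rdr pass on $ext_if from <rfc1918> to any -> 127.0.0.1
anchor "ftp-proxy/*"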
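# --- filter ---
# (rules that were wrapped by the mail client are re-joined)
antispoof for {$ext_if $ext_if0 $ext_if1 $ext_if2}
# Default deny, logged.  Reminder: without 'quick' the LAST matching rule wins,
# which decides the outcome for several overlapping rules below.
block log all
pass quick on lo0 all
pass quick on {$int_if0 $int_if $ext_if0} from <gl_net> to any keep state
#rtable 1
# Services on the router itself.  NOTE: this port list is overridden by the later
# 'pass in on $ext_if from any to {202.149.93.2, ...}' rule, which matches the same
# packets without a port restriction and, being last, wins.
pass in on $ext_if proto tcp from any to 202.149.93.2 port {domain, http, https, ftp, ssh, bgp} keep state
pass in on $ext_if proto udp from any to 202.149.93.2 port domain
# NOTE: the later 'pass in on $ext_if from <3d_net> to any no state tag UP_3D' rule
# also matches this traffic (<3d_net> contains 202.149.93.32/27) and wins, so an
# 'rtable 1' re-enabled here would have no effect unless this rule is made 'quick'
# or placed after that one.
pass in on $ext_if from $3d_local_net to !<gl_net> modulate state #rtable 1
pass in on $ext_if from any to <server_ip> keep state
anchor "ftp-proxy/*"
# Every ICMP type, on every interface, in both directions, stateless.  The $icmp_types
# macro defined above is unused; 'icmp-type $icmp_types' would limit this to echo
# requests and unreachables.
pass inet proto icmp from any to !<gl_net>
# Stateless upload classification: the tag selects the $ext_if2 queue in the
# 'pass out on $ext_if2 tagged ...' rules.
pass in on $ext_if from <eazy_net> to any no state tag UP_EAZY
pass in on $ext_if from <simaya_net> to any no state tag UP_SIMAYA
pass in on $ext_if from <3d_net> to any no state tag UP_3D
pass in on $ext_if from <gl_net> to any no state tag UP_OFFICE
# NOTE(review): this passes ANY protocol from any source to the router and the listed
# hosts ('flags S/SA' only constrains TCP) and supersedes the port-limited rules above.
# If TCP is what is intended, add 'proto tcp' and a port list.
pass in on $ext_if from any to {202.149.93.2, <server_ip>, <3d_net>} flags S/SA
# NOTE: the second rule matches everything the first does except traffic to <gl_net>
# and, being last, wins - so UP_SERVER is only set on packets bound for <gl_net>, and
# the 'tagged UP_SERVER queue server' rule on $ext_if2 is unlikely ever to match.
pass in on $ext_if1 from <server_ip> to any no state tag UP_SERVER
pass in on $ext_if1 from <server_ip> to !<gl_net> keep state
pass in on $ext_if2 inet proto { tcp udp } from any to port \
    {$simaya_port $tigadport $ejiport $gl_port $serport}
# Upload queues on $ext_if2, chosen by the tag set on ingress.
pass out on $ext_if2 tagged UP_EAZY queue eazy
pass out on $ext_if2 tagged UP_SIMAYA queue simaya
pass out on $ext_if2 tagged UP_3D queue 3d
pass out on $ext_if2 tagged UP_OFFICE queue office
pass out on $ext_if2 tagged UP_SERVER queue server
#pass out on $ext_if no state queue(dn_office dn_eazy dn_simaya dn_3d)
# Download queues on $ext_if, chosen by destination network.
pass out on $ext_if from any to <eazy_net> no state queue dn_eazy
pass out on $ext_if from any to <simaya_net> no state queue dn_simaya
pass out on $ext_if from any to <3d_net> no state queue dn_3d
pass out on $ext_if from <server_ip> to any no state queue up_server
pass out on $ext_if from <gl_net> to any keep state
pass out on $ext_if from {202.149.93.2, <3d_net>} to any flags S/SA
# Per-host download queues on $ext_if1.
pass out on $ext_if1 from any to 202.149.93.242 no state queue dn_ejigem
pass out on $ext_if1 from any to 202.149.93.243 no state queue dn_trg
pass out on $ext_if1 from any to 202.149.93.244 no state queue dn_nas
pass out on $ext_if1 from any to 202.149.93.245 no state queue dn_matabumi
pass out on $ext_if1 from any to 202.149.93.246 no state queue dn_crot
# Outbound UDP in the traceroute port range ('><' excludes both endpoints).
pass out on {$ext_if, $ext_if1, $ext_if2} inet proto udp from any to any port 33433 >< 33626 keep state
pass out on $ext_if1 from any to <server_ip> keep state
pass out on $ext_if2 from any to any keep state
pass out on $ext_if0 from {202.149.93.2, <gl_net>} to $ext_if0:network keep state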


#bgpd.conf
#macros
peer1="202.149.93.1"
# global configuration
AS 65021
router-id 202.149.93.226
listen on 202.149.93.2
# holdtime 180
# holdtime min 3
# listen on 127.0.0.1
# listen on ::1
# Learned routes are installed into the kernel, but into routing table 1 ('rtable 1'
# below) rather than the default table - which is why the pf 'rtable' question arose.
fib-update yes
nexthop qualify via bgp
rtable 1
log updates
# iBGP session (remote-as equals the local AS) that, per the thread, crosses the
# external interface.  NOTE(review): no 'tcp md5sig' is configured, so the session is
# unauthenticated; 'tcp md5sig password <SHARED-SECRET-PLACEHOLDER>' on both ends
# (and a 'max-prefix' limit) would be the usual hardening here.
neighbor $peer1 {
        remote-as       65021
        descr           upstream
        multihop        2
        local-address   202.149.93.225
        holdtime        180
        holdtime min    3
        announce        none    # nothing is advertised to the peer
}

# filter out prefixes longer than 24 or shorter than 8 bits
# NOTE: both lines are commented out, so no prefix-length limit is applied and
# any prefix the peer sends (down to a /32) is accepted.
#deny from any
#allow from any inet prefixlen 8 - 24
# do not accept a default route

match from any AS {65021} set rtlabel localink
# (the default-route deny referred to above)
deny from any prefix 0.0.0.0/0

# filter bogus networks
# 'prefixlen >= N' also rejects every more-specific announcement inside each block.
deny from any prefix 10.0.0.0/8 prefixlen >= 8
deny from any prefix 172.16.0.0/12 prefixlen >= 12
deny from any prefix 192.168.0.0/16 prefixlen >= 16
deny from any prefix 169.254.0.0/16 prefixlen >= 16
deny from any prefix 192.0.2.0/24 prefixlen >= 24
deny from any prefix 224.0.0.0/4 prefixlen >= 4
deny from any prefix 240.0.0.0/4 prefixlen >= 4


--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
