Hi Arnaud,
Arnaud Feix <[EMAIL PROTECTED]> wrote:
>
> In the NAT section what are: $ext_dev and $cable_if
I tried to make the rules a bit more readable, but I forgot one. The cable
device was formerly called ext_dev, from when I only had one ISP. I exchanged the
rule base below, now it is correct.
>
>
> Sebastian Reitenbach a écrit :
> > Hi,
> >
> > forgot the subject last time.
> >
> > I have some trouble getting my Internet connection working with two ISPs.
> > I have been fiddling around with that for a week and do not get it to work.
> > I have one DSL Connection with a dynamic IP and one Cable connection with
> > a static IP. I want to configure the Internet connection this way:
> > 1. I want to have everything from the internal LAN going out via the faster
> > DSL line, despite some exceptions
> > 2. the exceptions that need a static IP as source IP, have to go out via
> > the Cable network
> > 3. traffic from the DMZ to the Internet shall leave the Firewall via the
> > static Cable Interface
> > 4. traffic to services in the DMZ will arrive at the static cable IP, shall
> > be redirected into the DMZ
> > replies shall go out via the cable interface
> >
> > The configuration:
> > a) The DSL Modem is configured to make the whole DSL handshaking and is
> > configured to make NAT for us
> > b) The default route of the firewall via the DSL Line, points to the DSL
> > Modem
> > c) Static routes are defined for point 2. in the routing table to have the
> > next hop at 200.200.200.1
> > d) there are generally two firewalls working together with CARP, but for
> > the tests, the slave was shut down to eliminate possible interferences
> >
> >
> >
> > GateCable: 200.200.200.1        GateDSL: 192.168.255.1
> >          |Cable Static IP               |DSL Dynamic IP
> >          |200.200.200.2                 |192.168.255.2
> >          |em0                           |em1
> >  ________________________________
> > |                              |DMZ 10.0.0.1
> > |           Firewall           |------------
> > |------------------------------|em2
> >          |em3
> >          |Internal LAN
> >          |10.1.1.1
> >          |
> >
> >
> > things that work:
> > Point 1. and 2. are working, internal users surf via the DSL line, only
> > specially treated
> > IP's where the special route is defined leave the network via the cable IP
> > address
> >
> > things that do not (yet) work:
> > obviously point 3. and 4.
> >
> > to test point 3, I have the following test pf ruleset:
> >
# the physical interfaces of the carp devices
cable_dev="em0"
dsl_dev="em1"
dmz_dev="em2"
int_dev="em3"
pfsync_dev="bge0"
# the carp interfaces on top of them
cable_if="carp0"
dsl_if="carp1"
dmz_if="carp2"
int_if="carp3"
# the DMZ network
dmz_net="10.10.10.0/24"
# the gateways for the Internet upstreams
dsl_gate="192.168.255.1"
cable_gate="200.200.200.1"
set skip on { lo }
set loginterface $dsl_dev
set block-policy return
scrub in all
# the NAT rule for the hosts in the DMZ; the default rule at the firewall goes out
# via the $dsl_dev
nat pass on $cable_dev from $dmz_net -> ($cable_if:0)
block in log all
pass out log all
# allow carp and pfsync flow
pass quick on $pfsync_dev proto pfsync
pass quick on { $cable_dev $dsl_dev $dmz_dev $int_dev } proto carp keep state
# send DMZ traffic out via the cable uplink instead of the default route
pass in log on $dmz_dev route-to ( $cable_dev $cable_gate ) from $dmz_net to any keep state
> >
> > this is the tcpdump on em0 (the external cable interface):
> >
> > 08:36:41.464966 200.200.200.2.56669 > 195.37.1.35.80: S [tcp sum ok]
> > 890573453:890573453(0) win 5840 <mss 1460,sackOK,timestamp 3315468867
> > 0,nop,wscale 2> (DF) [tos 0x10] (ttl 64, id 6350, len 60)
> > 08:36:44.464174 200.200.200.2.56669 > 195.37.1.35.80: S [tcp sum ok]
> > 890573453:890573453(0) win 5840 <mss 1460,sackOK,timestamp 3315471867
> > 0,nop,wscale 2> (DF) [tos 0x10] (ttl 64, id 6351, len 60)
> > 08:36:50.461358 200.200.200.2.56669 > 195.37.1.35.80: S [tcp sum ok]
> > 890573453:890573453(0) win 5840 <mss 1460,sackOK,timestamp 3315477867
> > 0,nop,wscale 2> (DF) [tos 0x10] (ttl 64, id 6352, len 60)
> > 08:37:02.455739 200.200.200.2.56669 > 195.37.1.35.80: S [tcp sum ok]
> > 890573453:890573453(0) win 5840 <mss 1460,sackOK,timestamp 3315489867
> > 0,nop,wscale 2> (DF) [tos 0x10] (ttl 64, id 6353, len 60)
> >
> > for me it seems correct, the right interface, the right source (NAT seems
> > to work) and destination address, but I do
> > not see any answers.
> >
> > testing point 4. resulted in more or less the same, I see incoming SYN
> > packets on em0, also SYN answers, but
> > that's it, the connection is not establishing. But I think this might
> > have the same cause as point 3.
> >
> > so any idea why I do not see any replies to the outgoing syn packets?
> > If the information provided is not enough, please let me know, I'd like to
> > provide anything that will help
> > to resolve that issue.
> >
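An added example, not from the thread: a small Python parser for OpenBSD tcpdump lines in the format quoted above. It groups SYNs by 4-tuple and reports flows whose SYN was retransmitted with no SYN/ACK ever seen in the reverse direction; the growing 3/6/12 second gaps it reports are the client's retransmit backoff, which pins the fault on the reply path rather than on the outbound NAT. The sample capture is constructed from the posted lines (abridged) plus one invented answered flow for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the OpenBSD tcpdump format quoted in the thread:
# four retransmitted SYNs taken from the post (trailing options abridged)
# and, for contrast, one invented connection that does get a SYN/ACK back.
SAMPLE = """\
08:36:41.464966 200.200.200.2.56669 > 195.37.1.35.80: S [tcp sum ok] 890573453:890573453(0) win 5840 <mss 1460> (DF)
08:36:44.464174 200.200.200.2.56669 > 195.37.1.35.80: S [tcp sum ok] 890573453:890573453(0) win 5840 <mss 1460> (DF)
08:36:50.461358 200.200.200.2.56669 > 195.37.1.35.80: S [tcp sum ok] 890573453:890573453(0) win 5840 <mss 1460> (DF)
08:37:02.455739 200.200.200.2.56669 > 195.37.1.35.80: S [tcp sum ok] 890573453:890573453(0) win 5840 <mss 1460> (DF)
08:37:05.100000 200.200.200.2.56670 > 195.37.1.35.80: S [tcp sum ok] 1:1(0) win 5840 <mss 1460> (DF)
08:37:05.130000 195.37.1.35.80 > 200.200.200.2.56670: S [tcp sum ok] 9:9(0) ack 2 win 16384 <mss 1460> (DF)
"""

# timestamp, src.port > dst.port: flags   (the rest of the line is not needed)
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+) "
)

def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def unanswered_syns(capture):
    """Return {(src, sport, dst, dport): [gap, ...]} for flows whose SYN was
    retransmitted (same 4-tuple, flag S, no ack) and for which no SYN/ACK was
    seen in the reverse direction. Gaps are seconds between successive SYNs."""
    syns = defaultdict(list)
    answered = set()
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key = (m["src"], m["sport"], m["dst"], m["dport"])
        if m["flags"] == "S" and " ack " not in line:
            syns[key].append(_seconds(m["ts"]))
        elif m["flags"] == "S":
            # SYN/ACK: reverse the tuple to find the flow it answers
            answered.add((m["dst"], m["dport"], m["src"], m["sport"]))
    result = {}
    for key, times in syns.items():
        if key in answered or len(times) < 2:
            continue
        result[key] = [round(b - a, 1) for a, b in zip(times, times[1:])]
    return result
```

Run it over a real `tcpdump -n -i em0 -ttt`-style capture by replacing SAMPLE; an empty result means every retransmitted SYN eventually saw a SYN/ACK.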