IPFW + NATD + Multiple FIBs

Hello IPFWers,

I'm trying to use IPFW with several natd instances and multiple FIBs.
Actually, I can make IPFW work with several natd instances, but only on the default FIB.

FIB 0:
Code:
==== tun1 (10.69.0.0/24)
====FreeBSD router====
 ==== em0 (192.168.1.2/24)
 ==== tun0 (WAN IP_1) (default route via its gateway)
 ==== igb0 (192.31.3.253/22)
FIB 1:
Code:
==== tun1 (10.70.0.0/24)
====FreeBSD router====
 ==== em0 (192.168.1.2/24)
 ==== tun0 (WAN IP_2) (another default route via its gateway)
 ==== igb0 (192.31.3.253/22)

So to sum up, if traffic comes in via tun1, I want to route the traffic via igb0 / em0 or tun0, depending on the network reached.
If traffic comes in via tun2, I want to route the traffic via igb0 / em0 or vlan3144, depending on the network reached.

With only the first FIB, ipfw and nat are working well, but with two FIBs the ipfw configuration seems broken.

My ipfw rules:
Code:
00010 divert 8668 log logamount 500 ip from 10.0.0.0/8,30.0.0.0/20 to any in via em0
00011 divert 8669 log logamount 500 ip from 172.31.0.0/21 to any in via igb0
00110 skipto 2000 log logamount 500 ip from 10.69.0.0/24 to 10.0.0.0/8,30.0.0.0/20 out via em0 fib 0
00111 skipto 2000 log logamount 500 ip from 10.70.0.0/24 to 10.0.0.0/8,30.0.0.0/20 out via em0 fib 1
00112 skipto 2200 log logamount 500 ip from 10.69.0.0/24 to 172.31.0.0/21 out via igb0
00112 skipto 2200 log logamount 500 ip from 10.70.0.0/24 to 172.31.0.0/21 out via igb0
01010 deny ip from table(1) to any dst-port 22 in
01011 allow log logamount 500 ip from any to any
02000 divert 8668 log logamount 500 ip from any to any out via em0
02001 allow log logamount 500 ip from any to 10.0.0.0/8,30.0.0.0/20
02200 divert 8669 log logamount 500 ip from any to any out via igb0
02201 allow log logamount 500 ip from any to 172.31.0.0/21
03000 deny log logamount 500 ip from any to any
65535 deny ip from any to any
The interesting rule is 00111 in my example. When a packet comes from 10.70.0.0/24, I want to NAT it (rule 2000) and use FIB 1.

For example, if I ping from 10.70.0.1 to 10.53.1.1, I only hit rule 1011 of ipfw:
Code:
:~ # ipfw show
00010   624   72124 divert 8668 log logamount 500 ip from 10.0.0.0/8,80.247.224.0/20 to any in via em0
00011   375   31508 divert 8669 log logamount 500 ip from 172.31.0.0/21 to any in via igb0
00110     0       0 skipto 2000 log logamount 500 ip from 10.69.0.0/24 to 10.0.0.0/8,80.247.224.0/20 out via em0
00111     0       0 skipto 2000 log logamount 500 ip from 10.70.0.0/24 to 10.0.0.0/8,80.247.224.0/20 out via em0 fib 1
00112     0       0 skipto 2200 log logamount 500 ip from 10.69.0.0/24 to 172.31.0.0/21 out via igb0
00112     0       0 skipto 2200 log logamount 500 ip from 10.70.0.0/24 to 172.31.0.0/21 out via igb0
01010     0       0 deny ip from table(1) to any dst-port 22 in
01011 29089 5334945 allow log logamount 500 ip from any to any
02000     0       0 divert 8668 log logamount 500 ip from any to any out via em0
02001     0       0 allow log logamount 500 ip from any to 10.0.0.0/8,80.247.224.0/20
02200     0       0 divert 8669 log logamount 500 ip from any to any out via igb0
02201     0       0 allow log logamount 500 ip from any to 172.31.0.0/21
03000     0       0 deny log logamount 500 ip from any to any
65535  5909 1083557 deny ip from any to any
root@kimberley:~ #

FIB 0 and FIB 1 are the same except for the default route (the default route is not used in my ping example).

Am I using the fib option in ipfw correctly? Where do I need to pass the fib option?

Thanks for all
 
You need to use setfib to tag a packet to use a particular routing table, so in between rules 2000 and 2001, I'd insert
setfib 1 ip from any to any
 
Hi,
thanks for fast answer,

I've just realized I've made a misconfiguration in my FIB routing.

tun0 and tun1 do not need to use a special FIB.
But the WAN interfaces named tun0 and vlan154 need to use different default gateways.


So I've done some tests, but it does not seem to work:
$cmd 202 setfib 1 log ip from any to 80.247.239.81 $ks

80.247.239.81 is the IP of the vlan154 interface. This interface hosts an OpenVPN server, and I just want to use a specific gateway when my clients come to my server via 80.247.239.81.

The rule seems to match (security.log), but the output interface is not the right one. It uses the default route interface from FIB 0, not FIB 1:
Sep 20 14:41:14 <security.info> kimberley kernel: ipfw: 1011 Accept UDP 82.224.153.141:43179 80.247.239.81:1194 in via vlan154
Sep 20 14:41:15 <security.info> kimberley kernel: ipfw: 1011 Accept UDP 80.247.239.81:1194 82.224.153.141:43179 out via tun0



Can you explain differences between:
-setfib X
-fib X

in an ipfw ruleset.

Thanks,
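As an added example, not part of the thread and not the original poster's configuration, the rc-style script below illustrates the difference asked about above. In ipfw, "setfib N" is an action: it tags the packet with FIB N and rule processing continues with the next rule, so a later rule must still accept the packet. "fib N" is a match option: it matches packets that already carry that FIB tag (set by a setfib rule, or inherited from a process started under setfib(1)) and never changes the routing table by itself. Note also that a rule written "from any to 80.247.239.81" can only match the inbound packet in the logged exchange; the packet that was routed out via tun0 is the reply "from 80.247.239.81", so that is the one that needs the tag. The script assumes the thread's address 80.247.239.81 on vlan154 and a FIB 1 whose default route points at the vlan154 gateway, and it assumes a FreeBSD release where ip_output re-runs the route lookup after the firewall changes a packet's FIB (assumed here; older releases did not do this for locally generated packets).

```shell
#!/bin/sh
# Added example (not from the thread): shows "setfib N" (action) versus
# "fib N" (match option) with the thread's addresses and interfaces.
#   DRYRUN=1 sh fib-rules.sh   -> only prints the ipfw commands
#   sh fib-rules.sh            -> loads them (needs root and /sbin/ipfw)
IPFW=${IPFW:-/sbin/ipfw}
VPN_IP=80.247.239.81      # address of the vlan154 interface (from the thread)
VPN_IF=vlan154
VPN_FIB=1                 # assumed: FIB 1's default route uses the vlan154 gateway

# Without an ipfw binary (e.g. when reading this on another OS) fall back
# to printing the commands instead of running them.
[ -x "$IPFW" ] || DRYRUN=1

# fw: run or print an ipfw command depending on DRYRUN
fw() {
    if [ -n "$DRYRUN" ]; then
        echo "$IPFW $*"
    else
        "$IPFW" "$@"
    fi
}

load_fib_rules() {
    # "setfib" is an ACTION: it tags the packet with a FIB number and
    # processing CONTINUES with the next rule; nothing is accepted yet.
    # Tag inbound packets addressed to the VPN endpoint...
    fw add 200 setfib "$VPN_FIB" ip from any to "$VPN_IP" in via "$VPN_IF"
    # ...and, which is what the logged reply needs, packets the host itself
    # sends FROM that address. With the FIB changed by the firewall,
    # ip_output re-evaluates the route (assumed, see lead-in), so the reply
    # follows FIB 1's default route instead of FIB 0's default via tun0.
    fw add 201 setfib "$VPN_FIB" ip from "$VPN_IP" to any out
    # "fib" is a MATCH OPTION: it only matches packets already tagged with
    # that FIB. Here it lets us log/accept FIB-1 traffic separately.
    fw add 210 allow log ip from any to any fib "$VPN_FIB"
    # Everything else stays on FIB 0.
    fw add 220 allow ip from any to any
}

load_fib_rules
```

Rules 200 and 201 must come before any terminating rule such as the thread's "01011 allow ... from any to any"; because setfib does not terminate the search, placing them at low rule numbers, as the earlier reply suggested for rules 2000/2001, is safe.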
 