ipfw skipto question

Hello,

I've got a FreeBSD 7.0 as a router. I have MAC filtering enabled as well as forwarding:

sysctl net.link.ether.ipfw=1

Have the following rules:

Code:
00014 skipto 20 tcp from any to any dst-port 80 MAC any 78:2b:cb:19:3f:65
.....
00017 skipto 20 tcp from 192.168.0.252 to any dst-port 80 via vlan1571
00018 fwd 192.168.0.252,80 tcp from 192.168.0.126 to any dst-port 80 via vlan1571
00020 divert 8670 ip from any to any via vlan1571

192.168.0.252 MAC = 78:2b:cb:19:3f:65
192.168.0.252 is a proxy (ironport)

192.168.0.126 is a user
192.168.0.126 MAC is c8:2a:14:26:39:72

User 192.168.0.126 is going to a certain page; it has this FreeBSD server as its gateway. The user's traffic on port 80 is forwarded to the proxy (ironport) on the same segment with IP 192.168.0.252.

Up to here everything is good

Problem:

User goes to XXXX.xxx -> then to proxy -> proxy has a bypass rule for XXXX.xxx, then traffic goes to this FreeBSD box as follows:
Code:
17:15:40.294448 c8:2a:14:26:39:72 > 00:0b:db:91:4c:a3, ethertype IPv4 (0x0800), length 78:
 192.168.0.126.54807 > 209.123.109.175.80: S 219273808:219273808(0) win 65535 <mss 1460,nop,wscale
 3,nop,nop,timestamp 455131498 0,sackOK,eol>
17:15:40.294551 78:2b:cb:19:3f:65 > 00:0b:db:91:4c:a3, ethertype IPv4 (0x0800), length 78:
 192.168.0.126.54807 > 209.123.109.175.80: S 219273808:219273808(0) win 65535 <mss 1460,nop,wscale
 3,nop,nop,timestamp 455131498 0,sackOK,eol>
7:15:40.294622 78:2b:cb:19:3f:65 > 00:0b:db:91:4c:a3, ethertype IPv4 (0x0800), length 78:
 192.168.0.126.54807 > 209.123.109.175.80: S 219273808:219273808(0) win 65535 <mss 1460,nop,wscale
 3,nop,nop,timestamp 455131498 0,sackOK,eol>
17:15:40.294692 78:2b:cb:19:3f:65 > 00:0b:db:91:4c:a3, ethertype IPv4 (0x0800), length 78:
 192.168.0.126.54807 > 209.123.109.175.80: S 219273808:219273808(0) win 65535 <mss 1460,nop,wscale
 3,nop,nop,timestamp 455131498 0,sackOK,eol>
17:15:40.294761 78:2b:cb:19:3f:65 > 00:0b:db:91:4c:a3, ethertype IPv4 (0x0800), length 78:
 192.168.0.126.54807 > 209.123.109.175.80: S 219273808:219273808(0) win 65535 <mss 1460,nop,wscale
 3,nop,nop,timestamp 455131498 0,sackOK,eol>
17:15:40.294846 78:2b:cb:19:3f:65 > 00:0b:db:91:4c:a3, ethertype IPv4 (0x0800), length 78:
 192.168.0.126.54807 > 209.123.109.175.80: S 219273808:219273808(0) win 65535 <mss 1460,nop,wscale
 3,nop,nop,timestamp 455131498 0,sackOK,eol>
17:15:40.294915 78:2b:cb:19:3f:65 > 00:0b:db:91:4c:a3, ethertype IPv4 (0x0800), length 78:
 192.168.0.126.54807 > 209.123.109.175.80: S 219273808:219273808(0) win 65535 <mss 1460,nop,wscale
 3,nop,nop,timestamp 455131498 0,sackOK,eol>

Endlessly.

I want traffic returned from the proxy (without being tampered with by the proxy) to this FreeBSD box to be NAT'ed when going to external (vlan1571).

Hint: my matching on rule 14 works, I see counters growing.

Any help is appreciated.
 
Code:
00020 divert 8670 ip from any to any via vlan1571
This rule would actually match any traffic which is already on vlan1571; it won't be there until you actually NAT it.
Code:
#outbound nat
/sbin/ipfw add 20 divert 8670 ip from 192.168.0.252 to any in
# or this for all subnet
/sbin/ipfw add 20 divert 8670 ip from 192.168.0.0/24 to any in
#inbound nat you need this to get the packets back to the machine that requested them
/sbin/ipfw add %YOURRULENUMBER% divert 8670 ip from any to %YOUREXTERNALIPONVLAN1571% in

That's how I do it (no proxy in my LANs, just multiple NATs on several ISPs external IPs):

Code:
${fwcmd} add 160 divert 8900 all from 192.168.0.0/16 to not 192.168.0.0/16 in
${fwcmd} add 200 divert 8900 all from any to %ONEOFMYEXTERNALIPS% in
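The reply above hinges on what `via vlan1571` selects compared with a rule qualified by `in`. The following is an added illustration, not code from the thread or from ipfw itself: a small Python model of ipfw's first-match walk (with `skipto`, `in`/`out` and `via`) run over constructed packets modelled on the capture in the original post. `EXT_IP` and `INBOUND_RULE_NUMBER` are assumed stand-ins for the reply's `%YOUREXTERNALIPONVLAN1571%` and `%YOURRULENUMBER%` placeholders; the model ignores MAC matching and the layer-2 pass, and the divert port number is reused from the thread only as a label.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholders for the reply's %YOUREXTERNALIPONVLAN1571% and
# %YOURRULENUMBER%; they are assumptions, not values from the thread.
EXT_IP = "203.0.113.10"
INBOUND_RULE_NUMBER = 30


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    direction: str   # "in" (received by the box) or "out" (transmitted by it)
    iface: str       # interface the packet was received on or is sent out of


@dataclass
class Rule:
    number: int
    action: str                      # "allow", "deny", "divert 8670", "skipto 30", ...
    src: str = "any"                 # address, CIDR or "any"
    dst: str = "any"
    direction: Optional[str] = None  # "in", "out" or None (either)
    via: Optional[str] = None        # like ipfw 'via': the interface, in either direction


def ip_match(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == addr


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_match(rule.src, pkt.src) and ip_match(rule.dst, pkt.dst)
            and (rule.direction is None or rule.direction == pkt.direction)
            and (rule.via is None or rule.via == pkt.iface))


def evaluate(rules, pkt):
    """First matching rule wins; 'skipto N' resumes at the first rule numbered >= N.
    Returns (action, list of rule numbers that matched along the way)."""
    rules = sorted(rules, key=lambda r: r.number)
    i, trace = 0, []
    while i < len(rules):
        rule = rules[i]
        if matches(rule, pkt):
            trace.append(rule.number)
            if rule.action.startswith("skipto "):
                # ipfw only allows forward skips, so this cannot loop.
                target = int(rule.action.split()[1])
                i = next((k for k, r in enumerate(rules) if r.number >= target), len(rules))
                continue
            return rule.action, trace
        i += 1
    return "deny", trace  # stands in for the default rule 65535


# Rule 20 as posted in the question: 'via vlan1571' with no direction.
VIA_RULESET = [Rule(20, "divert 8670", via="vlan1571"), Rule(100, "allow")]

# The shape the reply suggests: divert LAN sources on the way in,
# divert packets addressed to the external IP on the way in.
IN_RULESET = [
    Rule(20, "divert 8670", src="192.168.0.0/24", direction="in"),
    Rule(INBOUND_RULE_NUMBER, "divert 8670", dst=EXT_IP, direction="in"),
    Rule(100, "allow"),
]

# Constructed packets modelled on the thread's capture (192.168.0.126 -> 209.123.109.175:80).
LAN_SYN = Packet("192.168.0.126", "209.123.109.175", 80, "in", "vlan1571")
NATTED_SYN = Packet(EXT_IP, "209.123.109.175", 80, "out", "vlan1571")        # after natd rewrote the source
SYN_ACK = Packet("209.123.109.175", EXT_IP, 54807, "in", "vlan1571")          # the server's answer, to be un-NATted
STRAY_IN = Packet("209.123.109.175", "198.51.100.7", 54807, "in", "vlan1571")  # inbound, but not addressed to us


def actions(ruleset):
    """Action chosen for each sample packet under the given ruleset."""
    samples = [("lan_syn", LAN_SYN), ("natted_syn", NATTED_SYN),
               ("syn_ack", SYN_ACK), ("stray_in", STRAY_IN)]
    return {name: evaluate(ruleset, pkt)[0] for name, pkt in samples}


if __name__ == "__main__":
    for label, rs in (("via vlan1571", VIA_RULESET), ("in / to EXT_IP in", IN_RULESET)):
        print(label, actions(rs))
```

Running it shows the difference the reply is pointing at: the `via` rule hands every packet touching vlan1571 to the divert socket, in both directions and whatever its addresses, whereas the `in`-qualified pair only diverts LAN-sourced packets arriving at the box and replies addressed to the external IP, and lets the already-translated outbound packet and unrelated inbound traffic fall through to the next rule.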
 
What happens is that the packet goes to the gateway, then to the proxy, then the proxy returns the same packet to the gateway.
 