Re: Fastroute / to (a discussion in the IPFilter forums, System Security and Security Related category)
Dave,
We are using Fastroute. We have a regular address space and a private (RFC1918) address space on our LAN. We "route" between the two with our firewall and transparently pass traffic through the firewall to the router. We are running ipf 3.3.18 under OpenBSD 2.8 and it works fairly well. The biggest problem we have seen is that users who repeatedly establish a session between these two address ranges will sometimes lose their connection. This is most clearly seen when someone tries to print from a machine in our main address range to a printer in the private address range. It is as if we are running out of some resource.

The rules we use are:

#
# Routing Between Private Address Space And Normal Address Space Rules
#
pass in quick from 172.24.0.0/16 to 172.24.0.1 group 100                                # Private Address Space to its Gateway
block in quick on fxp0 to fxp0 from 172.24.0.0/16 to <normal range> group 100           # Private Address Space to Normal Addresses
block in quick from 172.24.0.0/16 to 172.24.0.0/16 group 100                            # Ignore Broadcasts and Internal Traffic
block in quick on fxp0 to fxp0 from <normal range> to 172.24.0.0/16 group 100           # Normal Addresses to Private Address Space

As can be seen we have set up an alias IP address on fxp0 (172.24.0.1) as the gateway for the private address range. You would probably not have to do this as you are using the router as the gateway. What would probably work for you is:

block in quick on <internal interface> to <internal interface> from <subnet 1> to <subnet 2>
block in quick on <internal interface> to <internal interface> from <subnet 2> to <subnet 1>

Notice that you need to use "block in" and not "pass in", as the fastroute command will bypass the network stack and put the packet directly on the interface. If you "pass in" you will end up with two copies of the packet and probably cause a kernel panic (see the FAQ on this).

--
James A. Robbins
Network Engineer
The Ohio State University Chemistry Department

----- Original Message -----
From: "Dave Raven" <dave@raven.za.net>
To: <ipfilter@coombs.anu.edu.au>
Sent: Wednesday, November 02, 2005 5:55 AM
Subject: Fastroute / to

> Hi all,
> I have a rather specific problem, where I am bridging traffic
> between a router and two subnets behind me. Both of those subnets are
> pointing to the router as their default gateway. I want to forward the
> traffic transparently, out of my LAN facing interface as though I was their
> default gateway, so that the traffic never reaches the router in front of
> me.
>
> How would I go about doing that if I have an address on both of those
> networks on the LAN facing card? And when was fastroute/to implemented
> properly - in my manual page I have fastroute (ipf 3.4.31) but it doesn't
> load properly. If I mistype it I get a syntax error, but when I have it
> typed right (with 'to') it just waits and never finishes loading the
> rules...
>
> Thanks
> Dave
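James's warning that a fastroute rule must be "block in" rather than "pass in" is easy to check for mechanically before loading a rule set. The following is an added example, not code from either poster: a small Python linter that flags any "pass" rule that also fastroutes (either a "to <iface>" clause before the address part, or the "fastroute" keyword). The embedded rule list re-creates the shape of the rules above with a constructed 10.1.0.0/16 standing in for the <normal range> placeholder, plus two constructed faulty rules.

```python
"""Lint an IPFilter rule list for 'pass' rules that also fastroute."""
import re
from typing import List, Tuple

# Constructed sample rules (not the poster's file): lines 1-5 mirror the
# rule shape from the post with 10.1.0.0/16 as a made-up "normal" range;
# lines 8-9 are deliberate mistakes the linter should catch.
RULES = """\
# Routing Between Private Address Space And Normal Address Space Rules
pass in quick from 172.24.0.0/16 to 172.24.0.1 group 100
block in quick on fxp0 to fxp0 from 172.24.0.0/16 to 10.1.0.0/16 group 100
block in quick from 172.24.0.0/16 to 172.24.0.0/16 group 100
block in quick on fxp0 to fxp0 from 10.1.0.0/16 to 172.24.0.0/16 group 100
# Constructed mistakes: 'pass' with fastroute means ipf puts the packet on
# the wire itself AND hands it to the IP stack, so it is sent twice.
pass in quick on fxp0 to fxp0 from 10.1.0.0/16 to 172.24.0.0/16 group 100
pass out quick on fxp0 fastroute from any to any
"""


def is_fastroute(tokens: List[str]) -> bool:
    """True if the rule forwards the packet itself rather than via the stack.

    Either the 'fastroute' keyword is present, or a 'to <iface>' clause
    appears before the address part; the address 'to' always follows 'from'.
    """
    if "fastroute" in tokens:
        return True
    if "to" not in tokens:
        return False
    return "from" not in tokens or tokens.index("to") < tokens.index("from")


def lint(rule_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, rule) for every 'pass' rule that fastroutes."""
    findings = []
    for n, line in enumerate(rule_text.splitlines(), 1):
        rule = re.sub(r"#.*", "", line).strip()  # drop comments and blanks
        if not rule:
            continue
        tokens = rule.split()
        if tokens[0] == "pass" and is_fastroute(tokens):
            findings.append((n, rule))
    return findings


if __name__ == "__main__":
    for n, rule in lint(RULES):
        print(f"line {n}: 'pass' combined with fastroute: {rule}")
```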