This is a discussion on Re: Dual connection fast route problems within the IPFilter forums, part of the System Security and Security Related category.
Problem solved. I was trying to divert the packet too late. The rerouting/diversion of the packet needed to occur on the "pass in" from ste3 (the internal interface) as the packet was already routed by the time I was trying to move it on the way out ste4.

Ross Barker wrote:
> Hi,
>
> I am using IP Filter: v4.1.13 on FreeBSD 6.2 and have an issue I can't seem to resolve with the help of google or the ipf documentation I have found. Perhaps someone can assist. I am no expert with IP Filter but I have an okay grasp of it and have been using it for quite some time successfully for basic firewalling functions.
>
> If there is a better list to ask such questions on please point me to it.
>
> I also might be going about this entirely the wrong way, but I don't know of any better way.
>
> Basically what I am trying to achieve is dual Internet connection to a single internal NAT'ed email server for receiving mail in a redundant fashion. However I can't get the return packets to go back out the interface which is the non-default route on the gateway. The packets come in fine and on the way back out the gateway I catch them with IP Filter's "to interface:ip" syntax and try to push them back out that way. This technique is called fast route I think. The rule catches the packets going back out, and changes the IP correctly to the one specified in the rule however it does not re-route the packet into the specified outgoing interface.
>
> Here is my setup
>
> * Hosts/Connections
>
> Gateway:
> FreeBSD 6.2 - IP Filter: v4.1.13
> 3 network interfaces of interest
>
> - primary internet connection: ste4
>   static IP: 1.2.3.4
>
> - secondary internet connection: tun0 (pppoe)
>   static IP: 5.6.7.8
>   Simple ppp setup via /etc/ppp/ppp.conf
>
> - Internal LAN: ste3 (ethernet) 192.168.1.1
>
> Then we have on the LAN:
>
> Internal Linux host running SMTP with IPs 192.168.1.15 and 192.168.1.16
>
> * Inbound NAT config
> The primary Internet connection's NAT is done by a router beyond ste4, it does translation of 1.2.3.4:25 -> 192.168.1.15:25
>
> The secondary Internet connection uses ipnat configured on the gateway to redirect traffic
>
>     rdr tun0 5.6.7.8/32 port 25 -> 192.168.1.16 port 25 tcp
>
> The default route on the gateway points out ste4 to the primary Internet connection.
>
> Inbound SMTP connections to 1.2.3.4:25 work fine as it uses the default outbound route on the gateway.
>
> For the secondary connection I have a rule in the ipf.rules like this to catch the returning server -> client packets as they exit the default outbound route interface of the gateway (ste4).
>
>     pass out log quick on ste4 to tun0:5.6.7.8 proto tcp from 192.168.1.16 port = 25 to any
>
> I know this rule is catching the packets and logging them, but it's not changing the outbound interface to tun0. The IP does change to 5.6.7.8 as I can see them with tcpdump sailing out the ste4 interface.
>
> I have successfully used the fast route syntax in other places in my ruleset to affect the route of outgoing connections so I figure I have the syntax right.
>
> Apologies if this is bastardry of ipfilter, but it seems in theory that it should work.
>
> Any help is appreciated.
>
> Regards,
> Ross
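As an added example (not from the thread, and not Ross's actual final ruleset), here is what the fix described in the reply looks like in the ipf configuration: the original `pass out` rule from the post beside the `pass in` form applied on ste3. The interface names, addresses and the `rdr` line are the ones given in the thread; the exact text of the corrected rule, the file paths and the verification commands in the note below are assumptions.

```conf
# Added example, not the poster's ruleset. Interfaces and addresses are
# those stated in the thread; the rest is assumed.

# /etc/ipnat.rules (as posted): inbound SMTP arriving on the secondary
# link is redirected to the second MTA address.
rdr tun0 5.6.7.8/32 port 25 -> 192.168.1.16 port 25 tcp

# /etc/ipf.rules
#
# Original rule: applied too late. By the time a packet is seen on
# "pass out" the kernel has already chosen the default route (ste4),
# so the rule matches and logs, but the packet still leaves via ste4.
# pass out log quick on ste4 to tun0:5.6.7.8 proto tcp from 192.168.1.16 port = 25 to any

# Placement described in the reply: catch the MTA's reply packets as
# they arrive from the LAN on the internal interface (ste3), before the
# routing decision, and push them out tun0 with the same "to" syntax.
# Only the "pass in on ste3" placement is stated in the thread; the
# body of the rule is assumed from the original one.
pass in log quick on ste3 to tun0:5.6.7.8 proto tcp from 192.168.1.16 port = 25 to any
```

After reloading (for example `ipf -Fa -f /etc/ipf.rules` and `ipnat -CF -f /etc/ipnat.rules`), confirm the effect rather than trusting the log line: `tcpdump -ni tun0 tcp port 25` should now show the replies from 192.168.1.16 leaving tun0, and `tcpdump -ni ste4 tcp port 25` should no longer show them. Because the rule is restricted to `proto tcp from 192.168.1.16 port = 25`, it diverts only the second MTA's SMTP replies and does not change what the gateway accepts from the rest of the LAN.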