Появился второй канал (второй провайдер), нужно распределить пользователей между каналами. Копаю в сторону setfib. С такими правилами (минимальный вариант, без фильтрации) всё работает:
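#!/bin/sh
# Minimal two-uplink ruleset: hosts listed in NAT1 leave through re0 on
# FIB 0, hosts listed in NAT2 are switched to FIB 1 and leave through re2.
# Nothing is filtered -- this is the "does the policy routing work" variant.
# Sourced by rc.d/ipfw under /bin/sh: stay POSIX, no `set -e`.
FwCMD="/sbin/ipfw"
LanOut="re0"               # Prov1 (uplink 1, FIB 0 default route)
LanOut2="re2"              # Prov2 (uplink 2, FIB 1 default route)
LanIn="re1"                # Int (LAN)
IpOut="1.2.3.4"            # IP Prov1
IpOut2="5.6.7.8"           # IP Prov2
IpIn="192.168.0.254"       # Int IP
NetIn="192.168.0.0/24"     # IntNet
# Deliberately left unquoted in the rules below: these worked as given,
# with ipfw re-joining the tokens that end in ','.  Quoting them would
# hand ipfw a single argument containing spaces, which it does not parse
# as an address list.
NAT1="192.168.0.24, 192.168.0.3, 192.168.0.75, 192.168.0.9, 192.168.0.36, 192.168.0.23"
NAT2="192.168.0.30, 192.168.0.44"

${FwCMD} -f flush
${FwCMD} -f pipe flush
${FwCMD} -f queue flush
${FwCMD} add check-state
${FwCMD} add allow ip from any to any via lo0
${FwCMD} add deny ip from any to 127.0.0.0/8
${FwCMD} add deny ip from 127.0.0.0/8 to any
#Setfib
# Policy-route NAT2 hosts via uplink 2.  setfib is a non-terminating
# action: the packet keeps going through the rules below with FIB 1
# attached.  NOTE(review): with keep-state, replies matched by check-state
# run this rule's setfib action too; if that is unwanted, drop keep-state
# (the dynamic state is not needed for the outbound policy route).
${FwCMD} add setfib 1 ip from ${NAT2} to any in recv ${LanIn} keep-state
#NAT_config
# unreg_only: rewrite private sources only; reset: discard the alias table
# when the interface address changes; log: per-instance logging.
# Interface names now come from the variables above instead of being
# repeated as literals (re0/re1/re2 were hard-coded in the rules before).
${FwCMD} nat 1 config log if ${LanOut} same_ports reset unreg_only
${FwCMD} nat 2 config log if ${LanOut2} same_ports reset unreg_only
#NAT1
${FwCMD} add nat 1 ip from ${NAT1} to any out via ${LanOut}
${FwCMD} add nat 1 ip from any to any in via ${LanOut}
#NAT2
${FwCMD} add nat 2 ip from ${NAT2} to any out via ${LanOut2}
${FwCMD} add nat 2 ip from any to any in via ${LanOut2}
# NOTE(review): default-allow.  Fine for a routing test, not for a box
# with this many services on it; the full ruleset below is the one to run.
${FwCMD} add allow ip from any to any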
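# Full two-uplink ruleset.  Sourced by rc.d/ipfw under /bin/sh: stay
# POSIX, no `set -e` (an aborted rc script leaves whatever policy happens
# to be in the kernel at that moment).
#
# NOTE(review): with in-kernel nat the packet is re-injected at the next
# rule only when net.inet.ip.fw.one_pass=0.  sysctl.conf is not shown
# here; if one_pass is still 1 (the default) everything crossing re0/re2
# is accepted right after the nat rules and none of the per-service rules
# below ever run for it.  Check with `sysctl net.inet.ip.fw.one_pass`.
FwCMD="/sbin/ipfw"
LanOut="re0"               # Prov1 (uplink 1, FIB 0)
LanOut2="re2"              # Prov2 (uplink 2, FIB 1)
LanIn="re1"                # Int (LAN)
IpOut="1.2.3.4"            # IP address, uplink 1 (Mega-NN)
IpOut2="5.6.7.8"           # IP address, uplink 2 (Er-Telecom)
IpIn="192.168.0.254"       # Int IP
NetIn="192.168.0.0/24"     # IntNet
# Deliberately left unquoted in the rules below: these worked as given,
# with ipfw re-joining the tokens that end in ','.  Quoting them would
# hand ipfw one argument containing spaces, which it does not parse as
# an address list.
NAT1="192.168.0.24, 192.168.0.3, 192.168.0.75, 192.168.0.9, 192.168.0.36, 192.168.0.23"
NAT2="192.168.0.30, 192.168.0.44"

${FwCMD} -f flush
${FwCMD} -f pipe flush
${FwCMD} -f queue flush
${FwCMD} add check-state
${FwCMD} add allow ip from any to any via lo0
${FwCMD} add deny ip from any to 127.0.0.0/8
${FwCMD} add deny ip from 127.0.0.0/8 to any
#Anti-spoof: LAN addresses never legitimately arrive on an uplink in
#either direction (inbound packets for the LAN carry the uplink address
#until nat rewrites them).  These must sit before the nat rules, which
#would otherwise translate/accept such packets.
${FwCMD} add deny log ip from ${NetIn} to any in via ${LanOut}
${FwCMD} add deny log ip from any to ${NetIn} in via ${LanOut}
${FwCMD} add deny log ip from ${NetIn} to any in via ${LanOut2}
${FwCMD} add deny log ip from any to ${NetIn} in via ${LanOut2}
#Setfib
#Policy-route NAT2 hosts via uplink 2.  setfib is non-terminating: the
#packet carries on through the rules below with FIB 1 attached.
${FwCMD} add setfib 1 ip from ${NAT2} to any in recv ${LanIn} keep-state
#NAT_config
#unreg_only: rewrite private sources only; reset: discard the alias table
#on address change; log: per-instance logging.  Interface names come from
#the variables above (they were repeated as literals before).
${FwCMD} nat 1 config log if ${LanOut} same_ports reset unreg_only
${FwCMD} nat 2 config log if ${LanOut2} same_ports reset unreg_only
#NAT1
${FwCMD} add nat 1 ip from ${NAT1} to any out via ${LanOut}
${FwCMD} add nat 1 ip from any to any in via ${LanOut}
#NAT2
${FwCMD} add nat 2 ip from ${NAT2} to any out via ${LanOut2}
${FwCMD} add nat 2 ip from any to any in via ${LanOut2}
#Stateless "established" idiom: any TCP segment with ACK set passes.
#Cheap, but ACK-only probes reach every listener on the box.  Kept as is:
#check-state sits above the nat rules, so moving the NAT'ed flows to
#keep-state would accept LAN traffic before it is translated and is not
#a drop-in change.
${FwCMD} add allow tcp from any to any established
#Traffic this box originates towards each uplink (the re2 rule was
#missing; only uplink 1 was covered).
${FwCMD} add allow ip from ${IpOut} to any out xmit ${LanOut}
${FwCMD} add allow ip from ${IpOut2} to any out xmit ${LanOut2}
#DNS -- stateless on purpose, see the check-state remark above.
${FwCMD} add allow udp from any to any 53
#Replies.  This used to be `allow udp from any 53 to any`, which let any
#datagram with source port 53 reach every UDP service on this box and on
#the LAN.  Narrowed to LAN hosts (inbound packets only carry a LAN
#destination here after a matching nat entry rewrote it) and to this
#box's unprivileged ports, so forged port-53 traffic can no longer hit
#DHCP, NTP or other privileged-port listeners.  NOTE(review): assumes
#named sends its queries from unprivileged ports (the default) -- confirm
#there is no `query-source port 53` in named.conf.
${FwCMD} add allow udp from any 53 to ${NetIn}
${FwCMD} add allow udp from any 53 to me 1024-65535
#ICMP: echo reply/request and time exceeded as before, plus type 3
#(unreachable) so path-MTU discovery keeps working through the tunnels.
${FwCMD} add allow icmp from any to any icmptypes 0,3,8,11
#RDP
#NOTE(review): these only match once a redirect_port on the nat instance
#has rewritten the destination to the LAN host, and no redirect is
#configured above -- confirm they do anything.  192.168.0.30 is a
#NAT2/re2 host, yet its rule looks at ${LanOut} (probably ${LanOut2}).
#RDP open to `any` is a common brute-force target; the VPN path below is
#the safer way in.
${FwCMD} add allow tcp from any to 192.168.0.3 dst-port 3389 in via ${LanOut}
${FwCMD} add allow tcp from any to 192.168.0.23 dst-port 3389 in via ${LanOut}
${FwCMD} add allow tcp from any to 192.168.0.30 dst-port 3389 in via ${LanOut}
#uTorrent (the same redirect_port remark applies to the LAN hosts)
${FwCMD} add allow tcp from any to 192.168.0.23 44044 via ${LanOut}
${FwCMD} add allow udp from any to 192.168.0.23 44044 via ${LanOut}
${FwCMD} add allow tcp from any to 192.168.0.30 44043 via ${LanOut}
${FwCMD} add allow udp from any to 192.168.0.30 44043 via ${LanOut}
${FwCMD} add allow tcp from any to ${IpOut} 51413 via ${LanOut}
${FwCMD} add allow udp from any to ${IpOut} 51413 via ${LanOut}
#NTP: this box's own client queries; replies come back via check-state.
${FwCMD} add allow udp from ${IpOut} to any 123 keep-state
#FTP control channel only.  NOTE(review): passive data ports are not
#opened here, and FTP carries credentials in clear over the uplink.
${FwCMD} add allow tcp from any to ${IpOut} 21 via ${LanOut}
#OpenVPN.  Fixed: this read `via {LanOut}` (missing `$`), so the rule
#either failed to load or matched a non-existent interface.
${FwCMD} add allow udp from 4.3.2.1 to ${IpOut} 2000 via ${LanOut}
#SSH, open to the world.  NOTE(review): consider limiting the sources or
#at least disabling password authentication in sshd_config.
${FwCMD} add allow tcp from any to ${IpOut} 22 via ${LanOut}
#Transmission WEB.  NOTE(review): the web UI is reachable from anywhere;
#it is normally kept LAN/VPN-only.
${FwCMD} add allow tcp from any to ${IpOut} 9091 via ${LanOut}
#VPN: PPTP control channel and GRE from anywhere, then whatever arrives
#on the tunnel interfaces.  NOTE(review): PPTP/MS-CHAPv2 is widely
#considered broken; prefer the OpenVPN path for remote access.
${FwCMD} add allow tcp from any to me 1723
${FwCMD} add allow tcp from me 1723 to any established
${FwCMD} add allow gre from any to any
${FwCMD} add allow ip from any to any via ng0
${FwCMD} add allow tcp from any to any via tun0
${FwCMD} add allow udp from any to any via tun0
${FwCMD} add allow icmp from any to any via tun0
#LAN side is trusted: anything received on or sent out via re1.
${FwCMD} add allow tcp from any to any via ${LanIn}
${FwCMD} add allow udp from any to any via ${LanIn}
${FwCMD} add allow icmp from any to any via ${LanIn}
#Log refused connection attempts on both uplinks (uplink 2 was not
#logged before), then drop everything else.
${FwCMD} add deny log tcp from any to ${IpOut} in via ${LanOut} setup
${FwCMD} add deny log tcp from any to ${IpOut2} in via ${LanOut2} setup
${FwCMD} add deny ip from any to any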
uname -a
FreeBSD proxy.local 9.0-RELEASE FreeBSD 9.0-RELEASE #1: Sat Nov 17 16:28:31 MSK 2012 admin@proxy.local:/usr/obj/usr/src/sys/PROXY amd64
cat /etc/rc.conf
#---Console---
#cp866 console fonts with a koi8-r keymap (Russian console).
font8x14="cp866-8x14"
font8x16="cp866b-8x16"
font8x8="cp866-8x8"
keymap="ru.koi8-r"
scrnmap="koi8-r2cp866"
#---Network---
hostname="proxy.local"
#FIB 0 default route: uplink 1 (re0, 1.2.3.4/30).
defaultrouter="1.2.3.5"
gateway_enable="YES"
ifconfig_re0="inet 1.2.3.4 netmask 255.255.255.252"
ifconfig_re1="inet 192.168.0.254 netmask 255.255.255.0"
ifconfig_re2="inet 5.6.7.8 netmask 255.255.255.0"
#FIB 1 default route: uplink 2 (re2), for the hosts the ipfw `setfib 1`
#rule marks.  NOTE(review): setfib1_* is not a stock rc.conf knob as far
#as I know -- presumably a local rc.d script consumes it.  FIB 1 also
#only exists if net.fibs is raised in loader.conf, which is not shown
#here.  Verify with `setfib 1 netstat -rn`.
setfib1_enable="YES"
setfib1_defaultroute="5.6.7.9"
#---OpenVPN---
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"
openvpn_dir="/usr/local/etc/openvpn"
#---Services---
sendmail_enable="NONE"
sshd_enable="YES"
named_enable="YES"
firewall_enable="YES"
dummynet_enable="YES"
#NOTE(review): rc.d/ipfw runs $firewall_script (default /etc/rc.firewall);
#firewall_type is, as far as I recall, only read by the stock rc.firewall.
#If /etc/rc.firewall has been replaced with the custom ruleset this line
#is a no-op; if it is still the stock script it would try to load itself
#as an ipfw rules file.  firewall_script="/path/to/rules" is the usual
#knob for a custom script.
firewall_type="/etc/rc.firewall"
#Daemons that listen on the network (ftp, smb, http, proxy, db, ntp).
#Reachability from the uplinks is decided by the ipfw ruleset, not here.
#NOTE(review): confirm samba, mysql and squid bind to the LAN address only.
proftpd_enable="YES"
samba_enable="YES"
apache22_enable="YES"
squid_enable="YES"
mysql_enable="YES"
sams_enable="YES"
ntpd_enable="YES"
#DHCP served on the LAN interface only.
dhcpd_enable="YES"
dhcpd_ifaces="re1"
apcupsd_enable="YES"
#linux_enable="YES"
#mpd in daemon mode (-b); presumably the PPTP server behind the ipfw
#1723/GRE/ng0 rules.
mpd_enable="YES"
mpd_flags="-b"
transmission_enable="YES"
transmission_conf_dir="/usr/local/etc/transmission/"
transmission_download_dir="/usr/downloads"
transmission_user="transmission"
transmission_flags=""
#No kernel crash dumps.
dumpdev="NO"
noip_enable="YES"
