Понимаю, что тема заезженная, но всё-таки.
Есть шлюз в интернет на фре.
Есть два канала в интернет: первый по кабелю (он же default route по умолчанию), второй через DSL-роутер.
Пять локальных подсетей.
Как всё-таки прикрутить ещё и DSL, т.е. выпускать в интернет определённых пользователей или целую подсеть через него?
Вот конфиг фаервола.
#!/bin/sh
# ipfw command used throughout; -q keeps add/flush quiet (rc-script friendly).
ipfw='/sbin/ipfw -q'

# Local networks: one /24 per VLAN, all under 172.16.0.0/16, the third
# octet being the VLAN number (172.16.<n>.0/24).
lan_prefix='172.16'
net22="${lan_prefix}.22.0/24"    # our local network
net23="${lan_prefix}.23.0/24"
net24="${lan_prefix}.24.0/24"
net25="${lan_prefix}.25.0/24"
net26="${lan_prefix}.26.0/24"
net27="${lan_prefix}.27.0/24"
net28="${lan_prefix}.28.0/24"
net29="${lan_prefix}.29.0/24"
net30="${lan_prefix}.30.0/24"
net31="${lan_prefix}.31.0/24"
net32="${lan_prefix}.32.0/24"
net33="${lan_prefix}.33.0/24"
net34="${lan_prefix}.34.0/24"    # our local network
net35="${lan_prefix}.35.0/24"
net36="${lan_prefix}.36.0/24"
net37="${lan_prefix}.37.0/24"
net38="${lan_prefix}.38.0/24"
net39="${lan_prefix}.39.0/24"
net40="${lan_prefix}.40.0/24"
net41="${lan_prefix}.41.0/24"
net42="${lan_prefix}.42.0/24"
net43="${lan_prefix}.43.0/24"
net44="${lan_prefix}.44.0/24"
net45="${lan_prefix}.45.0/24"
net46="${lan_prefix}.46.0/24"
net47="${lan_prefix}.47.0/24"
net48="${lan_prefix}.48.0/24"
net49="${lan_prefix}.49.0/24"
net50="${lan_prefix}.50.0/24"
net100="${lan_prefix}.100.0/24"
# Table 5 holds every local /24; the rules refer to it as "table(5)".
# Flush it first so re-running this script does not leave stale entries.
${ipfw} -f table 5 flush
for lan in \
    "${net22}" "${net23}" "${net24}" "${net25}" "${net26}" "${net27}" \
    "${net28}" "${net29}" "${net30}" "${net31}" "${net32}" "${net33}" \
    "${net34}" "${net35}" "${net36}" "${net37}" "${net38}" "${net39}" \
    "${net40}" "${net41}" "${net42}" "${net43}" "${net44}" "${net45}" \
    "${net46}" "${net47}" "${net48}" "${net49}" "${net50}" "${net100}"
do
    ${ipfw} table 5 add "${lan}"
done
# Uplink (internet-facing) interface.
ifout='dc0'

# LAN-facing VLAN interfaces, one per local /24.  The interface for net24
# is vlan11, not vlan24 - presumably a real trunk mapping, but it breaks the
# otherwise uniform "vlan<n> <-> 172.16.<n>.0/24" scheme; verify on the box.
iflocal22='vlan22'
iflocal23='vlan23'
iflocal24='vlan11'
iflocal25='vlan25'
iflocal26='vlan26'
iflocal27='vlan27'
iflocal28='vlan28'
iflocal29='vlan29'
iflocal30='vlan30'
iflocal31='vlan31'
iflocal32='vlan32'
iflocal33='vlan33'
iflocal34='vlan34'
iflocal35='vlan35'
iflocal36='vlan36'
iflocal37='vlan37'
iflocal38='vlan38'
iflocal39='vlan39'
iflocal40='vlan40'
iflocal41='vlan41'
iflocal42='vlan42'
iflocal43='vlan43'
iflocal44='vlan44'
iflocal45='vlan45'
iflocal46='vlan46'
iflocal47='vlan47'
iflocal48='vlan48'
iflocal49='vlan49'
iflocal50='vlan50'
iflocal100='vlan100'
# Start from an empty rule set and an empty dummynet configuration.
# NOTE: between this flush and the last "add" of the script the box runs on
# the kernel's default rule alone, so keep what follows short and do not
# abort half-way through (this script deliberately does not use "set -e").
${ipfw} -f flush
${ipfw} -f pipe flush
#########
# Per-address bandwidth pipes.  Each row below is "<pipe> <bandwidth> <key>":
# odd-numbered pipes are keyed on the destination address, even-numbered
# ones on the source address, and the /32 mask (0XFFFFFFFF) makes dummynet
# keep one queue per individual IP address.
# No rule in this file attaches traffic to these pipes; the "pipe N" rules
# presumably live outside this listing.
while read -r pipe_no bandwidth mask_key; do
    ${ipfw} pipe "${pipe_no}" config bw "${bandwidth}" mask "${mask_key}" 0XFFFFFFFF
done <<'EOF'
1 3Mbit/s dst-ip
2 3Mbit/s src-ip
3 3Mbit/s dst-ip
4 3Mbit/s src-ip
5 3Mbit/s dst-ip
6 3Mbit/s src-ip
7 3Mbit/s dst-ip
8 3Mbit/s src-ip
9 7Mbit/s dst-ip
10 7Mbit/s src-ip
11 3Mbit/s dst-ip
12 3Mbit/s src-ip
13 64Kbit/s dst-ip
14 64Kbit/s src-ip
15 128Kbit/s dst-ip
16 64Kbit/s src-ip
17 256Kbit/s dst-ip
18 256Kbit/s src-ip
19 3000Kbit/s dst-ip
20 3000Kbit/s src-ip
21 512Kbit/s dst-ip
22 256Kbit/s src-ip
23 7Mbit/s dst-ip
24 7Mbit/s src-ip
25 7Mbit/s dst-ip
26 7Mbit/s src-ip
27 7Mbit/s dst-ip
28 7Mbit/s src-ip
29 7Mbit/s dst-ip
30 7Mbit/s src-ip
31 3Mbit/s dst-ip
32 3Mbit/s src-ip
EOF
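# ---------------------------------------------------------------------------
# Rule set.  ipfw walks the rules in ascending rule-number order and stops at
# the first terminal action (allow/deny/fwd; divert re-enters at the next
# rule), so the numbers - not the textual order of this file - decide what
# happens.  A packet forwarded through the box is checked twice: inbound on
# the interface it arrived on and outbound on the one it leaves by.
#
# Review notes:
#  * Anti-spoofing (rule 15) now precedes the blanket inter-VLAN allow
#    (rule 40).  With the old order (allow 40, anti-spoof 220) a host on one
#    VLAN could send packets carrying another VLAN's source address and be
#    accepted by rule 40 before the "from not <net> ... via <vlan> in" check
#    ever ran.
#  * Rule 305 keeps squid (3128) off the uplink.  Without it an inbound SYN
#    to the gateway's own address passes rule 240 ("to me"), is diverted to
#    natd and - unless natd runs with -deny_incoming - comes back
#    untranslated and matches "allow tcp from any to me 3128": an open
#    proxy.  Ports 80/81/443 (rule 310), ssh (245), 2350 (35) and 6666-6670
#    (50) remain reachable from ${ifout} by the same path; add matching
#    "deny ... in via ${ifout}" rules if that is not intended.
#  * The ssh rule had no explicit number, so its position depended on
#    net.inet.ip.fw.autoinc_step; it is pinned at 245.
#  * Apart from the port-80 forward to squid (rule 500, only for the LANs in
#    proxied_lan_pairs), no rule in this file allows LAN->internet traffic on
#    the inbound leg of the vlan interfaces, and pipes 1-32 are configured
#    but never referenced.  Presumably the "pipe N" rules that act as the
#    implicit accept (net.inet.ip.fw.one_pass=1) live outside this listing -
#    confirm before relying on this file alone.
# ---------------------------------------------------------------------------

# "<network> <interface>" for every LAN; consumed by the loops below.
lan_pairs="\
${net22} ${iflocal22}
${net23} ${iflocal23}
${net24} ${iflocal24}
${net25} ${iflocal25}
${net26} ${iflocal26}
${net27} ${iflocal27}
${net28} ${iflocal28}
${net29} ${iflocal29}
${net30} ${iflocal30}
${net31} ${iflocal31}
${net32} ${iflocal32}
${net33} ${iflocal33}
${net34} ${iflocal34}
${net35} ${iflocal35}
${net36} ${iflocal36}
${net37} ${iflocal37}
${net38} ${iflocal38}
${net39} ${iflocal39}
${net40} ${iflocal40}
${net41} ${iflocal41}
${net42} ${iflocal42}
${net43} ${iflocal43}
${net44} ${iflocal44}
${net45} ${iflocal45}
${net46} ${iflocal46}
${net47} ${iflocal47}
${net48} ${iflocal48}
${net49} ${iflocal49}
${net50} ${iflocal50}
${net100} ${iflocal100}"

# LANs whose outbound HTTP is transparently redirected to the local squid.
# The other LANs get no such forward in this file.
proxied_lan_pairs="\
${net22} ${iflocal22}
${net23} ${iflocal23}
${net24} ${iflocal24}
${net25} ${iflocal25}
${net26} ${iflocal26}
${net31} ${iflocal31}
${net32} ${iflocal32}
${net100} ${iflocal100}"

# 15: anti-spoofing - a VLAN may only source packets from its own /24.
printf '%s\n' "${lan_pairs}" | while read -r lan lan_if; do
    ${ipfw} add 15 deny ip from not "${lan}" to any via "${lan_if}" in
done

${ipfw} add 20 check-state
${ipfw} add 25 allow ip from any to any via lo0
# Everything the gateway itself originates, with dynamic rules for replies.
${ipfw} add 30 allow ip from me to any keep-state
# NOTE(review): port 2350 is open in both directions on every interface and
# sits ahead of rule 240, so it is reachable from ${ifout} as well.
${ipfw} add 35 allow all from any to any 2350
# Unrestricted traffic between the local networks.
${ipfw} add 40 allow ip from "table(5)" to "table(5)"
# IRC ports on the gateway, from anywhere (same caveat as rule 35).
${ipfw} add 50 allow ip from any to me 6666,6667,6668,6669,6670
# LAN hosts may not talk SMTP/POP3/IMAP to anything outside the LANs
# (LAN-to-LAN mail was already accepted by rule 40).
${ipfw} add 200 deny ip from "table(5)" to any 25,110,143
# Inbound on the uplink only for the gateway's own address (NAT is below).
${ipfw} add 240 deny ip from any to not me via ${ifout} in
# Remote administration, on every interface.
${ipfw} add 245 allow tcp from any to me ssh

# NAT on the uplink for everything that is not LAN-to-LAN.
# Earlier attempt at routing one host through a second router, kept for
# reference (this is the direction the DSL question points at):
#${ipfw} add 250 divert 8778 ip from 172.16.26.3 to any
#${ipfw} add 251 fwd 192.168.101.101 ip from 172.16.26.3 to any out
#${ipfw} add 252 divert 8778 ip from any to 172.16.26.3
${ipfw} add 260 divert natd all from any to not "table(5)" via ${ifout}
${ipfw} add 270 allow ip from any to not "table(5)" via ${ifout} out

# Services on the gateway itself.  The proxy port is LAN-only (see notes).
${ipfw} add 305 deny tcp from any to me 3128 in via ${ifout}
${ipfw} add 310 allow tcp from any to me 80
${ipfw} add 310 allow tcp from any to me 3128
${ipfw} add 310 allow tcp from any to me 81
${ipfw} add 310 allow tcp from any to me 443
${ipfw} add 330 allow icmp from any to me
# DNS, and UDP/7723 (service not identifiable from this file), only from
# the LAN-side interfaces.
printf '%s\n' "${lan_pairs}" | while read -r _ lan_if; do
    ${ipfw} add 340 allow udp from any to me 53 via "${lan_if}"
    ${ipfw} add 340 allow tcp from any to me 53 via "${lan_if}"
    ${ipfw} add 350 allow udp from any to me 7723 via "${lan_if}"
done
# Anything else aimed at the gateway itself is dropped.
${ipfw} add 400 deny ip from any to me
# Uplink traffic that survived NAT (replies translated back to LAN hosts).
${ipfw} add 450 allow ip from any to any via ${ifout}
# Transparent proxy: LAN HTTP is handed to the local squid.
printf '%s\n' "${proxied_lan_pairs}" | while read -r lan lan_if; do
    ${ipfw} add 500 fwd 127.0.0.1,3128 tcp from "${lan}" to any 80 via "${lan_if}"
done
# Default: drop everything not matched above.
${ipfw} add 65400 deny all from any to any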