Задача: одновременно выпускать разные подсети из локалки через разных провайдеров. Для реализации использую ipfw kernel nat, а в самих правилах — fwd. Вот рабочий код (если кому-то поможет, то я только буду рад):
Замечу, что в rc.conf задан defaultrouter="192.168.1.1" (шлюз первого провайдера, интерфейс vr0).
Код:
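#!/bin/sh -
# ipfw ruleset: policy routing of several LAN subnets over two uplinks.
#
# A LAN host listed in table 1 is translated by the kernel nat instance whose
# number is the table value (1 -> ext_ip on ext_if, 2 -> ext_ip1 on ext_if1);
# the translated packet is then pushed to the matching gateway with `fwd`.
#
# Reload:  /bin/sh /etc/rc.fw && ipfw zero && ipfw resetlog
#
# NOTE(review): no `set -e` on purpose -- a failing `ipfw add` must not abort
# the load half-way and leave a partially built ruleset after the flush below.
fwcmd="/sbin/ipfw -q"

# Uplink 1: its address sits on ext_if; ext_gw1 is also the rc.conf defaultrouter.
ext_ip="192.168.1.103"
ext_if="vr0"
ext_gw1="192.168.1.1"
# Uplink 2.
ext_ip1="10.10.100.9"
ext_if1="vr1"
ext_gw2="10.10.100.1"

# LAN side.
int_if="rl0"
int_net1="192.168.10.0/25"
int_net2="192.168.5.0/27"
int_net3="192.168.6.0/27"
# Was 192.168.7.1/26: ipfw masks the host bits anyway (`ipfw show` prints
# 192.168.7.0/26), written as the network address so script and kernel agree.
int_net4="192.168.7.0/26"
int_net5="192.168.31.0/29"
int_net6="192.168.32.0/29"
int_net7="192.168.33.0/29"
int_net8="192.168.34.0/29"
int_net9="192.168.35.0/29"
int_net10="192.168.36.0/29"
int_net11="192.168.37.0/29"
int_net12="192.168.38.0/29"
###############################################
# Start from an empty ruleset.
# NOTE(review): `-f flush` removes rules only; the nat instances configured
# later in the script are not deleted by it.  Whether their translation state
# survives a `nat N config` is worth checking when chasing stale translations.
${fwcmd} -f flush
# NAT table flush
${fwcmd} -f table 1 flush
###############################################
# NAT tables
###############################################
# table 1: LAN host -> nat instance number (consumed as `tablearg` by the
# outbound nat rule).  Hosts not listed here are not translated at all.
${fwcmd} table 1 add 192.168.10.110 1
${fwcmd} table 1 add 192.168.10.54 2
###############################################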
тут я пропустил стандартные правила
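##############################################
# Firewall (only) to INTERNET
# Traffic originated by the box itself.  Each service is allowed from the
# address of the uplink it leaves on (the daemon has to bind to that address;
# the box's own packets never pass the nat rules below).
# `out via <if>` is matched against the interface the routing table chose,
# i.e. before the fwd rules further down can redirect the packet.
${fwcmd} add allow tcp from ${ext_ip} to any 25 out via ${ext_if} setup keep-state
# Ports 25 and 123 over uplink 2 used ${ext_ip} as source, unlike the
# 53/80/443/21 pairs below, so SMTP/NTP from the box via ${ext_if1} never
# matched and fell through to the deny rules; paired like the rest now.
${fwcmd} add allow tcp from ${ext_ip1} to any 25 out via ${ext_if1} setup keep-state
${fwcmd} add allow udp from ${ext_ip} to any 123 out via ${ext_if} keep-state
${fwcmd} add allow udp from ${ext_ip1} to any 123 out via ${ext_if1} keep-state
${fwcmd} add allow udp from ${ext_ip} to any 53 out via ${ext_if} keep-state
${fwcmd} add allow udp from ${ext_ip1} to any 53 out via ${ext_if1} keep-state
${fwcmd} add allow tcp from ${ext_ip} to any 80 out via ${ext_if} setup keep-state
${fwcmd} add allow tcp from ${ext_ip1} to any 80 out via ${ext_if1} setup keep-state
${fwcmd} add allow tcp from ${ext_ip} to any 443 out via ${ext_if} setup keep-state
${fwcmd} add allow tcp from ${ext_ip1} to any 443 out via ${ext_if1} setup keep-state
${fwcmd} add allow tcp from ${ext_ip} to any 21,1025-65535 out via ${ext_if} setup keep-state
${fwcmd} add allow tcp from ${ext_ip1} to any 21,1025-65535 out via ${ext_if1} setup keep-state
# deny firewall (only) to ANY
# Everything else the box itself originates is dropped and logged.
${fwcmd} add deny log tcp from ${ext_ip} to any
${fwcmd} add deny log udp from ${ext_ip} to any
${fwcmd} add deny log tcp from ${ext_ip1} to any
${fwcmd} add deny log udp from ${ext_ip1} to any
###############################################
# NAT config
###############################################
# The design relies on a packet continuing through the ruleset after a `nat`
# action: the fwd rules and the post-NAT allow rules below must see the
# translated packet.  That is net.inet.ip.fw.one_pass=0 (the posted `ipfw
# show` counters -- 9 packets on the nat rule and 9 on the fwd rule -- only
# add up with it); with one_pass=1 the packet is accepted right after `nat`
# and no policy routing happens.  Set it here so the script does not depend
# on sysctl.conf.
/sbin/sysctl net.inet.ip.fw.one_pass=0 >/dev/null
# One nat instance per uplink, numbered to match the values in table 1.
${fwcmd} nat 1 config log ip ${ext_ip}
${fwcmd} nat 2 config log ip ${ext_ip1}
# Outbound from a listed LAN host: the table value selects the nat instance.
${fwcmd} add nat tablearg ip4 from "table(1)" to not me out
# nat full
# Route by source: after translation the source is one of the two uplink
# addresses, so push the packet to that uplink's gateway.  `fwd` is a
# terminal action -- nothing below these two rules sees an outbound packet
# sourced from either uplink address.
${fwcmd} add fwd ${ext_gw1} ip4 from ${ext_ip} to any out
${fwcmd} add fwd ${ext_gw2} ip4 from ${ext_ip1} to any out
###############################################
# Internal networks (table 2), used by the inbound rules below.
###############################################
${fwcmd} -f table 2 flush
for net in \
  "${int_net1}" "${int_net2}" "${int_net3}" "${int_net4}" \
  "${int_net5}" "${int_net6}" "${int_net7}" "${int_net8}" \
  "${int_net9}" "${int_net10}" "${int_net11}" "${int_net12}"
do
  ${fwcmd} table 2 add "${net}"
done
# Anti-spoofing.  A packet that arrives on an uplink already addressed to a
# LAN network is not return traffic: return traffic is addressed to the
# uplink address and only becomes LAN-addressed after the nat rule below.
# Such packets are bogus or mis-routed and must not reach the post-NAT
# allow rules.  This has to stay ABOVE the inbound nat rules -- a de-NATed
# packet resumes at the rule after `nat` and never revisits this one.
${fwcmd} add deny log ip from any to "table(2)" in via ${ext_if}
${fwcmd} add deny log ip from any to "table(2)" in via ${ext_if1}
# NAT BACK IN
# Replies addressed to an uplink address are de-NATed by that uplink's
# instance and then continue to the allow rules below.
# NOTE(review): in the posted `ipfw show` the nat 2 rule has 0 hits, while
# nat 1 translated 3 inbound packets on ${ext_if} into 192.168.10.0/25.
# Those packets were addressed to ${ext_ip}, so they cannot be the replies
# to a flow that left with source ${ext_ip1}; they are a different (or stale)
# nat 1 flow.  Check with `tcpdump -ni ${ext_if1} host ${ext_ip1}` whether
# uplink 2 answers at all before looking for the fault in this ruleset.
${fwcmd} add nat 1 ip4 from any to ${ext_ip} in via ${ext_if}
${fwcmd} add nat 2 ip4 from any to ${ext_ip1} in via ${ext_if1}
###############################################
# NAT TO INTERNET
# Kept for completeness: the fwd rules above already take every outbound
# packet from either uplink address (0 hits in the posted `ipfw show`).
${fwcmd} add pass tcp from ${ext_ip} to any out via ${ext_if}
${fwcmd} add pass udp from ${ext_ip} to any out via ${ext_if}
${fwcmd} add pass tcp from ${ext_ip1} to any out via ${ext_if1}
${fwcmd} add pass udp from ${ext_ip1} to any out via ${ext_if1}
###############################################
# INTERNET TO LOCAL (return after nat)
# Reached only by packets the nat rules above rewrote to a LAN address;
# anything else LAN-addressed on an uplink was dropped by the deny above.
${fwcmd} add pass all from any to "table(2)" in via ${ext_if}
${fwcmd} add pass all from any to "table(2)" in via ${ext_if1}
###############################################
# DENY ALL
# Left disabled as in the original.  Be aware that without it anything not
# matched above is decided by the default rule 65535, which is `allow` when
# ipfw was built or loaded with default-to-accept -- i.e. an open box from
# the uplink side.  Enable it once the rules omitted from this listing are
# known to cover management access from the LAN.
#${fwcmd} add deny log logamount 10000 all from any to any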
Если же хосту в таблице присвоен tablearg 2, то пакет так же исправно приходит в ipfw, транслируется (nat 2) и уходит на второй шлюз (10.10.100.1) — всё отлично, НО ответы на эти пакеты почему-то приходят не туда. Вот ipfw show:
05900 9 924 nat tablearg ip4 from table(1) to not me out
06000 0 0 fwd 192.168.1.1 ip4 from 192.168.1.103 to any out
06100 9 924 fwd 10.10.100.1 ip4 from 10.10.100.9 to any out
06200 3 783 nat 1 ip4 from any to 192.168.1.103 in via vr0
06300 0 0 nat 2 ip4 from any to 10.10.100.9 in via vr1
06400 0 0 allow icmp from any to any icmptypes 0,3,4,8,11,12
06500 0 0 allow tcp from 192.168.1.103 to any out via vr0
06600 0 0 allow udp from 192.168.1.103 to any out via vr0
06700 0 0 allow tcp from 10.10.100.9 to any out via vr1
06800 0 0 allow udp from 10.10.100.9 to any out via vr1
06900 3 783 allow ip from any to 192.168.10.0/25 in via vr0
07000 0 0 allow ip from any to 192.168.5.0/27 in via vr0
07100 0 0 allow ip from any to 192.168.6.0/27 in via vr0
07200 0 0 allow ip from any to 192.168.7.0/26 in via vr0
07300 0 0 allow ip from any to 192.168.31.0/29 in via vr0
07400 0 0 allow ip from any to 192.168.32.0/29 in via vr0
07500 0 0 allow ip from any to 192.168.33.0/29 in via vr0
07600 0 0 allow ip from any to 192.168.34.0/29 in via vr0
07700 0 0 allow ip from any to 192.168.35.0/29 in via vr0
07800 0 0 allow ip from any to 192.168.36.0/29 in via vr0
07900 0 0 allow ip from any to 192.168.37.0/29 in via vr0
08000 0 0 allow ip from any to 192.168.38.0/29 in via vr0
08100 0 0 allow ip from any to 192.168.10.0/25 in via vr1
08200 0 0 allow ip from any to 192.168.5.0/27 in via vr1
08300 0 0 allow ip from any to 192.168.6.0/27 in via vr1
08400 0 0 allow ip from any to 192.168.7.0/26 in via vr1
Т.е. обратные пакеты попадают в nat почему-то через vr0 (правило 06200, 3 пакета), хотя по идее должны приходить через vr1 (правило 06300, 0 срабатываний). Не могу понять, почему так происходит. Помогите.