
Client Load Balancing: LSNAT-router using IPFW and NATD on FreeBSD 6.0

The Internet gateways must reside in different logical networks for this
configuration to work.


1. Compile Custom Kernel

options IPFIREWALL
options IPFIREWALL_FORWARD
options IPDIVERT
options IPFIREWALL_FORWARD_EXTENDED


2. Configure System (/etc/rc.conf)

firewall_enable="yes"
firewall_type="/etc/ipfw.rules"
ifconfig_ste0="195.16.87.38/29"
ifconfig_ste0_alias0="192.168.102.62/24"
ifconfig_fxp0="192.168.10.1/24"
defaultrouter="192.168.102.1"
gateway_enable="yes"
natd_enable="yes"
natd_flags="-f /etc/natd.conf"


3. Configure NATD (/etc/natd.conf)

instance default
alias_address 192.168.102.62

instance other
alias_address 195.16.87.38
port 8669

globalport 9000


4. Configure IPFW (/etc/ipfw.rules)

-f flush

add skipto 20000 ip from any to 192.168.102.62 in via ste0
add skipto 30000 ip from any to 195.16.87.38 in via ste0

add divert 9000 ip from any to any out via ste0
add skipto 40000 ip from { 192.168.102.62 or 195.16.87.38 } to any out via ste0
add prob .5 skipto 20000 ip from any to any out via ste0
add skipto 30000 ip from any to any out via ste0

add skipto 40000 ip from any to any

add 20000 divert natd ip from any to any
add skipto 40000 ip from any to any

add 30000 divert 8669 ip from any to any
add skipto 40000 ip from any to any

add 40000 check-state
add deny ip from 192.168.10.0/24 to any via ste0
add allow ip from me to me via lo0 keep-state
add deny ip from me to any in

add allow ip from 195.16.87.38 to { me or 195.16.87.32/29 or 192.168.102.0/24 or 192.168.10.0/24 } keep-state
add forward 195.16.87.33 ip from 195.16.87.38 to any keep-state
add allow ip from me to any keep-state
add deny ip from me to any
add allow icmp from any to me icmptypes 3,4,8,11 keep-state
add deny ip from any to me

add allow ip from 192.168.10.0/24 to any keep-state
add deny ip from 192.168.10.0/24 to any
add allow icmp from any to 192.168.10.0/24 icmptypes 3,4,11 keep-state
add deny ip from any to 192.168.10.0/24
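The rule walk above, modelled in Python as an added example that is not part of the original post: a per-instance session table stands in for natd's translation state, so you can see the globalport lookup at divert 9000 keep an established flow on the instance that first handled it, while only new flows are split by the prob .5 rule and replies are steered by their destination alias. Addresses and gateways are taken from the configuration above; the LAN hosts and destinations in the comments are constructed.

```python
# Added example, not the original post's code: a model of the ipfw/natd path
# selection above. Real natd holds the translation state; here a set of
# (src, dst) flows per instance plays that role.
import random

ALIAS = {"default": "192.168.102.62", "other": "195.16.87.38"}   # natd instances
GATEWAY = {"default": "192.168.102.1", "other": "195.16.87.33"}  # defaultrouter / forward rule
sessions = {"default": set(), "other": set()}  # flows owned by each natd instance


def outbound(src, dst, coin=random.random):
    """LAN packet leaving via ste0: divert 9000 (globalport) runs first, then
    'prob .5 skipto 20000' picks an instance for flows that have no state yet.
    Because prob is evaluated per packet, the globalport lookup is what keeps
    one TCP session on one public address."""
    flow = (src, dst)
    for name, table in sessions.items():            # globalport checks every instance
        if flow in table:
            return {"instance": name, "gateway": GATEWAY[name], "new": False}
    name = "default" if coin() < 0.5 else "other"   # prob .5 skipto 20000 / skipto 30000
    sessions[name].add(flow)                        # divert natd / divert 8669 creates state
    return {"instance": name, "gateway": GATEWAY[name], "new": True}


def inbound(dst):
    """Reply arriving on ste0: 'skipto 20000' or 'skipto 30000' by destination alias;
    anything else falls through to the stateful rules at 40000."""
    for name, alias in ALIAS.items():
        if dst == alias:
            return name
    return None


def reset():
    """Clear all simulated natd state."""
    for table in sessions.values():
        table.clear()
```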