pebkac routing problem

Martin P. Hellwig mhellwig at
Fri Oct 7 13:19:53 PDT 2005

Martin P. Hellwig wrote:
<cut problem>
Thanks to hints from Matt I solved my routing problem concerning 
multiple gateways on non-routing uplinks using IPFW. I scribbled my 
progress down and would like to share it with you guys.

Here you go:

The limitation of a single default gateway in combination with a 
multi-homed computer on non-routing networks will prevent the other 
connection from working correctly.

The problem is that when IP traffic is initiated from an outside 
source via the other route, the reply is still sent over the default 
All correctly configured gateways on a non-routing network will filter 
these packets out because the gateway has no way of knowing that these 
originating IP addresses are not spoofed.

The solution is to use the gateway related to the IP address/network 
where your packets are coming from.
There are different ways to achieve this; most of them rely on a packet 
filter/manager, others on multiple routing tables.

On my DragonFlyBSD system IPFW is suitable to do this task, for FreeBSD 
it should be the same.

First I need to configure my system to use IPFW:

% echo 'firewall_enable="YES"' >> /etc/rc.conf
% echo 'firewall_script="/etc/rc.firewall"' >> /etc/rc.conf
% echo 'firewall_type="OPEN"' >> /etc/rc.conf
The last line prevents me from logging myself out permanently and lets the 
machine behave as if there is no firewall. In /etc/rc.firewall "Open" is 
defined with a couple of (indirect) rule sets.
Although the machine is within immediate physical reach (as it should be 
if you're doing network adaptation) I administer it over a secure remote 

If you have a machine doing NAT you probably have a recompiled kernel 
with built-in IPFW and "options IPDIVERT", thus IPFW is already present 
on your system and you don't need to configure the above part. If you 
have another firewall/NAT configuration, this explanation might do you 
more harm than good.

Starting IPFW if it's not already started:
% /etc/rc.d/ipfw start
At this point all network connections are dropped and I have to log on again.
Let's see what the current "Open" IPFW rules are:
% ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to
00300 deny ip from to any
65000 allow ip from any to any
65535 deny ip from any to any
Now I have to add a rule so that when my 'other' IP address sends a packet 
back, it does so over the 'other' gateway, except when the destination is 
an address on the local bus. But first I need to configure my second IP 
address and get some info from my existing configuration.

My configuration for my default (and first) network:
IP and netmask with gateway
The other network I like to add: with gateway
Both networks are directly reachable from one network card (fxp0), i.e. 
the same physical network, so I added an alias:
% ifconfig fxp0 alias
At this moment all machines can reach my machine over the added IP 
address, and only machines on receive my reply 
originating from the added alias.
If you have your second network on a separate physical network, 
configure your NIC as usual.

With this information the rules I created and executed are:
% ipfw add 110 fwd ip from to not
% ipfw add 120 fwd ip from to not

Strictly speaking the last rule is not (yet) necessary, because that is 
already the behaviour of the default gateway; however, in my case my 
default gateway will change, so I included the rule now.
Do notice that this is an unnecessary system burden, although probably 
not too much of one!
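As an added example (not part of the original post), the two fwd rules above generalised into a small POSIX sh script: one rule per non-default uplink, in the same "fwd <gateway> ip from <our address> to not <on-link network>" form, with a dry-run default so the commands can be read before they touch the live rule set, and a check that the rule numbers actually show up in "ipfw list" output. The addresses, the rule numbers and the function names (fwd_rule, emit_rules, check_rules) are constructed placeholders from the RFC 5737 documentation ranges, not the poster's configuration.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the IPFW "fwd" rules
# for a multi-homed host: replies from each non-default address leave through
# that network's own gateway, unless the destination is on the same link.
# All values below are constructed placeholders (RFC 5737 documentation
# ranges), not the poster's real addresses.

# One uplink per line: "<rule-number> <our-address> <gateway> <on-link-network>".
# The on-link network is excluded so hosts on the same segment still get
# direct replies instead of being bounced via the gateway.
UPLINKS="
110 192.0.2.10 192.0.2.1 192.0.2.0/24
120 198.51.100.10 198.51.100.1 198.51.100.0/24
"

# Build one rule in the same form the post uses:
#   ipfw add <num> fwd <gateway> ip from <our-address> to not <on-link-network>
# Rule numbers must stay below the "65000 allow ip from any to any" catch-all
# of the OPEN set, otherwise they are never reached.
fwd_rule() {
    echo "add $1 fwd $3 ip from $2 to not $4"
}

# Emit the rules. FWCMD defaults to a dry run that only prints the commands;
# run with FWCMD=ipfw (or use ${fwcmd} inside /etc/rc.firewall) to apply them.
emit_rules() {
    fwcmd="${FWCMD:-echo ipfw}"
    printf '%s\n' "$UPLINKS" | while read -r num src gw net; do
        [ -n "$num" ] || continue
        # Intentional word splitting: $fwcmd and the rule are lists of words.
        # shellcheck disable=SC2086,SC2046
        $fwcmd $(fwd_rule "$num" "$src" "$gw" "$net")
    done
}

# Check that every rule number from UPLINKS appears in "ipfw list" output
# read from stdin (ipfw zero-pads numbers, e.g. 00110). Returns 0 if all
# rules are present, 1 if any is missing, so it can gate a later step.
check_rules() {
    listing=$(cat)
    missing=0
    for num in $(printf '%s\n' "$UPLINKS" | awk 'NF { print $1 }'); do
        printf '%s\n' "$listing" | grep -q "^0*$num " || missing=$((missing + 1))
    done
    [ "$missing" -eq 0 ]
}

# Stand-alone use: "sh fwdrules.sh" prints the rules, "sh fwdrules.sh apply"
# installs them and then verifies that they are present.
if [ "${1:-}" = "apply" ]; then
    FWCMD=ipfw
    emit_rules
    ipfw list | check_rules || echo "some fwd rules are missing" >&2
else
    emit_rules
fi
```

Running it without arguments only prints the "ipfw add ..." lines, which is the moment to double-check that each "to not" network really is the one directly attached to the interface; a wrong mask there sends on-link replies through the gateway and the gateway will drop them, which looks exactly like the original symptom.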

At this moment my machine does exactly what I want; however, if I reboot 
it, all configuration is lost. To make it permanent:
echo 'ifconfig_fxp0_alias0="inet"' >> /etc/rc.conf

Then I opened /etc/rc.conf in an editor and searched for the definition of 
I found it at:
case ${firewall_type} in

I added the below rules under "allow_rest":
${fwcmd} add 110 fwd ip from to not
${fwcmd} add 120 fwd ip from to not

So that the configuration is now:
case ${firewall_type} in
        ${fwcmd} add 110 fwd ip from to not
        ${fwcmd} add 120 fwd ip from to 
