Subject: routing by source address using srt and ipf
To: None <tech-net@netbsd.org>
From: Eric Haszlakiewicz <erh@jodi.nimenees.com>
List: tech-net
Date: 01/19/2005 01:41:13 
	I've been trying to set up my router to route packets based on the
source address.  I've managed to get it to work in the simple case, but
not in a more complex case.  My first shot at it was using ipf's 
fastroute ability, but that ran into problems due to ipf and ipnat
interaction.

Details:

My router has three network interfaces:
	An old internet interface  (outside)
	A new internet interface   (newdsl)
	An internal network interface  (inside)

            oaddr1,               inthost_addr1,
   ogw     (oaddr2)  int_addr     inthost_addr2 (nat'd bimap oaddr2, naddr2)
onet ----------router-------------- internal host
             naddr1,|
   ngw      (naddr2)|
nnet ----------------

The default route is pointing to ogw.

What I want to have happen is for traffic to/from IP addresses oaddr1
and oaddr2 to go out the old inet interface, but traffic to/from naddr1
and naddr2 to go out the new inet interface.
And, all traffic to oaddr2/naddr2 ends up at the internal host.

In ipf.conf I have these lines:
pass out quick on outside to newdsl from naddr1/32 to any 
pass out quick on outside to newdsl from naddr2/32 to any 

That managed to get traffic from the non-nat'd naddr1 to work.

However, I have oaddr2 nat'd to inthost_addr1 using these rules in ipnat.conf:
bimap outside inthost_addr1/32 -> oaddr2/32
bimap inside inthost_addr2/32 -> oaddr2/32

I tried the same for naddr2:
bimap newdsl inthost_addr2/32 -> naddr2/32
bimap inside inthost_addr2/32 -> naddr2/32

but it didn't work.  I think the reason it didn't work is because
the outgoing nat occurs after the outgoing ipf.  After the nat happens
it seems like the packet gets routed normally using the routing table,
which hits the default route and heads out the old interface.

I couldn't think of a way to do this using normal NetBSD routing capabilities,
then I found derMouse's srt interface, which sounds like it's about what
I need.  I ported it to NetBSD 2.0 (the verion on his ftp site seems to
be from sometime before 1.5N), got it somewhat working, but then couldn't
figure out how to configure it to do what I wanted.  It would end up changing
the source address of packets to the local address of the srt interface.
	I'm not sure whether this is a bug in srt, a bug in porting it to
2.0, or a misunderstanding on my part as to how it is supposed to work.

Suggestions, anyone?

eric