
Відповідь на запитання № 1419766244
Text:
	ФІО = FreeBSD PF 2 канала

 Запитання:http://habrahabr.ru/post/66851/

====================================


 ANSWER ====================================

http://www.ussr.kiev.ua/ru/PF_Squid


 END of ANSWER ====================================



 ANSWER ====================================

http://habrahabr.ru/post/124447/


 END of ANSWER ====================================



 ANSWER ====================================

https://forums.freebsd.org/threads/ipfw-one-isp-two-xdsl-internet-channels-load-balancing.36205/


 END of ANSWER ====================================



 ANSWER ====================================

http://wiki.mesouug.com/index.php/FreeBSD_/_One_ISP_/_Two_and_more_xDSL/internet_channels_/_Load_balancing


 END of ANSWER ====================================



 ANSWER ====================================

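#!/bin/sh
#
# Rebuild the ipfw rule set of a FreeBSD gateway with three uplinks
# (adsl1, adsl2, vlan200). The self-check below assumes the script is
# installed as /etc/firewall and started as "/bin/sh /etc/firewall".
#
# Start-up guard: a random 0-9 s delay, then refuse to run if another copy
# is already active, so two invocations cannot flush and rebuild the rule
# set at the same time.
# NOTE(review): counting pgrep hits is only a heuristic — two copies that
# pass the check inside the same window still race; lockf(1) would be the
# reliable guard.

DELAY=$(/usr/bin/jot -r 1 0 9)

# Delay
echo "${DELAY} seconds delay..."
sleep "${DELAY}"

# Running "/bin/sh /etc/firewall" processes, this one included. The
# arithmetic expansion strips the leading blanks wc(1) prints on BSD.
PIDS=$(( $(pgrep -f "/bin/sh /etc/firewall" | wc -l) ))

#Check if copy of process is already running:
if [ "${PIDS}" -gt 1 ]; then
  echo "Another copy is already running." >&2
  exit 1
fi

#Flush out list before we begin.
# Rules, nat instances, pipes and queues are all dropped; until the rules
# below are re-added only the kernel default rule 65535 applies.
ipfw -q -f flush
ipfw -q -f nat flush
ipfw -q pipe flush
ipfw -q queue flush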

################################################################################

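#Set rules command prefix
# Deliberately expanded unquoted at every call site: "$cmd" must word-split
# into "ipfw" "-q".
cmd="ipfw -q"

# Uplinks 0/1 (adsl1/adsl2): address and peer are read live from ifconfig(8).
# "ifconfig IF inet" limits the output to IPv4; on the "inet" line field 2 is
# the local address and field 4 the point-to-point destination (presumably
# the ISP-side address on a PPP/xDSL link). Both are empty when the interface
# is absent or has no IPv4 address — that emptiness is the link-state signal
# used below.
# NOTE(review): an interface with several inet lines yields multi-line values
# here; assumed not to happen on these links.
pif0="adsl1"
pif0ip=$(ifconfig "$pif0" inet | grep inet | awk '{print $2}')
pif0gw=$(ifconfig "$pif0" inet | grep inet | awk '{print $4}')

pif1="adsl2"
pif1ip=$(ifconfig "$pif1" inet | grep inet | awk '{print $2}')
pif1gw=$(ifconfig "$pif1" inet | grep inet | awk '{print $4}')

# Uplink 2 (vlan200): Ethernet with a static address and no point-to-point
# peer, so the gateway is configured by hand.
pif2="vlan200"
pif2ip="10.61.168.231"
pif2gw="10.61.168.1"

# Link state of the xDSL uplinks: UP iff an IPv4 address was found.
if [ -n "$pif0ip" ]; then
  pif0status="UP"
else
  pif0status="DOWN"
fi

if [ -n "$pif1ip" ]; then
  pif1status="UP"
else
  pif1status="DOWN"
fi

# vlan200 has no address-based liveness signal: an external monitor is
# expected to write "UP" or "DOWN" into /vlan200.status. Any other content
# is used verbatim and matches none of the "UP" tests below (treated as down).
if [ -f /vlan200.status ]; then
  pif2status=$(cat /vlan200.status)
else
  pif2status="DOWN"
fi

# Override
# Uncomment to force an uplink DOWN for maintenance or testing.
#pif0status="DOWN"
#pif1status="DOWN"
#pif2status="DOWN"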

################################################################################

# Loopback: allow everything on lo0 and drop 127/8 seen anywhere else.
# Unnumbered "add" lines rely on ipfw auto-numbering (highest rule +
# net.inet.ip.fw.autoinc_step, 100 by default): 100, 200, 300 here.
$cmd add 100 allow ip from any to any via lo0
$cmd add     deny ip from any to 127.0.0.0/8
$cmd add     deny ip from 127.0.0.0/8 to any

# Packets leaving towards the LAN ($lif) that carry tag 101/102/120 — set in
# the NAT section on traffic that entered through uplink 0/1/2 — jump to that
# uplink's setfib block and create a dynamic (keep-state) entry, so the flow
# stays associated with the uplink it arrived on.
# NOTE(review): $lif (the LAN interface name) is not assigned anywhere in
# this listing. If it is really unset, "xmit $lif tagged 101" becomes
# "xmit tagged 101" and ipfw will most likely reject or mis-parse the rule.
$cmd add 1100 skipto 2040 ip from any to any out xmit $lif tagged 101 keep-state
$cmd add      skipto 2080 ip from any to any out xmit $lif tagged 102 keep-state
$cmd add      skipto 2100 ip from any to any out xmit $lif tagged 120 keep-state

# 192.168.1.XXX is the poster's placeholder for the internal PPTP server
# (the same host the nat redirect_port/redirect_proto entries point at).
$cmd add 1500 deny gre from 192.168.1.XXX to any // This rule will drop first GRE packet from PPTP SERVER when VPN initiates 

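# Next few IF's will keep firewall rules consistent in cases if ISP connections will go down
#
# Policy routing for LAN-originated traffic. Tables 101/102/120 list the LAN
# hosts assigned to uplink 0/1/2 (filled in outside this script; the
# "arpalert" remark suggests a host-discovery hook does it). A listed host's
# packets arriving on the LAN side jump to that uplink's setfib block.
#
# The three table jumps carry explicit numbers 2000/2010/2020. Leaving the
# second and third unnumbered (as the original did) lets ipfw auto-number
# them 2100 and 2200 with the default autoinc_step of 100, i.e. AFTER the
# 2040-2110 setfib rules, so table(102)/table(120) hosts would never reach
# their jump and would always be caught by "2040 setfib 0".
# NOTE(review): $lif (LAN interface) is not assigned anywhere in this listing.
# NOTE(review): the table(101)/table(102) jumps are installed only when BOTH
# adsl uplinks are UP; with one adsl link down the other link's hosts are
# routed by the default FIB — presumably what "consistent" means, but worth
# confirming.
# "=" rather than "==" inside [ ]: "==" is a bash extension and this script
# runs under /bin/sh; the status variables are quoted so an empty value
# cannot break the test.

if [ "$pif0status" = "UP" ] && [ "$pif1status" = "UP" ]; then
  $cmd add 2000 skipto 2040 ip from table\(101\) to any in recv $lif // Smart Load balancing using arpalert
  $cmd add 2010 skipto 2080 ip from table\(102\) to any in recv $lif // Smart Load balancing using arpalert
fi

if [ "$pif2status" = "UP" ]; then
  $cmd add 2020 skipto 2100 ip from table\(120\) to any in recv $lif // Smart Load balancing using arpalert
fi

# Per-uplink exit: "setfib N" is non-terminal, it selects routing table N
# (presumably one FIB per ISP) and the following rule allows the packet with
# the uplink's tag; keep-state creates a dynamic entry for the flow.
if [ "$pif0status" = "UP" ]; then
  $cmd add 2040 setfib 0 ip from any to any via $lif keep-state
  $cmd add 2050 allow tag 101 ip from any to any via $lif
fi

if [ "$pif1status" = "UP" ]; then
  $cmd add 2080 setfib 1 ip from any to any via $lif keep-state
  $cmd add 2090 allow tag 102 ip from any to any via $lif
fi

if [ "$pif2status" = "UP" ]; then
  $cmd add 2100 setfib 2 ip from any to any via $lif keep-state
  $cmd add 2110 allow tag 120 ip from any to any via $lif
fi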

################################################################################

# Anti-spoofing on the ISP side: packets received on an uplink may carry
# neither a private (RFC 1918) nor a link-local address as source or
# destination. Numbered 3050, 3150, ... by auto-increment.
# NOTE(review): $pifs is not assigned anywhere in this listing. ipfw "recv"
# takes one interface name or a pattern such as "adsl*", not a list; if
# $pifs is empty each rule ends in a bare "recv" and will likely be rejected.
# NOTE(review): uplink 2 (vlan200) lives in 10.61.168.0/…, so if $pifs
# covers vlan200 the 10.0.0.0/8 pair below drops that uplink's own traffic —
# worth checking.
$cmd add 3050 deny ip from any to 192.168.0.0/16 in recv $pifs
$cmd add      deny ip from 192.168.0.0/16 to any in recv $pifs
$cmd add      deny ip from any to 172.16.0.0/12 in recv $pifs
$cmd add      deny ip from 172.16.0.0/12 to any in recv $pifs
$cmd add      deny ip from any to 10.0.0.0/8 in recv $pifs
$cmd add      deny ip from 10.0.0.0/8 to any in recv $pifs
$cmd add      deny ip from any to 169.254.0.0/16 in recv $pifs
$cmd add      deny ip from 169.254.0.0/16 to any in recv $pifs

################################################################################

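# Reply steering for the secondary uplinks: packets that carry uplink 1's
# (or 2's) public address as source but are about to leave via $pif0
# (presumably the interface holding the default route) are handed to that
# uplink's ISP gateway instead, so answers go out the interface the request
# came in on. "=" and quoting as in the rest of the script: /bin/sh, not bash.
if [ "$pif1status" = "UP" ]; then
  $cmd add 11000 fwd $pif1gw all from $pif1ip to any via $pif0 // Send reply to necessary interface
fi

if [ "$pif2status" = "UP" ]; then
  $cmd add 11100 fwd $pif2gw all from $pif2ip to any via $pif0 // Send reply to necessary interface
fi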

################################################################################

# Inbound services on the uplinks' own addresses — ssh (22), PPTP control
# (1723) and the PPTP GRE tunnel — jump straight to the NAT block at 31000,
# bypassing the 20000-series "deny setup" rules. ssh and PPTP control
# attempts are logged; the GRE rules are not. The PPTP packets are then
# handed to the internal server by the nat redirect_port/redirect_proto
# entries. Auto-numbered 13000 … 13800.
# NOTE(review): unlike the NAT rules these are not gated on the uplink
# status; with an adsl link DOWN $pifNip is empty and "to  22 in recv" is
# handed to ipfw as written — confirm how ipfw treats that rule.
$cmd add 13000 skipto 31000 log ip from any to $pif0ip 22 in recv $pif0 // sshd
$cmd add       skipto 31000 log ip from any to $pif1ip 22 in recv $pif1 // sshd
$cmd add       skipto 31000 log ip from any to $pif2ip 22 in recv $pif2 // sshd
$cmd add       skipto 31000 log ip from any to $pif0ip 1723 in recv $pif0 // PPTP server
$cmd add       skipto 31000 log ip from any to $pif1ip 1723 in recv $pif1 // PPTP server
$cmd add       skipto 31000 log ip from any to $pif2ip 1723 in recv $pif2 // PPTP server
$cmd add       skipto 31000 gre from any to $pif0ip in recv $pif0 // PPTP server
$cmd add       skipto 31000 gre from any to $pif1ip in recv $pif1 // PPTP server
$cmd add       skipto 31000 gre from any to $pif2ip in recv $pif2 // PPTP server

################################################################################

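# Reject and log every inbound TCP connection attempt (SYN) on each uplink
# that was not already diverted to the NAT block by the 13000-series service
# rules. Only TCP "setup" packets are covered; other inbound traffic
# continues down the rule set (and is ultimately accepted by rule 50000).
#
# Each uplink's rule is gated on that uplink's own status. The original
# gated all three on $pif0status, so whenever adsl1 was down the denies for
# adsl2 and vlan200 were never installed and inbound SYNs on those links
# fell through to the NAT rules and the allow-all at 50000. Explicit numbers
# keep the rules' position independent of which of the three are installed.
if [ "$pif0status" = "UP" ]; then
  $cmd add 20000 deny log ip from any to any in via $pif0 setup // Reject and Log all setup of incoming connections from the outside
fi

if [ "$pif1status" = "UP" ]; then
  $cmd add 20010 deny log ip from any to any in via $pif1 setup // Reject and Log all setup of incoming connections from the outside
fi

if [ "$pif2status" = "UP" ]; then
  $cmd add 20020 deny log ip from any to any in via $pif2 setup // Reject and Log all setup of incoming connections from the outside
fi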

################################################################################

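# Per-uplink NAT instances; ids 101/102/120 match the tags and tables used
# elsewhere in the script.
#   same_ports     - keep the original source port where possible.
#   reset          - clear the translation table when the interface address
#                    changes (dynamic xDSL addresses).
#   redirect_port  - expose the internal PPTP server (192.168.1.XXX is the
#                    poster's placeholder) on the uplink address, port 1723.
#   redirect_proto - hand inbound GRE (the PPTP tunnel) to the same host.
# Continuation lines are indented with spaces only; the original mixed tabs
# and spaces. "=" and quoted status as elsewhere: /bin/sh, not bash.
if [ "$pif0status" = "UP" ]; then
  $cmd nat 101 config if $pif0 same_ports reset \
    redirect_port tcp 192.168.1.XXX:1723 $pif0ip:1723 \
    redirect_proto gre 192.168.1.XXX $pif0ip
fi

if [ "$pif1status" = "UP" ]; then
  $cmd nat 102 config if $pif1 same_ports reset \
    redirect_port tcp 192.168.1.XXX:1723 $pif1ip:1723 \
    redirect_proto gre 192.168.1.XXX $pif1ip
fi

if [ "$pif2status" = "UP" ]; then
  $cmd nat 120 config if $pif2 same_ports reset \
    redirect_port tcp 192.168.1.XXX:1723 $pif2ip:1723 \
    redirect_proto gre 192.168.1.XXX $pif2ip
fi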

################################################################################

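# NAT
# For each uplink: translate everything crossing that interface with its nat
# instance, then mark packets that ENTERED on that uplink with the uplink's
# tag and jump to 35000. The tag is what rule 1100 later uses to send the
# flow back out through the same ISP.
# NOTE(review): reaching the "skipto 35000 tag" rule after the nat rule
# requires the kernel to re-enter the rule set after translation
# (net.inet.ip.fw.one_pass=0); with the default one_pass=1 a translated
# packet is accepted right after the nat rule and is never tagged — confirm
# the sysctl on this box.
# "=" and quoted status as elsewhere: /bin/sh, not bash.
if [ "$pif0status" = "UP" ]; then
  $cmd add 31000 nat 101 ip from any to any via $pif0 // $pif0 nat
  $cmd add       skipto 35000 tag 101 ip from any to any in recv $pif0
fi

if [ "$pif1status" = "UP" ]; then
  $cmd add 31500 nat 102 ip from any to any via $pif1 // $pif1 nat
  $cmd add       skipto 35000 tag 102 ip from any to any in recv $pif1
fi

if [ "$pif2status" = "UP" ]; then
  $cmd add 32500 nat 120 ip from any to any via $pif2 // $pif2 nat
  $cmd add       skipto 35000 tag 120 ip from any to any in recv $pif2
fi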


################################################################################

# Terminal rules.
# 35000: everything that was diverted/tagged above lands here; TCP segments
# that are not connection setups are allowed through.
$cmd add 35000 allow tcp from any to any established // Allow TCP through if setup succeeded

# 50000 is an allow-all, so 65534 (and the kernel default rule 65535) can
# never match. The effective policy is "allow unless denied earlier": as
# written, only the loopback, RFC 1918/link-local and 20000-series TCP-SYN
# denies block anything, and e.g. inbound UDP/ICMP on the uplinks is allowed.
$cmd add 50000 allow all from any to any
$cmd add 65534 deny all from any to any

################################################################################

# Unconditional success: with "-q" and no "set -e" a rejected rule above is
# only visible on stderr and does not change the exit status.
exit 0


 END of ANSWER ====================================



 ANSWER ====================================

http://skeletor.org.ua/?p=1279


 END of ANSWER ====================================



 ANSWER ====================================

http://birdofluck.livejournal.com/8778.html


 END of ANSWER ====================================



 ANSWER ====================================

Well, let's suppose that your ISP interfaces have respectively $ispN_ip and 
$ispN_router as interface IP and ISP router IP. And that $natN is the divert 
port corresponding to the NAT for the given ISP. Then you get something like 

# This treats incoming traffic 
ipfw add 1310 divert $nat1 ip from any to any in via $if1 
ipfw add 1320 divert $nat2 ip from any to any in via $if2 
... 
ipfw add 13N0 divert $natN ip from any to any in via $ifN 

# Check states 
ipfw add 3000 check-state 

# Load balance outgoing traffic 
# Note: change 1/N, 1/(N-1), etc by actual values for your N 
ipfw add 10100 prob 1/N skipto 20100 ip from $internal to any keep-state 
ipfw add 10200 prob 1/(N-1) skipto 20200 ip from $internal to any keep-state 
... 
ipfw add 10N00 skipto 20N00 ip from $internal to any keep-state 

# Do outgoing NAT 
ipfw add 20100 divert $nat1 from $internal to any out 
ipfw add 20110 fwd $isp1_router ip from $isp1_ip 
ipfw add 20200 divert $nat2 from $internal to any out 
ipfw add 20210 fwd $isp2_router ip from $isp2_ip 
... 
ipfw add 20N00 divert $natN from $internal to any out 
ipfw add 20N10 fwd $ispN_router ip from $ispN_ip 


And here is what the natd.conf would look like 

### ISP 1 ### 
port 8868 
dynamic yes 
interface re1 

### ISP 2 ### 
instance dsl2 
port 8869 
dynamic yes 
interface re2 

### ISP N ### 
instance dsl3 
port 8870 
dynamic yes 
interface re 


 END of ANSWER ====================================



 ANSWER ====================================

http://www.linux.org.ru/forum/admin/10011112


 END of ANSWER ====================================



 ANSWER ====================================

#!/bin/sh -
# Minimal two-uplink (em0/em1) ipfw NAT gateway: flush, admit ssh on the
# non-standard port 2211 on both uplinks, steer replies sourced from each
# public address to that ISP's router, configure one nat instance per uplink
# (each with a port 2900 redirect into the LAN), and deny everything else.
fwcmd="/sbin/ipfw -q"

ips1="em0"
ips2="em1"

${fwcmd} -f flush

# allow ssh on all interface
# Identical rule for each uplink; "me" matches any address of this host.
for uplink in "${ips1}" "${ips2}"; do
  ${fwcmd} add allow tcp from any to me 2211 in via "${uplink}"
done

# network address translation
# Reply steering: packets sourced from an uplink's public address are handed
# to that ISP's router instead of following the default route.
${fwcmd} add fwd 195.111.111.111 ip from 195.151.111.112 to any
${fwcmd} add fwd 62.117.222.222 ip from 62.117.222.223 to any

# One nat instance per uplink (instance 1 on ips1, instance 2 on ips2).
# "192.168.ххх.ххх" is the poster's placeholder for the LAN host that
# receives port 2900; deny_in blocks unsolicited inbound translations apart
# from the explicit redirect.
instance=1
for uplink in "${ips1}" "${ips2}"; do
  ${fwcmd} nat "${instance}" config if "${uplink}" reset deny_in same_ports unreg_only redirect_port tcp 192.168.ххх.ххх:2900 2900
  instance=$((instance + 1))
done

# NOTE(review): neither nat rule is restricted with "via", so instance 1 sees
# every packet, em1 traffic included, before instance 2 — confirm this is
# intended (and whether net.inet.ip.fw.one_pass lets instance 2 run at all).
${fwcmd} add nat 1 all from any to any
${fwcmd} add nat 2 all from any to any

# Deny all
${fwcmd} add deny all from any to any


 END of ANSWER ====================================



 ANSWER ====================================

http://www.lissyara.su/articles/freebsd/tuning/ipfw_nat/


 END of ANSWER ====================================



 ANSWER ====================================

# Per-uplink NAT pairing (fragment; FwCMD, User1/2, LanOut1/2 and IpOut are
# set elsewhere): the LAN group User1 leaving through LanOut1 is translated
# by nat 100, and inbound traffic to the public address arriving on LanOut1
# is un-translated by the same instance; User2/LanOut2 likewise with nat 200.
# NOTE(review): both inbound rules use the same ${IpOut}; a second uplink
# would normally have its own public address — this looks like a slip.
${FwCMD} add nat 100 all from ${User1} to any out via ${LanOut1}
${FwCMD} add nat 100 all from any to ${IpOut} in via ${LanOut1}
${FwCMD} add nat 200 all from ${User2} to any out via ${LanOut2}
${FwCMD} add nat 200 all from any to ${IpOut} in via ${LanOut2}


 END of ANSWER ====================================



 ANSWER ====================================

http://www.hilik.org.ua/freebsd-организовываем-резервный-канал/


 END of ANSWER ====================================



 ANSWER ====================================

http://technotrance.su/index.php/moi-zametki/24-autoswitching-internet


 END of ANSWER ====================================



 ANSWER ====================================

http://habrahabr.ru/post/66851/


 END of ANSWER ====================================



 ANSWER ====================================

Проблему перенаправлением порта 3389 решил.
в etc/natd.conf написано - 
port 8668
redirect_port tcp 192.168.10.1:3389 212.119.109.58:3389
redirect_port tcp 192.168.10.5:110 212.119.109.58:110

firewall.conf -

# natd(8)-based single-uplink gateway (fxp0 outside, fxp1 inside). Port
# redirects 3389 -> 192.168.10.1 and 110 -> 192.168.10.5 are performed by
# natd, which listens on divert port 8668 (the "port 8668" in natd.conf above).
fwcmd="/sbin/ipfw -q"
lanout="fxp0"
lanin="fxp1"
ipout="212.212.212.121"
ipin="192.168.10.254"
netmask="24"
netin="192.168.10.0"
${fwcmd} -f flush
# No keep-state rule follows in this listing, so check-state currently
# matches nothing.
${fwcmd} add check-state
${fwcmd} add allow ip from any to any via lo0
# Explicit divert of the two redirected services, both directions on the
# outside interface, each followed by an unconditional allow to the inside
# host. The 3389 and 110 rule triples are symmetric, so the difference the
# poster reports below (3389 works, 110 does not) is not visible in these
# rules and must come from natd or the inside host.
# NOTE(review): natd.conf redirects to 212.119.109.58 while these rules and
# ${ipout} use 212.212.212.121 — presumably anonymisation (the 3389 redirect
# is said to work), otherwise natd's redirect_port could not match.
${fwcmd} add divert 8668 tcp from any to 212.212.212.121 3389 via fxp0
${fwcmd} add divert 8668 tcp from 192.168.10.1 3389 to any via fxp0
${fwcmd} add allow tcp from any to 192.168.10.1 3389 via any
${fwcmd} add divert 8668 tcp from any to 212.212.212.121 110 via fxp0
${fwcmd} add divert 8668 tcp from 192.168.10.5 110 to any via fxp0
${fwcmd} add allow tcp from any to 192.168.10.5 110 via any
# Generic NAT: LAN traffic going out, and anything addressed to the public
# address coming in, through natd.
${fwcmd} add divert natd ip from ${netin}/${netmask} to any out via ${lanout}
${fwcmd} add divert natd ip from any to ${ipout} in via ${lanout}
${fwcmd} add allow tcp from any to any established
${fwcmd} add allow ip from ${ipout} to any out xmit ${lanout}
# DNS replies are matched on source port 53 only — any host can send those.
${fwcmd} add allow udp from any 53 to any via ${lanout}
# The whole ephemeral port range is opened inbound on the public address;
# a broad allow, presumably for natd's dynamic ports or passive FTP.
${fwcmd} add allow tcp from any to ${ipout} 49152-65535 via ${lanout}
${fwcmd} add allow icmp from any to any icmptypes 0,8,11
${fwcmd} add allow tcp from any to ${ipout} 25 via ${lanout}
${fwcmd} add allow tcp from any to ${ipout} 110 via ${lanout}
# Inside interface: everything allowed.
${fwcmd} add allow tcp from any to any via ${lanin}
${fwcmd} add allow udp from any to any via ${lanin}
${fwcmd} add allow icmp from any to any via ${lanin}
# Only TCP is denied here; UDP/ICMP/other not matched above reach the kernel
# default rule 65535.
${fwcmd} add deny log tcp from any to any

В таком виде редирект порта 3389 работает, а вот почта так и не перенаправляется на 192.168.10.5


 END of ANSWER ====================================



 ANSWER ====================================

http://forum.lissyara.su/viewtopic.php?f=8&t=19448


 END of ANSWER ====================================



 ANSWER ====================================

http://www.opennet.ru/base/net/2link_balance2.txt.html


 END of ANSWER ====================================



 ANSWER ====================================

http://sysadmins.ru/topic320039.html


 END of ANSWER ====================================

	