Здравствуйте,
при изменении:
route change default 10.0.0.1
остаются в интернет только пользователи сквида меняем обратно:
route change default 170.112.31.1 - все в работе.

Пользователи с прямым подключением остаются без интернета.
Предполагаю косяк с правилами ipfw.

Прошу помощи.

Подробности:
провайдер 1 - статический ip
провайдер 2 - pppoe, статический ip, mpd5

FreeBSD 10.1
Ядро с опциями:
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=100
options         IPDIVERT
options         DUMMYNET
options         IPFIREWALL_NAT
options         LIBALIAS
options         ROUTETABLES=2
options         IPFIREWALL_FORWARD

rc.conf:
hostname="inet"
gateway_enable="YES"

defaultrouter="170.112.31.1"

setfib1_enable="YES" #Это второй провайдер,
setfib1_defaultroute="10.0.0.1"

#Локалка
ifconfig_re2="inet 192.168.101.254 netmask 0xffffff00"
#Провайдер 2 с pppoe
ifconfig_re1="inet 192.168.0.1 netmask 0xffffff00 -rxcsum -tso"
#провайдер 1, статичный ip
ifconfig_re0="inet 170.112.31.48 netmask 255.255.255.192 -rxcsum -tso"

squid_enable="YES"

firewall_enable="YES"
firewall_script="/etc/ipfw.rule"
firewall_type="open"

mpd_enable="YES"

ipfw:

#!/bin/sh
ipfw="/sbin/ipfw"

iProv1="re0"
Prov1IP="170.112.31.48"

iProv2="re1"
Prov2IP="192.168.0.1"

iLocalNet="re2"
LocalIP="192.168.101.254"
LocalNet="192.168.101.0/24"

#Opredeleniya portov=============================================================
ssh="22"
video="37777"
pochta="25, 110, 465, 993, 995"
#********************************************************************************

${ipfw} -f flush
${ipfw} nat 1 delete

#================================================================================
${ipfw} add 50 deny ip from any to any not verrevpath in
${ipfw} add 100 deny ip from any to any frag
${ipfw} add 120 reject ip from 192.168.0.0/16 to any in recv ${iProv1}, ${iProv2}
${ipfw} add 125 reject ip from any to 192.168.0.0/16 in recv ${iProv1}, ${iProv2}
${ipfw} add 130 reject ip from 172.16.0.0/12 to any in recv ${iProv1}, ${iProv2}
${ipfw} add 135 reject ip from any to 172.16.0.0/12 in recv ${iProv1}, ${iProv2}
${ipfw} add 140 reject ip from 169.254.0.0/16 to any in recv ${iProv1}, ${iProv2}
${ipfw} add 145 reject ip from any to 169.254.0.0/16 in recv ${iProv1}, ${iProv2}
${ipfw} add 150 reject ip from ${LocalNet} to any in via ${iProv1}, ${iProv2}
${ipfw} add 200 reject tcp from any to any not established tcpflags fin
${ipfw} add 250 reject tcp from any to any tcpflags fin, syn, rst, psh, ack, urg
${ipfw} add 300 reject tcp from any to any tcpflags !fin, !syn, !rst, !psh, !ack, !urg
${ipfw} add 350 deny all from any 137-139 to any
${ipfw} add 400 deny all from any to any dst-port 137-139
#********************************************************************************

#Internet bez proksi.=Tablica 1 zanyata bruteblockd==============================
${ipfw} table 2 add 192.168.101.36
${ipfw} table 2 add 192.168.101.197
${ipfw} table 2 add 192.168.101.21
${ipfw} table 2 add 192.168.101.12
#********************************************************************************

#Pryamoy dostup k etim IP=(table 3)==============================================
${ipfw} table 3 add 195.149.70.70    #Mesplan
#********************************************************************************

#Zapreshaem vse, chto nalovil bruteblockd========================================
${ipfw} add 450 deny all from table\(1\) to me
#********************************************************************************

#Razreshaem vse po loopback======================================================
${ipfw} add 500 allow all from any to any via lo0
#********************************************************************************

#Razreshaem squid================================================================
${ipfw} add 550 allow all from ${LocalNet} to ${LocalIP}
${ipfw} add 600 allow all from any to any uid squid
#********************************************************************************

#SSH=============================================================================
${ipfw} add 650 allow tcp from any to me ${ssh} keep-state
#********************************************************************************

#Konfiguriruem NAT===============================================================
${ipfw} nat 1 config log if ${iProv1} reset same_ports deny_in
${ipfw} nat 2 config log if ${iProv2} reset same_ports deny_in
#********************************************************************************

#Pochta v NAT====================================================================
${ipfw} add 700 nat 1 ip from ${LocalNet} to any ${pochta} out via ${iProv1}
${ipfw} add 701 nat 2 ip from ${LocalNet} to any ${pochta} out via ${iProv2}
#********************************************************************************

#Videonabludeniye================================================================
${ipfw} add 750 nat 1 ip from ${LocalNet} to any ${video} out via ${iProv1}
${ipfw} add 751 nat 2 ip from ${LocalNet} to any ${video} out via ${iProv2}
#********************************************************************************

#DNS iz localki ot KD============================================================
${ipfw} add 800 nat 1 udp from ${LocalNet} to any 53 out via ${iProv1}
${ipfw} add 801 nat 2 udp from ${LocalNet} to any 53 out via ${iProv2}
#********************************************************************************

#Internet bez proksi=============================================================
${ipfw} add 850 nat 1 ip from table\(2\) to any out via ${iProv1}
${ipfw} add 851 nat 2 ip from table\(2\) to any out via ${iProv2}
${ipfw} add 900 nat 1 ip from ${LocalNet} to table\(3\) out via ${iProv1}
${ipfw} add 901 nat 2 ip from ${LocalNet} to table\(3\) out via ${iProv2}
${ipfw} add 950 nat 1 ip from any to any in via ${iProv1}
${ipfw} add 951 nat 2 ip from any to any in via ${iProv2}
#********************************************************************************

#Razreshaem vse chto v nat popalo================================================
#Dostup bez proksi
${ipfw} add 1000 allow all from table\(2\) to not ${LocalNet} in via ${iLocalNet}
#Dostup bez proksi k nekotorum saytam
${ipfw} add 1050 allow all from ${LocalNet} to table\(3\) in via ${iLocalNet}
#Dostup k pochte
${ipfw} add 1100 allow all from ${LocalNet} to not ${LocalNet} ${pochta} in via ${iLocalNet}
#Dostup k DNS
${ipfw} add 1150 allow udp from ${LocalNet} to not ${LocalNet} 53 in via ${iLocalNet}
#Dostup k videonabludeniyu
${ipfw} add 1200 allow all from ${LocalNet} to not ${LocalNet} ${video} in via ${iLocalNet}
#********************************************************************************

#Poluchaem otvety================================================================
${ipfw} add 1250 allow all from not ${LocalNet} to ${LocalNet} in via ${iProv1}
${ipfw} add 1251 allow all from not ${LocalNet} to ${LocalNet} in via ${iProv2}
${ipfw} add 1300 allow all from not ${LocalNet} to ${LocalNet} out via ${iLocalNet}
*********************************************************************************

#Razreshaem shlyzy hodit v inet==================================================
${ipfw} add 1350 allow all from me to any
#********************************************************************************

• Резервный канал,Barbos, 14:23 , 12-Мрт-15

Локализовал проблему.

Было:
сетевая карта - 192.168.0.1 (re2) -> mpd5 10.0.0.1 -> 89.209.XXX.XX (адрес выданный провайдером)

при изменении default router на 10.0.0.1 сквид работал, напрямую через нат - нет

Локализация:
изменил адрес локальной сетевой с 192.168.0.1 на 192.168.0.254
сетевая карта - 192.168.0.254 (re2) -> роутер tp-link 192.168.0.1 -> 89.209.XXX.XX (адрес выданный провайдером)

при изменении default router на 192.168.0.1 - все заработало как надо.

Что в первом варианте может быть не так?