Date: Sun, 20 Jan 2002 12:59:54 -0600 (CST)
From: Nick Rogness <nick@rogness.net>
To: Allen Landsidel <all@biosys.net>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: multihomed routing woes..
Message-ID: <Pine.BSF.4.21.0201201251460.50917-100000@cody.jharris.com>
In-Reply-To: <5.1.0.14.0.20020120013959.00aaaff8@rfnj.org>
On Sun, 20 Jan 2002, Allen Landsidel wrote:

> [please reply off-list.. not subscribed.]
>
> Ok.. for several hours I've been banging my head against the
> proverbial brick wall, trying to resolve an issue that's been a
> nuisance for some time.
>
> To start from the beginning.. my network looks like this :
>
> [LAN] <--> [firewall] <--> [router] <--> [internet]
>
> The lan side has a public /28 block.

Why does the lan have a public block?

> The firewall has one address from that block on the interior
> interface, and an address in the 10/8 block on the exterior. The
> router has an address on the 10/8 block on the interior, the ISP
> assigned address on the WAN interface, and a static route to the
> firewall 10/8 for my IP block.
>
> The problem is simple : All outgoing traffic that *originates* on the
> firewall attempts to use the 10/8 address. I'm looking for some easy
> way to force it to use its internal address for traffic destined to
> go out the exterior interface, but so far to no avail.
>

The real problem here is that you are running publics on your
inside. Why are you doing this and not using static nat for this? If
you have a good reason, then maybe running nat on the router or getting
another /30 for your BSD<-->Router would help out. You could also rip
out nat but it would be a mess.

> My brain can't seem to think of a way to do this via route, and natd +
> my current stateful IPFW appears to be a no-go.. searching the lists
> and usenet have turned up others with the same problems, but no real
> solutions using these tools. Apparently my only options are:
> 1) ditch the stateful ipfw configuration in favor of a simple
> 'established' rule (ick)

That might help while you are debugging.

> 2) (maybe?) switch to ipf/ipnat.

This will gain you nothing...probably make things worse.

> 3) Set up a proxy on one of the internal machines and have the firewall
> go through that to get out (ick)

No.

> 4) Probably other silly hacks like 1,3 that are no more elegant.
>

Nick Rogness <nick@rogness.net>
 - Don't mind me...I'm just sniffing your packets
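Added example, not part of the thread and not a configuration either Nick or Allen posted: one way to get the firewall's own traffic out with a public source address while leaving the LAN's public /28 untouched, using natd's -unregistered_only mode (translate only RFC 1918-sourced packets, i.e. the firewall's own 10/8 side) together with a stateful ipfw rule set laid out so that the divert rules and the keep-state rules see the same address pair in both directions. Interface names (xl0 outside, xl1 inside), the addresses (10.0.0.0/30 for the firewall-router link, 192.0.2.16/28 standing in for the public block, 192.0.2.17 on the firewall's inside interface) and the rule numbers are placeholders chosen for the example, not values from the thread.

```conf
# Assumed topology (placeholders for the example, not from the thread):
#   xl0 = outside, 10.0.0.2/30, router at 10.0.0.1, which has a static
#         route for 192.0.2.16/28 pointing at 10.0.0.2
#   xl1 = inside,  192.0.2.17/28
#
# /etc/rc.conf additions:
#   gateway_enable="YES"
#   firewall_enable="YES"
#   firewall_type="/etc/ipfw.rules"
#   natd_enable="YES"
#   natd_interface="192.0.2.17"   # rc.network turns an IP here into "-a 192.0.2.17"
#   natd_flags="-u"               # -unregistered_only: touch 10/8-sourced packets only
#
# natd therefore aliases the firewall's own 10.0.0.2-sourced packets to
# 192.0.2.17 and leaves the LAN's public sources alone. Replies to
# 192.0.2.17 reach xl0 because the router already routes the whole /28 to us.
#
# /etc/ipfw.rules (loaded by rc.firewall as "ipfw /etc/ipfw.rules"):

# Inbound on xl0: undo the alias before any state lookup, so a reply is
# matched against the same (10.0.0.2, peer) tuple the dynamic rule holds.
add 100 divert natd ip from any to any in via xl0

# Packets belonging to a known session, either direction. A match runs
# the action of the rule that created the state (skipto 400 below).
add 200 check-state

# Services published from the /28 go here, before the catch-all deny,
# e.g.:  add 240 allow tcp from any to 192.0.2.20 80 in via xl0 setup keep-state

# Unsolicited inbound from the outside stops here. Replies to our own
# sessions never reach this rule: check-state jumped them to 400.
add 250 deny ip from any to any in via xl0

# New outbound sessions (LAN hosts and the firewall itself): record
# state, then jump to the outbound divert instead of allowing directly.
# With "allow ... keep-state" a later packet of the session would be
# accepted at rule 200 and never reach rule 400, so the firewall's own
# packets would leave untranslated as 10.0.0.2. That is the natd +
# stateful ipfw dead end; skipto is the way around it.
add 300 skipto 400 tcp from any to any out via xl0 setup keep-state
add 310 skipto 400 udp from any to any out via xl0 keep-state

# Outbound on xl0: natd rewrites only the 10.0.0.2-sourced packets
# (-u), LAN publics pass through unchanged. Then accept whatever is
# left, which at this point is only session traffic in either direction
# and packets on the inside interface.
add 400 divert natd ip from any to any out via xl0
add 410 allow ip from any to any
```

The part that matters is rule 300/310 jumping to rule 400 rather than allowing: once the dynamic rule exists, every packet of that session, inbound or outbound, ends up at the outbound divert via the skipto, so natd sees both directions and the state table is keyed on the untranslated 10.0.0.2 tuple in both. Rule 250 sits between check-state and the skipto target on purpose; move it below 400 and everything arriving on xl0 would be accepted by rule 410. This only changes what the firewall's own packets look like on the wire; it does not remove the translation step Nick objects to, which is what getting a public /30 for the firewall-router link would do.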
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0201201251460.50917-100000>