From owner-freebsd-questions Sun Feb 4 8:28:58 2001
From: "DINKEY,GENE (HP-Loveland,ex1)"
To: "'Mark B. Withers'", Robert Hough
Cc: freebsd-questions
Subject: RE: Internal gateway/firewall
Date: Sun, 4 Feb 2001 08:28:29 -0800

> -----Original Message-----
> From: Mark B. Withers [mailto:mwithers@one.net]
> Sent: Sunday, February 04, 2001 8:42 AM
> To: Robert Hough
> Cc: freebsd-questions
> Subject: Internal gateway/firewall
>
> Robert,
>
> Thanks for your reply.
>
> I did some experimenting last night with the two interfaces (had them
> both plugged into a hub) and found that indeed each interface
> responds independently when called upon by its IP address.
>
> This is good news.
>
> I am attempting to configure my FreeBSD box as a firewall/gateway. I
> have 2 ISA 3Com 509 NICs.
>
> The first device, ep0, is connected to my DSL "router/modem" and I want
> my second interface (ep1) to be connected to my internal LAN, which
> consists of one Win95 machine and the FreeBSD machine ("Foobar").
>
> Here is an equivalent scheme of what it looks like (IPs have been
> altered to protect the innocent as well):
>
> Also note, ep0 is configured through DHCP.
>
> DSL router/modem = 10.255.23.161
> ep0 = 10.255.23.164
> netmask = 255.255.255.248
> broadcast = 10.255.23.167
> windows machine = 10.255.23.162 (same netmask and broadcast as ep0)
>
> Proposed IP scheme for ep1:
>
> ep1 = 192.0.0.1
> subnet mask 255.255.255.248 (thought there was no need for more than 8)
> broadcast 192.0.0.7
>
> Whenever I configure and bring ep1 up, I receive the following error
> messages (IPs changed to match the above example):
>
> The bottom line of these posted error messages is that I don't yet know
> how to manually configure my routing table, nor do I currently know how
> to configure /etc/rc.conf for this yet. I need to recompile the
> kernel first. Any information you can provide as far as routing goes
> to the diagram at the bottom (Network Diagram) would be helpful.
>
> I just included this information for reference in case it is needed.
>
> Feb 3 19:00:51 foobar /kernel: arp: 10.255.23.161 is on ep0 but got
> reply from ** mac address of dsl router/modem ** on ep1
>
> ** IP address belongs to the router/modem and the MAC address also, but
> the system somehow ties or links it to device ep0 and states that the
> reply is from ep1 **
>
> Feb 3 19:05:21 foobar /kernel: arp: 10.255.23.162 is on ep0 but got
> reply from ** mac address from windows machine ** on ep1
>
> ** IP address belongs to windows machine. Somehow links to ep0 and
> gets reply from (MAC address of windows machine) on ep1. **
>
> Feb 3 19:05:21 foobar /kernel: arp: 10.255.23.161 is on ep0 but got
> reply from ** mac address of dsl router/modem ** on ep1
>
> ** IP address is from windows machine on ep0, but got reply from MAC
> address of windows machine on ep1 **
>
> Feb 3 19:09:23 foobar /kernel: arp: 10.255.23.164 is on lo0 but got
> reply from ** mac address for ep0 ** on ep1
>
> ** here we have the IP address for ep0 along with the MAC address for
> ep0, but the kernel called it "ep1" at the end of the line ?? **
>
> Feb 3 19:09:23 foobar /kernel: arp: 10.255.23.161 is on ep0 but got
> reply from ** mac address of dsl router/modem ?? ** on ep1
>
> ** here we have the IP address of the DSL router/modem saying it's on
> ep0 but received a reply from the MAC address of the DSL router/modem.
> **
>
> Here is the output of ifconfig -a on my system:
>
> lp0: flags=8810 mtu 1500
> ep0: flags=8843 mtu 1500
>         inet 10.255.23.164 netmask 0xfffffff8 broadcast 10.255.23.167
>         ether ** mac address of ep0 **
>         media: 10baseT/UTP
>         supported media: 10baseT/UTP
> ep1: flags=8843 mtu 1500
>         inet 192.0.0.1 netmask 0xfffffff8 broadcast 192.0.0.7
>         ether ** mac address of ep1 **
>         media: 10baseT/UTP
>         supported media: 10base2/BNC 10baseT/UTP
>
> Here is the output from netstat:
>
> Routing tables
>
> Internet:
> Destination        Gateway            Flags     Netif Expire
> default            10.255.23.161      UGSc        ep0
> 10.255.23.160/29   link#2             UC          ep0 =>
> 10.255.23.161      *router mac addr*  UHLW        ep0   1198
> 10.255.23.164      *mac of ep0*       UHLW        lo0
> 127.0.0.1          127.0.0.1          UH          lo0
>
> ** I omitted IPv6 info here. **
>
> That's about all the info I can give. I've saved this information as a
> reference so that I can further analyse it.
>
> Everything's not hooked up correctly right now, so I am not surprised
> that it's behaving strangely.
>
> I wish to have the following format:
>
> (Network Diagram)
>
> DSL router/Modem
>       |
>      ep0
>       |
>     Foobar --> FreeBSD machine w/2 ISA NICs
>       |
>      ep1 --> Would bridging be necessary to separate this?
>       |
>      Hub
>       |
> Windows machine
>
> I'll probably have to reset the IP address configuration/routing
> information on the windows box after I figure out my new kernel
> configuration. Recompiling the kernel is necessary for this.

I can't see in here if you've looked at natd, but that's what you want to do what you're asking. Just take a look at the man page; it has steps for setting everything up. If you follow those you will have a basic configuration running in no time...

It's a matter of choice, but for my internal network I went with 10. since a) it's reserved for internal use, and b) it happened to be used in the natd setup guide :). It's also very easy to remember...

Good luck - it's not too hard and the man page should set you on the right path.
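The kernel ARP warnings and the two-NIC addressing plan in the quoted post are worth checking mechanically. This is an added example, not code from the thread, FreeBSD or natd: it parses "arp: X is on A but got reply from M on B" syslog lines into interface pairs that hear the same segment, separates the box hearing its own reply from a real duplicate-address case, and checks an inside subnet against the three RFC 1918 blocks. The log lines and MAC addresses are constructed; hosts and interface names are those from the post.

```python
import re
import ipaddress
from collections import defaultdict

# FreeBSD kernel warning as quoted in the thread:
#   arp: <ip> is on <ifA> but got reply from <mac> on <ifB>
ARP_RE = re.compile(
    r"arp: (?P<ip>\d+\.\d+\.\d+\.\d+) is on (?P<expected>\S+) "
    r"but got reply from (?P<mac>[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5}) "
    r"on (?P<seen>\S+)"
)

# Constructed sample: hosts and interfaces from the post, MACs invented
# (the post redacted them). Last line is filler that must not match.
SAMPLE_LOG = """\
Feb 3 19:00:51 foobar /kernel: arp: 10.255.23.161 is on ep0 but got reply from 0:0:c:aa:bb:1 on ep1
Feb 3 19:05:21 foobar /kernel: arp: 10.255.23.162 is on ep0 but got reply from 0:60:8:aa:bb:2 on ep1
Feb 3 19:09:23 foobar /kernel: arp: 10.255.23.164 is on lo0 but got reply from 0:60:8c:aa:bb:3 on ep1
Feb 3 19:09:23 foobar /kernel: arp: 10.255.23.161 is on ep0 but got reply from 0:0:c:aa:bb:1 on ep1
Feb 3 19:10:00 foobar /kernel: ep1: promiscuous mode enabled
"""

def parse_arp_warnings(text):
    """One dict (ip, expected, mac, seen) per matching log line."""
    return [m.groupdict() for m in map(ARP_RE.search, text.splitlines()) if m]

def shared_segments(events):
    """(expected_if, seen_if) -> IPs whose ARP reply arrived on the wrong NIC.
    Any non-empty pair means both interfaces hear one broadcast domain,
    e.g. ep0 and ep1 plugged into the same hub while testing."""
    pairs = defaultdict(set)
    for ev in events:
        pairs[(ev["expected"], ev["seen"])].add(ev["ip"])
    return dict(pairs)

def self_replies(events):
    """Addresses bound to this host (route via lo0) whose reply was heard on
    another NIC: the box heard its own ARP answer through the hub. The same
    message with a foreign MAC would instead indicate a duplicate address."""
    return sorted({ev["ip"] for ev in events if ev["expected"] == "lo0"})

# Checked explicitly: ipaddress.is_private also accepts 192.0.0.0/29
# (IETF protocol assignments), which is not an RFC 1918 block.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def internal_plan_ok(inside, outside):
    """True if the inside LAN is RFC 1918 space and disjoint from the outside subnet."""
    inside = ipaddress.ip_network(inside, strict=False)
    outside = ipaddress.ip_network(outside, strict=False)
    return any(inside.subnet_of(n) for n in RFC1918) and not inside.overlaps(outside)
```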