Date:      Wed, 9 Oct 2002 15:01:34 -0700 (PDT)
From:      Matthew Dillon <dillon@apollo.backplane.com>
To:        Bill Moran <wmoran@potentialtech.com>
Cc:        Paul te Bokkel <paul@tebokkel.com>, Thomas Quinot <thomas@cuivre.fr.eu.org>, freebsd-stable@FreeBSD.ORG
Subject:   Re: Setup routing entry for host with a non-local IP address
Message-ID:  <200210092201.g99M1YTA007964@apollo.backplane.com>
References:  <20021009151733.GA15162@melusine.cuivre.fr.eu.org> <20021009210242.GA34352@tebokkel.com> <3DA49D72.6070205@potentialtech.com>

    Yes, you can put multiple subnets or multiple addresses on the same
    subnet on the same physical interface.  I do it all the time:

fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 216.240.41.17 netmask 0xffffffc0 broadcast 216.240.41.63
        inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
        inet 216.240.41.21 netmask 0xffffffff broadcast 216.240.41.21
        ether 00:b0:d0:f0:67:cb
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active


# in /etc/rc.conf:
ifconfig_fxp0="inet 216.240.41.17 netmask 255.255.255.192"
ifconfig_fxp0_alias0="inet 10.0.0.2 netmask 255.255.255.0"
ifconfig_fxp0_alias1="inet 216.240.41.21 netmask 255.255.255.255"

    There are a couple of issues here.  First, you have to think of the
    physical interface as being two physical interfaces even though
    there is really just one.

    For example, if you have some other machine X at 216.240.41.10 which has
    no knowledge of 10.* you have to give that machine a gateway route for
    10.* that points to, say, 216.240.41.17 (the above machine), or the
    gateway handling its default route must know about 10.*.  That machine
    may just echo the packet out the same interface it came in on if that is
    where the 10.* net is, which is fine.

    Second, services on the machine with the multiple IP aliases may get
    somewhat confused and care must be taken.  For example, an NFS server
    may receive a UDP request on one IP address and reply from another IP
    address, confusing the client.  Sendmail might initiate an outgoing
    connection using IP address A when talking to a machine on IP address
    B's subnet, and so forth.  Those internal services, such as NFS, that
    you do not wish to route to the outside world, can be bound to your
    internal IP space.  These issues can usually be resolved with
    careful configuration work. 

    It is best to use IP aliases only on those machines that absolutely
    need them.  Other machines should just use a single IP address and
    route appropriately.

    Finally, you need to be careful when mixing an internal 
    non-internet-routable network such as 10.* with an internet routable
    network.  If you want services running on the internal 10.* network
    to talk to services on the internet they have to be run through a NAT
    gateway.  You *CAN* mix NAT and non-NAT traffic... that is, you have
    the NAT gateway intercept 10.* traffic that is being routed to the outside
    world while ignoring IPs that are already externally routable, depending
    on your situation.

    Finally #2, be sure that your border router is configured to prevent
    internal IP pollution from leaking to the outside world or vice versa.
    i.e. the border router should drop any packet coming from the outside
    world whose source or destination IP is 10.* and should drop any packet
    coming from the inside world whose source IP is 10.* and whose destination
    IP is external (or perhaps route it through NAT rather than drop it).  If
    you do not filter your internal nets at your border router then outside
    entities can spoof internal addresses.

    See 'man firewall' for more information on border router configuration.

					-Matt
					Matthew Dillon 
					<dillon@backplane.com>

:Paul te Bokkel wrote:
:> On Wed, Oct 09, 2002 at 05:17:33PM +0200, Thomas Quinot wrote:
:> 
:>>Suppose that on a 4.6.2 machine (hostA), I have an interface xl0
:>>with address 10.10.1.2, netmask 255.255.255.0.
:>>
:>>On that ethernet, I have a host (hostB) that is set up as 10.10.0.1,
:>>netmask 255.255.255.0. I need to send a packet from hostA to hostB,
:>>
:>>Am I trying to do something impossible, or am I just clueless enough
:>>that I did not find the proper way of cajoling the kernel into
:>>cooperation?
:
:Is it feasible to add an alias on xl0 that is in the 10.10.0.x network
:space?  That sounds like the easiest way to handle the issue to me.
:
:> 
:> Answer A, however, answer B sounds feasible.. ;)
:> 
:> No x.y.1.q/24 host can reach x.y.0.z/24 on the same physical net
:> without further provisions (like a gateway or aliased IPs).
:> Try putting hostB in the 10.10.0-net or use a netmask /16 (255.255.0.0).
:> 
:> Regards,
:> 
:> Paul
:
:-- 
:Bill Moran
:Potential Technologies
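Added illustration, not part of the thread and not FreeBSD code: a small Python model of two things discussed above, the on-link reachability question from Thomas's quoted message (why 10.10.1.2/24 cannot deliver directly to 10.10.0.1/24 until an alias in 10.10.0.0/24 is added or the mask is widened to /16) and the border-router policy Matt describes (drop inbound packets with a 10.* source or destination, hand outbound 10.* traffic to NAT or drop it, pass already-routable addresses). The fxp0 addresses are copied from the ifconfig output in the message; the assumption that 10.0.0.0/8 is the only internal space and the Internet host 198.51.100.7 are constructed for the example. The real configuration lives in rc.conf and ipfw (see `man firewall`); this script only models the decisions so they can be checked offline.

```python
import ipaddress

# Constructed from the ifconfig output quoted in the message: the primary
# address and two aliases on fxp0 (0xffffffc0 = /26, 0xffffff00 = /24).
FXP0_ADDRS = ["216.240.41.17/26", "10.0.0.2/24", "216.240.41.21/32"]

# Assumption for this example: 10.0.0.0/8 is the only internal, non-routable
# space in play at the border.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def on_link(local_addrs, target):
    """Return the local address whose prefix covers `target`, or None.

    A host delivers directly (ARP + Ethernet) only to targets inside one of
    its configured prefixes; everything else needs a gateway route.  This is
    why 10.10.1.2/24 cannot reach 10.10.0.1/24 on the same wire until an
    alias in 10.10.0.0/24 is added or the netmask is widened to /16.
    """
    t = ipaddress.ip_address(target)
    for addr in local_addrs:
        iface = ipaddress.ip_interface(addr)
        if t in iface.network:
            return str(iface.ip)
    return None


def border_policy(direction, src, dst, nat_internal=True):
    """Decide what the border router does with one packet.

    direction: "in" = arriving from the Internet, "out" = leaving the site.
    Inbound packets carrying an internal source or destination are dropped
    (spoofing or leakage).  Outbound packets from internal space to the
    Internet go to NAT, or are dropped if no NAT gateway is configured;
    already-routable sources pass untouched.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "in":
        return "drop" if (s in INTERNAL or d in INTERNAL) else "pass"
    if direction == "out":
        if s in INTERNAL and d not in INTERNAL:
            return "nat" if nat_internal else "drop"
        return "pass"
    raise ValueError("direction must be 'in' or 'out'")


def audit(packets, nat_internal=True):
    """Run (direction, src, dst) tuples through border_policy and return a
    verdict count, the way a quick review of a capture would summarise it."""
    counts = {"pass": 0, "nat": 0, "drop": 0}
    for direction, src, dst in packets:
        counts[border_policy(direction, src, dst, nat_internal)] += 1
    return counts


if __name__ == "__main__":
    # Thomas's scenario: hostA 10.10.1.2/24 trying to reach hostB 10.10.0.1.
    print(on_link(["10.10.1.2/24"], "10.10.0.1"))                   # None
    print(on_link(["10.10.1.2/24", "10.10.0.2/24"], "10.10.0.1"))   # 10.10.0.2 (alias)
    print(on_link(["10.10.1.2/16"], "10.10.0.1"))                   # 10.10.1.2 (/16 mask)

    # Constructed packets; 198.51.100.7 is a documentation-range stand-in
    # for some host on the Internet.
    sample = [
        ("in", "10.0.0.5", "216.240.41.17"),       # spoofed internal source
        ("in", "198.51.100.7", "10.0.0.2"),        # internal destination leaked
        ("in", "198.51.100.7", "216.240.41.17"),   # ordinary inbound traffic
        ("out", "10.0.0.2", "198.51.100.7"),       # internal host -> Internet
        ("out", "216.240.41.17", "198.51.100.7"),  # routable host -> Internet
    ]
    print(audit(sample))   # {'pass': 2, 'nat': 1, 'drop': 2}
```

The `on_link` check is the same test the kernel effectively makes when choosing between a direct ARP and a gateway route, so it is a quick way to reason about which alias or netmask change actually fixes a "no route to host" symptom before touching rc.conf.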
