From owner-freebsd-stable Wed Sep 26 16: 8:29 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from tp.databus.com (p101-46.acedsl.com [160.79.101.46]) by hub.freebsd.org (Postfix) with ESMTP id 9158B37B409 for ; Wed, 26 Sep 2001 16:08:22 -0700 (PDT)
Received: (from barney@localhost) by tp.databus.com (8.11.6/8.11.4) id f8QN7bJ80780; Wed, 26 Sep 2001 19:07:37 -0400 (EDT) (envelope-from barney)
Date: Wed, 26 Sep 2001 19:07:32 -0400
From: Barney Wolff
To: "Gary W. Swearingen"
Cc: Jamie Norwood, freebsd-stable@FreeBSD.ORG
Subject: Re: 127/8 continued
Message-ID: <20010926190732.A80636@tp.databus.com>
References: <20010924094048.X5906-100000@coredump.scriptkiddie.org> <3BB0A0A2.6CCC454B@chrisland.net> <20010926103827.S37693@buffoon.automagic.org> <20010926133747.Y37693@buffoon.automagic.org> <20010926134253.A65444@mushhaven.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from swear@blarg.net on Wed, Sep 26, 2001 at 03:20:14PM -0700
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

At first glance, you can't do what you want with only a /29. Every "link"
requires a /30, because the first and last addresses cannot be assigned to
interfaces. Also, I rather doubt that you can get an Ethernet to work as a
point-to-point link because the driver needs to arp. (Yes of course the
crossover cables work - that's not the point.)

One thing you might try is to replace the DSL router with a mere DSL modem,
or, if possible, put the DSL router into bridge mode. That way, the firewall
can use the external address that was assigned to the DSL router (which is
in some other netblock than your /29) as its external address, and then a
hub or switch on the internal side will connect all your other boxes. I run
my DSL /29 this way.
The only other choice is to run the firewall as a bridge. This is not a
matter of documentation - what you're asking route to do cannot be done.

Barney Wolff

On Wed, Sep 26, 2001 at 03:20:14PM -0700, Gary W. Swearingen wrote:
> Jamie Norwood writes:
>
> > On Wed, Sep 26, 2001 at 01:37:48PM -0400, Joe Abley wrote:
> > >
> > > If you'd like to describe in as simple terms as possible what you're
> > > trying to achieve, I'd be happy to work through it with you. Maybe
> > > off-list, unless you think there is some general issue that needs
> > > publicising.
> >
> > I'd be interested in keeping in on this, I am curious as to the
> > situation and how it is being handled. I do networking for a living,
> > so love being in on odd things.
>
> Two gluttons for punishment, I guess.
>
> I don't want to take the time right now to rerun tests so I can
> accurately explain the problems I have had and don't want to waste your
> kindly-offered time further with any more general discussion at this
> time. (I want to get a web site back on line at its new non-ISP domain
> after my ISP shut down, etc.)
>
> But here's the basic situation if you'd care to suggest something for
> me to experiment with later:
>
> My firewall talks to a DSL router, a DMZ server, and a workstation over
> three network segments (crossover Tbase10) - no hubs or switches.
>
> I've got a /29 subnet so there's one address for each of the six host
> interfaces, should they be needed. I don't want to do NAT because I
> don't see the need for it (and it's problematical and I'm headstrong).
>
> oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
>
> That's it, but rambling on...
>
> I considered doing a bridging firewall so all segments could be on one
> (sub)network but meagerness of documentation discouraged an attempt.
>
> AFAIK, to do "correct" networking, my three network segments separated
> by a routing firewall require three separate networks while my
> ISP-assigned subnet supports only two sub-subnets.
>
> I also tried setting it all up on 10.x addresses with public IPs aliased
> on the server and workstation; I might have just messed up. Should
> that work?
>
> I currently have addresses assigned like this:
>
> a.b.c.0  subnetwork (ISP-assigned)
> a.b.c.1  DSL router (ISP-assigned; not sure why I couldn't choose)
> a.b.c.2  firewall's workstation interface
> a.b.c.3  workstation
> a.b.c.4  firewall's server interface
> a.b.c.5  server
> a.b.c.6  firewall's DSL router interface
> a.b.c.7  subnetwork broadcast (ISP-assigned)
>
> The following is the only thing I've blundered upon which works on the
> workstation (and server). (It's considerably worse on the firewall.)
>
> $ netstat -nr
> Destination   Gateway     Flags  Refs  Use  Netif  Expire
> 127.0.0.1     127.0.0.1   UH     0     334  lo0
>
> $ ifconfig xl0 a.b.c.3/29    [IIRC, /30 works too; 31 or 32 don't]
>
> $ netstat -nr
> Destination   Gateway     Flags  Refs  Use  Netif  Expire
> default       a.b.c.2     UGSc   0     0    xl0
> 127.0.0.1     127.0.0.1   UH     0     334  lo0
> a.b.c.0/29    link#2      UC     1     0    xl0  =>
>
> At which point I can ping firewall but no further. I wish it didn't
> auto-add the route, but, oh well; it makes some sense.
>
> Then I delete the subnet route and add one for a.b.c.2/31:
>
> Using "route add a.b.c.2/31 -interface xl0" gives:
> a.b.c.2/31    link#2      UCSc   0     0    xl0  =>
> which routes as desired.
>
> (Using "route add a.b.c.2 -interface xl0" gives:
> a.b.c.2                   UHLS   0     0    lo0
> which is hardly what I want and doesn't route as desired.)
>
> Unfortunately, doing "ifconfig xl0 down; go fishing; ifconfig xl0 up"
> puts back the a.b.c.0/29 route, breaking my routing.
>
> If I start with:
> ifconfig xl0 a.b.c.2/31
>
> I get from netstat:
> Destination   Gateway     Flags  Refs  Use  Netif  Expire
> default       a.b.c.2     UGSc   0     0    xl0
> 127.0.0.1     127.0.0.1   UH     0     334  lo0
> a.b.c.2/31    link#2      UC     1     0    xl0  =>
>
> which looks pretty good (except Flags), but doesn't ping past the firewall.
>
> Thanks again for your interest.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
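As an added illustration of the "/30 per link" argument in Barney's reply (example code, not from the thread): the standard-library `ipaddress` module carves the block into point-to-point /30s and audits the quoted address table against them. 192.0.2.0/29 is a constructed stand-in for a.b.c.0/29; the host offsets are the ones Gary listed.

```python
# Added example (not from the thread): the subnet arithmetic behind
# "every link requires a /30", using Python's standard ipaddress module.
# 192.0.2.0/29 (TEST-NET-1) is a constructed stand-in for the poster's a.b.c.0/29.
import ipaddress

# Host offsets exactly as listed in the quoted address table (a.b.c.N -> N).
POSTED_PLAN = {
    "DSL router": 1,
    "firewall wks iface": 2,
    "workstation": 3,
    "firewall srv iface": 4,
    "server": 5,
    "firewall DSL iface": 6,
}

def carve_p2p_links(block, links):
    """Split `block` into `links` routed point-to-point /30s.

    Each /30 spends its first address on the network and its last on the
    broadcast, leaving two interface addresses.  Raises ValueError when the
    block does not contain enough /30s (a /29 holds exactly two).
    """
    net = ipaddress.ip_network(block, strict=True)
    subnets = list(net.subnets(new_prefix=30))
    if links > len(subnets):
        raise ValueError(f"{block} holds {len(subnets)} /30 links, {links} requested")
    return [(str(s.network_address), str(s.broadcast_address),
             [str(h) for h in s.hosts()]) for s in subnets[:links]]

def audit_plan(block, offsets):
    """Map each planned interface address to its /30 and flag the ones that
    land on a network or broadcast address, which no interface can carry."""
    base = ipaddress.ip_network(block, strict=True).network_address
    verdicts = {}
    for name, off in offsets.items():
        addr = base + off
        link = ipaddress.ip_network(f"{addr}/30", strict=False)
        if addr == link.network_address:
            verdicts[name] = f"{addr}: network address of {link}, unusable"
        elif addr == link.broadcast_address:
            verdicts[name] = f"{addr}: broadcast address of {link}, unusable"
        else:
            verdicts[name] = f"{addr}: usable host in {link}"
    return verdicts

if __name__ == "__main__":
    for n, b, hosts in carve_p2p_links("192.0.2.0/29", 2):
        print(f"link {n}-{b}: interfaces {hosts}")
    for name, verdict in audit_plan("192.0.2.0/29", POSTED_PLAN).items():
        print(f"{name:20s} {verdict}")
```

Requesting three links raises, and the audit shows why the table as posted cannot be routed: .3 and .4 fall on the broadcast and network addresses of the two /30s.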