From owner-freebsd-net@FreeBSD.ORG Thu Sep 2 18:17:43 2004
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0227616A4CE for ; Thu, 2 Sep 2004 18:17:43 +0000 (GMT)
Received: from fritz.delphinium.net (pcp487354pcs.howard01.md.comcast.net [68.55.21.183]) by mx1.FreeBSD.org (Postfix) with ESMTP id A0E2343D48 for ; Thu, 2 Sep 2004 18:17:42 +0000 (GMT) (envelope-from rip@bronzedragon.net)
Message-ID: <413763C1.90208@bronzedragon.net>
Date: Thu, 02 Sep 2004 14:17:37 -0400
From: rip
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040413 Debian/1.6-5
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-net@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: 3 NICs - 1 upstream, 2 downstream to same subnet??
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 02 Sep 2004 18:17:43 -0000

Hello All;

Here is the puzzle.

Config: 5.1-Release, 3 xl interfaces xl0, xl1, xl2

I am trying to make a configuration to isolate the WiFi APs on a single segment. DHCP hands out 'good' addresses (10.0.0.x) to MACs it recognizes and 'bad' (10.99.0.x) when the MAC does not match and is taken from the common pool. I then will use ipfw to block the trespassers, but do a bit of data collection at the same time. I don't expect much bad traffic here since WEP will keep out the casual. Just a defense-in-depth thing.

I have the upstream interface on xl2 no problem; I want to have 2 segments of 10.0.0.0/8 on xl0 and xl1.

--pseudo commands--
ifconfig xl2 inet 198.162.1.1                          // upstream router
ifconfig xl1 inet 10.0.0.254 netmask 255.0.0.0         // this box = default router + all wired machines
ifconfig xl0 inet 10.?.?.? netmask 255.0.0.0           // WiFi AP segment + all WiFi connections
--ipfw--
deny ip from 10.99.0.0/16 to any in via xl0            // block trespassers

?? Is this possible?
?? What sort of IP address should xl0 have? When I gave it a 10.99.0.0 255.0.0.0 address, netstat -rn said all 10 traffic was on xl0, which was not true.
?? Will the OS route traffic coming in on xl0 (with good IPs) through the stacks to xl1 and then on to xl0 for external traffic?
?? Will this act as a switch (MAC specific) or a hub (broadcast mode)?

I have had problems with multiple interfaces of this type (xl). I found that I had to ensure all interfaces were down as each one was configured. If another xl interface is up, an error message is returned about an existing file.

Rip Toren
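The two behaviours the post runs into, a second interface on a prefix that is already in the route table and first-match evaluation of the "deny ... in via xl0" rule, can be reproduced in a small model. The block below is an added example written for this page; it is not the poster's configuration and not FreeBSD kernel or ipfw code. Interface names xl0/xl1/xl2, the 10.0.0.254 address and the 10.99.0.0/16 "bad" pool come from the post; the /24 on xl2, the disjoint /16 alternative, the default route via xl2 and the trailing allow rule are assumptions of the model. Treating a duplicate connected prefix as a rejected install mirrors the "existing file" error the post describes, but it is a simplification, not a statement of what a given FreeBSD release does.

```python
import ipaddress

# Constructed interface tables (assumed /24 upstream; the 10/8 masks are from the post).
OVERLAPPING = {             # what the post tried: both downstream segments on 10/8
    "xl2": "198.162.1.1/24",
    "xl0": "10.99.0.254/8",  # brought up first, as in the post's netstat observation
    "xl1": "10.0.0.254/8",
}
DISJOINT = {                # assumed alternative: one /16 per segment
    "xl2": "198.162.1.1/24",
    "xl0": "10.99.0.254/16",
    "xl1": "10.0.0.254/16",
}

# ipfw-style rule list, first match wins. The deny is the post's rule; the
# final allow is an assumed catch-all so that permitted traffic is forwarded.
RULES = [
    {"action": "deny",  "src": "10.99.0.0/16", "in_via": "xl0"},
    {"action": "allow", "src": "0.0.0.0/0",    "in_via": None},
]


def build_routes(ifaces):
    """Install one connected route per interface plus an assumed default via xl2.

    A second interface whose network is already in the table is recorded as a
    conflict instead of being installed; this models the 'existing file' error
    the post mentions and means all traffic for that prefix lands on one NIC.
    """
    table, conflicts = {}, []
    for name, cidr in ifaces.items():
        net = ipaddress.ip_network(cidr, strict=False)   # host bits masked off
        if net in table:
            conflicts.append((name, table[net], str(net)))
        else:
            table[net] = name
    table[ipaddress.ip_network("0.0.0.0/0")] = "xl2"     # assumed default route
    return table, conflicts


def lookup(table, dst):
    """Longest-prefix match over the installed routes; returns the egress interface."""
    addr = ipaddress.ip_address(dst)
    best = max((net for net in table if addr in net), key=lambda n: n.prefixlen)
    return table[best]


def ipfw_check(rules, src, in_via):
    """First-match evaluation of inbound rules; returns 'allow' or 'deny'."""
    s = ipaddress.ip_address(src)
    for r in rules:
        if r["in_via"] not in (None, in_via):   # rule bound to another interface
            continue
        if s in ipaddress.ip_network(r["src"]):
            return r["action"]
    return "deny"   # assumed default-deny when nothing matches


def handle(ifaces, rules, src, dst, in_via):
    """One inbound packet: firewall verdict first, then forwarding lookup."""
    if ipfw_check(rules, src, in_via) == "deny":
        return "denied"
    table, _ = build_routes(ifaces)
    return "forward via " + lookup(table, dst)


if __name__ == "__main__":
    table, conflicts = build_routes(OVERLAPPING)
    print("conflicts with 10/8 on both NICs:", conflicts)
    print("10.0.0.7 with overlap ->", lookup(table, "10.0.0.7"))
    table, conflicts = build_routes(DISJOINT)
    print("conflicts with disjoint /16s:", conflicts)
    print("10.0.0.7 disjoint ->", lookup(table, "10.0.0.7"))
    print("10.99.0.5 in via xl0 ->", handle(DISJOINT, RULES, "10.99.0.5", "192.0.2.9", "xl0"))
    print("10.0.0.5 in via xl0  ->", handle(DISJOINT, RULES, "10.0.0.5", "192.0.2.9", "xl0"))
```

Running it shows the overlap case collapsing all of 10/8 onto whichever interface came up first, which is what the post's netstat -rn output suggested, and the disjoint case sending 10.0.0.x out xl1 and 10.99.0.x out xl0 while the rule still drops "bad"-pool sources arriving on xl0. The same lookup also shows the return-path caveat for the plan as written: with 10.0.0.x reserved for the wired segment, a reply to a 10.0.0.x WiFi client would be forwarded out xl1, so the "good" WiFi pool needs a prefix that is routed to xl0.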