From owner-freebsd-questions@FreeBSD.ORG  Thu Jun  5 05:36:30 2003
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D4A8137B401
	for <freebsd-questions@freebsd.org>;
	Thu,  5 Jun 2003 05:36:30 -0700 (PDT)
Received: from onyx.breakawaygames.com
	(ip66-3-217-81.z217-3-66.customer.algx.net [66.3.217.81])
	by mx1.FreeBSD.org (Postfix) with ESMTP id BF1D043F75
	for <freebsd-questions@freebsd.org>;
	Thu,  5 Jun 2003 05:36:27 -0700 (PDT)
	(envelope-from mthomas@breakawayltd.com)
Received: from mthomasxp (host167 [192.168.100.167])
	by onyx.breakawaygames.com (8.11.4/8.11.4) with SMTP id h55CaRf34463
	for <freebsd-questions@freebsd.org>;
	Thu, 5 Jun 2003 08:36:27 -0400 (EDT)
	(envelope-from mthomas@breakawayltd.com)
From: "Mark Thomas" <mthomas@breakawayltd.com>
To: <freebsd-questions@freebsd.org>
Date: Thu, 5 Jun 2003 08:36:50 -0400
Message-ID: <KOEILOHHAMNABNLJONMMIEGOCAAA.mthomas@breakawayltd.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Subject: Firewall/DMZ routing
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jun 2003 12:36:31 -0000

[Please cc me directly with any replies. Thanks]

I'm setting up a multihomed firewall box. I have all interfaces up and
running but have something going wrong with routing. The setup:

ISP router [A.B.C.144/28, using A.B.C.145]
  |
FIREWALL PUBLIC    [A.B.C.146/29]
FIREWALL DMZ IFACE [A.B.C.153/29]
  |
DMZ TEST HOST      [A.B.C.154/29]

I can ping all IPs from the firewall, the firewall from the test DMZ host,
and the public firewall IP from the world, but not the firewall DMZ
interface or the DMZ test host. All interfaces are up. The firewall is setup
as a gateway.

If I do a tcpdump on the public interface while pinging the test host from
the world I see:

08:33:08.160246 arp who-has A.B.C.154 tell A.B.C.145

netstat -rn says:

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            A.B.C.145          UGSc       60      879    em0
127.0.0.1          127.0.0.1          UH          1      372    lo0
A.B.C.144/29       link#1             UC          3        0    em0
A.B.C.145          00:02:17:61:75:85  UHLW        1        0    em0   1200
A.B.C.146          00:0b:db:90:37:8b  UHLW        0        8    lo0
A.B.C.152/29       link#3             UC          0        0    em2

I think I should have 2 /29 networks with the firewall routing them, right?
Do I need to change the router config? Do I need to establish static routes?

Thanks for any pointers,

Mark Thomas
mthomas@breakwayltd.com