From owner-freebsd-questions Tue Nov 20 21:47:25 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from creme-brulee.marcuscom.com (rdu57-28-046.nc.rr.com [66.57.28.46]) by hub.freebsd.org (Postfix) with ESMTP id D028537B417 for ; Tue, 20 Nov 2001 21:47:12 -0800 (PST)
Received: from shumai.marcuscom.com (shumai.marcuscom.com [192.168.1.4]) by creme-brulee.marcuscom.com (8.11.6/8.11.6) with ESMTP id fAL5htJ79249; Wed, 21 Nov 2001 00:43:55 -0500 (EST) (envelope-from marcus@marcuscom.com)
Subject: RE: Complex routing for a firewall
From: Joe Clarke
To: "Patrick O'Reilly"
Cc: Zak Johnson, FreeBSD Question List
In-Reply-To:
References:
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Mailer: Evolution/0.99.2 (Preview Release)
Date: 21 Nov 2001 10:46:34 +0500
Message-Id: <1006321600.25264.1.camel@shumai.marcuscom.com>
Mime-Version: 1.0
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Wed, 2001-11-21 at 00:32, Patrick O'Reilly wrote:
> > From: Zak Johnson [mailto:zakj@fenris.cc]
> > Sent: 20 November 2001 19:28
> >
> > Thank you. According to my ISP, this is standard procedure for him; he
> > claims Linux can handle this sort of setup just fine, although he hasn't
> > shown me a working example. At any rate, I'll have to convince him to
> > hand me out another IP in the gateway's netblock.
>
> I dunno what he's smoking, but it must be good stuff! :)
>
> Each link in an IP environment MUST be a network in its own right, even if
> it is just a tiny subnet for a PPP link. The layout I described has two
> distinct networks, one for the PPP link and one for the DMZ/Public LAN. To
> use an address from one network on a NIC attached to the other network just
> does not make sense. Whether the OS is Linux (or FreeBSD, or anything else)
> has nothing to do with the issue!

This isn't necessarily true. There is such a thing as unnumbered
interfaces. Unnumbered interfaces are used in this kind of situation
where the WAN is basically a point-to-point link. Basically, the WAN
interface uses the LAN IP. However, in Zak's setup, the IP addresses
from the provider overlap. Unless the provider gives you an address
outside of rl1's subnet, this will never work.

Joe

> Anyway, I suspect I am preaching to the converted. What surprises me is
> that an ISP (whose one and only order of business is IP networking) is
> apparently confused about how it should work!
>
> Here's a thought - I have previously had problems when dealing with a sales
> person, or Customer Relationship Manager, or similar. These folks are NOT
> technically minded, even though they might work for an ISP. He could easily
> be omitting some vital information without even knowing it. Try to get hold
> of the technical guy who is configuring the Router which is your gateway
> (x.x.164.1). He will know which IP blocks have been allocated and routed to
> you. And he should be able to confirm whether my guesswork before is
> actually correct or not.
>
> I hope you get this sorted out.
>
> Regards,
> Patrick.
>
> PS:
> I notice that I forgot to copy my previous reply to the List, so I'm
> including it here in case anyone else is in need of the same type of
> information:
> --------------------------------------------
> Zak,
>
> as Crist already suggested, your topology as described cannot work. I think
> the problem is that you and your ISP are not quite on the same wavelength.
>
> Looking at the info in your message, here is what I would _GUESS_ your
> topology should be. You should verify this with your ISP.
>
>            ISP Gateway
>           x.x.164.1 /30
>                |
>                |
>        rl0 = x.x.164.2 /30
>       Your Firewall /Gateway
>       rl1 = x.x.165.233/29
>                |
>                |
>           Other Servers
>          x.x.165.234/29
>          x.x.165.235/29
>          x.x.165.236/29
>          x.x.165.237/29
>          x.x.165.238/29
>
> If this is correct, then all you need to do on your gateway is:
> ------------------------
> defaultrouter=x.x.164.1
> ------------------------
> in /etc/rc.conf
>
> HTH,
> Patrick.
> -----------------------------------------------
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
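As an added illustration (not part of the thread), the addressing rules Patrick and Joe argue from can be checked mechanically: every directly connected link must be its own non-overlapping subnet, interface addresses must be host addresses, and the default router must sit on one of those subnets. The code below uses constructed 10.0.164.x / 10.0.165.x addresses as stand-ins for the thread's x.x.164.x / x.x.165.x, flags the overlapping case Joe describes, and renders the matching /etc/rc.conf lines for the working layout.

```python
from ipaddress import ip_address, ip_interface


def check_gateway_topology(interfaces, default_router):
    """Sanity-check a dual-homed gateway's addressing.

    interfaces: {ifname: "addr/prefixlen"}; default_router: "addr".
    Returns a list of problem strings; an empty list means every link is
    its own subnet and the default router is directly reachable.
    """
    problems = []
    ifaces = {name: ip_interface(cidr) for name, cidr in interfaces.items()}
    names = list(ifaces)
    # 1. No two directly connected subnets may overlap (Joe's objection).
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                problems.append(f"{a} {ifaces[a].network} overlaps {b} {ifaces[b].network}")
    # 2. An interface address must be a host address, not the network or
    #    broadcast address of its subnet (/31 point-to-point links excepted).
    for name, iface in ifaces.items():
        net = iface.network
        if net.num_addresses > 2 and iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name} {iface.ip} is the network/broadcast address of {net}")
    # 3. The default router must be on a directly connected subnet, or
    #    route(8) rejects the route with "Network is unreachable".
    gw = ip_address(default_router)
    if not any(gw in iface.network for iface in ifaces.values()):
        problems.append(f"defaultrouter {gw} is not on any directly connected subnet")
    return problems


def render_rc_conf(interfaces, default_router):
    """Render the equivalent /etc/rc.conf lines for a forwarding gateway."""
    lines = ['gateway_enable="YES"']
    for name, cidr in interfaces.items():
        iface = ip_interface(cidr)
        lines.append(f'ifconfig_{name}="inet {iface.ip} netmask {iface.network.netmask}"')
    lines.append(f'defaultrouter="{default_router}"')
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed stand-ins for the thread's x.x.164.x / x.x.165.x addresses.
    good = {"rl0": "10.0.164.2/30", "rl1": "10.0.165.233/29"}
    bad = {"rl0": "10.0.165.234/29", "rl1": "10.0.165.233/29"}  # WAN address taken from rl1's block
    print(check_gateway_topology(good, "10.0.164.1"))  # []
    print(check_gateway_topology(bad, "10.0.164.1"))
    print(render_rc_conf(good, "10.0.164.1"))
```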