Date:      Wed, 30 Sep 1998 22:24:57 -0500
From:      "Jeffrey J. Mountin" <jeff-ml@mountin.net>
To:        steven@shellnet.co.uk (Steven Fletcher)
Cc:        freebsd-isp@FreeBSD.ORG
Subject:   Re: IPFW, Dual network cards
Message-ID:  <3.0.3.32.19980930222457.00788dd8@207.227.119.2>
In-Reply-To: <3615a823.10152184@smtp.shellnet.co.uk>
References:  <3.0.3.32.19980930152823.00720380@207.227.119.2> <3.0.3.32.19980930152823.00720380@207.227.119.2>

At 10:18 PM 9/30/98 GMT, Steven Fletcher wrote:
>>You are aware that by default Windoze does NetBEUI over TCP/IP and file sharing should be done via NetBEUI.  
>
>Aha. This is a case of simply closing the relevant tcp ports via ipfw
>yes ?

Truly, but using a FBSD server as a router does this without adding filters everywhere, and what about NT colo's (which you have)?  In an ISP environment, filtering the ports adds a bit more work (and overhead), since you need to protect from colo's _and_ dialup.  There is no reason to add IPFW to several machines if one will do and cover them all.  Unless you want to protect them from each other, which is a good idea.  Matter of desired security and style.

I've simplified a bit, but overall setup decides the solution.  Not allowing telnet simplifies everything.

>> He was a bit slow 
>
>Aren't they all? }:>

This guy ran a business selling websites no less and I didn't care to do his work for him.  Not ignorant, which I don't consider a bad word, but truly slow.  Disgustingly so.

>What follows this line is only for the strong-minded:
>
>Okay, so I have managed to get FreeBSD installed and the network cards
>in place.
>
>The situation is this:
>
>I have one Intel EtherExpress PRO as fxp0. This is the card that is
>connected to our Cisco switch @ 100Mb/s (the main network). This (I
>believe) is what is known as the public interface? Its IP is
>194.129.209.8 (eth2-fw1.bolton.shellnet.co.uk)
>
>Then there is one RealTek(Groan) 8019 card as ed0. This is setup
>correctly as far as I can see - However occasionally the kernel says
>"ed0: device timeout". I think I am right here in setting its IPs as
>192.168.0.1 (for the internal network) and as 194.129.209.15 (which
>will be the default gateway of the bandwidth limited machines that use
>it.) It's connected to a cheap 8 port non-switching hub. The following
>diagram should illustrate this:

Usually device timeouts on ed0 (and ep0 in 2.2.5 and earlier) mean that the IRQ/address the kernel is looking for are not how the card is set.  Were you able to 'netstat -i' and ping the ip from another machine on the internal network?

God knows how many oddball cards I've dealt with that had no driver disks and were so no-name brand that I had to hunt for the right combination.  Thank the gods of FBSD for visual_userconfig!

>	.-----------------------.
>	|	FreeBSD	3	|
>	'-----------------------'
>	/			\
>     Intel		     Realtek
> 194.129.209.8	     192.168.0.1/194.129.209.15
>       |		  |	 	|   
>       |	   Internal network  	|
>  Cisco Hub to		 		|
>  2501 router. 	      	      bandwidth limited servers
>
>So, I plugged in the cards and hubs, and now I'd like to do the
>following:
>
>1) Using IOS for the IP's of the bandwidth limited servers, I'll
>plonk:
>
>ip route 194.129.209.whatever 255.255.255.255 Ethernet0 194.129.209.8
>or
>ip route 194.129.209.whatever 255.255.255.255 Ethernet0 194.129.209.15
>?

Why do you have the same network on both sides?  And since you have unrouteable private IP addresses on the Realtek.  This is a case for natd, but even if they were routeable IPs, it would be incorrect.  The routes don't make sense to me either and you seem to be talking Ciscoese.

>Will 194.129.209.8 know that 194.129.209.whatever is accessible via
>the RealTek card and be able to forward the packets? Or will the rest
>of my network be able to see 194.129.209.15 even though it is
>indirectly connected to the network? Just how do I tell FreeBSD to
>route packets from one network card to the 2nd network card and vice
>versa.
>
>I've tried this, y'see, with no luck.
>
>The situation before was that some of our smart-arse customers were able
>to change the default gateway and subnet mask (Windows NT hosted
>servers) of their machines and bypass (at least) the outgoing
>bandwidth limitations - incoming traffic was still limited by the
>router statements so physical security is the next step up.

No clue on your needs, so I'm not going into detail and related subjects have been on the list often enough.  Not to rudely push you to the archives, but there are several alternatives to the overall network design and a bit of reading will make for plenty of ideas of varying complex simplicity. ;)

Using private IPs will conserve your nets of course.

For starters in rc.conf you need:

gateway_enable=YES
natd_enable="YES"
natd_interface="fxp0"
natd_flags=""

Your kernel will need to be recompiled with:

options IPFIREWALL
options IPDIVERT

You will need to 'man natd' for more details or check the list archives, but I only say this because there is a very simple way....

Why not use SNMP on the Cisco and MRTG for this instead?  No need for the server and NAT and they _must_ go through the switch.  However, you will use your routeable IP addresses and it will cost more per colo server, but then how do setup fees come about? <g>

>Anyway, it didn't appear to work after almost all afternoon trying to
>figure this out.... I'm a little stuck now and am desperately looking
>for people who've done this before to advise on how I go about
>resolving this situation :)

Not surprising with private IPs that would only have worked locally.

I've never done natd myself, except from home, but it certainly helps being on the lists here for 2+ years and also on Livingston's lists, so only the specifics and experience lack, not alternative methods.

It would be cheaper to use NAT and your setup, but using the switch will segment the servers and should be a smidgen better for performance (ducks).  My preference.

>Thanks for reading... It's a little long but I have a habit of wanting
>to make things clear - usually undone in that I in fact make things
>worse.

Network questions are frequently long.


Jeff Mountin - Unix Systems TCP/IP networking
jeff@mountin.net
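A firewall script to go with the rc.conf lines and kernel options Jeff lists, added here as an example and not taken from the original thread. It assumes fxp0 as the public interface, 192.168.0.0/24 as the private net on the Realtek side, natd on its default divert port, and the rc.conf entries named in the comments; the interface and net values are placeholders to adjust.

```shell
#!/bin/sh
# Constructed example for the natd/ipfw gateway sketched in the reply above.
# Assumed (not from the thread): public interface fxp0, private net
# 192.168.0.0/24 behind NAT, natd listening on its default divert port.
# Pair it with rc.conf: gateway_enable="YES", natd_enable="YES",
# natd_interface="fxp0", firewall_enable="YES", firewall_script="/etc/fw.sh"
# and a kernel built with options IPFIREWALL and IPDIVERT.

oif="fxp0"
inet="192.168.0.0/24"

# With DRYRUN=1 the rules are printed for review instead of loaded.
fw() {
    if [ "${DRYRUN:-0}" = "1" ]; then
        echo "ipfw $*"
    else
        /sbin/ipfw "$@"
    fi
}

load_rules() {
    fw -f flush
    # Hand every packet crossing the public interface to natd first, so
    # replies for the private hosts are un-translated before filtering.
    fw add 100 divert natd ip from any to any via "$oif"
    # Anti-spoofing: the private range must never arrive from the public side.
    fw add 200 deny ip from "$inet" to any in via "$oif"
    # Keep NetBIOS/SMB file sharing off the public interface (TCP and UDP).
    fw add 300 deny tcp from any to any 137-139 in via "$oif"
    fw add 310 deny udp from any to any 137-139 in via "$oif"
    # Telnet is not allowed in from outside, as the reply recommends.
    fw add 320 deny tcp from any to any 23 in via "$oif"
    # Everything else is routed between the two cards.
    fw add 400 allow ip from any to any
}

# Count the deny rules in the set; handy when reviewing a dry run.
deny_count() {
    ( DRYRUN=1; load_rules ) | grep -c ' deny '
}

if [ "${FW_APPLY:-0}" = "1" ]; then
    load_rules
fi
```

Run with `DRYRUN=1 sh fw.sh` to print the set, and `FW_APPLY=1 sh fw.sh` as root to load it.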
