From owner-freebsd-questions@FreeBSD.ORG Sat Nov 24 04:12:13 2007
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4ACB716A41A for ; Sat, 24 Nov 2007 04:12:13 +0000 (UTC) (envelope-from smithi@nimnet.asn.au)
Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143]) by mx1.freebsd.org (Postfix) with ESMTP id A41D413C447 for ; Sat, 24 Nov 2007 04:12:11 +0000 (UTC) (envelope-from smithi@nimnet.asn.au)
Received: from localhost (smithi@localhost) by gaia.nimnet.asn.au (8.8.8/8.8.8R1.5) with SMTP id PAA05885; Sat, 24 Nov 2007 15:11:52 +1100 (EST) (envelope-from smithi@nimnet.asn.au)
Date: Sat, 24 Nov 2007 15:11:51 +1100 (EST)
From: Ian Smith
To: Alaor Barroso de Carvalho Neto
In-Reply-To: <20071123151355.0B21416A4D4@hub.freebsd.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: Bill Moran, freebsd-questions@freebsd.org
Subject: Re: routing problem
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Sat, 24 Nov 2007 04:12:13 -0000

On Fri, 23 Nov 2007 12:33:26 -0200 "Alaor Barroso de Carvalho Neto" wrote:

> 2007/11/23, Bill Moran :
> >
> > "Alaor Barroso de Carvalho Neto" wrote:
> > [..]
> > > > > em0 external world XXX.XXX.XXX.XXX
> > > > > rl0 adm 192.168.1.80
> > > > > rl1 acad 192.168.2.90
> > > > > rl3 database 10.10.0.50
> > > > >
> > > > > They are all separated networks. What I want: 192.168.2 should only access
> > > > > the internet, shouldn't have access to 192.168.1 or 10.10/16.
> > > > > 192.168.1 should access the internet and
> > > > > 10.10/16, but shouldn't access the academic network. 10.10/16 should access
> > > > > only the 192.168.1 network, but it's not a problem if they had access to
> > > > > internet too.
> > > > >
> > > > > How I would set up my rc.conf with my static routes?
> > > >
> > > > This is beyond the scope of routing. You'll need to install a packet
> > > > filter. The best at this time is probably pf:

ipfw works fine too for these sorts of network policy separation :)

> > > Yes, I have IPFILTER installed, but if I would want to everybody ping to
> > > everybody and then block the things in the firewall, it isn't about routes?
> > > because neither of my networks are pinging to any other right now. By ping
> > > I mean have access. I thought it would have something to do with setting
> > > routes. BTW, my ipfilter now just pass everything because I'm building the
> > > server, but I already have a config file with the blocks that I would apply.
> >
> > That's a completely different scenario than the one you described in
> > your previous message.
> >
> > Do you have gateway_enable="YES" in /etc/rc.conf?
> >
> > --
> > Bill Moran
> > http://www.potentialtech.com

Just to add a couple of points to what Bill's pursuing here:

> Yeah, I know, I was trying to make it work with only adm and external, but
> the real scenario I have is this. Yes I have this line, my rc.conf is like
> this:
> [...]
> gateway_enable="yes"
> defaultrouter="XXX.XXX.XXX.158" (the external ip)
> ifconfig_em0="inet XXX.XXX.XXX.130 netmask 255.255.255.227"

If that wasn't a typo, this is a non-contiguous netmask. I suspect you want
255.255.255.224, assuming the default router is in the same subnet?
Specifying CIDR notation with route and ifconfig can make netmask
fatfingering a bit less likely (eg here XXX.XXX.XXX.130/27)

I'm not saying this odd netmask explains your problem, nor that I fully
understand the effect of non-contiguous netmasks, but it's worth fixing.

> ifconfig_rl0="inet 192.168.1.80 netmask 255.255.255.0"
> ifconfig_rl1="inet 192.168.2.90 netmask 255.255.255.0"
> ifconfig_rl2="inet 10.10.0.50 netmask 255.255.0.0"
> [...]

On which machine/s is NAT translation taking place?

Eg if 10.10/16 were allowed access to the internet via here, where would they
get NAT'd to the external IP?

Cheers, Ian
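An added check for the netmask point Ian raises (example code, not from the thread or any FreeBSD tool): it flags a non-contiguous mask such as 255.255.255.227, turns the suggested /27 into its dotted form, and confirms the defaultrouter lies inside the em0 subnet. The 203.0.113.x addresses are constructed stand-ins for the anonymised XXX.XXX.XXX values.

```python
# Added netmask sanity checks for the rc.conf lines quoted above (not from the
# thread); the 203.0.113.x addresses are constructed stand-ins for XXX.XXX.XXX.

def mask_to_int(dotted):
    """Dotted quad -> 32-bit integer, validating each octet."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad dotted quad: %s" % dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def is_contiguous(mask):
    """True if mask is 1...10...0, i.e. expressible as a CIDR prefix."""
    inv = ~mask_to_int(mask) & 0xFFFFFFFF   # the host bits
    return inv & (inv + 1) == 0             # host bits must be 2**n - 1

def prefix_to_mask(prefix):
    """CIDR prefix length -> dotted mask, e.g. 27 -> 255.255.255.224."""
    if not 0 <= prefix <= 32:
        raise ValueError("bad prefix length: %d" % prefix)
    value = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def mask_to_prefix(mask):
    """Dotted mask -> CIDR prefix length; rejects non-contiguous masks."""
    if not is_contiguous(mask):
        raise ValueError("non-contiguous netmask: %s" % mask)
    return bin(mask_to_int(mask)).count("1")

def check_interface(addr, mask, router):
    """Problems with an ifconfig address/netmask and its defaultrouter."""
    problems = []
    if not is_contiguous(mask):
        problems.append("netmask %s is non-contiguous" % mask)
        return problems   # no well-defined subnet to test the router against
    m = mask_to_int(mask)
    if mask_to_int(addr) & m != mask_to_int(router) & m:
        problems.append("defaultrouter %s is not in %s/%d"
                        % (router, addr, mask_to_prefix(mask)))
    return problems

if __name__ == "__main__":
    ext, rtr = "203.0.113.130", "203.0.113.158"          # constructed sample values
    print(check_interface(ext, "255.255.255.227", rtr))   # mask as quoted
    print(check_interface(ext, prefix_to_mask(27), rtr))  # mask as suggested: /27
```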