From: Allen Landsidel
To: Nick Rogness
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: multihomed routing woes..
Date: Sun, 20 Jan 2002 21:15:30 -0500

At 12:59 01/20/2002 -0600, Nick Rogness wrote:
> On Sun, 20 Jan 2002, Allen Landsidel wrote:
>
> > [please reply off-list.. not subscribed.]
> >
> > Ok.. for several hours I've been banging my head against the proverbial brick wall, trying to resolve an issue that's been a nuisance for some time.
> >
> > To start from the beginning.. my network looks like this :
> >
> > [LAN] <--> [firewall] <--> [router] <--> [internet]
> >
> > The lan side has a public /28 block.
>
> Why does the lan have a public block?

I have a static IP block from my ISP.. I would also like to have a firewall other than the piece of junk in the lucent dslpipe "router." Thus, all the actual boxes get real IPs (for the most part) and I need a solution that allows me to put the firewall between the router and the lan.

> > The firewall has one address from that block on the interior interface, and an address in the 10/8 block on the exterior. The router has an address on the 10/8 block on the interior, the ISP assigned address on the WAN interface, and a static route to the firewall 10/8 for my IP block.
> >
> > The problem is simple : All outgoing traffic that *originates* on the firewall attempts to use the 10/8 address. I'm looking for some easy way to force it to use its internal address for traffic destined to go out the exterior interface, but so far to no avail.
>
> The real problem here is that you are running publics on your inside. Why are you doing this and not using static nat for this?

Why should I use nat if I'm paying for an IP block? The lan is not an intranet, it's a bunch of "real" servers out on the internet.

> If you have a good reason, then maybe running nat on the router or getting another /30 for your BSD<-->Router would help out. You could also trip out nat but it would be a mess.

The reason is simply that I'd rather not go through the hassle of assigning a bunch of private IPs to my boxes just because they're inside the firewall. What would really be great is an unnumbered interface between the firewall and the router, but I don't think either FreeBSD or the cheapy lucent dsl router supports this option. Getting the /30 would do, but it seems to me there should be a way to handle this "as-is" that isn't a massive hack.

> > My brain can't seem to think of a way to do this via route, and natd + my current stateful IPFW appears to be a no-go.. searching the lists and usenet has turned up others with the same problems, but no real solutions using these tools. Apparently my only options are:
> >
> > 1) ditch the stateful ipfw configuration in favor of a simple 'established' rule (ick)
>
> That might help while you are debugging.

If I do this, it will work.. period. I had it this way in the past, but thought that I'd rather switch to stateful routing so forged packets couldn't blow past the firewall and to the machines within.

> > 2) (maybe?) switch to ipf/ipnat.
>
> This will gain you nothing...probably make things worse.

I've heard that ipf/ipnat can do exactly what I need.. perhaps I am mistaken.

> > 3) Set up a proxy on one of the internal machines and have the firewall go through that to get out (ick)
>
> No.

Heh.. but it would work..

I think I didn't explain the problem too clearly.. I'll try and explain more clearly here.

The "lan" consists of every machine I have other than the firewall. Web, dns, ftp, cvsup, etc etc servers, all of them in a rack and on a switch. The internal interface for the firewall is also on this segment, and has the first IP address in the /28 block.

The external interface of the firewall is the only device plugged into the integrated (and slow) hub built into the router. This serves many purposes but the most important two are :

1) Every packet must pass through the firewall before any others see it, via sniffing or any other method.

2) Any machine surreptitiously plugged into the router's hub will not be able to access the internet; I consider this important.

Everything works great *except* for internet access on the firewall itself. Because the default route on the firewall is 10.0.0.1, it always attempts to use its interface on that subnet for internet access. The result, obviously, is that I cannot install ports, packages, or anything else directly from the firewall; I have to download the packages/tarballs on another machine and transfer them to the firewall, and then do the install.

I'm only concerned with nating one address, the external firewall interface. natd, however, has about zero capability for this when used on a stateful firewall.

I'm coming up with other ideas.. but this seems like it should be easy to do, even if it's not.