Date:      Tue, 25 Jan 2005 23:04:37 -0800
From:      "Ted Mittelstaedt" <tedm@toybox.placo.com>
To:        "Doug Poland" <doug@polands.org>, <questions@freebsd.org>
Subject:   RE: Running public IP's inside an RFC 1597 network
Message-ID:  <LOBBIFDAGNMAMLGJJCKNCECCFAAA.tedm@toybox.placo.com>
In-Reply-To: <20050126024201.GA49980@polands.org>

owner-freebsd-questions@freebsd.org wrote:
> Hello,
> 
> I'm running a typical Class C RFC 1597 network in my lab.  What I want
> to do is create another network, accessible from my private addresses,
> that uses public IPs.  The public IPs exist in the wild but I want to
> have an isolated environment where I can test what happens in public
> space, in my lab, before I deploy changes.
> 

Hoo boy.  OK first of all an IP is an IP is an IP.  Machines don't
know or care if we humans designate a subnet as public or private.

In any case you cannot have 'public' IPs 'inside' a private IP
subnet, unless there's some tunnel connection from the public
network on the inside to the real outside Internet.

> All the machines in question are running 5.3-STABLE.
> 
> What I've setup so far are two test servers, host1 (H1) and host2 (H2)
> with public IPs, and a gateway (GW) machine with one public IP and one
> private IP.  All three machines are on a switch, the gateway has two
> NICs, one on the public switch and one on the private switch.
> 
> e.g.,
> 
>    External IP        Internal IP     Defaultrouter IP
> --------------------- --------------  ---------------
> GW 123.456.789.1/24   10.20.30.40/24  10.20.30.1
> H1 123.456.789.154/24                 123.456.789.1
> H2 123.456.789.161/24                 123.456.789.1
> 
> 
> I can ping between the 3 "public" IPs fine until I turn on the GW
> interface with the private IP.  At that point, the GW cannot ping the
> two "public" servers.
> 

Impossible.  Or more accurately, if the GW is correctly configured
it doesn't work this way.

A default route such as:

0.0.0.0  0.0.0.0   ->  10.20.30.1

is the absolute most general route there is for a machine. ANY route
other than another default is more specific than it, and thus will
take priority.

In a correctly configured system when you define an interface, such
as 123.456.789.1/24 the system automatically creates a /24 route
for the 123.456.789.0 subnet that points out that interface.  This
route is -more specific- than the default, thus ANY IP that has a
prefix that matches this subnet will follow the more specific route,
and be routed out of the interface.  This is a fundamental property
of any host.

You aren't saying how you're 'turning on' the GW interface.  If you have
NOT defined gateway_enable="YES" in the /etc/rc.conf file then
it might be possible to get funny behavior like this if you have
multiple interfaces active in the system.  Or, if you turn on the
firewall with a restricted set of access lists, same thing.

> Obviously I'll need NAT'ing from the GW to H1 and H2 if I want packets
> from other hosts on my private network to see the "public" servers.

Incorrect.  All you need is a route in the 10.20.30.1 router
for 123.456.789.0/24 pointing back to 10.20.30.40.  Since all the hosts
on 123.456.789.0/24 know to use 123.456.789.1 as their default gateway,
and that machine knows where 10.20.30.0/24 is, routing works normally.

> What I can't figure out is how to tell my GW machine that packets
> destined for the 123.456.789.0/24 network are to go through my other
> NIC, not out through the GW's default router.
>

It is more useful to stand this question on its head.  Ask yourself, how
can you PREVENT packets from just naturally going out the 123.456.789.1
interface that have a destination prefix of 123.456.789?
 
> I hope I've explained the situation clearly.  Googling and reading the
> friendly manuals has not revealed a solution to me.

Well, what you're trying to do is, as they say, pointless, which is why
nobody does it, which is why it's not documented.

Why don't you tell us what you REALLY are trying to accomplish?  What
exactly does a 'public space' have that you need to test on that a
'private space' doesn't, and why are you under the impression that
it will continue to remain a 'public space' the second you isolate it?

Ted
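As an added example (not part of the original mail), here is a small longest-prefix-match simulation of the routing tables Ted describes: GW's own table, and the upstream 10.20.30.1 router before and after the static route he suggests. Because 123.456.789.0/24 is not a valid IPv4 prefix, the documentation range 203.0.113.0/24 stands in for the lab's "public" subnet, and the upstream router's ISP next hop 192.0.2.1 is likewise constructed.

```python
"""Longest-prefix-match walk-through for the routing question above.

Added example, not from the original thread. 203.0.113.0/24 stands in
for the mail's (invalid) 123.456.789.0/24; 10.20.30.0/24 is kept as-is.
"""
from ipaddress import ip_address, ip_network

# A route is (destination prefix, next hop).  A next hop of None means
# "directly connected": the kernel installs one such route per configured
# interface, which is the /24 route Ted refers to.


def lookup(table, dst):
    """Return the most specific route covering dst (longest prefix wins).
    0.0.0.0/0 has prefix length 0, so the default only matches when no
    other route does."""
    addr = ip_address(dst)
    candidates = [r for r in table if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)


def route_to(table, dst):
    """Human-readable form of the chosen route, for the checks below."""
    r = lookup(table, dst)
    if r is None:
        return "unreachable"
    prefix, nh = r
    return f"{prefix} via {nh}" if nh else f"{prefix} connected"


# GW: two connected interfaces plus the defaultrouter from rc.conf.
GW = [
    (ip_network("203.0.113.0/24"), None),       # "public" NIC (stand-in)
    (ip_network("10.20.30.0/24"), None),        # private NIC
    (ip_network("0.0.0.0/0"), "10.20.30.1"),    # defaultrouter
]

# The 10.20.30.1 router without the route Ted recommends: replies for the
# "public" hosts follow its default out to the ISP (constructed 192.0.2.1).
UPSTREAM_BEFORE = [
    (ip_network("10.20.30.0/24"), None),
    (ip_network("0.0.0.0/0"), "192.0.2.1"),
]

# Same router with the one static route pointing back at GW's private side.
UPSTREAM_AFTER = UPSTREAM_BEFORE + [
    (ip_network("203.0.113.0/24"), "10.20.30.40"),
]
```

Running the lookups shows the point of the reply: GW always reaches the "public" subnet via its connected route regardless of the default, and only the upstream router needs a new entry.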
