Date:      Thu, 17 Jan 2002 10:32:41 +0200
From:      Sheldon Hearn <sheldonh@starjuice.net>
To:        freebsd-questions@FreeBSD.org
Subject:   Re: IPv4 tunnelling 
Message-ID:  <21074.1011256361@axl.seasidesoftware.co.za>
In-Reply-To: Your message of "Tue, 15 Jan 2002 15:12:19 +0200." <55173.1011100339@axl.seasidesoftware.co.za> 



On Tue, 15 Jan 2002 15:12:19 +0200, Sheldon Hearn wrote:

> We're planning to migrate our entire colocated site (mail and web
> servers) to a new provider.
> 
> During the propagation period required for DNS updates, we'd like to
> leave the old firewall in place and have it tunnel packets to the new
> firewall, presumably using gif(4).

Hopefully, the reason I haven't had feedback on this is simply that I
didn't provide enough useful information. :-)

A flaw I spotted in my plan (with help from Phil Regnauld), is that the
new firewall won't know whether to route outbound packets via the tunnel
or out through the public interface.

Therefore, it seems that, for as long as it takes for the new DNS
records to propagate, the servers on the new network will need two IP
addresses each -- the one pointed to by the DNS and one used to refer to
it through the tunnel and back.

Toward this goal, I now have the following configuration for testing:

New firewall (public interface 196.31.7.199)

gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        inet 216.123.44.3 --> 196.31.7.202 netmask 0xffffffff
        physical address inet 196.31.7.199 --> 216.123.44.2

Old firewall (public interface 216.123.44.2)

gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        inet 196.31.7.202 --> 216.123.44.3 netmask 0xffffffff
        physical address inet 216.123.44.2 --> 196.31.7.199

I have the following IPFW rules that ensure that I should be able to
ping from the old firewall:

add allow icmp from any to 216.123.44.2 icmptypes 0,3,8,11,12,13,14
add allow icmp from 216.123.44.0/24 to any icmptypes 0,3,8,11,12,13,14

Similar rules exist on the new firewall.

The new firewall has the following natd configuration:

-redirect_address 21.0.21.3 196.31.7.202

Also, the new firewall has 196.31.7.202 configured as an inet alias on
the public interface.

However, when I use ping to test the tunnel from the old firewall, I get
this:

ping -S 216.123.44.2 216.123.44.3
PING 216.123.44.3 (216.123.44.3) from 216.123.44.2: 56 data bytes
ping: sendto: Permission denied

I'm pretty sure I need to do something more, configuration-wise, to get
packets to enter and exit the tunnel correctly.

Any ideas?  Alternatively, is there any good documentation out there on
using gif(4) tunnels?  All the hits my searches turn up are for IPSec,
which we don't need (and which probably involves more overhead than at
least one of the firewalls can handle).

Ciao,
Sheldon.
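An added example, not part of Sheldon's message and not FreeBSD's own ipfw code: a small first-match evaluator for the two ipfw rules quoted above, run against both packets a gif(4) tunnel causes ipfw to see for the ping, the inner ICMP echo request and the outer IP-in-IP encapsulation (IP protocol 4, which ipfw names ipencap) that leaves the public interface. The tuple rule format, the evaluator, and a trailing default deny are assumptions made for illustration; on FreeBSD, "ping: sendto: Permission denied" is what a locally generated packet gets when ipfw refuses to send it.

```python
import ipaddress

# ipfw-style rules from the message: (action, proto, src, dst, icmptypes).
# "any" matches everything; icmptypes None means no type restriction.
RULES = [
    ("allow", "icmp", "any", "216.123.44.2", {0, 3, 8, 11, 12, 13, 14}),
    ("allow", "icmp", "216.123.44.0/24", "any", {0, 3, 8, 11, 12, 13, 14}),
]

def in_spec(addr, spec):
    """True if addr is covered by an ipfw address spec ('any', host, or CIDR)."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def evaluate(rules, proto, src, dst, icmptype=None):
    """First-match evaluation; the trailing default rule is assumed to be deny."""
    for action, rproto, rsrc, rdst, types in rules:
        if rproto not in ("any", proto):
            continue
        if not (in_spec(src, rsrc) and in_spec(dst, rdst)):
            continue
        if proto == "icmp" and types is not None and icmptype not in types:
            continue
        return action
    return "deny"

def tunnel_ping_verdicts(rules):
    """Verdicts for both packets ipfw sees when the old firewall pings through gif0:
    the inner ICMP echo request (constructed from the addresses in the message)
    and the outer IP-in-IP encapsulation (ipencap) between the public addresses."""
    inner = ("icmp", "216.123.44.2", "216.123.44.3", 8)
    outer = ("ipencap", "216.123.44.2", "196.31.7.199", None)
    return {
        "inner_icmp": evaluate(rules, *inner),
        "outer_ipencap": evaluate(rules, *outer),
    }

if __name__ == "__main__":
    print(tunnel_ping_verdicts(RULES))
    # Hypothetical extra rule permitting the encapsulated tunnel traffic itself:
    extra = RULES + [("allow", "ipencap", "216.123.44.2", "196.31.7.199", None)]
    print(tunnel_ping_verdicts(extra))
```

With only the two quoted rules, the inner echo is allowed but the encapsulated packet matches nothing and falls through to the default; adding a rule for the encapsulation protocol between the two public addresses is the kind of change the evaluator lets you check before touching the live ruleset.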
