From: Francisco Reyes
To: freebsd-net@freebsd.org
Subject: FreeBSD behind a firewall
Date: Fri, 21 Feb 2014 22:02:23 -0500
Message-ID: <5308133F.7050504@natserv.net>
List-Id: Networking and TCP/IP with FreeBSD

Setup

    Internet --> Vyatta firewall --> FreeBSD

Trying to have the FreeBSD machine listen on http and https on the local network and have the Vyatta firewall forward the traffic from the external connections.

I have the Vyatta already configured to send to FreeBSD, but it seems the packets at the FreeBSD machine are not going back to the firewall.

The FreeBSD machine has 3 interfaces:

    xn0 public   - will have ssh open
    xn1 internal - visible in entire data center (Rackspace VM)
    xn2 internal - private net on 192.168.3.0

I have the Vyatta firewall sending traffic to xn2 and I am able to see it with tcpdump.

I tried setting a static route for all of 192.168.3.0 to go through the Vyatta firewall, but that did not seem to help.
Output of netstat -r

    Internet:
    Destination        Gateway            Flags    Refs    Use  Netif Expire
    default            162.209.99.1       UGS         0   3542    xn0
    10.176.0.0/18      link#5             U           0      0    xn1 =>
    10.176.0.0/12      10.176.0.1         UGS         0      0    xn1
    testvm             link#5             UHS         0      0    lo0
    localhost          link#3             UH          0      0    lo0
    162.209.99.0       link#4             U           0      0    xn0
    testvm             link#4             UHS         0      0    lo0
    192.168.3.0        link#6             U           0      0    xn2
    192.168.3.1        link#6             UHS         0      0    lo0

The FreeBSD machine is 192.168.3.1, the Vyatta firewall is 192.168.3.2.

Relevant parts of /etc/rc.conf

    defaultrouter="162.209.99.1"
    static_routes="lan0 lan1 lan2"
    route_lan0="-net 10.176.0.0 -netmask 255.240.0.0 10.176.0.1"
    route_lan1="-net 10.208.0.0 -netmask 255.240.0.0 10.176.0.1"
    # must be route_lan2: the variable name has to match the third entry in static_routes
    route_lan2="-net 192.168.3.0 -netmask 255.255.255.0 192.168.3.2"

Any pointers on how I can get the traffic to go back to the Vyatta firewall? Does the firewall need to be the gateway for the VM? The ideal would be to keep ssh outside so as to not depend on the firewall, and http and https to go through the firewall.
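Added example, not from the post or from FreeBSD itself: a longest-prefix-match lookup over the routing table quoted above, showing why replies to Internet clients leave via xn0 no matter which interface the request came in on. The client address 203.0.113.10 is a constructed test value.

```python
import ipaddress

# Forwarding table reconstructed from the netstat -r output in the post:
# (destination, next hop, interface). "link#N" means directly connected.
ROUTES = [
    ("0.0.0.0/0",       "162.209.99.1", "xn0"),   # default
    ("10.176.0.0/18",   "link#5",       "xn1"),
    ("10.176.0.0/12",   "10.176.0.1",   "xn1"),
    ("162.209.99.0/24", "link#4",       "xn0"),
    ("192.168.3.0/24",  "link#6",       "xn2"),
]

def lookup(dst, routes=ROUTES):
    """Longest-prefix match, as the kernel does for every outgoing packet.
    Returns (prefix, next_hop, interface)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, ifc in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, ifc)
    return (str(best[0]), best[1], best[2])

def reply_interface(client_ip, routes=ROUTES):
    """Interface FreeBSD uses for the reply to a client. Only the client's
    address is consulted; the interface the request arrived on is not."""
    return lookup(client_ip, routes)[2]

def with_default(gateway, iface, routes=ROUTES):
    """Copy of the table with the default route pointed elsewhere."""
    return [("0.0.0.0/0", gateway, iface)] + [r for r in routes if r[0] != "0.0.0.0/0"]

if __name__ == "__main__":
    client = "203.0.113.10"   # constructed external client address (TEST-NET-3)
    # Request arrived on xn2 from the Vyatta, but the reply leaves via xn0:
    print("reply to", client, "leaves via", reply_interface(client))        # xn0
    # The static route for 192.168.3.0/24 only affects packets addressed to
    # that net (e.g. the firewall itself), never replies to Internet clients:
    print("packet to 192.168.3.2 leaves via", lookup("192.168.3.2")[2])       # xn2
    # Pointing the default route at the firewall sends web replies back out
    # xn2, but ssh replies to the same client follow the same route:
    via_fw = with_default("192.168.3.2", "xn2")
    print("with default via firewall:", reply_interface(client, via_fw))     # xn2
```

The last case is the trade-off the post's final sentence describes: with a single default route, ssh replies on xn0 and web replies cannot take different paths.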