From owner-freebsd-ipfw@FreeBSD.ORG Fri Jul 28 13:38:02 2006
From: "Webmaster Elaconta"
To: "vladone"
Cc: ipfw@freebsd.org
Date: Fri, 28 Jul 2006 13:37:53 +0000
In-Reply-To: <367935308.20060728110514@spaingsm.com>
Subject: Re: Re[2]: FreeBSD Gateway to replace old Linux gateway
List-Id: IPFW Technical Discussions

Thanks for the tips, everyone. I've thought about the subject and I'm going to use a bridge to solve the problem. As it is, we're NAT'ing something that is already NAT'ed (our router already hands out addresses in the 192.168.1.x range). Therefore, we're going with the bridge, even if it means reconfiguring all the clients in the LAN.
-----------------------------------
Elaconta.com webmaster
-----------------------------------

On 7/28/2006, "vladone" wrote:

>Hello elaconta.com,
>
>Thursday, July 27, 2006, 2:03:26 AM, you wrote:
>
>> Tony Abou-Assaleh wrote:
>>> I would like to see a reference that shows that it is not possible to have
>>> two networks with the same subnet IP ranges. In fact, your working Linux
>>> PC is a good example that it can be done.
>>>
>>> You need to be careful not to use the same full IP address on both sides
>>> of the network, that's about it. The rest can be handled with a proper
>>> configuration of the routing table.
>>>
>>> Take a look at your routing table (using route) and see if you can
>>> reproduce it on FreeBSD. If you run into problems on the FreeBSD, report
>>> them, and someone might recognize something.
>>>
>>> Cheers,
>>>
>>> TAA
>>>
>>> -----------------------------------------------------
>>> Tony Abou-Assaleh
>>> Email: taa@acm.org
>>> Web site: http://taa.eits.ca
>>> ----------------------[THE END]----------------------
>>>
>>> On Wed, 26 Jul 2006, elaconta.com Webmaster wrote:
>>>
>>>> Howdy
>>>>
>>>> We have here an old (Mandrake Linux 8 - yeah, I know...) PC with two NICs
>>>> which serves as a firewall for our LAN and runs a BIND caching nameserver.
>>>> Although the machine is getting old, it still works well. Thing is, I'm
>>>> having a hard time trying to reproduce it, that is, getting another PC
>>>> to do exactly the same thing this PC is doing. It was configured by a
>>>> guy that left the company, so I can't simply ask him how he configured
>>>> it.
>>>> It's a precautionary measure: if the machine breaks down we need another
>>>> one to go in its place.
>>>> So while I am at it I would love to replace the crusty old thing with a
>>>> new one running FreeBSD.
>>>> The networking scheme is:
>>>>
>>>> Router (192.168.1.120) <-> (192.168.1.121) Firewall PC (192.168.1.122)
>>>> <-> (192.168.1.0/24) LAN
>>>>
>>>> Now, thing is, the Linux firewall has two NICs:
>>>>
>>>> NIC 1: 192.168.1.121
>>>> NIC 2: 192.168.1.122
>>>>
>>>> The two NICs on the Linux box are configured with 192.168.1.121 and
>>>> 192.168.1.122, both interfaces on the same subnet. 192.168.1.121 accesses
>>>> the company router (192.168.1.120) and 192.168.1.122 accesses the company
>>>> LAN (192.168.1.0/24).
>>>> From what I've googled, this shouldn't even be possible, everything is
>>>> on the same subnet. Regardless, it works great, and if I went and got a
>>>> FreeBSD rig to replace the old Linux rig, it would have to retain this
>>>> networking scheme; we can't afford to reconfigure the entire network
>>>> just for switching our firewall.
>>>>
>>>> I know we could use a network bridge, but we need the caching
>>>> nameserver functionality.
>>>>
>>>> I'm an all-round Unix guy, but I'm a bit green on the routing department.
>>>>
>>>> Can a FreeBSD box be configured the same way the Linux box is so it can
>>>> be a drop-in replacement for the Linux box? I can of course depict in
>>>> further detail the configuration of the Linux box (netstat -r to show
>>>> the routes, ifconfig or whatever).
>>>>
>>>> I've already prepped a FreeBSD 6.1 box which already works if the NICs in
>>>> the gateway are in different subnets (dc0 is 192.168.1.125 and dc1 is
>>>> 192.168.0.5, for instance). I've changed a PC in the network to the
>>>> 192.168.0.20 IP (instead of 192.168.1.20) and it connected without a
>>>> problem to the Internet, but we have lots of appliances which depend on
>>>> the 192.168.1.0 style network. We would need the two NICs in the box to
>>>> be in the same subnet...
>>>>
>>>> -----------------------------
>>>> Elaconta.com Webmaster
>>>> -----------------------------
>>>>
>>>> _______________________________________________
>>>> freebsd-ipfw@freebsd.org mailing list
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>>>> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>>>>
>>>
>>>
>> The routing table on the Linux box, as shown by the "route" command:
>>
>> [root@visao root]# route
>> Tabela de Roteamento IP do Kernel
>> Destino         Roteador        MáscaraGen.     Opções Métrica Ref    Uso Iface
>> 192.168.1.0     *               255.255.255.0   U      0      0        0 eth1
>> 192.168.1.0     *               255.255.255.0   U      0      0        0 eth1
>> 127.0.0.0       *               255.0.0.0       U      0      0        0 lo
>> default         192.168.1.120   0.0.0.0         UG     0      0        0 eth0
>>
>> Hum, some things in this table are in Portuguese... Basically "Tabela de
>> Roteamento IP do Kernel" means Kernel IP Routing Table, "Destino" means
>> Destiny, "Roteador" means Router, "Máscara" means Mask.
>
>You have two simple solutions, and one a little more complicated:
>1. use a bridge, as someone suggested
>2. if you don't want to change the network configuration, then change the part
>from the firewall to the hub or modem or whatever you have. For example
>   modem 10.1.1.1 <----> 10.1.1.2 firewall (freebsd 6.1)
>   192.168.1.2 <------> lan 192.168.1.0/24
>   with a simple natd config like this
>     use_sockets yes
>     same_ports yes
>     interface xl0
>     dynamic yes
>   assuming that in your firewall, xl0 is the external interface with
>   ip 10.1.1.2, configure the kernel with the proper options, and use
>   ipfirewall.
>3. I think that it is a bit more complicated with route, but I don't think
>that can work, but you can try.
>
> I recommend you variant 2 because it is very clear, and you need to change
> only the modem's internal ip.
>
>-- 
>Best regards,
> vladone                            mailto:vladone@spaingsm.com
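As an added example (not part of the thread, and not FreeBSD's or either poster's own configuration), the sh script below emits the FreeBSD 6.1 /etc/rc.conf fragments for the two options discussed above: the bridge the original poster settled on (vladone's variant 1) and the routed gateway with natd (variant 2), together with the natd.conf lines from the thread and a stateful ipfw ruleset for the natd variant. The interface names (dc0 on the router side and dc1 on the LAN side for the bridge; xl0 outside and dc1 inside for NAT), the 10.1.1.0/24 link between modem and firewall, the bridge address 192.168.1.121, the file names and the ruleset itself are my assumptions; the thread itself only gives the natd.conf lines and the addresses in vladone's diagram.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD. Emits FreeBSD 6.1
# configuration for both options. Assumed: dc0 (router side) and dc1 (LAN
# side) for the bridge; xl0 (outside, 10.1.1.2 towards the modem at 10.1.1.1)
# and dc1 (inside, 192.168.1.2) for the NAT variant.

# Variant 1: transparent bridge (what the original poster chose). Both NICs
# join bridge0; the LAN keeps its 192.168.1.0/24 numbering, and the bridge
# itself gets an address so the caching nameserver still has a home.
rcconf_bridge() {
    cat <<'EOF'
# /etc/rc.conf fragment: bridge + caching nameserver
cloned_interfaces="bridge0"
ifconfig_dc0="up"
ifconfig_dc1="up"
# address on the bridge (assumed 192.168.1.121) for named and management
ifconfig_bridge0="inet 192.168.1.121 netmask 255.255.255.0 addm dc0 addm dc1 up"
defaultrouter="192.168.1.120"
named_enable="YES"
EOF
}

# Variant 2: routed gateway with natd (vladone's suggestion). Only the modem's
# inside address changes; the LAN stays 192.168.1.0/24 behind NAT.
rcconf_natd() {
    cat <<'EOF'
# /etc/rc.conf fragment: router + natd + ipfw
gateway_enable="YES"
ifconfig_xl0="inet 10.1.1.2 netmask 255.255.255.0"
ifconfig_dc1="inet 192.168.1.2 netmask 255.255.255.0"
defaultrouter="10.1.1.1"
named_enable="YES"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="xl0"
natd_flags="-f /etc/natd.conf"
EOF
}

# /etc/natd.conf exactly as suggested in the thread.
natd_conf() {
    cat <<'EOF'
use_sockets yes
same_ports yes
interface xl0
dynamic yes
EOF
}

# Stateful ipfw ruleset for variant 2 (my ruleset, not the thread's). The
# ordering is the point: inbound packets are untranslated BEFORE check-state,
# and outbound packets are filtered and recorded BEFORE translation; otherwise
# the dynamic state holds the wrong addresses and replies are silently dropped.
ipfw_rules() {
    cat <<'EOF'
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 210 deny ip from 127.0.0.0/8 to any
# outside, inbound: hand the packet to natd first, then match existing state
add 300 divert natd ip from any to any in via xl0
add 400 check-state
add 410 allow icmp from any to any in via xl0 icmptypes 0,3,11
# outbound from the LAN or the box: record state on real addresses, then NAT
add 500 skipto 1000 tcp from 192.168.1.0/24 to any out via xl0 setup keep-state
add 510 skipto 1000 udp from 192.168.1.0/24 to any out via xl0 keep-state
add 520 skipto 1000 icmp from 192.168.1.0/24 to any out via xl0 icmptypes 8
add 530 skipto 1000 tcp from me to any out via xl0 setup keep-state
add 540 skipto 1000 udp from me to any out via xl0 keep-state
# the LAN side talks freely to the box (DNS, ssh) and across it
add 600 allow ip from any to any via dc1
add 900 deny log ip from any to any
# NAT only what the rules above permitted, then pass it
add 1000 divert natd ip from any to any out via xl0
add 1010 allow ip from any to any
EOF
}

# Stage every fragment in a directory for review before copying into /etc.
write_configs() {
    dir="$1"
    mkdir -p "$dir"
    rcconf_bridge > "$dir/rc.conf.bridge"
    rcconf_natd   > "$dir/rc.conf.natd"
    natd_conf     > "$dir/natd.conf"
    ipfw_rules    > "$dir/ipfw.rules"
    ls "$dir"
}

if [ $# -gt 0 ]; then
    write_configs "$1"        # e.g. sh gateway-configs.sh /tmp/stage
else
    rcconf_bridge; echo; rcconf_natd; echo; natd_conf; echo; ipfw_rules
fi
```

Run it with a directory argument to stage the four files, read them, then copy each to its place under /etc. The part worth checking on a real box is the rule order around natd: check-state must sit after the inbound divert and the keep-state rules before the outbound divert, because ipfw records dynamic state with whatever addresses the packet carries at the moment the rule fires.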