Date:      Mon, 16 Oct 2000 16:36:30 -0700
From:      Gregory Sutter <gsutter@zer0.org>
To:        Wes Peters <wes@softweyr.com>
Cc:        Thierry Herbelot <herbelot@cybercable.fr>, hackers@FreeBSD.ORG
Subject:   Re: Routing issues
Message-ID:  <20001016163630.B98214@klapaucius.zer0.org>
In-Reply-To: <39EA0823.D9D353D8@softweyr.com>; from wes@softweyr.com on Sun, Oct 15, 2000 at 01:40:19PM -0600
References:  <20001014233212.H3444@klapaucius.zer0.org> <39E95406.8F1C0717@cybercable.fr> <39EA0823.D9D353D8@softweyr.com>

On 2000-10-15 13:40 -0600, Wes Peters <wes@softweyr.com> wrote:
> Thierry Herbelot wrote:
> > Gregory Sutter wrote:
> > >
> > > I'm setting up a network that looks like this:
> > >
> > > --Internet----Router---Firewall
> > >                           |
> > >                           |               /--- host
> > >                        Switch----NAT-----<----- host
> > >                           |               \----- host
> > >                           |                \----- etc...
> > >                      ---------
> > >                      |       |
> > >                    email     ns
> > >
> > > In other words, a fairly typical small network.  I've got an 8-IP
> > > subnet; all hosts outside the NAT have real IPs:
> > >
> > > router: 1.2.3.193
> > > firewall: 1.2.3.196  fxp0
> > >           1.2.3.197  fxp1
> > > nat:      1.2.3.198
> > > email:    1.2.3.194
> > > ns:       1.2.3.195
> > >
> > > The problem I'm having is with my routing.  Surprise.  Here is
> > > the routing table for the firewall:
> > >
> > > default                 1.2.3.193 fxp0
> > > 1.2.3.193               link#1 fxp0
> > > 1.2.3.192/29            link#2 fxp1
> > > 1.2.3.196               lo0
> > > 1.2.3.197               lo0
> > >
> > > The gateway_enable (net.inet.ip.forwarding) is also enabled on
> > > the firewall.
> > 
> > with a *routing* firewall, like the one you are using, you must have two
> > different IP subnets, one for each physical interface (or else, the
> > kernel will not know which interface to use to send a packet).
> 
> You can handle it by using host routes to the interior computers, but that
> is messy.

The bridging was the key that I was missing.  Turning it on instantly
resulted in a working network with the configuration described above.
The default route, since it's a host route anyway, is entered with 
interface fxp0, and the rest of the 1.2.3.192/29 network is routed
with interface fxp1.  

Destination        Gateway            Flags     Refs     Use     Netif Expire
default            1.2.3.193          UGSc        1   163304     fxp0
127.0.0.1          127.0.0.1          UH          0        0      lo0
1.2.3.192/29       link#2             UCSc        3        0     fxp1 =>
1.2.3.193          0:f:cf:7f:ff:f4    UHLW        1       32     fxp0   1032
1.2.3.196          0:df:f7:f6:1f:f6   UHLW        0      106      lo0
1.2.3.197          0:f:bf:f:df:f1     UHLS        0        2      lo0

net.inet.ip.forwarding: 1
net.link.ether.bridge_cfg: fxp0:1,fxp1:1,
net.link.ether.bridge: 1
net.link.ether.bridge_ipfw: 1

Thanks to all who replied!  

Greg
-- 
Gregory S. Sutter                       "How do I read this file?"
mailto:gsutter@zer0.org                 "You uudecode it."
http://www.zer0.org/~gsutter/           "I I I decode it?"