Date:      Sun, 15 Oct 2000 11:34:31 -0700 (PDT)
From:      Joseph Scott <joseph.scott@owp.csus.edu>
To:        Gregory Sutter <gsutter@zer0.org>
Cc:        hackers@FreeBSD.ORG
Subject:   Re: Routing issues
Message-ID:  <Pine.BSF.4.21.0010151124100.61884-100000@pebkac.owp.csus.edu>
In-Reply-To: <20001014233212.H3444@klapaucius.zer0.org>

On Sat, 14 Oct 2000, Gregory Sutter wrote:

> I'm setting up a network that looks like this:
> 
> 
> --Internet----Router---Firewall
>                           |
>                           |               /--- host
>                        Switch----NAT-----<----- host
>                           |               \----- host
>                           |                \----- etc...
>                      ---------
>                      |       |
>                    email     ns

	When I first looked at this, is there a reason why it isn't
something like this instead:

---Internet---Router---|
                       |
                       |
                    Firewall---Nat (Many Hosts)
                       |
                       |
                       |
                  (Multiple Servers)

You have to have a hub/switch between the firewall and each network (the
NAT and the server).  You end up with a firewall with three nics.  On the
surface what I'd probably do with something like this is actually NAT both
the many hosts and the servers network, but on the servers use a 1:1 IP
mapping (bimap if you are using IPFilter).  The thing that would interest
me is if you could use bridging between the outside firewall nic and the
servers network in conjunction with NAT'ing the many hosts network.  This
is something I've wondered about but never tried.  If it's doable I'm
not sure it would be a good idea.

	Having the three nics would allow you to filter that entire
network based on which nic the traffic is coming from or heading to.


> 
> In other words, a fairly typical small network.  I've got an 8-IP
> subnet; all hosts outside the NAT have real IPs:
> 
> router: 1.2.3.193
> firewall: 1.2.3.196  fxp0
>           1.2.3.197  fxp1
> nat:      1.2.3.198
> email:    1.2.3.194
> ns:       1.2.3.195
> 
> The problem I'm having is with my routing.  Surprise.  Here is
> the routing table for the firewall:
> 
> default			1.2.3.193 fxp0
> 1.2.3.193		link#1 fxp0
> 1.2.3.192/29		link#2 fxp1
> 1.2.3.196		lo0
> 1.2.3.197		lo0
> 
> The gateway_enable (net.inet.ip.forwarding) is also enabled on
> the firewall.
> 
> From the firewall, I can reach any host with no problems.  However,
> from hosts inside the firewall, I cannot reach outside, and vice
> versa.  I feel I must be missing something obvious, but have played
> with routes for hours to no avail.  
> 
> Does anyone see a problem with the routing of this network?
> 
> Greg
> -- 
> Gregory S. Sutter                    Computing is a terminal addiction.
> mailto:gsutter@zer0.org 
> http://www.zer0.org/~gsutter/ 
> PGP DSS public key 0x40AE3052
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message
> 

---
Joseph Scott
joseph.scott@owp.csus.edu
The Office Of Water Programs - CSU Sacramento
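To make the "NAT both networks, 1:1 for the servers" suggestion concrete, here is an added IPFilter ipnat.conf sketch for the three-nic firewall layout described above; it is not part of the original thread. It assumes fxp0 is the outside interface, the servers sit on a private 192.168.1.0/24 behind fxp1, the many-hosts network is 192.168.2.0/24 behind fxp2, and the public addresses are the ones Greg listed.

```conf
# /etc/ipnat.conf  (constructed example for the three-nic firewall)
# Outside interface: fxp0, carrying the public 1.2.3.192/29 from the thread.

# Many-hosts network (assumed 192.168.2.0/24 behind fxp2): hide every host
# behind the single public address 1.2.3.198.  The first rule rewrites
# TCP/UDP ports; the second catches protocols that carry no port (ICMP etc).
map fxp0 192.168.2.0/24 -> 1.2.3.198/32 portmap tcp/udp auto
map fxp0 192.168.2.0/24 -> 1.2.3.198/32

# Servers network (assumed 192.168.1.0/24 behind fxp1): static 1:1 mapping.
# bimap translates in both directions, so inbound connections to the public
# address reach the server and its outbound traffic leaves from that same
# address.  Private server addresses below are assumed.
bimap fxp0 192.168.1.10/32 -> 1.2.3.194/32
bimap fxp0 192.168.1.11/32 -> 1.2.3.195/32
```

The firewall must answer for the mapped public addresses on fxp0 (an interface alias or a proxy ARP entry per address), otherwise the router has no way to deliver packets for 1.2.3.194 and 1.2.3.195 to it. With the servers and the hosts on separate nics, ipf rules can then be written per interface, which is the filtering advantage mentioned above.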