Date: Mon, 19 Nov 2001 17:05:04 -0500
From: Zak Johnson
To: freebsd-questions@freebsd.org
Subject: Complex routing for a firewall
Message-ID: <20011119220504.GA3048@loki.intra>

I am having some trouble setting up routing for my (admittedly strange)
network. I control x.x.165.232/29. My gateway (controlled by my ISP) is
x.x.164.1. My intended setup:

    ISP Gateway (x.x.164.1)
         |
    firewall rl0 (inet x.x.165.233 netmask 255.255.254.0)
    firewall rl1 (inet x.x.165.234 netmask 255.255.255.248)
         |
    servers (inet x.x.165.235-237 netmask 255.255.255.248)

The firewall's rl0 has the odd netmask because otherwise FreeBSD
complains on `route add default x.x.164.1`. Adding the following route
on the firewall allows the firewall to communicate with the servers and
the gateway, and vice-versa:

    route add x.x.165.233/29 -iface rl1 -cloning

But the servers cannot get to the gateway (or even rl0 on the firewall).
Using ipfilter, /etc/ipf.rules says:

    pass in quick all
    pass out quick all

and net.inet.ip.forwarding=1.

What am I missing? Do I need to try to convince my ISP to give me one
IP on the x.x.164.1/24 network for rl0?

Please let me know if I'm leaving out any required information.

-- 
Zak Johnson