Date:      Mon, 8 Mar 2004 13:53:33 -0600
From:      "Micheal Patterson" <micheal@tsgincorporated.com>
To:        "Wayne Pascoe" <freebsd-feb@penguinpowered.org>, <freebsd-questions@freebsd.org>
Subject:   Re: Alias in different subnet on card
Message-ID:  <284001c40547$0af4d190$4df24243@tsgincorporated.com>
References:  <20040308180221.GA19486@marvin.penguinpowered.org>

----- Original Message ----- 
From: "Wayne Pascoe" <freebsd-feb@penguinpowered.org>
To: <freebsd-questions@freebsd.org>
Sent: Monday, March 08, 2004 12:02 PM
Subject: Alias in different subnet on card


> Hi all,
>
> I'm running a firewall at the moment using FreeBSD 5.2.1 and IPFW. I
> have 3 interfaces in the machine.
>
> I need to be able to firewall a 4th range of IP's. I have tried to do
> this by adding an alias to xl1, but this hasn't worked. If I add the
> alias with a mask of 255.255.255.255, no other machine can ping the
> alias. I also see the following in /var/log/messages
> Mar  8 18:02:13 styx-tmp kernel: arplookup 19x.xxx.xxx.196 failed: host
> is not on local network
>
> The primary IP on xl1 is currently 19x.xxx.xxx.1 and the mask on there is
> 255.255.255.128 (/25)
>
> If I add the alias with a mask of 255.255.255.240 (/28) which is the
> correct mask for this subnet, and the mask that all other machines use,
> then I am able to ping this address. However, at this point, no
> forwarding appears to take place for machines using this IP address as
> their default route.
>
> Is there any way to use an alias to do firewalling like this or do I
> have to get another network card? The problem with another network card
> is that will mean a whole new machine as I'm out of slots in this one.
>
> Thanks in advance ?
>
> -- 
> Wayne Pascoe
> Microsoft complaining about the source
> license used by Linux is like the event
> horizon calling the kettle black - adamba on k5


You have 3 networks in a firewall, and since we don't know the full
topology, I'll use these network ranges for my example: 192.168.1.0,
192.168.2.0, and 192.168.3.0. You now want to add a 4th range, let's say,
192.168.4.0.


# /etc/rc.conf: primary address plus one alias per additional subnet
ifconfig_xl1="inet 192.168.1.1 netmask 255.255.255.128"
ifconfig_xl1_alias0="inet 192.168.2.1 netmask 255.255.255.128"
ifconfig_xl1_alias1="inet 192.168.3.1 netmask 255.255.255.128"
ifconfig_xl1_alias2="inet 192.168.4.1 netmask 255.255.255.128"

The only time you would use a netmask of 255.255.255.255 is if the aliased
IP is a member of a subnet that is already assigned on the interface.

# second address inside a subnet xl1 already carries: host mask only
ifconfig_xl1_alias3="inet 192.168.1.2 netmask 255.255.255.255"

Then you will need to add the appropriate firewall rules to allow those
networks to either talk or not talk to the remaining network segments.

It would help to have all of the IP information that you're using and your
current alias maps to see just what's going on. Although I'd guess that the
first problem may be a subnetting issue.

--

Micheal Patterson
TSG Network Administration
405-917-0600

Confidentiality Notice:  This e-mail message, including any attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original
message.
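The rule Micheal states above (a real netmask when the alias opens a new subnet on
the interface, 255.255.255.255 only when the address already falls inside a subnet the
interface carries) is easy to get wrong by hand. The script below is an added example,
not code from this thread or from FreeBSD; it applies that rule to a candidate alias and
prints the matching rc.conf line. The function names and the 192.0.2.0/24 (TEST-NET-1)
addresses are my own constructed stand-ins for the redacted 19x.xxx.xxx addresses in the
original question. It runs in any POSIX sh, including /bin/sh on FreeBSD.

```sh
#!/bin/sh
# Added example (not from the original thread): pick the right netmask for a
# new FreeBSD interface alias and emit the rc.conf line for it.
# All addresses below are constructed from the 192.0.2.0/24 documentation range.

# ip2int DOTTED-QUAD -> unsigned 32-bit value (works for netmasks too)
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet IP1 IP2 NETMASK -> exit 0 if both addresses share the network
same_subnet() {
    m=$(ip2int "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# alias_netmask NEWIP NEWMASK [ADDR MASK]...
# The trailing pairs are the addresses already configured on the interface
# (primary plus earlier aliases).  If NEWIP lies inside one of those subnets
# the kernel already has the route, so the alias takes a host mask; otherwise
# it keeps its own subnet mask so the directly-connected route gets installed
# (a /32 outside every configured subnet is what produces the
# "arplookup ... failed: host is not on local network" message).
alias_netmask() {
    newip=$1; newmask=$2; shift 2
    while [ $# -ge 2 ]; do
        if same_subnet "$newip" "$1" "$2"; then
            echo 255.255.255.255
            return 0
        fi
        shift 2
    done
    echo "$newmask"
}

# rc_alias_line IFACE INDEX NEWIP NEWMASK [ADDR MASK]...  -> one rc.conf line
rc_alias_line() {
    iface=$1; idx=$2; ip=$3; mask=$4; shift 4
    echo "ifconfig_${iface}_alias${idx}=\"inet $ip netmask $(alias_netmask "$ip" "$mask" "$@")\""
}

# Constructed scenario mirroring the thread: xl1 carries 192.0.2.1/25 (hosts
# .0-.127).  The new /28 block containing .196 is not inside that /25, so it
# needs its real mask; a second address in .0-.127 needs only a host mask.
rc_alias_line xl1 0 192.0.2.196 255.255.255.240 192.0.2.1 255.255.255.128
rc_alias_line xl1 1 192.0.2.2   255.255.255.128 192.0.2.1 255.255.255.128
```

Feed every address the interface already has as the trailing ADDR MASK pairs; the check is
only as good as that list. Getting the mask right is what makes the kernel install the
connected route, but it is not the whole story from the original question: hosts that use
the alias as their default gateway still need net.inet.ip.forwarding=1 and ipfw rules
that pass their traffic.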