Date:      Mon, 8 Mar 2004 21:43:57 +0000
From:      Wayne Pascoe <freebsd-feb@penguinpowered.org>
To:        Micheal Patterson <micheal@tsgincorporated.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Alias in different subnet on card
Message-ID:  <20040308214357.GA20398@marvin.penguinpowered.org>
In-Reply-To: <284001c40547$0af4d190$4df24243@tsgincorporated.com>
References:  <20040308180221.GA19486@marvin.penguinpowered.org> <284001c40547$0af4d190$4df24243@tsgincorporated.com>

On Mon, Mar 08, 2004 at 01:53:33PM -0600, Micheal Patterson wrote:
> You have 3 networks in a firewall, and since we don't know the full
> topology, I'll use these network ranges for my example: 192.168.1.0,
> 192.168.2.0, and 192.168.3.0. You now want to add a 4th range, let's say,
> 192.168.4.0.

Sorry about that... Let me be more specific about that... I will use
172.16.1.0 in place of my real IP range though. My real range is a /24
that has been subnetted for various companies that share our building. 

xl0 - Interface that my workstation network connects to and is natted 
      out from

xl1 - Interface that my servers all connect to, from both networks 
      (eventually, I hope :) )

xl2 - Connection to router

xl0 - 192.168.2.1 netmask 255.255.255.0   (/24)
xl1 - 172.16.1.1 netmask 255.255.255.128  (/25)
xl2 - 172.16.1.243 netmask 255.255.255.248 (/29)

I am now trying to add the network
172.16.1.192 netmask 255.255.255.240 (/28) to the firewall. The reserved
router IP address for this range is 172.16.1.193. This is the address I
was trying to add as an alias.

> ipconfig_xl1_alias0="inet 192.168.2.1 netmask 255.255.255.128"

So in my case, the correct line will be
ifconfig_xl1_alias0="inet 172.16.1.193 netmask 255.255.255.240"

This would be my first alias, as all the other networks have their own
card in the firewall... This is a temporary firewall though, and I've
now run out of slots for another network card. In the final
configuration, this network will have its own network card.
 
> The only time you would use a netmask of 255.255.255.255 is if the aliased
> IP is a member of a subnet that is already assigned on the interface.

That's what I thought, but I got stumped when the machine wouldn't
forward packets coming in to this IP.

> Then you will need to add the appropriate firewall rules to allow those
> networks to either talk / no talk to the remaining network segments.

The machines in 172.16.1.192/28 can talk to the machines in
172.16.1.0/25 without any problems, and vice versa. They just don't talk
to machines beyond the firewall / on the internet.

-- 
Wayne Pascoe
I haven't lost my mind... It's backed
up on tape somewhere.
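The netmask rule discussed in this message (a /32 only when the aliased address already sits inside a subnet configured on the interface, otherwise the alias's real mask) is mechanical enough to script. The POSIX sh below is an added example, not code from the thread or from FreeBSD; the function names (ip4_to_int, alias_netmask, pick_alias_netmask, rc_alias_line) are my own, and the addresses are the ones Wayne listed above. It also flags the case neither poster mentions: an alias whose mask is so short that it would swallow an existing subnet.

```sh
#!/bin/sh
# Added example: decide the netmask for an rc.conf alias by checking the
# alias against the subnets already on the box. Pure POSIX sh arithmetic,
# so it runs on FreeBSD /bin/sh as well as dash or bash.

# Dotted quad -> 32-bit integer (e.g. 172.16.1.193 -> 2886730177).
ip4_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Apply the rule from the quoted reply to ONE existing subnet:
#   alias address inside existing subnet  -> 255.255.255.255
#   alias subnet would contain the existing subnet -> error (ambiguous routing)
#   otherwise                              -> the alias's own mask
alias_netmask() { # existing_ip existing_mask alias_ip alias_mask
    e=$(ip4_to_int "$1");  em=$(ip4_to_int "$2")
    a=$(ip4_to_int "$3");  am=$(ip4_to_int "$4")
    if [ $(( a & em )) -eq $(( e & em )) ]; then
        echo 255.255.255.255
    elif [ $(( e & am )) -eq $(( a & am )) ]; then
        echo "error: $3/$4 would swallow the existing subnet $1/$2" >&2
        return 1
    else
        echo "$4"
    fi
}

# Check the alias against every configured subnet (pairs of "ip mask")
# and print the netmask to put in rc.conf; fail on a swallowed subnet.
pick_alias_netmask() { # alias_ip alias_mask [existing_ip existing_mask]...
    aip=$1; amask=$2; shift 2
    result=$amask
    while [ $# -ge 2 ]; do
        m=$(alias_netmask "$1" "$2" "$aip" "$amask") || return 1
        [ "$m" = 255.255.255.255 ] && result=255.255.255.255
        shift 2
    done
    echo "$result"
}

# Emit the rc.conf line for alias number N on interface IFACE.
rc_alias_line() { # iface n alias_ip alias_mask [existing_ip existing_mask]...
    iface=$1; n=$2; aip=$3; amask=$4; shift 4
    mask=$(pick_alias_netmask "$aip" "$amask" "$@") || return 1
    echo "ifconfig_${iface}_alias${n}=\"inet $aip netmask $mask\""
}

# Wayne's layout: xl0 192.168.2.1/24, xl1 172.16.1.1/25, xl2 172.16.1.243/29;
# the new /28 (172.16.1.193) overlaps none of them, so it keeps its /28 mask.
rc_alias_line xl1 0 172.16.1.193 255.255.255.240 \
    192.168.2.1 255.255.255.0 \
    172.16.1.1  255.255.255.128 \
    172.16.1.243 255.255.255.248
```

Run it as-is and it prints the ifconfig_xl1_alias0 line quoted in the message. Note that getting the mask right only makes the firewall a router for 172.16.1.192/28; whether hosts on that subnet reach the internet still depends on the NAT and filter rules, which this script does not touch.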