Date:      Sat, 24 Nov 2007 15:11:51 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Alaor Barroso de Carvalho Neto <alaorneto@gmail.com>
Cc:        Bill Moran <wmoran@potentialtech.com>, freebsd-questions@freebsd.org
Subject:   Re: routing problem
Message-ID:  <Pine.BSF.3.96.1071124132024.2076A-100000@gaia.nimnet.asn.au>
In-Reply-To: <20071123151355.0B21416A4D4@hub.freebsd.org>

On Fri, 23 Nov 2007 12:33:26 -0200
 "Alaor Barroso de Carvalho Neto" <alaorneto@gmail.com> wrote:
 > 2007/11/23, Bill Moran <wmoran@potentialtech.com>:
 > >
 > > "Alaor Barroso de Carvalho Neto" <alaorneto@gmail.com> wrote:

[..]

 > > > > > em0 external world XXX.XXX.XXX.XXX
 > > > > > rl0 adm 192.168.1.80
 > > > > > rl1 acad 192.168.2.90
 > > > > > rl3 database 10.10.0.50
 > > > > >
 > > > > > They are all separated networks. What I want: 192.168.2 should only access
 > > > > > the internet, shouldn't have access to 192.168.1 or 10.10/16.
 > > > > > 192.168.1 should access the internet and
 > > > > > 10.10/16, but shouldn't access the academic network. 10.10/16 should access
 > > > > > only the 192.168.1 network, but it's not a problem if they had access to
 > > > > > internet too.
 > > > > >
 > > > > > How would I set up my rc.conf with my static routes?
 > > > >
 > > > > This is beyond the scope of routing.  You'll need to install a packet
 > > > > filter.  The best at this time is probably pf:

ipfw works fine too for these sorts of network policy separation :)

 > > > Yes, I have IPFILTER installed, but if I wanted everybody to ping
 > > > everybody and then block things in the firewall, isn't it about routes?
 > > > Because neither of my networks is pinging any other right now. By ping
 > > > I mean have access. I thought it would have something to do with setting
 > > > routes. BTW, my ipfilter now just passes everything because I'm building the
 > > > server, but I already have a config file with the blocks that I would apply.
 > >
 > > That's a completely different scenario than the one you described in
 > > your previous message.
 > >
 > > Do you have gateway_enable="YES" in /etc/rc.conf?
 > >
 > > --
 > > Bill Moran
 > > http://www.potentialtech.com

Just to add a couple of points to what Bill's pursuing here:

 > Yeah, I know, I was trying to make it work with only adm and external, but
 > the real scenario I have is this. Yes I have this line, my rc.conf is like
 > this:
 > [...]
 > gateway_enable="yes"
 > defaultrouter="XXX.XXX.XXX.158" (the external ip)
 > ifconfig_em0="inet XXX.XXX.XXX.130 netmask 255.255.255.227"

If that wasn't a typo, this is a non-contiguous netmask.  I suspect you
want 255.255.255.224, assuming the default router is in the same subnet?

Specifying CIDR notation with route and ifconfig can make netmask
fatfingering a bit less likely (e.g. here XXX.XXX.XXX.130/27).

I'm not saying this odd netmask explains your problem, nor that I fully
understand the effect of non-contiguous netmasks, but it's worth fixing.

 > ifconfig_rl0="inet 192.168.1.80 netmask 255.255.255.0"
 > ifconfig_rl1="inet 192.168.2.90 netmask 255.255.255.0"
 > ifconfig_rl2="inet 10.10.0.50 netmask 255.255.0.0"
 > [...]

On which machine/s is NAT translation taking place?  E.g. if 10.10/16 were
allowed access to the internet via here, where would they get NAT'd to
the external IP?

Cheers, Ian
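The non-contiguous netmask Ian flags above (255.255.255.227 vs 255.255.255.224) is easy to catch mechanically. Below is an added example, not code from the thread or from FreeBSD: it parses an rc.conf fragment modelled on the one quoted, checks each netmask is a contiguous run of 1-bits, reports the CIDR form, and checks whether defaultrouter actually falls inside the external interface's subnet. The 192.0.2.0/24 addresses are constructed placeholders standing in for the redacted XXX.XXX.XXX values.

```python
import ipaddress
import re

# Constructed rc.conf fragment modelled on the one quoted in the thread;
# 192.0.2.x (TEST-NET-1) replaces the redacted XXX.XXX.XXX addresses.
RC_CONF = """\
gateway_enable="yes"
defaultrouter="192.0.2.158"
ifconfig_em0="inet 192.0.2.130 netmask 255.255.255.227"
ifconfig_rl0="inet 192.168.1.80 netmask 255.255.255.0"
ifconfig_rl1="inet 192.168.2.90 netmask 255.255.255.0"
ifconfig_rl2="inet 10.10.0.50 netmask 255.255.0.0"
"""

IFCONFIG_RE = re.compile(r'^ifconfig_(\w+)="inet (\S+) netmask (\S+)"')

def netmask_is_contiguous(mask):
    """True if the dotted-quad mask is 1-bits followed only by 0-bits."""
    m = int(ipaddress.IPv4Address(mask))
    inverted = (~m) & 0xFFFFFFFF             # host part: 0...01...1 if valid
    return (inverted & (inverted + 1)) == 0  # no stray 1-bit above a 0-bit

def prefix_len(mask):
    return bin(int(ipaddress.IPv4Address(mask))).count("1")

def check_rc_conf(text):
    """Return {'gateway_enable': bool, 'interfaces': {name: findings}}."""
    router, forwarding, ifaces = None, False, {}
    for line in text.splitlines():
        if line.startswith("gateway_enable="):      # rc.subr checkyesno() values
            forwarding = line.split('"')[1].lower() in ("yes", "true", "on", "1")
        elif line.startswith("defaultrouter="):
            router = ipaddress.IPv4Address(line.split('"')[1])
        m = IFCONFIG_RE.match(line)
        if m:
            ifaces[m.group(1)] = (m.group(2), m.group(3))
    report = {}
    for name, (addr, mask) in ifaces.items():
        entry = {"contiguous": netmask_is_contiguous(mask), "cidr": None,
                 "has_gateway": False}
        if entry["contiguous"]:
            net = ipaddress.IPv4Interface(f"{addr}/{prefix_len(mask)}").network
            entry["cidr"] = f"{addr}/{net.prefixlen}"
            entry["has_gateway"] = router is not None and router in net
        report[name] = entry
    return {"gateway_enable": forwarding, "interfaces": report}

if __name__ == "__main__":
    for name, entry in check_rc_conf(RC_CONF)["interfaces"].items():
        print(name, entry)
```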
