From owner-freebsd-questions Wed Jun 28 21:20:09 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from merlin.prod.itd.earthlink.net (merlin.prod.itd.earthlink.net [207.217.120.156])
	by hub.freebsd.org (Postfix) with ESMTP id B399637BAF9
	for ; Wed, 28 Jun 2000 21:20:04 -0700 (PDT)
	(envelope-from cjc@earthlink.net)
Received: from dialin-client.earthlink.net (pool0753.cvx20-bradley.dialup.earthlink.net [209.179.252.243])
	by merlin.prod.itd.earthlink.net (8.9.3-EL_1_3/8.9.3) with ESMTP id VAA22818;
	Wed, 28 Jun 2000 21:19:56 -0700 (PDT)
Received: (from cjc@localhost)
	by dialin-client.earthlink.net (8.9.3/8.9.3) id VAA00493;
	Wed, 28 Jun 2000 21:18:29 -0700 (PDT)
Date: Wed, 28 Jun 2000 21:16:37 -0700
From: "Crist J. Clark"
To: Rossen Raykov
Cc: FreeBSD-questions@FreeBSD.ORG
Subject: Re: routing problem
Message-ID: <20000628211637.A451@dialin-client.earthlink.net>
Reply-To: cjclark@alum.mit.edu
References: <01a701bfe08c$a8d8d890$4c00000a@sage> <20000627210456.H424@dialin-client.earthlink.net> <042701bfe127$fe1582e0$4c00000a@sage>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <042701bfe127$fe1582e0$4c00000a@sage>; from rraykov@sage-consult.com on Wed, Jun 28, 2000 at 01:40:46PM -0400
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

[Follow-ups re-ordered, line-wrap damage repaired]

On Wed, Jun 28, 2000 at 01:40:46PM -0400, Rossen Raykov wrote:
> ----- Original Message -----
> From:
> To:
> Cc:
> Sent: Wednesday, June 28, 2000 12:04 AM
> Subject: Re: routing problem
>
>
> > On Tue, Jun 27, 2000 at 07:08:52PM -0400, Rossen Raykov wrote:
> > > Hi all!
> > >
> > > I am trying to use FreeBSD as a gateway/firewall.
> > > My network topology is like this one:
> > >
> > >
> > >          ISP 1                     ISP 2
> > >
> > >            ^                         ^
> > >            |                         |
> > >            |                         |
> > >        +-------+                 +--------+
> > >        |  DSL  |                 |  ISDN  |
> > >        +-------+                 +--------+
> > >        IP 1.0.0.1                IP 2.0.0.1
> > >
> > >              \                     /
> > >               \                   /
> > >
> > >        IP 1.0.0.252              IP 2.0.0.2
> > >        MASK 255.255.255.0        MASK 255.255.255.252
> > >        -----------------------------------------
> > >                        FreeBSD Box
> > >        -----------------------------------------
> > >                        IP 2.0.0.252
> > >                        MASK 255.255.255.0
> > >                              |
> > >                              |
> > >        -----------------------------------------
> > >        L A N                              HOST
> > >        NET 2.0.0.0                        2.0.0.129
> > >
> > > I am running FreeBSD 4.0 and the kernel is compiled with the following
> > > options: IPFIREWALL, IPFIREWALL_VERBOSE, IPDIVERT, BRIDGE.
> >
> > Yikes.
> >
> > > In /etc/rc.conf the following options are defined:
> > > firewall_enable="YES"
> > > firewall_type="open"
> > > gateway_enable="YES"
> > > router_enable="YES"
> > > kern_securitylevel_enabled="NO"
> > >
> > > As one can expect after that, the firewall rules are:
> > > allow ip from any to any via lo0
> > > deny ip from any to 127.0.0.0/8
> > > allow ip from any to any
> > > deny ip from any to any
> > >
> > > The routing-related sysctl flags are:
> > > net.inet.ip.forwarding=1
> > > net.inet.ip.redirect=1
> > > net.inet.ip.fw.enable=1
> > > net.inet.ip.fw.one_pass=1
> >
> > Missing,
> >
> > net.link.ether.bridge
> > net.link.ether.bridge_ipfw
> >
> > > I am able to ping all neighbors' interfaces from the BSD box (1.0.0.1, 2.0.0.1
> > > and 2.0.0.129).
> > >
> > > My first problem was that I was not able to ping the 1.0.0.252 and 2.0.0.2
> > > interfaces on the server from the LAN host (2.0.0.129).
> > > After I enabled the BRIDGE option in the kernel that became possible.
> > >
> > > Then a new problem appeared - I cannot ping 1.0.0.1 and 2.0.0.1 from the LAN
> > > host (2.0.0.129).
> > >
> > > All IP addresses that I am using are real (routable) IP addresses.
> > >
> > > Where is my mistake?
> > > Why am I not able to pass through the BSD box?
> > > Are my network masks wrong or am I missing something on the kernel/OS
> > > configuration level?
> >
> > I believe that the problem is that you are trying to mix routing and
> > bridging. You should decide whether the FreeBSD box is going to do one or the
> > other.
> >
> > > I have one more question too.
> > > How do I set up the box to work with 2 or more gateways and to do dynamic
> > > routing?
> > > Can someone give me a URL devoted to this?
> > > Recommendations for gated settings will be appreciated too.
> >
> > OK, it sounds like you want to do routing, then lose the
> > bridging. Actually break up that 2.0.0.0/24 into subnets.
>
> Hi,
>
> First I removed BRIDGING from the kernel (since I wish to do routing ;)
> After that I changed the netmask for the LAN (2.0.0.0) to be 255.255.255.128
> (the netmask for ISP 2 is still 255.255.255.252).
> Finally I disabled ipfw using:
> sysctl -w net.inet.ip.fw.enable=0
> to simplify the configuration.
>
> As a result, on the BSD box I am able to ping 1.0.0.1, 2.0.0.1 and 2.0.0.129.
> From 2.0.0.129 I am able to ping 2.0.0.252, 2.0.0.2 and 1.0.0.252, but still
> I am not able to ping either 1.0.0.1 or 2.0.0.1.
> The default gateway on 2.0.0.129 is set to 2.0.0.252. Why then is my
> routing/forwarding not working?!
> It has to be simple, but it seems I am missing something important and I
> cannot find it...
>
> Any suggestions?

I assume you still have net.inet.ip.forwarding=1.

Sounds like one of two things: either the FreeBSD router is not
forwarding and the pings never make it to the targets, 1.0.0.1 and
2.0.0.1, OR they get there but never come back, which means the trouble
is at the router, or it could be a problem at the targets.

Do a tcpdump(8) on the interface with 1.0.0.252 and see if the pings
are coming out. Then see if the replies head back. Narrow down where
the problem is.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
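The narrowing-down procedure suggested above, worked through as an added example that is not part of the original thread: capture ICMP on both sides of the router while the LAN host pings a target, then read the two captures to see on which leg the packets disappear. The interface names, the two tcpdump output formats the parser accepts (the tcpdump 3.x style FreeBSD 4.0 shipped, and the later "IP ... ICMP echo request, id ..." style), and the capture lines embedded below are all assumptions constructed for the example, not data from the thread.

```python
"""Locate where an ICMP echo exchange through a router is lost, from tcpdump output.

Assumed procedure (interface names are placeholders, not from the thread):
on the FreeBSD box, run one capture per side while the LAN host pings,

    tcpdump -n -i <lan-if> icmp and host 2.0.0.129
    tcpdump -n -i <wan-if> icmp and host 2.0.0.129

then feed both outputs to diagnose(). Accepted line shapes (assumed):
    21:16:37.123456 2.0.0.129 > 1.0.0.1: icmp: echo request
    21:16:37.123456 IP 2.0.0.129 > 1.0.0.1: ICMP echo request, id 1, seq 1, length 64
"""
import re
from typing import List, Tuple

# Matches ICMP echo request/reply lines in either tcpdump format; other traffic
# (ARP, TCP, other ICMP types) simply does not match and is ignored.
ICMP_ECHO = re.compile(
    r"^\S+\s+(?:IP\s+)?(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\s+(?:icmp:\s+|ICMP\s+)echo\s+(?P<kind>request|reply)"
)


def parse_echo_lines(capture: str) -> List[Tuple[str, str, str]]:
    """Return (src, dst, kind) for every echo request/reply line in a capture."""
    found = []
    for line in capture.splitlines():
        m = ICMP_ECHO.match(line.strip())
        if m:
            found.append((m.group("src"), m.group("dst"), m.group("kind")))
    return found


def diagnose(lan_capture: str, wan_capture: str, lan_host: str, target: str) -> str:
    """Decide on which leg of the round trip the ping was lost.

    Returns one of:
      "no-request-on-lan"   host's request never reached the router's LAN interface
      "not-forwarded"       request seen on the LAN side but never left the WAN side
                            (the router is not forwarding it)
      "no-reply"            request left the WAN side, nothing came back
                            (target, or the path back to the LAN prefix)
      "reply-not-forwarded" reply arrived on the WAN side but never left the LAN side
      "ok"                  full round trip visible on both interfaces
    """
    lan = parse_echo_lines(lan_capture)
    wan = parse_echo_lines(wan_capture)
    request = (lan_host, target, "request")
    reply = (target, lan_host, "reply")
    if request not in lan:
        return "no-request-on-lan"
    if request not in wan:
        return "not-forwarded"
    if reply not in wan:
        return "no-reply"
    if reply not in lan:
        return "reply-not-forwarded"
    return "ok"


# Constructed captures (not real data). Scenario: the request does leave the
# 1.0.0.252 side of the router, but 1.0.0.1 never answers. The ARP line is noise
# that the parser must skip.
LAN_CAPTURE = """\
21:16:37.100000 arp who-has 2.0.0.252 tell 2.0.0.129
21:16:37.100200 2.0.0.129 > 1.0.0.1: icmp: echo request
21:16:38.100200 2.0.0.129 > 1.0.0.1: icmp: echo request
"""
WAN_CAPTURE = """\
21:16:37.100700 2.0.0.129 > 1.0.0.1: icmp: echo request
21:16:38.100700 2.0.0.129 > 1.0.0.1: icmp: echo request
"""

if __name__ == "__main__":
    print(diagnose(LAN_CAPTURE, WAN_CAPTURE, "2.0.0.129", "1.0.0.1"))
```

The four non-"ok" answers map onto the two cases in the reply above: "not-forwarded" and "reply-not-forwarded" point at the router (check net.inet.ip.forwarding and the routing table on the box), while "no-reply" means the request was handed upstream with the LAN host's source address and the router has nothing more to say; the next question is then whether the target, or the network behind it, has a route back to the LAN prefix at all, which is the "problem at the targets" case. Use -n on the captures so tcpdump does not stall on reverse DNS lookups while you watch.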