Date: Wed, 10 Oct 2001 14:47:16 -0400
From: "John Holstein, IS"
To: freebsd-questions@freebsd.org
Cc: cjclark@alum.mit.edu
Subject: Re: gateway and multiple subnets round II
In-Reply-To: <20011009232857.D387@blossom.cjclark.org>

At 11:28 PM 10/9/2001 -0700, you wrote:
>On Tue, Oct 09, 2001 at 02:43:53PM -0400, John Holstein, IS wrote:
> > I am setting up a test firewall where I want to pass multiple subnets from
> > ed0 to the internet connection on ed1.
> >
> > For instance:
> >
> > 192.168.0.x ----->
> > 192.168.1.x ----->
> >                    -----> ed0 FREEBSD BOX ed1 -------> internet
> > 192.9.200.x ----->
> > 192.9.205.x ----->
> >
> > What is the best way to go about this, without the use of a designated
> > gateway on each subnet?
> >
> > Set the subnet mask of ed0 to 0.0.0.0?
> >
> > I don't need to alias the gateway addresses of all the subnets; the subnets
> > in question are not looking for a particular out... they are being routed
> > from a cisco router, looking at ed0 to be the out, but the old box that was
> > in place, a Cisco Pix, was passing everything.....
>
>So, are you saying the real picture is,
>
> 192.168.0.x -----}
> 192.168.1.x -----}
>                   }--Cisco Router--|ed0 FreeBSD GW ed1|---- internet
> 192.9.200.x -----}
> 192.9.205.x -----}

This is exactly what I need to do.

>If that's the case, you just need to add the routes on the FreeBSD
>gateway,
>
> # route add net 192.168.0.0 
> # route add net 192.168.1.0 
> # route add net 192.168.200.0 
> # route add net 192.168.205.0 
>
>Where is the IP address of the router's interface on
>the network with the FreeBSD box's ed0.
>
>To load these at boot, put something like,
>
> static_routes="0 1 200 205"
> route_0="net 192.168.0.0 "
> route_1="net 192.168.0.0 "
> route_200="net 192.168.200.0 "
> route_205="net 192.168.205.0 "
>
>In rc.conf(5).
>--
>Crist J. Clark cjclark@alum.mit.edu
> cjclark@jhu.edu
> cjc@freebsd.org

I think I am missing something. I have done the above, completely, including
adding the routes to rc.conf, but if I sit a box on _any_ subnet other than
192.9.200 (the same subnet as ed0), I cannot get out. In fact, prior to
setting the route, if I were behind the cisco router on 192.9.200, I could get
out from there, but if I were on any other I couldn't. Now, if I am behind
the cisco router, I cannot get out at all. If I am on a box on the 192.9.200
subnet, connected to a hub/switch directly in line with ed0 on the freebsd
box, I can get out; any other subnet listed, I cannot.

First I would like to get the test box to work, no matter which of the
subnets listed I am on, then add the box inline with the cisco router... so
let's leave the router out of the equation for the time being....

I want to take a 192.x.x.x subnet and route it across a FreeBSD Firewall
configured box, with ed0 at 192.9.200.254, and make it out to the net:

Test Box 192.9.205.200 ------> hub ------> ed0 192.9.200.254 FreeBSD Firewall ed1 xxx.xxx.xx.1 -------> router --------> internet

Doing this, I would need to add the single route to the FreeBSD box:

static_routes="205"
route_0="net 192.9.205.0 192.9.205.200"

The 192.9.205.200 as added in the route_0 would allow anything coming from
.200 to pass, and anything coming back into the freebsd box with an
originating return IP within the 9.205.x subnet would be routed back across
9.205.200, correct?

That being the case, and all things are considered to be entered properly,
what would be the cause of lost packets or not being able to bounce 9.205.x
across ed0 to ed1?

John Holstein
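A way to check rc.conf(5) static_routes entries like the ones discussed in this thread before rebooting, as an added example that is not part of the thread: it flags a name in static_routes with no matching route_<name> variable, and a gateway that is not on the network ed0 is directly connected to (a route(8) add with such a gateway is rejected as unreachable). The functions, the constructed sample fragment and the assumption that ed0 sits on 192.9.200.0/24 are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: sanity-check the static_routes
# entries of an rc.conf(5) fragment before they are loaded at boot.
# Assumes ed0's directly connected network is passed as NETWORK PREFIXLEN.
# ip_to_int A.B.C.D -> the address as an unsigned 32-bit integer
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
# in_subnet IP NETWORK PREFIXLEN -> status 0 when IP lies in NETWORK/PREFIXLEN
in_subnet() {
    mask=$(( 4294967296 - (1 << (32 - $3)) ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# check_routes FILE NETWORK PREFIXLEN
# Every name in static_routes needs a matching route_<name> whose gateway is
# on the connected network; otherwise route(8) refuses the route with
# "Network is unreachable". Prints the route command or a diagnostic and
# returns the number of problems found.
check_routes() {
    file=$1; localnet=$2; plen=$3; problems=0
    for n in $(sed -n 's/^static_routes="\(.*\)"/\1/p' "$file"); do
        spec=$(sed -n "s/^route_$n=\"\(.*\)\"/\1/p" "$file")
        set -- $spec                      # e.g. net 192.9.205.0 192.9.200.1
        if [ $# -lt 3 ]; then
            echo "route_$n: missing or incomplete although listed in static_routes"
            problems=$((problems + 1)); continue
        fi
        if in_subnet "$3" "$localnet" "$plen"; then
            echo "route add $spec"
        else
            echo "route_$n: gateway $3 is not on $localnet/$plen; route would be unreachable"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# Constructed sample: route_205 names the test box itself as gateway, which is
# off ed0's 192.9.200.0/24; route_1 points at a router on that network.
write_sample() {
    cat > "$1" <<'EOF'
static_routes="205 1"
route_205="net 192.9.205.0 192.9.205.200"
route_1="net 192.168.1.0 192.9.200.1"
EOF
}
f=$(mktemp); write_sample "$f"; check_routes "$f" 192.9.200.0 24 || echo "$? problem(s)"; rm -f "$f"
```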