From: swear@blarg.net (Gary W. Swearingen)
To: Jamie Norwood
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: 127/8 continued
Date: 26 Sep 2001 15:20:14 -0700
In-Reply-To: <20010926134253.A65444@mushhaven.net>
References: <20010924094048.X5906-100000@coredump.scriptkiddie.org> <3BB0A0A2.6CCC454B@chrisland.net> <20010926103827.S37693@buffoon.automagic.org> <20010926133747.Y37693@buffoon.automagic.org> <20010926134253.A65444@mushhaven.net>

Jamie Norwood writes:

> On Wed, Sep 26, 2001 at 01:37:48PM -0400, Joe Abley wrote:
> >
> > If you'd like to describe in as simple terms as possible what you're
> > trying to achieve, I'd be happy to work through it with you. Maybe
> > off-list, unless you think there is some general issue that needs
> > publicising.
>
> I'd be interested in keeping in on this, I am curious as to the
> situation and how it is being handled. I do networking for a living,
> so love being in on odd things.
Two gluttons for punishment, I guess. I don't want to take the time right now to rerun tests so I can accurately explain the problems I have had, and I don't want to waste your kindly-offered time further with any more general discussion at this time. (I want to get a web site back on line at its new non-ISP domain after my ISP shut down, etc.) But here's the basic situation if you'd care to suggest something for me to experiment with later:

My firewall talks to a DSL router, a DMZ server, and a workstation over three network segments (crossover 10BaseT) - no hubs or switches. I've got a /29 subnet so there's one address for each of the six host interfaces, should they be needed. I don't want to do NAT because I don't see the need for it (and it's problematical and I'm headstrong).

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

That's it, but rambling on...

I considered doing a bridging firewall so all segments could be on one (sub)network, but meagerness of documentation discouraged an attempt.

AFAIK, to do "correct" networking, my three network segments separated by a routing firewall require three separate networks, while my ISP-assigned subnet supports only two sub-subnets.

I also tried setting it all up on 10.x addresses with public IPs aliased on the server and workstation; I might have just messed up. Should that work?

I currently have addresses assigned like this:

    a.b.c.0   subnetwork (ISP-assigned)
    a.b.c.1   DSL router (ISP-assigned; not sure why I couldn't choose)
    a.b.c.2   firewall's workstation interface
    a.b.c.3   workstation
    a.b.c.4   firewall's server interface
    a.b.c.5   server
    a.b.c.6   firewall's DSL router interface
    a.b.c.7   subnetwork broadcast (ISP-assigned)

The following is the only thing I've blundered upon which works on the workstation (and server). (It's considerably worse on the firewall.)
    $ netstat -nr
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    127.0.0.1          127.0.0.1          UH          0      334    lo0

    $ ifconfig xl0 a.b.c.3/29        [IIRC, /30 works too; 31 or 32 don't]

    $ netstat -nr
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            a.b.c.2            UGSc        0        0    xl0
    127.0.0.1          127.0.0.1          UH          0      334    lo0
    a.b.c.0/29         link#2             UC          1        0    xl0 =>

At which point I can ping the firewall but no further. I wish it didn't auto-add the route, but, oh well; it makes some sense.

Then I delete the subnet route and add one for a.b.c.2/31. Using "route add a.b.c.2/31 -interface xl0" gives:

    a.b.c.2/31         link#2             UCSc        0        0    xl0 =>

which routes as desired. (Using "route add a.b.c.2 -interface xl0" gives:

    a.b.c.2                               UHLS        0        0    lo0

which is hardly what I want and doesn't route as desired.)

Unfortunately, doing "ifconfig xl0 down; go fishing; ifconfig xl0 up" puts back the a.b.c.0/29 route, breaking my routing.

If I start with:

    ifconfig xl0 a.b.c.2/31

I get from netstat:

    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            a.b.c.2            UGSc        0        0    xl0
    127.0.0.1          127.0.0.1          UH          0      334    lo0
    a.b.c.2/31         link#2             UC          1        0    xl0 =>

which looks pretty good (except Flags), but doesn't ping past the firewall.

Thanks again for your interest.
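To make the address arithmetic in the post concrete, here is an added example (not code from the thread) that models the /29 plan with Python's ipaddress module: it shows why a /29 yields only two /30 sub-subnets, and which hosts land on the same link (the route ifconfig adds) for a given prefix length. 192.0.2.0/29 is a constructed stand-in for the ISP-assigned a.b.c.0/29, and pairing .6 with .1 as the DSL segment is an assumption drawn from the address table.

```python
import ipaddress

# Constructed stand-in for the post's a.b.c.0/29 (RFC 5737 documentation range).
SUBNET = ipaddress.ip_network("192.0.2.0/29")

# Address plan from the post: host offset inside the /29 -> role.
PLAN = {
    0: "subnetwork address",
    1: "DSL router",
    2: "firewall, workstation interface",
    3: "workstation",
    4: "firewall, server interface",
    5: "server",
    6: "firewall, DSL router interface",
    7: "subnetwork broadcast",
}

# Assumed segment pairing (firewall interface, peer) based on the address table.
SEGMENTS = {"workstation": (2, 3), "server": (4, 5), "dsl": (6, 1)}


def host(offset):
    """Address at the given offset inside SUBNET."""
    return SUBNET.network_address + offset


def sub_subnets(new_prefix):
    """The sub-subnets of the given prefix length that fit inside the /29."""
    return [str(n) for n in SUBNET.subnets(new_prefix=new_prefix)]


def onlink_peers(offset, prefixlen):
    """Offsets of other plan entries that share the link when host `offset`
    is configured with /prefixlen, i.e. what the auto-added route covers."""
    iface = ipaddress.ip_interface(f"{host(offset)}/{prefixlen}")
    return [o for o in PLAN if o != offset and host(o) in iface.network]


def segments_onlink(prefixlen):
    """For each segment, whether both ends are on-link at this prefix length."""
    return {name: b in onlink_peers(a, prefixlen) for name, (a, b) in SEGMENTS.items()}


if __name__ == "__main__":
    print("/30 sub-subnets:", sub_subnets(30))  # two of them
    print("/31 sub-subnets:", sub_subnets(31))  # four of them
    print("workstation .3/29 sees:", onlink_peers(3, 29))
    print("workstation .3/31 sees:", onlink_peers(3, 31))
    for plen in (29, 30, 31):
        print(f"/{plen} segments on-link:", segments_onlink(plen))
```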