From owner-freebsd-net@freebsd.org Tue Sep 15 19:10:56 2020
Date: Tue, 15 Sep 2020 12:10:52 -0700
From: John-Mark Gurney
To: Abelenda Diego
Cc: kaycee gb, freebsd-net@freebsd.org
Subject: Re: IP "routing" issue
Message-ID: <20200915191052.GN4213@funkthat.com>
References: <20200909164254.5e7e3891@debian> <20200910185400.593a8ce2@debian>
In-Reply-To: <20200910185400.593a8ce2@debian>
List-Id: Networking and TCP/IP with FreeBSD

Abelenda Diego wrote this message on Thu, Sep 10, 2020 at 18:54 +0200:
> Hello,
> 
> Thank you for pointing route "-iface" however I can't seem to manage what I
> want.
> 
> When I use:
> "route add -host $IP_NOT_IN_SUBNET -iface bce0"
> 
> I get "netstat -rn" to say something like:
> 
> Internet:
> Destination          Gateway                Flags   Netif Expire
> default              $UPSTREAM_GW           UGS     bce0
> 10.0.0.1             link#7                 UHS     lo0
> $IP_NO_IN_SUBNET     $MAC_ADDRESS_OF_BCE0   UHS     bce0
> 
> 
> Which seems somehow appropriate, so I try to ping $IP_NOT_IN_SUBNET and I get:
> 
> root@opnsense2:~ # ping $IP_NOT_IN_SUBNET
> PING $IP_NOT_IN_SUBNET ($IP_NOT_IN_SUBNET): 56 data bytes
> 36 bytes from $UPSTREAM_GW: Redirect Host(New addr: $PUBLIC_IP_OF_BCE0).
> 
> Which doesn't seem appropriate at all wrt the routing table...
> 
> Did I use "route add" wrong?
> 
> Also I want to keep the setup simple, going through private IPs on the public
> VLAN of the datacenter might get me in trouble with them, and using other
> VLANs for that will be a pain.

Can you provide a diagram of the network layout, and where the configuration
needs to go?

Because if it's just the opnsense box that needs the IP addresses, adding them
as an alias to bce is enough to make it work.

If you're trying to do something else, like have boxes behind the opnsense box
have those IP addresses, then:
route add $IP_NO_IN_SUBNET $IP_OF_BOX_WITH_IP_NO_IN_SUBNET

would just work.

I just noticed the 10.0.0.1 IP on lo0, and that's a bit odd to have...

> On Wed, 9 Sep 2020 17:35:45 +0200
> kaycee gb wrote:
> 
> > On Wed, 9 Sep 2020 16:42:54 +0200,
> > Abelenda Diego wrote:
> > 
> > > Hello,
> > > 
> > > I've got a FreeBSD installation in a DataCenter that provided me with a
> > > single address IPv4 with an upstream gateway (cidr is fine, the upstream
> > > gateway works, everything is nice and running). I use this machine for
> > > Masquerading a private infrastructure.
> > > 
> > > Now I need other machines with public IPv4 and when I requested the
> > > additional IPv4 to the DataCenter, they gave me a bunch of /32 addresses
> > > saying that my previous IPv4 MUST be configured as next-hop on their side.
> > > From my understanding in FreeBSD the route command is unable to perform this
> > > kind of configuration where you tell that the IPv4 /32 is available without
> > > next-hop (no via) on a specific link. I know the linux "ip route add $IP dev
> > > $LINK" configures this, but I cannot seem to map this knowledge to FreeBSD.
> > > 
> > > Is it possible to perform this very special setup with any command on
> > > FreeBSD? If yes, what is that command?
> > > 
> > > Best regards,
> > > Diego Abelenda
> > 
> > Hi,
> > 
> > Do the other machines have a private address? Is it a problem if they have
> > one?
> > If it is possible, you can route via this private address on your FreeBSD
> > installation to the new one and assign a public /32 to the last.
> > 
> > Alternatively to doing routing like above, if you have a firewall enabled on
> > the first machine, you can do address forwarding between the first and the
> > new one.
> > 
> > And last, maybe with something like -iface from "route" you can achieve what
> > you want.

-- 
John-Mark Gurney                              Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
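As an added example that is not part of the thread or of FreeBSD/OPNsense, a small sh script that parses `netstat -rn` text for the route shape Diego showed (a host route whose gateway is a MAC address rather than an IPv4 next-hop) and prints the two fixes John-Mark suggests. The routing table sample, the documentation addresses and the INNER_BOX_IP placeholder are constructed.

```sh
#!/bin/sh
# Added example, not code from the thread: flag IPv4 host routes in
# `netstat -rn` output whose Gateway column is a link-layer address (a MAC
# or link#N) instead of an IPv4 next-hop. That is what "route add -host $IP
# -iface bce0" produced in the thread, after which the upstream gateway
# answered pings with an ICMP host redirect.

# Constructed sample (documentation addresses) laid out like the thread's
# netstat -rn; 203.0.113.10 mimics the -iface route, 203.0.113.11 the
# host route via an inner box that the reply recommends.
SAMPLE_NETSTAT='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            198.51.100.1       UGS       bce0
10.0.0.1           link#7             UHS       lo0
203.0.113.10       00:11:22:33:44:55  UHS       bce0
203.0.113.11       10.0.0.2           UGHS      bce0'

# Reads netstat -rn text on stdin; prints "destination gateway netif" for
# each host route (flag H) whose gateway is not a dotted-quad IPv4 address.
# Routes via lo0 are the box's own addresses and are skipped.
link_gw_host_routes() {
    awk '
        /^Internet6:/ { exit }                  # IPv4 section only
        NF < 4 || $1 == "Destination" { next }  # headers and blank lines
        $4 == "lo0" { next }
        $3 ~ /H/ && $2 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1, $2, $4 }
    '
}

# For a flagged /32 ($1) on interface $2: the alias form when only this box
# uses the address, or a host route via the inner box ($3, supplied by the
# caller) when a machine behind the router should own it.
suggest_fix() {
    printf 'ifconfig %s alias %s netmask 255.255.255.255\n' "$2" "$1"
    printf 'route add -host %s %s\n' "$1" "$3"
}

# Report on the constructed sample; INNER_BOX_IP is a placeholder.
printf '%s\n' "$SAMPLE_NETSTAT" | link_gw_host_routes | while read -r dst gw ifn; do
    echo "host route $dst via link address $gw on $ifn; consider one of:"
    suggest_fix "$dst" "$ifn" "INNER_BOX_IP"
done
```

Feed real output with `netstat -rn | link_gw_host_routes` once the functions are sourced.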