From: Nick Rogness
Date: Sun, 20 Jan 2002 12:59:54 -0600 (CST)
To: Allen Landsidel
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: multihomed routing woes..
In-Reply-To: <5.1.0.14.0.20020120013959.00aaaff8@rfnj.org>

On Sun, 20 Jan 2002, Allen Landsidel wrote:

> [please reply off-list.. not subscribed.]
>
> Ok.. for several hours I've been banging my head against the
> proverbial brick wall, trying to resolve an issue that's been a
> nuisance for some time.
>
> To start from the beginning.. my network looks like this :
>
> [LAN] <--> [firewall] <--> [router] <--> [internet]
>
> The lan side has a public /28 block.

Why does the lan have a public block?

> The firewall has one address from that block on the interior
> interface, and an address in the 10/8 block on the exterior. The
> router has an address on the 10/8 block on the interior, the ISP
> assigned address on the WAN interface, and a static route to the
> firewall 10/8 for my IP block.
>
> The problem is simple : All outgoing traffic that *originates* on the
> firewall attempts to use the 10/8 address. I'm looking for some easy
> way to force it to use its internal address for traffic destined to
> go out the exterior interface, but so far to no avail.

The real problem here is that you are running publics on your inside.
Why are you doing this and not using static nat for this? If you have
a good reason, then maybe running nat on the router or getting another
/30 for your BSD<-->Router would help out. You could also rip out nat
but it would be a mess.

> My brain can't seem to think of a way to do this via route, and natd +
> my current stateful IPFW appears to be a no-go.. searching the lists
> and usenet have turned up others with the same problems, but no real
> solutions using these tools. Apparently my only options are:
>
> 1) ditch the stateful ipfw configuration in favor of a simple
> 'established' rule (ick)

That might help while you are debugging.

> 2) (maybe?) switch to ipf/ipnat.

This will gain you nothing...probably make things worse.

> 3) Set up a proxy on one of the internal machines and have the firewall
> go through that to get out (ick)

No.

> 4) Probably other silly hacks like 1,3 that are no more elegant.

Nick Rogness - Don't mind me...I'm just sniffing your packets