From owner-freebsd-net Fri Mar 19 12:43:59 1999
Delivered-To: freebsd-net@freebsd.org
Received: from tenor.codegen.com (tenor.CodeGen.COM [207.44.182.19])
	by hub.freebsd.org (Postfix) with ESMTP id 4E80E14D86
	for ; Fri, 19 Mar 1999 12:43:57 -0800 (PST)
	(envelope-from tjm@codegen.com)
Received: from tenor.codegen.com (tjm@localhost.CodeGen.COM [127.0.0.1])
	by tenor.codegen.com (8.8.7/8.8.7) with ESMTP id MAA05519
	for ; Fri, 19 Mar 1999 12:43:38 -0800 (PST)
	(envelope-from tjm@tenor.codegen.com)
Message-Id: <199903192043.MAA05519@tenor.codegen.com>
To: net@freebsd.org
Subject: Firewall configuration problem
Organization: CodeGen, Inc., San Francisco, CA
Date: Fri, 19 Mar 1999 12:43:37 -0800
From: "Thomas J. Merritt"
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm configuring a firewall and have run into a bit of a configuration
problem. The network map looks as follows.

[ASCII network diagram, garbled in extraction. Labelled elements: inside LAN,
outside LAN, DSL modem, Firewall with interfaces fxp1 (xx.xx.xx.225) and
fxp0 (xx.xx.xx.230/29), Inside Host (xx.xx.xx.226/29).]

The interfaces on the firewall machine are configured as follows.

fxp0: flags=8943 mtu 1500
	inet xx.xx.xx.230 netmask 0xfffffff8 broadcast xx.xx.xx.231
fxp1: flags=8943 mtu 1500
	inet xx.xx.xx.225 netmask 0xffffff00 broadcast xx.xx.xx.255

Packet forwarding is enabled.

$ sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 1

On the inside, if I ping an outside machine, I can see the packet route to
the firewall and then route out the DSL link. The ping reply comes back but
doesn't make it to the firewall since there is no ARP response to the
who-has query. To attempt to fix the above problem I added a proxy ARP
entry on the firewall for xx.xx.xx.226.
$ arp -s xx.xx.xx.226 auto pub

With this entry the firewall will respond on the outside interface to the
who-has query and the packet will be received on fxp0. The problem at this
point is that the packet gets sent back out fxp0 rather than out fxp1 to
the .226 machine.

Anyone have any recommendations on how to make this configuration work?

On previous firewall setups that I have done, the inside subnet has been
completely routed by the ISP's router to the outside interface. In the DSL
case, though, the subnet is just a chunk of addresses on the outside
interface without any routing. It seems like this is going to be an
increasingly common configuration problem with the advent of DSL and cable
modems.

Any help would be greatly appreciated,

TJ Merritt
tjm@codegen.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
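Why the reply goes back out fxp0, shown as an added illustration that is not part of the post and not FreeBSD code: the script below is a stand-alone longest-prefix-match model of the firewall's route table as implied by the two ifconfig lines in the mail. fxp0's address xx.xx.xx.230 with netmask 0xfffffff8 gives the kernel a connected route for xx.xx.xx.224/29, which covers .226 and is more specific than the xx.xx.xx.0/24 connected route on fxp1, so .226 resolves to fxp0 until a more specific route exists. The block uses the constructed 192.0.2.0/24 (TEST-NET-1) in place of xx.xx.xx.0, and the /32 host route it adds (on FreeBSD, something like `route add -host xx.xx.xx.226 -iface fxp1`) is an assumed remedy to try, not one the thread confirms.

```shell
#!/bin/sh
# Added illustration (not from the mailing-list post): a longest-prefix-match
# route lookup over the connected routes implied by the firewall's ifconfig
# output, showing why a packet for the .226 host leaves fxp0 instead of fxp1.
# 192.0.2.0/24 (TEST-NET-1) is a constructed stand-in for the xx.xx.xx.0 block.

# Connected routes derived from the interface configuration in the post:
#   fxp0  192.0.2.230 netmask 0xfffffff8  ->  192.0.2.224/29 via fxp0
#   fxp1  192.0.2.225 netmask 0xffffff00  ->  192.0.2.0/24   via fxp1
ROUTES_BEFORE='192.0.2.224/29 fxp0
192.0.2.0/24 fxp1'

# The same table with a /32 host route pinning the inside host to fxp1.
# On FreeBSD that would be roughly "route add -host xx.xx.xx.226 -iface fxp1";
# this is an assumed remedy to try, not something the post confirms.
ROUTES_AFTER='192.0.2.226/32 fxp1
192.0.2.224/29 fxp0
192.0.2.0/24 fxp1'

# ip2int A.B.C.D -> unsigned 32-bit integer
ip2int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_mask LEN -> netmask for a /LEN prefix as a 32-bit integer
prefix_mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# lookup TABLE DST -> interface chosen for DST (longest matching prefix wins),
# or the empty string when no route matches.
lookup() {
    dst=$(ip2int "$2")
    best_len=-1
    best_if=''
    while read -r prefix ifname; do
        [ -n "$prefix" ] || continue
        net=$(ip2int "${prefix%/*}")
        len=${prefix#*/}
        mask=$(prefix_mask "$len")
        if [ $(( dst & mask )) -eq $(( net & mask )) ] && [ "$len" -gt "$best_len" ]; then
            best_len=$len
            best_if=$ifname
        fi
    done <<EOF
$1
EOF
    echo "$best_if"
}

# Demonstration: the inside host before and after the host route, plus an
# address that really does live on the outside /29.
echo "before host route: 192.0.2.226 -> $(lookup "$ROUTES_BEFORE" 192.0.2.226)"  # fxp0: /29 on fxp0 beats /24 on fxp1
echo "after  host route: 192.0.2.226 -> $(lookup "$ROUTES_AFTER" 192.0.2.226)"   # fxp1: the /32 is now most specific
echo "outside host:      192.0.2.229 -> $(lookup "$ROUTES_AFTER" 192.0.2.229)"   # fxp0: still reached via the /29
```

On the real box the same conflict is visible in `netstat -rn`: the xx.xx.xx.224/29 entry on fxp0 wins over the xx.xx.xx.0/24 entry on fxp1 for every address in the /29, including the inside host. The published ARP entry only makes the firewall answer for .226 on the wire; it does not change which interface the forwarding path selects, which is why a per-host (or otherwise more specific) route toward fxp1 is the piece to experiment with.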