Date: Sun, 4 Feb 2001 08:28:29 -0800
From: "DINKEY,GENE (HP-Loveland,ex1)" <gene_dinkey@hp.com>
To: "'Mark B. Withers'" <mwithers@one.net>, Robert Hough <rch@solveinteractive.com>
Cc: freebsd-questions <freebsd-questions@FreeBSD.ORG>
Subject: RE: Internal gateway/firewall
Message-ID: <F341E03C8ED6D311805E00902761278C531560@xfc04.fc.hp.com>
> -----Original Message-----
> From: Mark B. Withers [mailto:mwithers@one.net]
> Sent: Sunday, February 04, 2001 8:42 AM
> To: Robert Hough
> Cc: freebsd-questions
> Subject: Internal gateway/firewall
>
>
> Robert,
>
> Thanks for your reply.
>
> I did some experimenting last night with the two interfaces (had them
> both plugged into a hub) and found that indeed each interface
> responds independently when called upon by its ip address.
>
> This is good news.
>
> I am attempting to configure my FreeBSD box as a firewall/gateway. I
> have 2 ISA 3-com 509 nics.
>
> The first device ep0 is connected to my DSL "router/modem" and I want
> my second interface (ep1) to be connected to my internal lan which
> consists of one Win95 machine and the FreeBSD machine ("Foobar").
>
> Here is an equivalent scheme of what it looks like (ips have been
> altered to protect the innocent as well):
>
> Also note, ep0 is configured through DHCP
>
> DSL router/modem = 10.255.23.161
> ep0 = 10.255.23.164
> netmask = 255.255.255.248
> broadcast = 10.255.23.167
> windows machine = 10.255.23.162 (same netmask and broadcast as ep0)
>
> Proposed ip scheme for ep1:
>
> ep1 = 192.0.0.1
> subnetmask 255.255.255.248 (thought there was no need for more than 8)
> broadcast 192.0.0.7
>
> Whenever I configure and bring ep1 up, I receive the following error
> message (ip's changed to match above example):
>
> The bottom line of this posted error messages is that I don't yet know
> how to manually configure my routing table nor do I currently know how
> to configure /etc/rc.conf for this yet. I need to recompile the
> kernel first. Any information you can provide as far as routing goes
> to the diagram at the bottom (Network Diagram) would be helpful.
>
> I just included this information for reference in case it is needed.
>
> Feb 3 19:00:51 foobar /kernel: arp: 10.255.23.161 is on ep0 but got
> reply from ** mac address of dsl router/modem ** on ep1
>
> ** ip address belongs to the router/modem and the mac address also, but
> the system somehow ties or links it to device ep0 and states that the
> reply is from ep1 **
>
> Feb 3 19:05:21 foobar /kernel: arp: 10.255.23.162 is on ep0 but got
> reply from ** mac address from windows machine ** on ep1
>
> ** ip address belongs to windows machine. somehow links to ep0 and
> gets reply from (mac address of windows machine) on ep1. **
>
> Feb 3 19:05:21 foobar /kernel: arp: 10.255.23.161 is on ep0 but got
> reply from ** mac address of dsl router/modem ** on ep1
>
> ** IP address is from windows machine on ep0, but got reply from mac
> address of windows machine on ep1 **
>
> Feb 3 19:09:23 foobar /kernel: arp: 10.255.23.164 is on lo0 but got
> reply from ** mac address for ep0 ** on ep1
>
> ** here we have the ip address for ep0 along with the mac address for
> ep0, but the kernel called it "ep1" at the end of the line ?? **
>
> Feb 3 19:09:23 foobar /kernel: arp: 10.255.23.161 is on ep0 but got
> reply from ** mac address of dsl router/modem ?? ** on ep1
>
> ** here we have the ip address of the dsl router/modem saying it's on
> ep0 but received a reply from the mac address of the dsl router/modem.
> **
>
> Here is the output of ipconfig -a on my system:
>
> lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
> ep0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> inet 10.255.23.164 netmask 0xfffffff8 broadcast 10.255.23.167
> ether ** mac address of ep0 **
> media: 10baseT/UTP
> supported media: 10baseT/UTP
> ep1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> inet 192.0.0.1 netmask 0xfffffff8 broadcast 192.0.0.7
> ether ** mac address of ep1 **
> media: 10baseT/UTP
> supported media: 10base2/BNC 10baseT/UTP
>
> Here is the output from netstat :
>
> Routing tables
>
> Internet:
> Destination Gateway Flags Netif Expire
> default 10.255.23.161 UGSc ep0
> 10.255.23.160/29 link#2 UC ep0 =>
> 10.255.23.161 *router mac addr* UHLW ep0 1198
> 10.255.23.164 *mac of ep0* UHLW lo0
> 127.0.0.1 127.0.0.1 UH lo0
>
> ** I omitted ipv6 info here. **
>
> That's about all the info I can give. I've saved this information as a
> reference so that I can further analyse it.
>
> Everything's not hooked up correctly right now so I am not surprised
> that it's behaving strangely.
>
> I wish to have the following format:
>
> (Network Diagram)
>
> DSL router/Modem
> |
> ep0
> |
> Foobar --> FreeBSD machine w/2 ISA nics
> |
> ep1 --> Would bridging be necessary to separate this?
> |
> Hub
> |
> Windows machine
>
> I'll probably have to reset the ip address configuration/routing
> information on the windows box after I figure out my new kernel
> configuration. Recompiling the kernel is necessary for this.
I can't see in here if you've looked at natd, but that's what you want to do
for what you're asking.
Just take a look at the man page, it has steps for setting everything up.
If you follow those you will have a basic configuration running in no
time...
It's a matter of choice but for my internal network I went with 10. since a)
it's reserved for internal use, and, b) it happened to be used in the natd
setup guide :). It's also very easy to remember...
Good luck - it's not too hard and the man page should set you on the right
path.
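An added example, not part of either message in this thread: a small Python script that reads the "arp: X is on ep0 but got reply from ... on ep1" kernel warnings quoted above and shows what they mean. Every reply for an address expected on ep0 arriving on ep1 is the signature of both NICs sitting on the same hub (one broadcast domain), which is what the experiment described in the post did; the same pattern, seen after the NICs are cabled to separate segments, would mean some host is answering ARP for an address it should not own. The script goes one step beyond the post and also checks the proposed inside/outside address plan the way one would before enabling natd: no overlap between the two subnets, inside range taken from RFC 1918 space (10/8, 172.16/12, 192.168/16, the point Gene makes about using 10.), and the Windows machine renumbered into ep1's subnet. The log lines are constructed from the redacted ones in the post with made-up MAC addresses; the function names are this example's own.

```python
"""Interpret FreeBSD 'arp: ... is on ifA but got reply from ... on ifB'
warnings and sanity-check a two-NIC NAT gateway address plan.
Added example; not code from the thread."""
import ipaddress
import re
from collections import Counter

# Constructed sample of the /kernel lines quoted in the post; the post
# redacted the MAC addresses, so these are invented.
SAMPLE_LOG = """\
Feb 3 19:00:51 foobar /kernel: arp: 10.255.23.161 is on ep0 but got reply from 00:00:0c:11:22:33 on ep1
Feb 3 19:05:21 foobar /kernel: arp: 10.255.23.162 is on ep0 but got reply from 00:a0:24:44:55:66 on ep1
Feb 3 19:05:21 foobar /kernel: arp: 10.255.23.161 is on ep0 but got reply from 00:00:0c:11:22:33 on ep1
Feb 3 19:09:23 foobar /kernel: arp: 10.255.23.164 is on lo0 but got reply from 00:a0:24:77:88:99 on ep1
Feb 3 19:09:23 foobar /kernel: arp: 10.255.23.161 is on ep0 but got reply from 00:00:0c:11:22:33 on ep1
Feb 3 19:10:02 foobar /kernel: unrelated message, ignored by the parser
"""

ARP_RE = re.compile(
    r"arp: (?P<ip>\d+\.\d+\.\d+\.\d+) is on (?P<expected>\w+) "
    r"but got reply from (?P<mac>[0-9a-f:]{17}) on (?P<actual>\w+)"
)

# The private ranges from RFC 1918; 192.0.0.0/29 as proposed in the post is
# not among them.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_arp_warnings(log):
    """Return one dict (ip, expected, mac, actual) per ARP warning line."""
    events = []
    for line in log.splitlines():
        m = ARP_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def cross_interface_pairs(events):
    """Count (expected interface, interface the reply came in on) pairs.
    A pile of hits for one pair means those two NICs share a broadcast
    domain, or a host on the 'actual' side is answering for addresses
    that belong on the 'expected' side."""
    return Counter((e["expected"], e["actual"]) for e in events)


def shared_segment(events, ifa, ifb):
    """True if ARP replies crossed between ifa and ifb in either direction."""
    seen = {(e["expected"], e["actual"]) for e in events}
    return (ifa, ifb) in seen or (ifb, ifa) in seen


def check_plan(outside, inside, inside_hosts):
    """Check an outside (ep0) / inside (ep1) address plan for a NAT gateway.
    outside and inside are 'addr/prefix' strings; inside_hosts are the
    addresses that should end up behind ep1. Returns a list of problems."""
    problems = []
    out_net = ipaddress.ip_interface(outside).network
    in_if = ipaddress.ip_interface(inside)
    in_net = in_if.network
    if out_net.overlaps(in_net):
        problems.append(f"inside {in_net} overlaps outside {out_net}")
    if not any(in_net.subnet_of(p) for p in RFC1918):
        problems.append(f"inside {in_net} is not RFC 1918 space")
    for h in inside_hosts:
        if ipaddress.ip_address(h) not in in_net:
            problems.append(f"host {h} is not in {in_net}; renumber it and "
                            f"point its default route at {in_if.ip}")
    return problems


if __name__ == "__main__":
    ev = parse_arp_warnings(SAMPLE_LOG)
    for pair, n in cross_interface_pairs(ev).items():
        print(f"{n} replies expected on {pair[0]} arrived on {pair[1]}")
    print("ep0 and ep1 on one segment:", shared_segment(ev, "ep0", "ep1"))
    for p in check_plan("10.255.23.164/29", "192.0.0.1/29", ["10.255.23.162"]):
        print("plan problem:", p)
    print("10/8 plan problems:",
          check_plan("10.255.23.164/29", "10.0.0.1/29", ["10.0.0.2"]))
```

Run it as-is and the plan from the post yields two findings (192.0.0.0/29 is not RFC 1918, and the Windows box still has an ep0-side address); the alternative plan with ep1 on 10.0.0.1/29 and the Windows machine on 10.0.0.2 passes cleanly. The ARP summary is worth keeping around after the cabling is fixed: with ep0 and ep1 on separate segments, the same warning should no longer appear at all, and if it does it points at the host whose MAC is in the message.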
