From owner-freebsd-questions Tue Mar 18 9:10:29 2003
Date: Tue, 18 Mar 2003 09:10:22 -0800
From: Dean
To: freebsd-questions@freebsd.org
Subject: Best practice for bridge/nat
Message-ID: <20030318091021.B26823@sr2-unwk-13.sfbay.sun.com>
User-Agent: Mutt/1.2.5i

Hello Questions,

Please cc me in replies.

I have a small network setup at home that I would like to protect with a
single machine. I have broken up my networks into a dmz and a private 10/8
net. In the past I used a single picoBSD bridging firewall between the
Internet and my dmz and a separate machine for NAT'ing my 10/8 network.
All of this worked quite well, but I would like to cut down on the number
of machines I manage and lower my power requirements.
I set up a single -STABLE machine with four NICs to handle this task. With
this setup I am seeing a loss of connectivity that I think is attributable
to arp movements on my firewall. Here is a graphic of my single firewall
solution:

                  __________________
                 ( Big bad Internet )
                  __________________
                          |
                          |
                          | bridged rl0
                 +---------------------------+
                 |                           | rl3 10.0.0.254
                 |    tfz (my firewall)      |---------------- Home Net --------+
                 |                           |
                 +---------------------------+
                    |          |
                   rl1        rl2 bridged xx.xx.59.160
                    |          |
                    |          |
                    |          |
                    +------- DMZ ----------+

Clear enough? Is this a good idea? Things usually work fine, but once in a
while my connection hangs for many minutes. I suspect some arp mishaps and
would like to straighten them out. At the very least, I would like to stop
the mac address migration and log-filling messages. I see the following
messages in my logs (and related messages in the logs of machines in the
DMZ):

Mar 18 08:39:42 <0.3> tfz /kernel: arp: 00:90:47:00:b3:62 is using my IP address xx.xx.59.160!
Mar 18 08:39:42 <0.3> tfz /kernel: arp: 00:90:47:00:98:ac is using my IP address xx.xx.59.160!

The two mac addresses in question here are different interfaces on tfz.

tfz:/root# ifconfig -a
rl0: flags=8943 mtu 1500
        ether 00:90:47:00:98:e8
        media: Ethernet autoselect (10baseT/UTP)
        status: active
rl1: flags=8943 mtu 1500
        ether 00:90:47:00:98:ac
        media: Ethernet autoselect (100baseTX )
        status: active
rl2: flags=8843 mtu 1500
        inet xx.xx.59.160 netmask 0xffffff00 broadcast 64.81.59.255
        ether 00:90:47:00:b3:62
        media: Ethernet autoselect (100baseTX )
        status: active
rl3: flags=8843 mtu 1500
        inet 10.0.0.254 netmask 0xffffff00 broadcast 10.0.0.255
        inet 10.0.0.253 netmask 0xffffffff broadcast 10.0.0.253
        ether 00:90:47:00:98:ca
        media: Ethernet autoselect (100baseTX )
        status: active

My ipfw rules are currently open. I understand that ipfw does not touch
arp. I added 350 and 375 hoping that the rules would fix the problem.
00050 divert 8668 ip from any to any via rl2
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00350 deny log ip from xx.xx.59.160 to any out xmit rl1
00375 deny log ip from any to 64.81.59.160 in recv rl1
65000 allow ip from any to any
65535 deny ip from any to any

Natd is running on the correct interface:

tfz:/root# p natd
root    78   1  Ss   0.0  0.4  ??   7:32.33 /sbin/natd -f /etc/natd.conf -n rl2

I also notice that I am running a -PRERELEASE. Should I make world again?

tfz:/home/brundage-> uname -a
FreeBSD tfz 4.8-PRERELEASE FreeBSD 4.8-PRERELEASE #1: Wed Feb 19 14:31:50 PST 2003     root@pookah.3llamas.com:/usr/obj/usr/src/sys/TFZ  i386

Thank you for the help.

--Dean - Unscrambler of eggs
--
Quality Web Hosting     http://www.3llamas.com     Take your time, take your chances
--------------------------------------------------------------------------------
It matters not how strait the gate / How charged with punishment the scroll
I am the master of my fate / I am the captain of my soul.
    -- Invictus -- -- William E Henley --
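An added example, not part of Dean's post, for the triage step his log lines call for. The kernel's "arp: <mac> is using my IP address <ip>!" message covers two very different situations: the claimed MAC is one of the box's own interfaces (which is what the post shows, and points at topology, the host hearing its own frames again on another port) or the MAC belongs to some other host, which is a real address conflict or ARP spoofing and should be chased as an incident rather than a configuration problem. The script below splits the messages into those two classes by matching the reported MAC against the host's own "ether" lines. The log and ifconfig text are constructed inline to stand in for /var/log/messages and `ifconfig -a`; the MACs and the xx.xx.59.160 address are copied from the post, and the 00:0a:0b:0c:0d:0e host is invented to exercise the FOREIGN branch. The regex also accepts the later FreeBSD form of the message that appends "on <interface>".

```shell
#!/bin/sh
# Added example (not from the post): classify the kernel's
#   arp: <mac> is using my IP address <ip>!
# messages as LOCAL (mac belongs to one of this host's own interfaces)
# or FOREIGN (some other station claims our address).

# Constructed sample log; the first two lines copy the post, the third
# (00:0a:0b:0c:0d:0e) is invented, the fourth is unrelated noise.
SAMPLE_LOG='Mar 18 08:39:42 <0.3> tfz /kernel: arp: 00:90:47:00:b3:62 is using my IP address xx.xx.59.160!
Mar 18 08:39:42 <0.3> tfz /kernel: arp: 00:90:47:00:98:ac is using my IP address xx.xx.59.160!
Mar 18 08:41:10 <0.3> tfz /kernel: arp: 00:0a:0b:0c:0d:0e is using my IP address xx.xx.59.160!
Mar 18 08:41:11 <0.3> tfz sshd[211]: Accepted publickey for brundage from 10.0.0.10'

# Constructed stand-in for `ifconfig -a`, trimmed to the lines that matter.
SAMPLE_IFCONFIG='rl0: flags=8943 mtu 1500
        ether 00:90:47:00:98:e8
rl1: flags=8943 mtu 1500
        ether 00:90:47:00:98:ac
rl2: flags=8843 mtu 1500
        inet xx.xx.59.160 netmask 0xffffff00 broadcast 64.81.59.255
        ether 00:90:47:00:b3:62
rl3: flags=8843 mtu 1500
        inet 10.0.0.254 netmask 0xffffff00 broadcast 10.0.0.255
        ether 00:90:47:00:98:ca'

# own_macs IFCONFIG_TEXT: print "<mac> <iface>" for every ether line,
# remembering the interface name from the most recent "rlN:" header.
own_macs() {
    printf '%s\n' "$1" | awk '
        /^[a-z]+[0-9]+:/ { iface = $1; sub(/:$/, "", iface) }
        $1 == "ether"    { print tolower($2), iface }'
}

# classify_arp LOG_TEXT IFCONFIG_TEXT: one output line per conflict message,
#   "<mac> <ip> LOCAL <iface>"  or  "<mac> <ip> FOREIGN"
# The own-MAC table is fed through the same pipe, tagged "MAC", so that a
# single awk pass can look each log line up against it.
classify_arp() {
    {
        own_macs "$2" | sed 's/^/MAC /'
        printf '%s\n' "$1"
    } | awk '
        $1 == "MAC" { own[$2] = $3; next }
        # match() as a pattern: true when the line carries the arp complaint
        match($0, /arp: [0-9a-fA-F:]+ is using my IP address [^ !]+( on [^ !]+)?!/) {
            split(substr($0, RSTART, RLENGTH), f, " ")
            mac = tolower(f[2])
            ip  = f[8]; sub(/!$/, "", ip)      # strip the trailing "!" in the old form
            if (mac in own) print mac, ip, "LOCAL", own[mac]
            else            print mac, ip, "FOREIGN"
        }'
}

# foreign_count LOG_TEXT IFCONFIG_TEXT: number of claims by stations that are
# not this host; anything above zero deserves a look at the wire, not ipfw.
foreign_count() {
    classify_arp "$1" "$2" | awk '$3 == "FOREIGN" { c++ } END { print c + 0 }'
}

classify_arp "$SAMPLE_LOG" "$SAMPLE_IFCONFIG"
echo "foreign claimants: $(foreign_count "$SAMPLE_LOG" "$SAMPLE_IFCONFIG")"
```

On the firewall itself the same functions take the real text: `classify_arp "$(cat /var/log/messages)" "$(ifconfig -a)"`. LOCAL lines name which of the box's own ports the kernel heard the address from, which is the first thing to know when deciding whether a bridge is leaking frames back to the host; FOREIGN lines are the ones worth alerting on.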