Date:      Tue, 18 Mar 2003 09:10:22 -0800
From:      Dean <dean@deanandadie.net>
To:        freebsd-questions@freebsd.org
Subject:   Best practice for bridge/nat
Message-ID:  <20030318091021.B26823@sr2-unwk-13.sfbay.sun.com>

Hello Questions,
	Please cc me in replies.
	I have a small network setup at home that I would like to protect with
a single machine.  I have broken up my networks into a dmz and private 10/8 net.
In the past I used a single picoBSD bridging firewall between the Internet and
my dmz and a separate machine for NAT'ing my 10/8 network.  All of this worked
quite well, but I would like to cut down on the number of machines I manage and
lower my power requirements.  I set up a single -STABLE machine with four NICs
to handle this task.  With this setup I am seeing a loss of connectivity that I
think is attributed to arp movements on my firewall.  Here is a graphic of my
single firewall solution:

 __________________
( Big bad Internet )
 __________________
         |
         |
         |
      bridged
        rl0
         |
   +---------------------------+
   |                           | rl3  10.0.0.254
   |  tfz (my firewall)        |---------------- Home Net --------+
   |                           |
   +---------------------------+
         |             |
        rl1           rl2
      bridged     xx.xx.59.160
         |             |
         |             |
         |             |
     +------- DMZ ----------+

Clear enough?  Is this a good idea?

Things usually work fine, but once in a while my connection hangs for many
minutes.  I suspect some arp mishaps and would like to straighten them out.  At
the very least, I would like to stop the mac address migration and log-filling
messages.

I see the following messages in my logs (and related messages in the logs of
machines in the DMZ):

Mar 18 08:39:42 <0.3> tfz /kernel: arp: 00:90:47:00:b3:62 is using my IP address xx.xx.59.160!
Mar 18 08:39:42 <0.3> tfz /kernel: arp: 00:90:47:00:98:ac is using my IP address xx.xx.59.160!

The two mac addresses in question here are different interfaces on tfz.

tfz:/root# ifconfig -a
rl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        ether 00:90:47:00:98:e8
        media: Ethernet autoselect (10baseT/UTP)
        status: active
rl1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        ether 00:90:47:00:98:ac
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet xx.xx.59.160 netmask 0xffffff00 broadcast 64.81.59.255
        ether 00:90:47:00:b3:62
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.0.0.254 netmask 0xffffff00 broadcast 10.0.0.255
        inet 10.0.0.253 netmask 0xffffffff broadcast 10.0.0.253
        ether 00:90:47:00:98:ca
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

My ipfw rules are currently open.  I understand that ipfw does not touch arp.
I added 350 and 375 hoping that the rules would fix the problem.

00050 divert 8668 ip from any to any via rl2
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00350 deny log ip from xx.xx.59.160 to any out xmit rl1
00375 deny log ip from any to 64.81.59.160 in recv rl1
65000 allow ip from any to any
65535 deny ip from any to any

Natd is running on the correct interface.

tfz:/root# p natd
root        78     1 Ss    0.0  0.4 ??         7:32.33 /sbin/natd -f /etc/natd.conf -n rl2


I also notice that I am running a -PRERELEASE.  Should I make world again?

tfz:/home/brundage-> uname -a
FreeBSD tfz 4.8-PRERELEASE FreeBSD 4.8-PRERELEASE #1: Wed Feb 19 14:31:50 PST 2003     root@pookah.3llamas.com:/usr/obj/usr/src/sys/TFZ  i386


Thank you for the help.

--Dean - Unscrambler of eggs
--
Quality Web Hosting http://www.3llamas.com
Take your time, take your chances
--------------------------------------------------------------------------------
It matters not how strait the gate / How charged with punishment the scroll
I am the master of my fate / I am the captain of my soul.    -- Invictus --
                                                          -- William E Henley --

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
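The kernel messages and the ifconfig output quoted in the post are enough to tell a self-inflicted ARP conflict (a bridged firewall hearing its own replies come back through another of its interfaces) from a genuinely foreign station answering for the address, which is the case worth alarming on. The following Python script is an added example written for this page, not code from the post or from FreeBSD. It parses the quoted ifconfig -a and syslog lines (the address stays redacted as xx.xx.59.160, exactly as posted; the third log line with MAC 00:11:22:33:44:55 is constructed to show the foreign case) and labels each conflict by whether the offending MAC belongs to one of tfz's own interfaces.

```python
import re

# Constructed sample input: the ifconfig -a output quoted in the post,
# trimmed to the lines this parser reads (the address is redacted as in the post).
IFCONFIG_OUTPUT = """\
rl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        ether 00:90:47:00:98:e8
rl1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        ether 00:90:47:00:98:ac
rl2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet xx.xx.59.160 netmask 0xffffff00 broadcast 64.81.59.255
        ether 00:90:47:00:b3:62
rl3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.0.0.254 netmask 0xffffff00 broadcast 10.0.0.255
        inet 10.0.0.253 netmask 0xffffffff broadcast 10.0.0.253
        ether 00:90:47:00:98:ca
"""

# Constructed sample log: the two kernel lines from the post plus one made-up
# line (MAC 00:11:22:33:44:55) that does NOT belong to any local interface.
LOG_LINES = [
    "Mar 18 08:39:42 <0.3> tfz /kernel: arp: 00:90:47:00:b3:62 is using my IP address xx.xx.59.160!",
    "Mar 18 08:39:42 <0.3> tfz /kernel: arp: 00:90:47:00:98:ac is using my IP address xx.xx.59.160!",
    "Mar 18 08:40:01 <0.3> tfz /kernel: arp: 00:11:22:33:44:55 is using my IP address xx.xx.59.160!",
]

IFACE_RE = re.compile(r"^(\w+): flags=")
ETHER_RE = re.compile(r"^\s+ether ([0-9a-fA-F:]{17})\b")
INET_RE = re.compile(r"^\s+inet (\S+) netmask")
ARP_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?arp: ([0-9a-fA-F:]{17}) is using my IP address (\S+)!"
)


def parse_ifconfig(text):
    """Map interface name -> {'ether': mac, 'inet': [addresses]} from ifconfig -a output."""
    ifaces = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            ifaces[current] = {"ether": None, "inet": []}
            continue
        if current is None:
            continue
        m = ETHER_RE.match(line)
        if m:
            ifaces[current]["ether"] = m.group(1).lower()
            continue
        m = INET_RE.match(line)
        if m:
            ifaces[current]["inet"].append(m.group(1))
    return ifaces


def parse_arp_conflicts(lines):
    """Extract (timestamp, mac, ip) from 'arp: X is using my IP address Y!' kernel lines."""
    out = []
    for line in lines:
        m = ARP_RE.match(line)
        if m:
            out.append((m.group(1), m.group(2).lower(), m.group(3)))
    return out


def classify_conflicts(conflicts, ifaces):
    """Label a conflict 'self' when the offending MAC is one of this host's own
    interfaces (the host hears its own ARP traffic back through the bridge) and
    'foreign' when some other station is answering for the address."""
    mac_to_iface = {v["ether"]: name for name, v in ifaces.items() if v["ether"]}
    report = []
    for ts, mac, ip in conflicts:
        iface = mac_to_iface.get(mac)
        report.append({
            "time": ts,
            "mac": mac,
            "ip": ip,
            "kind": "self" if iface else "foreign",
            "iface": iface,
        })
    return report


def summarize(report):
    """Count conflicts by kind; a non-zero 'foreign' count deserves a closer look."""
    counts = {"self": 0, "foreign": 0}
    for r in report:
        counts[r["kind"]] += 1
    return counts


if __name__ == "__main__":
    report = classify_conflicts(parse_arp_conflicts(LOG_LINES), parse_ifconfig(IFCONFIG_OUTPUT))
    for r in report:
        where = f"local interface {r['iface']}" if r["iface"] else "not a local interface"
        print(f"{r['time']}  {r['mac']}  claims {r['ip']}  [{r['kind']}: {where}]")
    print(summarize(report))
```

Run against the posted lines, the two real messages come out as "self" (rl2 and rl1, the NAT interface and one bridged leg), which matches Dean's own observation that both MACs are interfaces on tfz; only the constructed third line is reported as "foreign". Feeding the script real `ifconfig -a` output and a `grep 'is using my IP' /var/log/messages` stream is the obvious way to use it.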