Date:      Thu, 30 May 2002 00:40:14 +0200
From:      "Chris Knipe" <savage@savage.za.org>
To:        <freebsd-isp@freebsd.org>
Subject:   Re: Firewall Setup
Message-ID:  <008401c20762$e40ad5e0$0101a8c0@megalan.co.za>
References:  <Pine.BSF.4.21.0205291657050.295-100000@park.rambler.ru> <005201c20714$220071b0$04ef10ac@wireless> <009201c20736$1b604e80$0101a8c0@megalan.co.za> <001201c2074f$c3076dd0$04ef10ac@wireless>

> ----- Original Message -----
> From: "Chris Knipe" <savage@savage.za.org>
> To: "Max" <max@ecotech.com.lr>; <freebsd-isp@freebsd.org>
> Sent: Wednesday, May 29, 2002 5:25 PM
> Subject: Re: Firewall Setup
>
>
> > > My network has other routers, hardware and software. I want just a few
> > > machines to use this new router instead of the whole network, so that even
> > > if a client sets this router as his default gateway, he will not be able
> > > to access the Internet!
> >
> > Isn't this more of a static-routing option rather than a firewall?  A
> > firewall will block the packets, meaning that the clients which use the
> > "wrong" router, will have *no* internet access, rather than be directed
> > towards the right router.
> >
> > You can most probably redirect the packets from one firewall to another,
> > but that's limited to a per-port basis.  I think the simplest solution would
> > just be to re-route certain data from the "wrong" router to the "right"
> > router.
> >
> > route add <network> <mask> <gateway>   if I'm not mistaken.
> >
> > So, if you have 10.0.0.0/255.0.0.0 and want 10.0.1.0/24 to be assigned
> > to router 1, on your router 2 you'll add a static route for that network,
> > routing it back to router 1.
> >
> In my terms, here's what I am looking at:
> I have  172.16.239.0/24 and I would like only  172.16.239.104/29 to access
> this router
>
> In your terms, what would that look like?


I'm going to presume that Router 1 is on 172.16.239.1 and Router 2 on
172.16.239.105.
The default gateway (next hop) of Router 1 is x.x.x.x, and the default
gateway (next hop) of Router 2 is y.y.y.y.



Router 1 (default that everyone uses) - You have a normal default gateway,
just as on any other router:

route add 0.0.0.0 0.0.0.0 x.x.x.x


Router 2 (only allowed for 172.16.239.104/29) - The default route points back
into your network; the additional subnet route points to the "gateway":

route add 172.16.239.104 255.255.255.248 y.y.y.y
route add 0.0.0.0 0.0.0.0 172.16.239.1
  --OR--
route add 0.0.0.0 0.0.0.0 x.x.x.x


I have not tested this; I don't have the resources to.  In theory something
like this should work, however.  Play around with it and read some fine
manuals; it is very possible.  I've done something very similar on FreeBSD
before, re-routing a network via two different Internet connections
(redundancy type of scenario)....

Some things to keep in mind:
- Dynamic routing (such as routed, or BGP, RIP, etc) *WILL* break this, so
I'd recommend not doing this if you already use any form of dynamic routing.
- IP forwarding and that kind of thing are obviously required.
- On Router 2, it is also essential (under Linux it is, I don't know if
FreeBSD behaves in the same way) that the subnet's route (172.16.239.104/29)
comes BEFORE your default route.


--
me




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
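The thread's other option, raised earlier, is to block rather than reroute: Router 2 refuses to forward for any source outside 172.16.239.104/29, so a host elsewhere in 172.16.239.0/24 that picks Router 2 as its gateway gets no Internet access. The script below is an added example, not code from the original message; it implements the source-subnet check in POSIX sh (dotted-quad to integer, prefix length to netmask) and prints an ipfw ruleset for Router 2 that allows the /29 both ways and denies the rest of the /24. The rule numbers, the choice of ipfw, and the sample host list are assumptions for illustration; the static routes from the message are left as the author wrote them.

```shell
#!/bin/sh
# Added example, not from the original message: decide which LAN hosts may use
# Router 2 (only 172.16.239.104/29) and emit a matching ipfw ruleset.
# Rule numbers and the use of ipfw are assumptions for illustration.

ALLOWED_NET=172.16.239.104
ALLOWED_LEN=29
LAN_NET=172.16.239.0
LAN_LEN=24

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
  set -- $(echo "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip N -> A.B.C.D
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix_mask LEN (1..32) -> integer netmask; 4294967295 is 0xFFFFFFFF
prefix_mask() {
  echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# netmask_dotted LEN -> e.g. 255.255.255.248 for /29
netmask_dotted() {
  int2ip "$(prefix_mask "$1")"
}

# in_subnet IP NET LEN -> exit status 0 if IP lies inside NET/LEN
in_subnet() {
  ip=$(ip2int "$1"); net=$(ip2int "$2"); m=$(prefix_mask "$3")
  [ $(( ip & m )) -eq $(( net & m )) ]
}

# may_use_router2 IP -> prints "allow" or "deny"
may_use_router2() {
  if in_subnet "$1" "$ALLOWED_NET" "$ALLOWED_LEN"; then echo allow; else echo deny; fi
}

# ipfw_rules -> ruleset for Router 2: the /29 is forwarded, the rest of the
# /24 is dropped, everything else (the router's own upstream traffic) passes.
ipfw_rules() {
  cat <<EOF
ipfw add 100 allow ip from $ALLOWED_NET/$ALLOWED_LEN to any
ipfw add 110 allow ip from any to $ALLOWED_NET/$ALLOWED_LEN
ipfw add 200 deny ip from $LAN_NET/$LAN_LEN to any
ipfw add 210 deny ip from any to $LAN_NET/$LAN_LEN
ipfw add 65000 allow ip from any to any
EOF
}

# Constructed sample hosts: the gateway itself (.1), the edges of the /29
# (.104 and .111) and the hosts just outside it (.103 and .112).
for h in 172.16.239.1 172.16.239.103 172.16.239.104 172.16.239.105 \
         172.16.239.111 172.16.239.112; do
  echo "$h -> $(may_use_router2 "$h")"
done
echo "netmask for /$ALLOWED_LEN: $(netmask_dotted "$ALLOWED_LEN")"
ipfw_rules
```

Router 2's own address, 172.16.239.105, sits inside the /29, so rules 100 and 110 also cover its own traffic; the deny rules only ever match the other 248 addresses of the /24. The script prints the rules rather than applying them so it can be reviewed before being fed to ipfw on the router.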



