From owner-freebsd-isp Wed May 29 15:49:22 2002
Delivered-To: freebsd-isp@freebsd.org
Message-ID: <008401c20762$e40ad5e0$0101a8c0@megalan.co.za>
From: "Chris Knipe"
References: <005201c20714$220071b0$04ef10ac@wireless> <009201c20736$1b604e80$0101a8c0@megalan.co.za> <001201c2074f$c3076dd0$04ef10ac@wireless>
Subject: Re: Firewall Setup
Date: Thu, 30 May 2002 00:40:14 +0200

> ----- Original Message -----
> From: "Chris Knipe"
> To: "Max" ;
> Sent: Wednesday, May 29, 2002 5:25 PM
> Subject: Re: Firewall Setup
>
>
> > > My network has other routers, hardware and software. I want just a few
> > > machines to use this new router instead of the whole network, so that
> > > even if a client sets this router as his default gateway, he will not
> > > be able to access the Internet!
> >
> > Isn't this more of a static-routing option rather than a firewall? A
> > firewall will block the packets, meaning that the clients which use the
> > "wrong" router will have *no* internet access, rather than be directed
> > towards the right router.
> >
> > You can most probably redirect the packets from one firewall to another,
> > but that's limited to a per-port basis. I think the simplest solution
> > would just be to re-route certain data from the "wrong" router to the
> > "right" router.
> >
> > route add, if I'm not mistaken.
> >
> > So, if you have 10.0.0.0/255.0.0.0 and want 10.0.1.0/24 to be assigned to
> > router 1, on your router 2 you'll add a static route for that network,
> > routing it back to router 1.
>
> In my terms, here's what I am looking at:
> I have 172.16.239.0/24 and I would like only 172.16.239.104/29 to access
> this router.
>
> In your terms, what would that look like?

I'm going to presume that Router 1 is on 172.16.239.1 and Router 2 on
172.16.239.105. The default gateway (next hop) of Router 1 is x.x.x.x, and
the default gateway (next hop) of Router 2 is y.y.y.y.

Router 1 (default that everyone uses) - you have a normal default gateway,
just as on any other router:

    route add 0.0.0.0 0.0.0.0 x.x.x.x

Router 2 (only allowed for 172.16.239.104/29) - the default route routes
back into your network, and the additional subnet route points to the
"gateway":

    route add 172.16.239.104 255.255.255.248 y.y.y.y
    route add 0.0.0.0 0.0.0.0 172.16.239.1

--OR--

    route add 0.0.0.0 0.0.0.0 x.x.x.x

I have not tested this, I don't have the resources to. In theory something
like this should work, however. Play around with it, read some fine
manuals, it is very possible. I've done something very similar on FreeBSD
before, re-routing a network via two different Internet connections
(redundancy type of scenario)....

Some things to keep in mind:

- Dynamic routing (such as routed, or BGP, RIP, etc.) *WILL* break this,
  so I'd recommend not doing this if you already use any form of dynamic
  routing.
- IP forwarding and that kind of stuff is obviously required.
- On Router 2, it is also essential (under Linux it is, I don't know if
  FreeBSD behaves in the same way) that the subnet's route
  (172.16.239.104/29) comes BEFORE your default route.

--
me
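An added check, written for this archive page and not part of the thread: a small Python model of the route lookup the two tables above perform, using the message's addresses and its placeholder next hops x.x.x.x and y.y.y.y. The lookup is by longest matching destination prefix, so entry order does not change the answer and the sending host is never consulted; forward() puts the source filter a firewall rule would provide in front of the lookup, which is the other approach the thread contrasts.

```python
import ipaddress

# Constructed routing tables mirroring the two-router layout in the message;
# "x.x.x.x" and "y.y.y.y" stand for the upstream next hops it names.
ROUTER1 = [("0.0.0.0/0", "x.x.x.x")]
ROUTER2 = [
    ("172.16.239.104/29", "y.y.y.y"),
    ("0.0.0.0/0", "172.16.239.1"),
]
ALLOWED_SRC = ipaddress.ip_network("172.16.239.104/29")


def next_hop(table, dst):
    """Kernel-style lookup: longest matching prefix on the *destination*.

    The source address is never consulted, and the order of table entries
    does not change the result.
    """
    dst = ipaddress.ip_address(dst)
    best_net, best_gw = None, None
    for prefix, gw in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    return best_gw


def forward(table, src, dst, allowed=None):
    """Forwarding decision with an optional source filter in front of it,
    i.e. the firewall rule the thread contrasts with static routing.
    Returns the next hop, or None when the packet is dropped."""
    if allowed is not None and ipaddress.ip_address(src) not in allowed:
        return None
    return next_hop(table, dst)


if __name__ == "__main__":
    inside, outside = "172.16.239.106", "172.16.239.10"
    internet = "198.51.100.7"  # constructed address from a documentation range
    # Routing only: any host gets the same next hop for an Internet address.
    print(next_hop(ROUTER2, internet))                       # 172.16.239.1
    print(next_hop(ROUTER2, inside))                         # y.y.y.y
    print(next_hop(list(reversed(ROUTER2)), inside))         # y.y.y.y
    # Source filter: only the /29 is forwarded, everyone else is dropped.
    print(forward(ROUTER2, inside, internet, ALLOWED_SRC))   # 172.16.239.1
    print(forward(ROUTER2, outside, internet, ALLOWED_SRC))  # None
```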