Date: Thu, 21 May 1998 09:42:00 -0700 (PDT)
From: Damon Reed <dreed@value.net>
To: isp@FreeBSD.ORG
Subject: Re: FreeBSD firewall
Message-ID: <Pine.BSI.3.95.980521091953.11216A-100000@value.net>
In-Reply-To: <199805201908.MAA07730@smtp.triax.com>
On Wed, 20 May 1998, Joe Read wrote:

> I'm trying to set up a simple little packet blocker box using two nics,
> one of which uses a crossover cable to the router, another which goes
> to our hub. I can't seem to route packets between the two, currently
> I can't tell you why since I plugged the router straight back into the
> hub to resume company productivity. :)
>
> Here's the setup I was trying:
>
> Subnet routed to us: 206.58.97.64/26
> Router eth1 IP address: 206.58.97.65
>
> ed0 (crossover cable to router eth1 port):
> ifconfig ed0 206.58.97.66 netmask 255.255.255.192
> route add -host 206.58.97.65 -interface ed0
> route add -net default 0.0.0.0 206.58.97.65
>
> ed1 (lan connection):
> ifconfig ed1 206.58.97.89 netmask 255.255.255.192
> route add -net 206.58.97.64 255.255.255.192 206.58.97.66
>
> When the internal 95 boxes set their gateway to 97.89,
> nothing happens. On the freebsd box I can ping 97.65,
> but I can't ping any of the 95 boxes. I assume my
> routing's correct, but I could be wrong.

In theory this type of setup would be workable if you applied the right netmasks to the right interfaces (i.e. the router and firewall shouldn't have the entire 64-address netmask on their common interface; otherwise they expect to be able to ARP the Win95 boxes on that segment), and you set up the routing in the right order: configure all interfaces, set extraneous routes, hope gated doesn't stomp all over them.
In practice, I would actually set the ed0-->router interface to a private network address, such as 192.168.1.0/30, like so (old timers may freely substitute 10.0.0 for 192.168.1):

router (for the ether if):
  ip addr 192.168.1.1 255.255.255.252
  ip route 206.58.97.64 255.255.255.192 192.168.1.2

firewall:
  ifconfig ed0 192.168.1.2 netmask 255.255.255.252
  ifconfig ed1 206.58.97.65 netmask 255.255.255.192
  route add default 192.168.1.1

internal hosts:
  set addr on available addr in subnet (.66-.126)
  set def gateway to 206.58.97.65

Since the interface between the router and the firewall is only relevant to those two entities, you can get away with the non-public address without address translation; the router should have a public IP interface (on the WAN interface), and the firewall is reachable via its .65 address from the outside. The static route entry in the router may be extraneous if your routing (routed, gated) on the firewall box is working 100%, but since it's better to be paranoid than disconnected I put it in anyways.

Damon Reed
*Value Net Internetworking*
-Network Administrator-
dreed@value.net
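The netmask point Damon makes above can be checked mechanically. This is an added example (not code from either poster): it models a host's connected subnets and static routes with Python's `ipaddress` module and reports whether the host would ARP for a destination directly or hand it to a gateway. The topologies are built from the addresses in the thread; the Win95 host address and the external address in the test are constructed samples.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Iface:
    name: str
    addr: str  # address with prefix length, e.g. "206.58.97.65/26"

@dataclass(frozen=True)
class Route:
    dest: str     # destination network; "0.0.0.0/0" is the default route
    gateway: str  # next hop, which must itself be on-link on some interface

def next_hop(ifaces, routes, dst):
    """Classify how a host forwards to dst:
    ("link", iface)     dst is in a connected subnet, so the host ARPs for dst itself
    ("via", gw, iface)  dst matches a route, so the host ARPs for gw instead
    ("unreachable",)    nothing covers dst"""
    d = ipaddress.ip_address(dst)
    connected = [(ipaddress.ip_interface(i.addr).network, i.name) for i in ifaces]
    for net, name in connected:
        if d in net:
            return ("link", name)
    best = None  # longest-prefix match over the static routes
    for r in routes:
        net = ipaddress.ip_network(r.dest, strict=False)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r)
    if best is None:
        return ("unreachable",)
    gw = ipaddress.ip_address(best[1].gateway)
    for net, name in connected:
        if gw in net:
            return ("via", str(gw), name)
    return ("unreachable",)

# Constructed sample: one Win95 host on the LAN side, in the .66-.126 range.
WIN95_HOST = "206.58.97.90"
# Joe's router as posted: the whole /26 sits on the crossover segment, so the
# router believes .90 is on-link there and ARPs for it where no such host answers.
ROUTER_ORIGINAL = ([Iface("eth1", "206.58.97.65/26")], [])
# Damon's router: /30 link to the firewall plus a static route for the /26.
ROUTER_PROPOSED = ([Iface("eth1", "192.168.1.1/30")],
                   [Route("206.58.97.64/26", "192.168.1.2")])
# Damon's firewall: ed0 on the /30, ed1 holding .65 for the LAN, default via router.
FIREWALL_PROPOSED = ([Iface("ed0", "192.168.1.2/30"), Iface("ed1", "206.58.97.65/26")],
                     [Route("0.0.0.0/0", "192.168.1.1")])
```

Calling `next_hop(*ROUTER_ORIGINAL, WIN95_HOST)` yields an on-link answer for the crossover segment, while `next_hop(*ROUTER_PROPOSED, WIN95_HOST)` resolves to the firewall's 192.168.1.2 as the next hop.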