From owner-freebsd-net@FreeBSD.ORG  Tue Nov 23 12:29:24 2010
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 0445C106566C
	for <freebsd-net@freebsd.org>; Tue, 23 Nov 2010 12:29:24 +0000 (UTC)
	(envelope-from spawk@acm.poly.edu)
Received: from acm.poly.edu (acm.poly.edu [128.238.9.200])
	by mx1.freebsd.org (Postfix) with ESMTP id 842D88FC12
	for <freebsd-net@freebsd.org>; Tue, 23 Nov 2010 12:29:23 +0000 (UTC)
Received: (qmail 93773 invoked from network); 23 Nov 2010 12:02:41 -0000
Received: from unknown (HELO ?192.168.0.2?) (spawk@96.224.221.101)
	by acm.poly.edu with CAMELLIA256-SHA encrypted SMTP;
	23 Nov 2010 12:02:41 -0000
Message-ID: <4CEBAD46.2070301@acm.poly.edu>
Date: Tue, 23 Nov 2010 07:02:14 -0500
From: Boris Kochergin <spawk@acm.poly.edu>
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US;
	rv:1.9.2.12) Gecko/20101031 Thunderbird/3.1.6
MIME-Version: 1.0
To: "Ronald F. Guilmette" <rfg@tristatelogic.com>
References: <41757.1290513201@tristatelogic.com>
In-Reply-To: <41757.1290513201@tristatelogic.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-net@freebsd.org
Subject: Re: Configuring for 1 static and 1 DHCP interface ?
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Nov 2010 12:29:24 -0000

On 11/23/10 06:53, Ronald F. Guilmette wrote:
> I just recently re-jigged my main server/workstation so that instead
> of just having a single interface that talks to the Internet via a
> single static IP, it now has, in addition to that, one other interface
> (and card) that's talking to one of those little black&blue Linksys
> router thingies to which other machines on my local network are connected
> (all using DHCP which is implemented in the Linksys box).
>
> For most stuff the default routing should be out via the original interface
> (and its static IP) but when the main server/workstation wants to talk
> to anything in 192.168.1.0/24, it should instead route those packets
> via the second/newer interface over to the Linksys box, i.e. so that
> this main machine can talk to other stuff on the local network.
>
> So anyway, here's what I have now in my /etc/rc.conf file:
>
> defaultrouter="69.62.255.254"
> network_interfaces="fxp0 rl0 lo0 auto"
> ifconfig_fxp0="inet 69.62.255.118 netmask 255.255.255.0"
> ifconfig_rl0="DHCP"
>
> This is problematic for several reasons.  First, as I have learned,
> having any interface set to "DHCP" in the /etc/rc.conf file causes
> all sorts of DHCP magic to happen at startup time, and the end result
> of all that magic is that two undesirable things happen:
>
>     1)  The /etc/resolv.conf file gets replaced with something that
>         causes DNS resolutions to go someplace other than where I want
>         them to go, and...
>
>     2)  the default route that I attempted to set in the /etc/rc.conf
>         file gets clobbered and replaced by a default route obtained
>         from the DHCP negotiation on the second interface.
>
> I tried to work around these problems by simply putting code into my
> /etc/rc.local file that would restore the proper /etc/resolv.conf file
> and that would also restore the proper default route.
>
> That all actually seemed to be working well, _except_ that I just now
> noticed that, for reasons that are not apparent to me, my ntpd daemon
> is apparently trying to send its time sync packets out, via the original/
> main/default interface, but with the source IP address being the RFC 1918
> address that was obtained dynamically for the second interface via DHCP
> i.e. 192.168.1.101.  That creates a definite problem because my IPFW
> firewall rules were set up to avoid me leaking RFC 1918 IPs out onto
> the public internet.  So anyway, the result is that now my ntpd is
> utterly failing to communicate with any of the time servers it should be
> talking to (causing my time to drift slowly out of whack) AND I am now
> getting a whole lot of message in /var/log/messages like this:
>
>
> Nov 23 03:04:35 segfault kernel: ipfw: 3200 Deny UDP 192.168.1.101:123 128.118.25.3:123 out via fxp0
> Nov 23 03:04:35 segfault ntpd[1064]: sendto(128.118.25.3): Permission denied
>
>
> Obviously, none of this is at all good.  But where exactly did I go wrong?
> Why did my ntpd daemon latch on to the 192.168.1.101 IP address?  Why is
> it attempting to originate packets from that IP address, rather than from
> 69.62.255.118 as it used to do? (And how can I get it to do that Right Thing
> again?)  And why is the kernel now attempting to route those packets out to
> the net via my main/original interface, fxp0?  (THAT is REALLY perplexing!)
>
> This is all quite mysterious to me, and I'd appreciate any help.
>
> Here is my current routing table, in case that's of any help.  The
> 69.62.255.254 is the gateway address my ISP gave me... you know... to
> go along with my static IP.
>
> P.S.  If possible, please answer on-list.   Otherwise my geeky spam filter
> may cause me to miss your reply.  Thanks.
>
> ===================================================================
> Routing tables
>
> Internet:
> Destination        Gateway            Flags    Refs      Use  Netif Expire
> default            69.62.255.254      UGS         0  2706435   fxp0
> 69.62.255.0/24     link#3             UC          0        0   fxp0
> 69.62.255.118      00:a0:c9:dd:11:7e  UHLW        1   123493    lo0
> 69.62.255.254      00:00:0e:07:ac:00  UHLW        2        9   fxp0     72
> 127.0.0.1          127.0.0.1          UH          0 11955888    lo0
> 192.168.1.0/24     link#2             UC          0        0    rl0
> 192.168.1.1        00:1d:7e:c9:83:03  UHLW        1        1    rl0   1200
> 192.168.1.101      00:50:bf:43:5a:b9  UHLW        1        8    lo0
>
> Internet6:
> Destination                       Gateway                       Flags      Netif Expire
> ::1                               ::1                           UHL         lo0
> fe80::%lo0/64                     fe80::1%lo0                   U           lo0
> fe80::1%lo0                       link#5                        UHL         lo0
> ff01:5::/32                       fe80::1%lo0                   UC          lo0
> ff02::%lo0/32                     fe80::1%lo0                   UC          lo0
>
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

Hi. I hypothesize that ntpd is started before your rc.local script is 
run, so it uses the NAT IP and default route. Take a look at the 
dhclient.conf man page for how to ignore certain DHCP-provided 
information for an interface. For example:

# cat /etc/dhclient.conf
...
interface "wlan0" {
   supersede domain-name "poly.edu";
   supersede domain-name-servers 128.238.9.202;
}

The above overrides any DHCP-provided domain name and DNS servers with 
what I have above on the wlan0 interface.

-Boris