From: Boris Kochergin
Date: Tue, 23 Nov 2010 07:02:14 -0500
To: "Ronald F. Guilmette"
Cc: freebsd-net@freebsd.org
Subject: Re: Configuring for 1 static and 1 DHCP interface ?
Message-ID: <4CEBAD46.2070301@acm.poly.edu>
In-Reply-To: <41757.1290513201@tristatelogic.com>
List-Id: Networking and TCP/IP with FreeBSD
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.9.2.12) Gecko/20101031 Thunderbird/3.1.6

On 11/23/10 06:53, Ronald F. Guilmette wrote:
> I just recently re-jigged my main server/workstation so that instead
> of just having a single interface that talks to the Internet via a
> single static IP, it now has, in addition to that, one other interface
> (and card) that's talking to one of those little black&blue Linksys
> router thingies to which other machines on my local network are connected
> (all using DHCP which is implemented in the Linksys box).
>
> For most stuff the default routing should be out via the original interface
> (and its static IP) but when the main server/workstation wants to talk
> to anything in 192.168.1.0/24, it should instead route those packets
> via the second/newer interface over to the Linksys box, i.e. so that
> this main machine can talk to other stuff on the local network.
>
> So anyway, here's what I have now in my /etc/rc.conf file:
>
>     defaultrouter="69.62.255.254"
>     network_interfaces="fxp0 rl0 lo0 auto"
>     ifconfig_fxp0="inet 69.62.255.118 netmask 255.255.255.0"
>     ifconfig_rl0="DHCP"
>
> This is problematic for several reasons. First, as I have learned,
> having any interface set to "DHCP" in the /etc/rc.conf file causes
> all sorts of DHCP magic to happen at startup time, and the end result
> of all that magic is that two undesirable things happen:
>
> 1) The /etc/resolv.conf file gets replaced with something that
>    causes DNS resolutions to go someplace other than where I want
>    them to go, and...
>
> 2) the default route that I attempted to set in the /etc/rc.conf
>    file gets clobbered and replaced by a default route obtained
>    from the DHCP negotiation on the second interface.
>
> I tried to work around these problems by simply putting code into my
> /etc/rc.local file that would restore the proper /etc/resolv.conf file
> and that would also restore the proper default route.
>
> That all actually seemed to be working well, _except_ that I just now
> noticed that, for reasons that are not apparent to me, my ntpd daemon
> is apparently trying to send its time sync packets out, via the original/
> main/default interface, but with the source IP address being the RFC 1918
> address that was obtained dynamically for the second interface via DHCP,
> i.e. 192.168.1.101. That creates a definite problem because my IPFW
> firewall rules were set up to avoid me leaking RFC 1918 IPs out onto
> the public internet. So anyway, the result is that now my ntpd is
> utterly failing to communicate with any of the time servers it should be
> talking to (causing my time to drift slowly out of whack) AND I am now
> getting a whole lot of messages in /var/log/messages like this:
>
>     Nov 23 03:04:35 segfault kernel: ipfw: 3200 Deny UDP 192.168.1.101:123 128.118.25.3:123 out via fxp0
>     Nov 23 03:04:35 segfault ntpd[1064]: sendto(128.118.25.3): Permission denied
>
> Obviously, none of this is at all good. But where exactly did I go wrong?
> Why did my ntpd daemon latch on to the 192.168.1.101 IP address? Why is
> it attempting to originate packets from that IP address, rather than from
> 69.62.255.118 as it used to do? (And how can I get it to do that Right Thing
> again?) And why is the kernel now attempting to route those packets out to
> the net via my main/original interface, fxp0? (THAT is REALLY perplexing!)
>
> This is all quite mysterious to me, and I'd appreciate any help.
>
> Here is my current routing table, in case that's of any help. The
> 69.62.255.254 is the gateway address my ISP gave me... you know... to
> go along with my static IP.
>
> P.S. If possible, please answer on-list. Otherwise my geeky spam filter
> may cause me to miss your reply. Thanks.
>
> ===================================================================
> Routing tables
>
> Internet:
> Destination        Gateway            Flags    Refs      Use  Netif Expire
> default            69.62.255.254      UGS         0  2706435   fxp0
> 69.62.255.0/24     link#3             UC          0        0   fxp0
> 69.62.255.118      00:a0:c9:dd:11:7e  UHLW        1   123493    lo0
> 69.62.255.254      00:00:0e:07:ac:00  UHLW        2        9   fxp0     72
> 127.0.0.1          127.0.0.1          UH          0 11955888    lo0
> 192.168.1.0/24     link#2             UC          0        0    rl0
> 192.168.1.1        00:1d:7e:c9:83:03  UHLW        1        1    rl0   1200
> 192.168.1.101      00:50:bf:43:5a:b9  UHLW        1        8    lo0
>
> Internet6:
> Destination        Gateway            Flags    Netif Expire
> ::1                ::1                UHL        lo0
> fe80::%lo0/64      fe80::1%lo0        U          lo0
> fe80::1%lo0        link#5             UHL        lo0
> ff01:5::/32        fe80::1%lo0        UC         lo0
> ff02::%lo0/32      fe80::1%lo0        UC         lo0

Hi. I hypothesize that ntpd is started before your rc.local script is
run, so it uses the NAT IP and default route. Take a look at the
dhclient.conf man page for how to ignore certain DHCP-provided
information for an interface. For example:

    # cat /etc/dhclient.conf
    ...
    interface "wlan0" {
        supersede domain-name "poly.edu";
        supersede domain-name-servers 128.238.9.202;
    }

The above overrides any DHCP-provided domain name and DNS servers with
what I have above on the wlan0 interface.

-Boris
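The dhclient.conf "supersede" approach above covers the DNS half of the problem. The other half, the lease replacing the default route before rc.local gets a chance to put it back, can be handled in the same place the lease is applied rather than repaired afterwards. What follows is an added example and not code from Boris or Ronald: an /etc/dhclient-enter-hooks file for the LAN interface. It assumes FreeBSD's /sbin/dhclient-script of that era, which defines its helper functions add_new_routes() and add_new_resolv_conf() before it sources the hooks file and exports the lease as $interface, $new_routers and $new_domain_name_servers; a function redefined in the hooks file therefore replaces the stock one for that run. The interface names (rl0 for the DHCP LAN card, fxp0 for the static uplink) are taken from the thread; LAN_ONLY_IFACES, is_lan_only and install_lan_only_hooks are names invented here. Note that ipfw rule 3200 did exactly what an egress filter is for, refusing an RFC 1918 source on the public interface; the fix belongs in the DHCP handling, not in loosening that rule.

```shell
#!/bin/sh
# /etc/dhclient-enter-hooks (example; not from the thread)
#
# /sbin/dhclient-script sources this file with the lease exported in
# environment variables ($interface, $reason, $new_routers,
# $new_domain_name_servers, ...).  ASSUMPTION: the script defines its
# helper functions add_new_routes() and add_new_resolv_conf() before it
# sources the hooks, so a definition made here replaces the stock one.
# $LOGGER is set by dhclient-script; fall back to echo when this file is
# run on its own.
: "${LOGGER:=echo}"

# Interfaces whose lease may configure only the address and netmask.
# rl0 is the LAN card from the thread; the static uplink fxp0 is not
# listed, so an accidental "DHCP" on it would still get stock behaviour.
LAN_ONLY_IFACES="rl0"

# is_lan_only IFACE: returns 0 if IFACE is in LAN_ONLY_IFACES, else 1.
is_lan_only() {
    for i in $LAN_ONLY_IFACES; do
        [ "$1" = "$i" ] && return 0
    done
    return 1
}

# install_lan_only_hooks IFACE
# For a listed IFACE, redefines the two dhclient-script helpers as
# no-ops so the lease can neither install the router it offers as the
# default route (defaultrouter= in rc.conf keeps fxp0's gateway) nor
# rewrite /etc/resolv.conf.  Returns 0 if the overrides were installed,
# 1 if IFACE is left with stock behaviour.
install_lan_only_hooks() {
    is_lan_only "$1" || return 1

    add_new_routes() {
        $LOGGER "$interface: ignoring DHCP routers '${new_routers:-}'"
        return 0
    }

    add_new_resolv_conf() {
        $LOGGER "$interface: ignoring DHCP DNS '${new_domain_name_servers:-}'"
        return 0
    }
    return 0
}

# Sourced by dhclient-script: $interface names the interface whose lease
# is being applied.  When run by hand it is empty and nothing is changed.
install_lan_only_hooks "${interface:-}" || :
```

After installing the file, renewing the lease on rl0 (for example by restarting dhclient on that interface) should leave "netstat -rn" showing the default route via 69.62.255.254 on fxp0 and /etc/resolv.conf untouched, and "sockstat -4 | grep ntpd" after an ntpd restart should show it no longer using 192.168.1.101 toward the public servers. Because the override is applied by dhclient-script itself, it also holds for every later renewal, which a one-shot repair in rc.local cannot guarantee.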