Date: Fri, 23 Nov 2007 09:50:39 -0500
From: Bill Moran
To: "Alaor Barroso de Carvalho Neto"
Cc: freebsd-questions@freebsd.org
Subject: Re: routing problem
Message-Id: <20071123095039.b8439467.wmoran@potentialtech.com>

"Alaor Barroso de Carvalho Neto" wrote:
>
> 2007/11/23, Bill Moran:
> >
> > "Alaor Barroso de Carvalho Neto" wrote:
> >
> > > Yes, I have IPFILTER installed, but if I would want to everybody ping to
> > > everybody and then block the things in the firewall, it isn't about routes?
> > > because neither of my networks are pinging to any other right now. By ping
> > > I mean have access.

By ping, I mean ping. I don't know what "have access" means, but I know
what "ping" means. So what do you really mean ... what are you actually
doing? If you run ping 192.168.1.[some working IP] from a machine on the
192.168.2.0/24 network, what is the result?

> > > I thought it would have something to do with setting
> > > routes. BTW, my ipfilter now just pass everything because I'm building the
> > > server, but I already have a config file with the blocks that I would apply.
> >
> > That's a completely different scenario than the one you described in
> > your previous message.
> >
> > Do you have gateway_enable="YES" in /etc/rc.conf?
>
> Yeah, I know, I was trying to make it work with only adm and external, but
> the real scenario I have is this. Yes I have this line, my rc.conf is like
> this:
> [...]
> gateway_enable="yes"
> defaultrouter="XXX.XXX.XXX.158" (the external ip)
> ifconfig_em0="inet XXX.XXX.XXX.130 netmask 255.255.255.227"
> ifconfig_rl0="inet 192.168.1.80 netmask 255.255.255.0"
> ifconfig_rl1="inet 192.168.2.90 netmask 255.255.255.0"
> ifconfig_rl2="inet 10.10.0.50 netmask 255.255.0.0"
> [...]
>
> I don't know if that matters, but the yes should be YES to things work? I'd
> kill myself if this is the problem.

Don't kill yourself. At least, if you do, will me all your stuff.

The parameter is case-insensitive, I just prefer the caps.

First off, what's the output of "sysctl net.inet.ip.forwarding"? If it
is 0, then reboot and see if it starts working.
Once you're sure that sysctl is being properly set (which is all that
gateway_enable="yes" does), if you're still having problems, disable
ipfilter altogether and see if it starts working. If it does, then it
becomes a discussion of firewall rules.

Also, is your DNS working properly? I don't know how many times I've seen
DNS timeouts mistaken for network problems. 99% of the programs out there
will _seem_ to have a network problem if the DNS isn't working properly.

-- 
Bill Moran
http://www.potentialtech.com
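
Added example, not part of the original message or of FreeBSD: a small Python check of an rc.conf like the one quoted above, confirming that gateway_enable requests forwarding regardless of case. It goes beyond the message by also sanity-checking each interface netmask and the defaultrouter; the function names are hypothetical and the masked XXX.XXX.XXX prefix is replaced by the documentation range 203.0.113.0/24.

```python
import ipaddress
import re

# Constructed sample modelled on the rc.conf quoted in the thread; the masked
# XXX.XXX.XXX prefix is an assumption, replaced here by 203.0.113.
SAMPLE_RC_CONF = '''
gateway_enable="yes"
defaultrouter="203.0.113.158"
ifconfig_em0="inet 203.0.113.130 netmask 255.255.255.227"
ifconfig_rl0="inet 192.168.1.80 netmask 255.255.255.0"
ifconfig_rl1="inet 192.168.2.90 netmask 255.255.255.0"
ifconfig_rl2="inet 10.10.0.50 netmask 255.255.0.0"
'''

# Values rc.subr's checkyesno treats as enabled (compared case-insensitively).
YES_VALUES = {"yes", "true", "on", "1"}

def parse_rc_conf(text):
    """Return {name: value} for simple name="value" assignments."""
    pairs = re.findall(r'^\s*(\w+)=["\']?([^"\'\n#]*)["\']?', text, re.MULTILINE)
    return {name: value.strip() for name, value in pairs}

def check_gateway(conf):
    """Return (forwarding_requested, problems) for a parsed rc.conf."""
    problems = []
    forwarding = conf.get("gateway_enable", "no").lower() in YES_VALUES
    if not forwarding:
        problems.append("gateway_enable is not set: net.inet.ip.forwarding stays 0")
    networks = {}
    for name, value in conf.items():
        m = re.match(r"inet (\S+) netmask (\S+)", value)
        if not name.startswith("ifconfig_") or not m:
            continue
        iface = name[len("ifconfig_"):]
        try:
            networks[iface] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        except ValueError:  # ipaddress rejects masks that mix ones and zeroes
            problems.append(f"{iface}: netmask {m.group(2)} is not a contiguous mask")
    router = conf.get("defaultrouter")
    if router and not any(ipaddress.ip_address(router) in n for n in networks.values()):
        problems.append(f"defaultrouter {router} is not on any configured network")
    return forwarding, problems

if __name__ == "__main__":
    enabled, issues = check_gateway(parse_rc_conf(SAMPLE_RC_CONF))
    print("forwarding requested:", enabled)
    for issue in issues:
        print("problem:", issue)
```

The defaultrouter finding on the sample follows from the em0 line being rejected, so fix the netmask first and re-run before reading anything into it.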