Date:      Thu, 29 Jun 2000 12:43:50 -0400
From:      "Rossen Raykov" <rraykov@sage-consult.com>
To:        <cjclark@alum.mit.edu>
Cc:        <FreeBSD-questions@FreeBSD.ORG>
Subject:   One more question about my routing nightmare...
Message-ID:  <070501bfe1e9$34bb1a50$4c00000a@sage>
References:  <01a701bfe08c$a8d8d890$4c00000a@sage> <20000627210456.H424@dialin-client.earthlink.net> <042701bfe127$fe1582e0$4c00000a@sage> <20000628211637.A451@dialin-client.earthlink.net>

Hi Crist,

Sorry to bother you again, but I have one more (I hope the last ;) question.
I simplified my network.
Now it is:

+--------------------+
|host 1              |
|ip: 2.0.0.200       |
|nm: 255.255.255.128 |
+--------------------+
          ^
          |
          v
+--------------------+
|if: fxp0            |
|ip: 2.0.0.252       |
|nm: 255.255.255.128 |
|                    |
|      gateway       |
|                    |
|if: dc0             |
|ip: 2.0.0.2         |
|nm: 255.255.255.128 |
+--------------------+
          ^
          |
          v
+--------------------+
|host 2              |
|ip: 2.0.0.126       |
|nm: 255.255.255.128 |
+--------------------+

There is no bridging, net.inet.ip.forwarding is 0, net.inet.ip.redirect is
1 and net.inet.ip.fw.enable is 0.
I am able to ping all combinations of interfaces from the gateway.
I am able to ping both 2.0.0.252 and 2.0.0.2 (gateway) from 2.0.0.200 (host
1) but I still cannot ping 2.0.0.126 (host 2).
When I run tcpdump on fxp0 there are echo requests to host 2 (2.0.0.126) but
there are no responses.
As one can expect, there are no whois (arp) requests for the 2.0.0.126 MAC
address.
If I run tcpdump at the same time on the dc0 interface (gateway), the result
is silence!

I've tried this with routed and gated with RIP enabled and without any extra
routing software (relying only on the kernel).
The result is still the same!

It seems like I am missing some sysctl flags or kernel options.
What do I have to enable/disable to do routing on BSD?

Please include a copy of the answer to my e-mail, since I am not on the list.

Thanks in advance,
Rossen

----- Original Message -----
From: <cristjc@earthlink.net>
To: <Rossen.Raykov@sage-consult.com>
Cc: <FreeBSD-questions@FreeBSD.ORG>
Sent: Thursday, June 29, 2000 12:16 AM
Subject: Re: routing problem


> [Follow-ups re-ordered, line-wrap damage repaired]
>
> On Wed, Jun 28, 2000 at 01:40:46PM -0400, Rossen Raykov wrote:
> > ----- Original Message -----
> > From: <cristjc@earthlink.net>
> > To: <Rossen.Raykov@sage-consult.com>
> > Cc: <FreeBSD-questions@FreeBSD.ORG>
> > Sent: Wednesday, June 28, 2000 12:04 AM
> > Subject: Re: rouing problem
> >
> > > On Tue, Jun 27, 2000 at 07:08:52PM -0400, Rossen Raykov wrote:
> > > > Hi all!
> > > >
> > > > I am trying to use FreeBSD as a gateway/firewall.
> > > > My network topology is like this one:
> > > >
> > > >
> > > >               ISP 1              ISP 2
> > > >
> > > >                 ^                  ^
> > > >                 |                  |
> > > >                 |                  |
> > > >             +-------+          +--------+
> > > >             |  DSL  |          |  ISDN  |
> > > >             +-------+          +--------+
> > > >            IP 1.0.0.1          IP 2.0.0.1
> > > >
> > > >                 \                  /
> > > >                  \                /
> > > >
> > > >         IP   1.0.0.252       IP 2.0.0.2
> > > >       MASK 255.255.255.0   MASK 255.255.255.252
> > > >       -----------------------------------------
> > > >                     FreeBSD Box
> > > >       -----------------------------------------
> > > >                     IP 2.0.0.252
> > > >                   MASK 255.255.255.0
> > > >                          |
> > > >                          |
> > > >       -----------------------------------------
> > > >        L A N                      HOST
> > > >        NET 2.0.0.0             2.0.0.129
> > > >
> > > > I am running FreeBSD 4.0 and the kernel is compiled with the following
> > > > options: IPFIREWALL, IPFIREWALL_VERBOSE, IPDIVERT, BRIDGE.
> > >
> > > Yikes.
> > >
> > > > In /etc/rc.conf the following options are defined:
> > > > firewall_enable="YES"
> > > > firewall_type="open"
> > > > gateway_enable="YES"
> > > > router_enable="YES"
> > > > kern_securitylevel_enabled="NO"
> > > >
> > > > As one can expect after that the firewall rules are:
> > > > allow ip from any to any via lo0
> > > > deny ip from any to 127.0.0.0/8
> > > > allow ip from any to any
> > > > deny ip from any to any
> > > >
> > > > Routing connected sysctl flags are:
> > > > net.inet.ip.forwarding=1
> > > > net.inet.ip.redirect=1
> > > > net.inet.ip.fw.enable=1
> > > > net.inet.ip.fw.one_pass=1
> > >
> > > Missing,
> > >
> > >   net.link.ether.bridge
> > >   net.link.ether.bridge_ipfw
> > >
> > > > I am able to ping all neighbors' interfaces from the BSD box (1.0.0.1,
> > > > 2.0.0.1 and 2.0.0.129).
> > > >
> > > > My first problem was that I was not able to ping the 1.0.0.252 and
> > > > 2.0.0.2 interfaces on the server from the LAN host (2.0.0.129).
> > > > After I enabled the BRIDGE option in the kernel that became possible.
> > > >
> > > > Then a new problem appeared - I cannot ping 1.0.0.1 and 2.0.0.1 from
> > > > the LAN host (2.0.0.129).
> > > >
> > > > All IP addresses that I am using are real (routable) IP addresses.
> > > >
> > > > Where is my mistake?
> > > > Why am I not able to pass through the BSD box?
> > > > Are my network masks wrong or am I missing something on the kernel/OS
> > > > configuration level?
> > >
> > > I believe that the problem is that you are trying to mix routing and
> > > bridging. You should decide the FreeBSD box is going to do one or the
> > > other.
> > >
> > > > I have one more question too.
> > > > How do I set up the box to work with 2 or more gateways and to do
> > > > dynamic routing?
> > > > Can someone give me a URL devoted to this?
> > > > Recommendations for gated settings will be appreciated too.
> > >
> > > OK, it sounds like you want to do routing, then lose the
> > > bridging. Actually break up that 2.0.0.0/24 into subnets.
> >
> > Hi,
> >
> > First I've removed BRIDGING from the kernel (since I wish to do routing ;)
> > After that I've changed the netmask for the LAN (2.0.0.0) to be
> > 255.255.255.128 (the netmask for ISP 2 is still 255.255.255.252).
> > Finally I've disabled ipfw using:
> > sysctl -w net.inet.ip.fw.enable=0
> > to simplify the configuration.
> >
> > As a result on the BSD box I am able to ping 1.0.0.1, 2.0.0.1 and
> > 2.0.0.129.
> > From 2.0.0.129 I am able to ping 2.0.0.252, 2.0.0.2 and 1.0.0.252 but
> > still I am not able to ping either 1.0.0.1 or 2.0.0.1.
> > The default gateway on 2.0.0.129 is set to 2.0.0.252. Why then is my
> > routing/forwarding not working?!
> > It has to be simple but it seems I am missing something important and I
> > cannot find it...
> >
> > Any suggestions?
>
> I assume you still have net.inet.ip.forwarding=1. Sounds like one of
> two things, the FreeBSD router is not forwarding and the pings never
> make it to the targets, 1.0.0.1 and 2.0.0.1, OR they get there, but
> never come back which means the trouble is at the router or it could
> be a problem at the targets.
>
> Do a tcpdump(8) on the interface with 1.0.0.252 and see if the pings
> are coming out. Then see if the replies head back. Narrow down where
> the problem is.
> --
> Crist J. Clark                           cjclark@alum.mit.edu
>
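
An added example, not part of the original e-mail or of FreeBSD: a small Python model of the simplified topology at the top of this message, showing which of the described pings require the gateway to forward between fxp0 and dc0. The addresses, masks and the net.inet.ip.forwarding values come from the message; the function names and the decision model (the gateway answers for any of its own addresses regardless of arrival interface) are assumptions.

```python
import ipaddress

# Interface addresses and masks as drawn in the message's diagram.
GATEWAY_IFACES = {
    "fxp0": ipaddress.ip_interface("2.0.0.252/255.255.255.128"),
    "dc0": ipaddress.ip_interface("2.0.0.2/255.255.255.128"),
}

def connected_iface(addr):
    """Return the gateway interface whose connected subnet contains addr."""
    for name, iface in GATEWAY_IFACES.items():
        if addr in iface.network:
            return name
    return None

def gateway_verdict(src, dst, forwarding):
    """Describe what the gateway does with a packet from src to dst.

    forwarding models the value of net.inet.ip.forwarding (assumed model).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress = connected_iface(src)
    if ingress is None:
        return "source not on a connected subnet"
    if any(dst == iface.ip for iface in GATEWAY_IFACES.values()):
        # Addressed to the gateway itself: answered without forwarding.
        return "local delivery"
    egress = connected_iface(dst)
    if egress is None:
        return "no connected route"
    if egress == ingress:
        return "same subnet, gateway not involved"
    if not forwarding:
        # Transit packet is discarded on input, so nothing (not even an
        # ARP request) is ever sent on the egress interface.
        return f"dropped (would leave via {egress})"
    return f"forwarded via {egress}"

if __name__ == "__main__":
    for dst in ("2.0.0.252", "2.0.0.2", "2.0.0.126"):
        for fwd in (False, True):
            verdict = gateway_verdict("2.0.0.200", dst, fwd)
            print(f"2.0.0.200 -> {dst} forwarding={int(fwd)}: {verdict}")
```

With the /25 masks, 2.0.0.200 and 2.0.0.126 fall into different subnets (2.0.0.128/25 and 2.0.0.0/25), so only the host 2 ping depends on the forwarding setting.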


