Date: Tue, 14 Feb 2017 10:43:08 -0800
From: Karl Young
To: Ernie Luzar
Cc: Bernt Hansson, "freebsd-questions@freebsd.org"
Subject: Re: linksys router behind gateway not working

Ernie Luzar(luzar722@gmail.com)@2017.02.14 11:22:46 -0500:
> Bernt Hansson wrote:
> >On 2017-02-14 15:46, Ernie Luzar wrote:
> >>Hello list;
> >>
> >>I am running 11.0 on my gateway system. It has a small LAN
> >>behind it. This gateway host has ipfilter firewall and a dhcp
> >>server. The LAN is cabled from the host to a switch and from the
> >>switch to each PC on the LAN. I added a cable from the switch to
> >>a linksys wifi router. I can get wifi and cable connection to
> >>the router but no connection to the public internet through the
> >>LAN. The dhcp server lease file shows a lease for the router. I
> >>can see this ip address in the router's internal configuration.
> >>
> >>Is the problem because the router NATs its issued ip address
> >>and then the host gateway system NATs it again?
> >>
> >>Thanks for any light you can shed on this
> >Our connection is like this, can't check right now but it is from
> >the top of my head.
> >
> >internet--gateway--switch---LAN
> >                     |
> >                     |-- wifi
> >
> >Hope this is readable. The switch is dell power connect 2716 wifi
> >is asus something.
> >.
> >
>
> This is what the layout looks like
>
>                            |----router
> internet--gateway--switch-|---lan pc
>                            |---lan pc
>                            |-- lan pc
>

If you have two gateways (or routers, they are synonyms), you need to
have two different networks, and a different topology.

So your "gateway" (FreeBSD box) should connect to Internet and NAT to an
internal network (say, 10.0.0.0/24). It will have two interfaces:
inbound from ISP (with external address) and internal (10.0.0.1 is used
by convention).

Your "router" (Linksys)'s uplink interface should connect to the
internal interface of the "gateway" with a static address on the
internal network (say, 10.0.0.2), and upstream gateway set to 10.0.0.1.
Then it will provide NAT to a second internal network (say,
192.168.0.0/24).

If you have more LAN PCs than available ports on the Linksys "router"
you can use a switch to add more ports.

Sorry, I don't have enough patience for ascii-visio, or I would add a
diagram. From your diagram above, move the switch to the downstream side
of the Linksys (or remove it if you don't need extra ports). Then change
config to have two subnets.

But if all your PCs are currently connected to one network, and you only
need the Linksys to provide wireless, you could leave the topology as it
is and reconfigure the Linksys to act as a bridge.

I do something like this, except I'm using PF as the firewall, and
Airport as wireless bridge.

Regards
-karl

> The router is a linksys model wrt160n with default internal config.
> The LAN has worked for many years and still works with the router
> connected as shown as above, but nothing connected to the router
> works in this layout. I can cable a pc to the router and get
> connected to the router and it says that I have internet connection,
> but trying to browse to a url gives page not found error. The same
> thing happens if I wifi connect to the router.
>
> The gateway is running ipfilter firewall and its log shows nothing
> getting logged for the ip address assigned to the router.
>
> The setup works if I place the router in front of the gateway so I
> know there is nothing wrong with the router. Having it this way is a
> security hole to my gateway server and lan.
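
The two-subnet addressing plan from the reply above, checked in code. This is an added example and not part of the original message; the function name check_cascade and the two failing plans are constructed for illustration.

```python
import ipaddress


def check_cascade(upstream_lan, upstream_gw, router_uplink, router_lan):
    """Return a list of problems in a gateway -> router (double NAT) plan.

    upstream_lan   network behind the first gateway (the FreeBSD box)
    upstream_gw    the gateway's internal address on that network
    router_uplink  static address given to the second router's uplink port
    router_lan     network the second router NATs for its own clients
    """
    up = ipaddress.ip_network(upstream_lan)
    down = ipaddress.ip_network(router_lan)
    gw = ipaddress.ip_address(upstream_gw)
    uplink = ipaddress.ip_address(router_uplink)

    problems = []
    if gw not in up:
        problems.append(f"gateway {gw} is not inside {up}")
    if uplink not in up:
        problems.append(f"router uplink {uplink} is not inside {up}")
    elif uplink in (up.network_address, up.broadcast_address):
        problems.append(f"router uplink {uplink} is not a usable host address")
    if uplink == gw:
        problems.append("router uplink and gateway share one address")
    # The second router cannot route between two interfaces that sit on
    # the same prefix, so the inner and outer networks must be disjoint.
    if up.overlaps(down):
        problems.append(f"router LAN {down} overlaps upstream LAN {up}")
    return problems


# Values taken from the reply.
PLAN_FROM_REPLY = ("10.0.0.0/24", "10.0.0.1", "10.0.0.2", "192.168.0.0/24")
# Constructed failing plans: same prefix on both sides of the router, and
# an uplink address that belongs to the wrong network.
SAME_PREFIX = ("10.0.0.0/24", "10.0.0.1", "10.0.0.2", "10.0.0.0/24")
WRONG_UPLINK = ("10.0.0.0/24", "10.0.0.1", "192.168.0.2", "192.168.0.0/24")

if __name__ == "__main__":
    for name, plan in [("reply", PLAN_FROM_REPLY),
                       ("same prefix", SAME_PREFIX),
                       ("wrong uplink", WRONG_UPLINK)]:
        print(name, check_cascade(*plan) or "ok")
```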