From owner-freebsd-questions@FreeBSD.ORG Sat Nov 24 14:46:18 2007
Date: Sun, 25 Nov 2007 01:45:35 +1100 (EST)
From: Ian Smith
To: Alaor Barroso de Carvalho Neto
Cc: Bill Moran, freebsd-questions@freebsd.org
In-Reply-To: <2949641c0711240434m71fbbc0fj73c7af80f88bad6d@mail.gmail.com>
Subject: Re: routing problem

On Sat, 24 Nov 2007, Alaor Barroso de Carvalho Neto wrote:

 > 2007/11/24, Ian Smith :
 > >
 > > ipfw works fine too for these sorts of network policy separation :)
 >
 > So ipfilter is not recommended by you guys?

No, I didn't mean that; use your own favourite packet filter, any of them can handle what you've described. Bill suggested pf - lots of people seem to like it a lot - and I use ipfw because I (mostly) know how to.

 > > I'm not saying this odd netmask explains your problem, nor that I fully
 > > understand the effect of non-contiguous netmasks, but it's worth fixing.
 >
 > My fault again, the mask is 255.255.255.224, I messed up the things; the 27
 > comes from XXX.XXX.XXX.XXX/27, you're right! But in the config file it's
 > .224.

Ok. Pasted output of 'ifconfig' and 'netstat -finet -nr' may help .. it's easier to parse familiar machine output than textual descriptions.

 > > On which machine/s is NAT translation taking place? Eg if 10.10/16 were
 > > allowed access to the internet via here, where would they get NAT'd to
 > > the external IP?
 > >
 > > Cheers, Ian
 >
 > The ipfilter was NATing, but I'm not sure about the NAT rules inside the
 > config file, I must recheck it Monday, I just tested the redirection rules,
 > do you think this can be the problem?

Dunno. I'd just run tcpdump in a different terminal for each interface and watch the traffic; what gets forwarded, or not, what gets translated by NAT, or not. As you said, pings are a useful start, as can be adding temporary firewall rules to log everything in and out per interface ..

I know next to nothing about routed(8) and RIP, nor why you might prefer it to static and cloned routing, but taking it out of the mix might help with debugging until your basic routing and filtering works right?

HTH, Ian
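The netmask mix-up in the thread (/27 typed as something other than 255.255.255.224) is the kind of thing worth ruling out before reading tcpdump output. The following POSIX sh is an added example, not code from the thread or from any of the participants; it converts a prefix length to a mask, counts the mask bits, and rejects a non-contiguous mask, using the thread's /27 and a constructed mistyped mask as sample input.

```sh
#!/bin/sh
# Added example, not from the thread: sanity-check a netmask before chasing a
# routing problem. The /27 vs 255.255.255.224 mix-up above is the sample input.

# Dotted quad -> 32-bit integer.
mask_to_int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# Prefix length (0-32) -> dotted quad, e.g. 27 -> 255.255.255.224.
cidr_to_mask() {
    m=$(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
    echo "$(( (m >> 24) & 255 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}

# Count set bits; only meaningful as a prefix length if the mask is contiguous.
mask_to_prefix() {
    m=$(mask_to_int "$1") n=0
    while [ "$m" -ne 0 ]; do
        n=$(( n + (m & 1) )); m=$(( m >> 1 ))
    done
    echo "$n"
}

# Exit 0 iff the mask is a run of 1-bits followed only by 0-bits.
# For such a mask the complement c is 2^k - 1, so c & (c + 1) == 0.
mask_is_contiguous() {
    c=$(( 0xFFFFFFFF ^ $(mask_to_int "$1") ))
    [ $(( c & (c + 1) )) -eq 0 ]
}

# Demonstration: the intended /27 and a constructed, mistyped mask.
for mask in "$(cidr_to_mask 27)" 255.255.224.255; do
    if mask_is_contiguous "$mask"; then
        printf '%s: contiguous, /%s\n' "$mask" "$(mask_to_prefix "$mask")"
    else
        printf '%s: NON-CONTIGUOUS, fix before debugging routing\n' "$mask"
    fi
done
```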