From: Brian McGovern <bmcgover@bmcgover-pc.cisco.com>
To: dune@cats.edu.ph
Cc: questions@freebsd.org
Subject: Re: Divert
Date: Mon, 26 Jul 1999 10:10:49 -0400
Message-Id: <199907261410.KAA10268@bmcgover-pc.cisco.com>

> What I had in mind is two networks coexisting in one physical network.

Um, yes you can. No, you probably really don't want to. At least not with just one NIC in the "gateway". See below...

> divert 8668 ip from any to any

This may also be bogus. I don't think it'll quite do what you want, especially whereas ipfw rules get processed both on the way in, and on the way out. This rule would get caught in both directions and infinitely loop through natd. I expect you'd want something more like:

divert 8868 ip from any to any in via foo0

The major bobo with this design is the possibility for your single-NIC'ed "gateway" to kick out ICMP redirect packets to the originating host. After all, to your "gateway", the client and the next hop router are both on the same interface, so your client should be able to directly reach the router, no? But, since they're on different logical LANs, the client will think it can't, and you'll probably end up with host unreachable messages.
This also brings up security and right-of-use issues, depending on your topography. Most cable modem companies (MediaOne comes to mind, as I'm a subscriber) allow only one PC to be connected to the cable modem or router. This device acts like an Ethernet _bridge_ to their network. Therefore, all of your PCs will see all of their traffic, and they, and all of their customers who use their same logical segment, potentially will see all of yours. This is bad for security, and network loading. Additionally, since it's against their use policy, they'll probably unplug you pretty quickly.

Overall, I think you're going to spend a large amount in time and headaches, rather than shelling $30 US for a second Ethernet card.

-Brian
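The message above argues that a divert rule with no direction qualifier matches a packet both on the way in and on the way out, and that the rule should be bound to a direction and an interface. The following is an added example, not part of Brian's reply or of FreeBSD's own rc.firewall: a small sh script that emits an ipfw/natd ruleset for the two-NIC gateway he recommends, with both divert rules qualified by `in via` / `out via`, plus a lint function that flags any divert rule written without a direction keyword. The interface names xl0 (outside) and xl1 (inside) are assumed; the natd port 8668 is the one quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the original message): an ipfw/natd ruleset for
# a FreeBSD gateway with two NICs, plus a check that flags divert rules
# that carry no direction qualifier (the mistake discussed in the thread).
# Interface names are assumed; natd would be started separately, e.g.
#   natd -p "$NATD_PORT" -n "$EXT_IF"

EXT_IF="${EXT_IF:-xl0}"          # assumed: NIC facing the cable modem
INT_IF="${INT_IF:-xl1}"          # assumed: NIC facing the private LAN
NATD_PORT="${NATD_PORT:-8668}"   # divert port quoted in the thread

# Emit the ruleset, one "ipfw" argument list per line. Each divert rule is
# bound to one direction on the external interface, so a packet is handed
# to natd once on the way in and once on the way out, never twice in the
# same pass.
gateway_rules() {
    cat <<EOF
add 00100 allow ip from any to any via lo0
add 00200 divert ${NATD_PORT} ip from any to any in via ${EXT_IF}
add 00300 divert ${NATD_PORT} ip from any to any out via ${EXT_IF}
add 00400 allow ip from any to any via ${INT_IF}
add 00500 allow ip from any to any
EOF
}

# Count divert rules that have neither an "in" nor an "out" keyword.
# Takes the ruleset text as its single argument; prints 0 for a clean set.
count_undirected_diverts() {
    printf '%s\n' "$1" | grep 'divert' | grep -v -E ' (in|out) ' | grep -c . || true
}

# Apply only when the lint passes; "ipfw -q" itself is not invoked here so
# the script can be run on any host to inspect the rules first.
main() {
    rules=$(gateway_rules)
    if [ "$(count_undirected_diverts "$rules")" -ne 0 ]; then
        echo "refusing to load: divert rule without in/out qualifier" >&2
        return 1
    fi
    printf '%s\n' "$rules"
}

[ "${0##*/}" = "gateway_rules.sh" ] && main
```

To load the rules on the gateway, pipe the output through `ipfw -q` line by line (for example `gateway_rules | while read r; do ipfw -q $r; done`) after flushing the existing set; the lint is deliberately a separate function so it can be reused against any ruleset text, including a hand-written one like the single rule quoted in the thread.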