From owner-freebsd-questions@FreeBSD.ORG Fri Nov 16 16:50:48 2007
From: alexus
To: "Steve Bertrand"
Cc: freebsd-questions@freebsd.org
Date: Fri, 16 Nov 2007 11:50:47 -0500
Subject: Re: multihome network
Message-ID: <6ae50c2d0711160850x14df83c8nf278d995936349a7@mail.gmail.com>
In-Reply-To: <473DA109.6020707@ibctech.ca>
References: <6ae50c2d0711152118h2f2a9989q2b39eba077154041@mail.gmail.com> <20071116063832.GB4164@saraswathy.susmita.org> <473DA109.6020707@ibctech.ca>
List-Id: User questions

My private IP, which eventually resolves to a public IP through the PIX, is different than the one coming from my other public IP that is assigned on my fxp1, which comes from another ISP. The fxp1 IP is already configured this way so it passes everything to my box.

What I've tried is adding a route on my box:

route add 216.112.241.24 216.112.241.25 255.255.255.248

Still no go :(

On Nov 16, 2007 8:54 AM, Steve Bertrand wrote:
> Girish Venkatachalam wrote:
> > On 00:18:42 Nov 16, alexus wrote:
> >> Hello,
> >>
> >> I have two NICs on my box, one (primary) connected to a switch and has a
> >> private IP. That IP also has a static route on the Cisco PIX for
> >> accessing this box from outside. The other interface has a public IP
> >> and is connected to another switch. I configure both IPs through
> >> /etc/rc.conf, but I cannot for some reason access my box through that
> >> public IP; no firewall rules would prevent me from doing so. Here is
> >> my output for netstat -rn
> >>
> > -- snip
> >
> > Your default route is 192.168.1.1 and not 216.112.241.24
>
> Yes, but if he changes that, then he won't be able to access the box via
> the PIX (private) connection.
>
> I will make these assumptions, then elaborate:
>
> The box in question is at your office. You are at home trying to access
> it. The connection works by connecting to the public IP of the PIX (that
> gets port-forwarded back), but does not work when accessing the direct
> Internet-facing port.
>
> I'm willing to bet that if you run a tcpdump on your machine at home while
> you are attempting the connection to the 216.112.241.x IP, you will actually
> find that the machine is getting back to you just fine. However, many
> OSes will drop a 'spoofed' packet. Essentially what is likely happening
> is this:
>
> - you send from home a packet to 216.112.241.x.
> - the office router/box accepts it
> - the office router looks up in its routing table a path back to your
>   home IP
> - it has no particular route, so it sends it out the default gateway
>   (192.168.1.1)
> - your PC at home notices that the packet was sent to a destination IP,
>   but it came back from a different one (the outside IP of the PIX)
> - the packet is dropped as the source address is spoofed
>
> There are a couple of ways to fix this. The first and easiest, if you are
> only trying to connect to this box's public IP from one location, is to add
> a static route on the office box to that network that routes to its
> public upstream.
>
> The other way is to utilize policy-based routing. IPFW can do this, and
> (from what I understand) so can PF. (In Cisco-land, you would use a
> route-map).
>
> Steve
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>

--
http://alexus.org/
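The asymmetric return path Steve describes, and the two fixes he names, as an added simulation (not code from the thread): a longest-prefix lookup over a routing table like the one in the question, first with only the default route via the PIX, then with a static route for the remote client's network via the /29 upstream, then with a source-based policy rule (the decision pf's route-to/reply-to or an ipfw fwd rule makes). The home client 203.0.113.7, the upstream gateway 216.112.241.25 and the box's public address 216.112.241.26 are assumed values.

```python
import ipaddress

# Office box as described in the thread: fxp0 on the private LAN behind the
# PIX (default gateway 192.168.1.1), fxp1 on a public /29 from a second ISP.
# The /29's upstream gateway, the box's own public address and the home
# client are constructed values for this example.
UPSTREAM = "216.112.241.25"
PUBLIC_IP = "216.112.241.26"
HOME = "203.0.113.7"

FIB = [  # (destination, gateway or None when directly connected, interface)
    ("192.168.1.0/24", None, "fxp0"),
    ("216.112.241.24/29", None, "fxp1"),
    ("0.0.0.0/0", "192.168.1.1", "fxp0"),
]

def fib_lookup(fib, dst):
    """Longest-prefix match over the routing table; returns (gateway, iface)."""
    best = None
    for net, gw, iface in fib:
        n = ipaddress.ip_network(net)
        if ipaddress.ip_address(dst) in n and (
                best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw, iface)
    return (best[1], best[2]) if best else (None, None)

def reply_egress(src, dst, fib, policy=()):
    """Where the reply src->dst leaves. `policy` holds (source prefix, gateway,
    iface) rules consulted before the FIB: policy-based routing keys the
    next hop on the *source* address instead of the destination."""
    for prefix, gw, iface in policy:
        if ipaddress.ip_address(src) in ipaddress.ip_network(prefix):
            return gw, iface
    return fib_lookup(fib, dst)

def is_symmetric(ingress_iface, src, dst, fib, policy=()):
    """True when the reply leaves on the interface the request arrived on."""
    return reply_egress(src, dst, fib, policy)[1] == ingress_iface

# Fix A (static route): the home client's network goes via the /29 upstream.
FIB_WITH_STATIC = [("203.0.113.0/24", UPSTREAM, "fxp1")] + FIB
# Fix B (policy routing): anything sourced from the /29 goes via the upstream,
# while replies sourced from the private IP still use the PIX.
POLICY = [("216.112.241.24/29", UPSTREAM, "fxp1")]

if __name__ == "__main__":
    # As in the thread: request arrives on fxp1, reply falls to the default
    # route and leaves via the PIX, which rewrites the source address.
    print(reply_egress(PUBLIC_IP, HOME, FIB))               # ('192.168.1.1', 'fxp0')
    print(reply_egress(PUBLIC_IP, HOME, FIB_WITH_STATIC))   # ('216.112.241.25', 'fxp1')
    print(reply_egress(PUBLIC_IP, HOME, FIB, POLICY))       # ('216.112.241.25', 'fxp1')
    print(reply_egress("192.168.1.10", HOME, FIB, POLICY))  # ('192.168.1.1', 'fxp0')
```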