From owner-freebsd-questions Sat Apr 22 1:29:49 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from yoonax.net (cmauch4.wia.com [206.159.17.195]) by hub.freebsd.org (Postfix) with ESMTP id 5456B37B516 for ; Sat, 22 Apr 2000 01:29:43 -0700 (PDT) (envelope-from cpm@yoonax.net)
Received: from xterm2000 (ihost12.yoonax.net [10.0.0.12]) by yoonax.net (8.9.3/8.9.3) with SMTP id BAA00887; Sat, 22 Apr 2000 01:29:24 -0700 (PDT) (envelope-from cpm@yoonax.net)
Reply-To:
From: "Charles Mauch"
To: "Ryan Thompson"
Cc:
Subject: RE: My routes and gates are giving me headaches
Date: Sat, 22 Apr 2000 01:29:04 -0700
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
In-Reply-To:
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Thanks for your help. I had fun toying with some new ideas for a few hours, but I guess I didn't give you guys a good picture of what I was trying to do. See below for the gory details.

> You are correct to run natd on the external interface, but,
> if you wish to enable natd for the 24 network (i.e., you wish to map local
> 10.0.0.0/8 addresses to public 24.0.0.0/8 addresses, you must run natd on
> ep0). Thus, to specify everything explicitly (not always necessary, but
> sometimes helpful):
>
> natd -n ep0 -u -redirect_address 10.0.0.3 24.10.68.155
>
> Note that you can specify more than one redirect_address (by repeating the
> -redirect_address command in a similar manner), but only the LAST internal
> address specified will receive inbound packets from 24.10.68.155.

I'd never used the redirect_address before. Is this static NAT? To tell you the truth, I'm not that interested (yet) in redirecting all ports to the workstations...
I'll keep this email handy though ;)

> natd can be a tricky beast to the unwary, so keep the manpage handy :-)

Tell me about it.

> On the machine(s) that will do web browsing across 24.0.0.0/8, try:
>
> route delete default # ***
> route add default 24.10.68.1
> route add -net 206.154.19.128/25 206.154.19.194

We're talking about the web server, right? The browsers will be on 10.0.0.0/8 addresses. In any case, that route didn't do much except disable the ISDN side and turn the cable modem side back on. Now, if we're talking about the client side, it appeared to work. But anything hitting anything in that /28 wasn't sending responses back.

> Always run netstat -rn to check your routing tables against what they
> should be. Observe the MAC addresses and check against ifconfig -a to
> verify that the routes are going through the correct interfaces.
> tcpdump(1) is also your friend.

Everything looks kosher actually. Well, things match up.

> If your setup is the reverse, or if you are trying to share IPs in a weird
> way, you may want port based nat. You MAY want to run a web proxy on your
> 24.0.0.0/8 machine. Also, please forgive any errors in syntax. This is
> all off the top of my head.

I've run Squid+Junkbuster for quite some time. Saves that expensive ISDN bandwidth, kills cookies. Gotta like ;)

> Different setups will probably be required depending on the role of the
> machine(s) in question. For instance, a machine that serves web requests
> on port 80 AND browses, on two different networks, will require some
> massaging of routes to ensure that the correct requests originate and
> travel through the correct networks--port based NAT won't work in the
> way you might expect.

My route tables are certainly tense, they need a good massage. ;)

> If this doesn't appear to help, please reply with a specific explanation
> of how your network is set up (i.e., which computers are connected to what,
> and which addresses (internal and external) belong to each interface).
> Output of netstat -rn, ifconfig -a and any relevant configuration
> information that you might not have already stated will help us.

Okay, I'll lay out the goodies below.

This is how I would like it to look:

    Workstation (10.0.0.12) ----- HUB ----- Other Workstations
                                   |
        >>---------->>-------------|
        <<--------------<<---------|-----  client usage, no services
                                   |
                                 (fxp0)            <<------ Internet Services -----
        <<----------<<-------------|
        <<--------------<<---------|
                              -----------
    Cable Modem -- (ep0) -- | FreeBSD |-- (fxp1) --- Cisco 700 -- ISP
                              -----------

And this is how it currently stands:

    Workstation (10.0.0.12) ----- HUB ----- Other Workstations
                                   |
                                   |   This side is IDLE
                                 (fxp0)         ALL TRAFFIC GOES THROUGH ISDN
                                   |
                              -----------
    Cable Modem -- (ep0) -- | FreeBSD |-- (fxp1) --- Cisco 700 -- ISP
                              -----------

As I've tried to illustrate in my own primitive way, internal mail and web browsing should go out the left hand side and leave via the cable modem (ep0). Incoming Internet mail and web traffic should come in from the right hand side and leave via fxp1 and the ISDN router.

Below is my current configuration. At this point, the cable modem is just sitting there doing nothing. I can ping the cable modem's router, and if I reset my ipfw divert rule, natd, and default route, the cable modem works fine - while dumping the ISDN side.
Here's a table of values ;)

    Interface | Role        | Address        | Netmask               | Gateway
    host      | Workstation | 10.0.0.12      | /24 - 255.255.255.0   | 10.0.0.2
    fxp0      | Into Hub    | 10.0.0.2       | /24 - 255.255.255.0   | no gateway
    fxp1      | ISDN Router | 206.159.17.195 | /28 - 255.255.255.240 | 206.159.17.194
    ep0       | Cable Modem | 24.5.78.155    | /24 - 255.255.255.0   | 24.5.78.1

netstat -rn

    Routing tables

    Internet:
    Destination        Gateway            Flags     Refs     Use     Netif Expire
    default            206.159.17.194     UGSc       68      128     fxp1
    10/24              link#1             UC          0        0     fxp0
    10.0.0.12          0:a0:4b:7:43:4     UHLW        5      255     fxp0   1110
    10.0.0.255         ff:ff:ff:ff:ff:ff  UHLWb       1       65     fxp0
    24.5.78/24         link#3             UC          0        0     ep0
    24.5.78.155        0:50:4:19:14:75    UHLW        1       44     lo0
    24.5.78.255        ff:ff:ff:ff:ff:ff  UHLWb       4      113     ep0
    127.0.0.1          127.0.0.1          UH         11       27     lo0
    206.159.17.192/28  link#2             UC          0        0     fxp1
    206.159.17.194     0:40:f9:17:20:fe   UHLW       69        0     fxp1    836
    206.159.17.195     0:8:c7:45:3:3      UHLW        3      297     lo0
    206.159.17.207     ff:ff:ff:ff:ff:ff  UHLWb       0       15     fxp1

ifconfig -a

    fxp0: flags=8843 mtu 1500
            inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
            ether 00:a0:c9:55:2c:2c
            media: autoselect (10baseT/UTP) status: active
            supported media: autoselect 100baseTX 100baseTX 10baseT/UTP 10baseT/UTP
    fxp1: flags=8843 mtu 1500
            inet 206.159.17.195 netmask 0xfffffff0 broadcast 206.159.17.207
            ether 00:08:c7:45:03:03
            media: autoselect (10baseT/UTP) status: active
            supported media: autoselect 100baseTX 100baseTX 10baseT/UTP 10baseT/UTP
    ep0: flags=8843 mtu 1500
            inet 24.5.78.155 netmask 0xffffff00 broadcast 24.5.78.255
            ether 00:50:04:19:14:75
    lo0: flags=8049 mtu 16384
            inet 127.0.0.1 netmask 0xff000000

If you can do anything with this info, that'd be great. ;) I'll keep playing on my side too. Thanks.

---
Charles Mauch / cpm@yoonax.net
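The advice quoted above (always check `netstat -rn` against what the routes should be) can be mechanised. The following is an added example, not code from either poster: it parses the `netstat -rn` output exactly as posted in this message and answers "which interface and gateway will a packet to address X leave through?" using the same longest-prefix-match rule the kernel applies. Run against the posted table it shows the symptom described in the diagrams: only 24.5.78.0/24 itself leaves via ep0, while every other non-local destination follows the default route out fxp1 to the ISDN router. The destination addresses used in the lookups are constructed for illustration; the parsing of BSD's abbreviated destinations (`10/24` meaning 10.0.0.0/24) is an assumption about the format shown here, not a general netstat parser.

```python
"""Resolve egress interface and gateway from a posted FreeBSD `netstat -rn`.

Added example (not part of the original mailing-list post). Standard library only.
"""
import ipaddress

# Routing table copied from the post above (FreeBSD netstat -rn, IPv4 section).
NETSTAT_RN = """\
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            206.159.17.194     UGSc       68      128     fxp1
10/24              link#1             UC          0        0     fxp0
10.0.0.12          0:a0:4b:7:43:4     UHLW        5      255     fxp0   1110
10.0.0.255         ff:ff:ff:ff:ff:ff  UHLWb       1       65     fxp0
24.5.78/24         link#3             UC          0        0     ep0
24.5.78.155        0:50:4:19:14:75    UHLW        1       44     lo0
24.5.78.255        ff:ff:ff:ff:ff:ff  UHLWb       4      113     ep0
127.0.0.1          127.0.0.1          UH         11       27     lo0
206.159.17.192/28  link#2             UC          0        0     fxp1
206.159.17.194     0:40:f9:17:20:fe   UHLW       69        0     fxp1    836
206.159.17.195     0:8:c7:45:3:3      UHLW        3      297     lo0
206.159.17.207     ff:ff:ff:ff:ff:ff  UHLWb       0       15     fxp1
"""


def parse_destination(dest):
    """Turn a netstat Destination field into an IPv4Network.

    'default' is 0.0.0.0/0; '10/24' is BSD shorthand for 10.0.0.0/24 (trailing
    zero octets are dropped); a bare address is a host route (/32).
    """
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in dest:
        addr, plen = dest.split("/")
        octets = addr.split(".")
        octets += ["0"] * (4 - len(octets))  # re-expand abbreviated network
        return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)
    return ipaddress.ip_network(dest + "/32")


def parse_netstat_rn(text):
    """Return a list of (network, gateway, flags, netif) from the 'Internet:' section."""
    routes = []
    in_inet = False
    for line in text.splitlines():
        if line.startswith("Internet:"):
            in_inet = True
            continue
        if not in_inet or not line.strip() or line.startswith("Destination"):
            continue
        fields = line.split()
        # Columns: Destination Gateway Flags Refs Use Netif [Expire]
        routes.append((parse_destination(fields[0]), fields[1], fields[2], fields[5]))
    return routes


def lookup(routes, addr):
    """Longest-prefix match: the most specific route containing addr wins."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, gw, flags, netif in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, flags, netif)
    return best


def egress_interface(routes, addr):
    """Interface a packet to addr leaves on, or None if nothing matches."""
    match = lookup(routes, addr)
    return match[3] if match else None


def default_interface(routes):
    """Interface carrying the default route; this is where the cable/ISDN choice is made."""
    return egress_interface(routes, "0.0.0.0")


ROUTES = parse_netstat_rn(NETSTAT_RN)

if __name__ == "__main__":
    # Constructed sample destinations: LAN host, cable gateway, ISDN gateway, arbitrary Internet host.
    for dst in ("10.0.0.12", "24.5.78.1", "206.159.17.194", "1.2.3.4"):
        net, gw, flags, netif = lookup(ROUTES, dst)
        print(f"{dst:16} -> {netif:5} via {gw:18} (matched {net}, flags {flags})")
    print("default route leaves via", default_interface(ROUTES))
```

The check worth keeping from this is `default_interface`: with the posted table it answers `fxp1`, which is exactly why the cable modem side sits idle. Any plan that sends LAN-originated traffic out ep0 while keeping inbound services reachable over fxp1 has to change which route the 10/24 clients' packets match, either by moving the default route to 24.5.78.1 and adding a specific route for the 206.159.17.192/28 block (as Ryan suggested), or by marking the traffic so that the forwarding decision is made on something other than destination address alone.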