Date:      Sat, 22 Apr 2000 01:29:04 -0700
From:      "Charles Mauch" <cpm@yoonax.net>
To:        "Ryan Thompson" <ryan@sasknow.com>
Cc:        <freebsd-questions@FreeBSD.ORG>
Subject:   RE: My routes and gates are giving me headaches
Message-ID:  <NDBBJECCALJAGLIEMPKIAELBCMAA.cpm@yoonax.net>
In-Reply-To: <Pine.BSF.4.21.0004212257460.18268-100000@ren.sasknow.com>

Thanks for your help, I had fun toying with some new ideas for a few hours,
but I guess I didn't give you guys a good picture of what I was trying to
do.  See down for the gory details.

> You are correct to run natd on the external interface, but,
> if you wish to enable natd for the 24 network (i.e, you wish to map local
> 10.0.0.0/8 addresses to public 24.0.0.0/8 addresses, you must run natd on
> ep0).  Thus, to specify everything explicitly (not always necessary, but
> sometimes helpful):
>
> natd -n ep0 -u -redirect_address 10.0.0.3 24.10.68.155
>
> Note that you can specify more than one redirect_address (by repeating the
> -redirect_address command in a similar manner), but only the LAST internal
> address specified will receive inbound packets from 24.10.68.155.

I'd never used the redirect_address before.  Is this static NAT?  To tell
you the truth, I'm not that interested (yet) in redirecting all ports to the
workstations...  I'll keep this email handy though ;)

> natd can be a tricky beast to the unwary, so keep the manpage handy :-)

Tell me about it.

> On the machine(s) that will do web browsing across 24.0.0.0/8, try:
>
> route delete default		# ***
> route add default 24.10.68.1
> route add -net 206.154.19.128/25 206.154.19.194

We're talking about the web server, right?  The browsers will be on
10.0.0.0/8 addresses.  In any case, that route didn't do much except disable
the ISDN side and turn the cable modem side back on.  Now, if we're talking
about the client side, it appeared to work.  But anything hitting anything
in that /28 wasn't sending responses back.

> Always run netstat -rn to check your routing tables against what they
> should be.  Observe the MAC addresses and check against ifconfig -a to
> verify that the routes are going through the correct interfaces.
> tcpdump(1) is also your friend.

Everything looks kosher actually.  Well, things match up.

> If your setup is the reverse, or if you are trying to share IPs in a weird
> way, you may want port based nat.  You MAY want to run a web proxy on your
> 24.0.0.0/8 machine.  Also, please forgive any errors in syntax.  This is
> all off the top of my head.

I've run Squid+Junkbuster for quite some time.  Saves that expensive ISDN
bandwidth, kills cookies.  Gotta like ;)


> Different setups will probably be required depending on the role of the
> machine(s) in question.  For instance, a machine that serves web requests
> on port 80 AND browses, on two different networks, will require some
> massaging of routes to ensure that the correct requests originate and
> travel through the correct networks--port based NAT won't work in the
> way you might expect.

My route tables are certainly tense, they need a good massage. ;)

> If this doesn't appear to help, please reply with a specific explanation
> of how your network is set up (i.e., which computers are connected to what,
> and which addresses (internal and external) belong to each interface).
> Output of netstat -rn, ifconfig -a and any relevant configuration
> information that you might not have already stated will help us.

Okay, I'll lay out the goodies below.  This is how I would like it to look.

        Workstation (10.0.0.12) ----- HUB ----- Other Workstations
                                       |
    >>---------->>--------------       |      <<--------------<<--------------
      client usage, no services |    (fxp0)  <<------ Internet Services -----
    <<----------<<--------------       |      <<--------------<<--------------
                                  -----------
          Cable Modem -- (ep0) -- | FreeBSD |-- (fxp1) --- Cisco 700 -- ISP
                                  -----------

And this is how it currently stands:

        Workstation (10.0.0.12) ----- HUB ----- Other Workstations
                                       |
                                       |
             This side is IDLE       (fxp0)     ALL TRAFFIC GOES THROUGH ISDN
                                       |
                                  -----------
          Cable Modem -- (ep0) -- | FreeBSD |-- (fxp1) --- Cisco 700 -- ISP
                                  -----------

As I've tried to illustrate in my own primitive way, Internal Mail and Web
Browsing should go out the left hand side and leave out the Cable Modem
(ep0).

Incoming Internet Mail and Web traffic should come in from the right hand
side and leave via fxp1 and the ISDN Router.

Below is my current configuration.  At this point, the cable modem is just
sitting there doing nothing.  I can ping the cable modem's router, and if I
reset my ipfw divert rule, natd, and default route, the cable modem works
fine - while dumping the ISDN side.

Here's a table of values ;)

iface | connects to  | address        | netmask               | gateway
host  | Workstation  | 10.0.0.12      | /24 - 255.255.255.0   | 10.0.0.2
fxp0  | Into Hub     | 10.0.0.2       | /24 - 255.255.255.0   | no gateway
fxp1  | ISDN Router  | 206.159.17.195 | /28 - 255.255.255.240 | 206.159.17.194
ep0   | Cable Modem  | 24.5.78.155    | /24 - 255.255.255.0   | 24.5.78.1

netstat -rn

Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            206.159.17.194     UGSc       68      128     fxp1
10/24              link#1             UC          0        0     fxp0
10.0.0.12          0:a0:4b:7:43:4     UHLW        5      255     fxp0   1110
10.0.0.255         ff:ff:ff:ff:ff:ff  UHLWb       1       65     fxp0
24.5.78/24         link#3             UC          0        0      ep0
24.5.78.155        0:50:4:19:14:75    UHLW        1       44      lo0
24.5.78.255        ff:ff:ff:ff:ff:ff  UHLWb       4      113      ep0
127.0.0.1          127.0.0.1          UH         11       27      lo0
206.159.17.192/28  link#2             UC          0        0     fxp1
206.159.17.194     0:40:f9:17:20:fe   UHLW       69        0     fxp1    836
206.159.17.195     0:8:c7:45:3:3      UHLW        3      297      lo0
206.159.17.207     ff:ff:ff:ff:ff:ff  UHLWb       0       15     fxp1

ifconfig -a

fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
	ether 00:a0:c9:55:2c:2c
	media: autoselect (10baseT/UTP) status: active
	supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP

fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 206.159.17.195 netmask 0xfffffff0 broadcast 206.159.17.207
	ether 00:08:c7:45:03:03
	media: autoselect (10baseT/UTP) status: active
	supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP

ep0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 24.5.78.155 netmask 0xffffff00 broadcast 24.5.78.255
	ether 00:50:04:19:14:75

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet 127.0.0.1 netmask 0xff000000

If you can do anything with this info, that'd be great. ;)  I'll keep
playing on my side too.

Thanks.

---
Charles Mauch / cpm@yoonax.net
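The check Ryan recommends in the quoted reply (run netstat -rn and verify which interface each route goes through) can be automated against a saved table. What follows is an added example written for this archive page, not code from either poster: it parses the netstat -rn output posted above (embedded here as sample input, copied from the message), resolves a destination by longest-prefix match, reports the interface a packet would leave by, and compares that with the interface a local address is attached to, which is the asymmetric-path situation the message describes. The function names and the documentation-range address 198.51.100.7 used as a stand-in remote host are the example's own assumptions.

```python
import ipaddress

# netstat -rn output as posted in the message above (FreeBSD 4.x format),
# embedded as constructed sample input so the example runs offline.
NETSTAT_RN = """\
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            206.159.17.194     UGSc       68      128     fxp1
10/24              link#1             UC          0        0     fxp0
10.0.0.12          0:a0:4b:7:43:4     UHLW        5      255     fxp0   1110
10.0.0.255         ff:ff:ff:ff:ff:ff  UHLWb       1       65     fxp0
24.5.78/24         link#3             UC          0        0      ep0
24.5.78.155        0:50:4:19:14:75    UHLW        1       44      lo0
24.5.78.255        ff:ff:ff:ff:ff:ff  UHLWb       4      113      ep0
127.0.0.1          127.0.0.1          UH         11       27      lo0
206.159.17.192/28  link#2             UC          0        0     fxp1
206.159.17.194     0:40:f9:17:20:fe   UHLW       69        0     fxp1    836
206.159.17.195     0:8:c7:45:3:3      UHLW        3      297      lo0
206.159.17.207     ff:ff:ff:ff:ff:ff  UHLWb       0       15     fxp1
"""


def parse_destination(dest):
    """Turn a BSD netstat destination column into an ip_network.

    BSD abbreviates network addresses by dropping trailing zero octets
    ("10/24" is 10.0.0.0/24); host entries carry no prefix length.
    """
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in dest:
        addr, plen = dest.split("/")
    else:
        addr, plen = dest, "32"
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)


def parse_routes(text):
    """Parse the Internet section of netstat -rn into a list of route dicts."""
    routes = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Destination"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # not a route line
        dest, gateway, flags, _refs, _use, netif = fields[:6]
        routes.append({"net": parse_destination(dest), "gateway": gateway,
                       "flags": flags, "netif": netif})
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the kernel forwarding lookup would do it."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r["net"] and (best is None or r["net"].prefixlen > best["net"].prefixlen):
            best = r
    return best


def egress_interface(routes, dst):
    """Interface a packet to dst would leave by, or None if unroutable."""
    r = lookup(routes, dst)
    return r["netif"] if r else None


def attached_interface(routes, local_addr):
    """Interface whose directly connected (link#) route covers local_addr."""
    addr = ipaddress.ip_address(local_addr)
    for r in routes:
        if r["gateway"].startswith("link#") and addr in r["net"]:
            return r["netif"]
    return None


def reply_path(routes, local_addr, remote_addr):
    """(interface a packet for local_addr arrives on, interface the reply leaves by).

    A mismatch is the asymmetric routing the message describes: traffic to
    the cable-modem address comes in on ep0, replies follow default via fxp1.
    """
    return attached_interface(routes, local_addr), egress_interface(routes, remote_addr)


if __name__ == "__main__":
    table = parse_routes(NETSTAT_RN)
    for local in ("24.5.78.155", "206.159.17.195"):
        print(local, "->", reply_path(table, local, "198.51.100.7"))
```

Run against the posted table, every destination outside the three connected subnets resolves to the default route via 206.159.17.194 on fxp1, and a connection arriving for 24.5.78.155 on ep0 would have its replies leave on fxp1, which matches the "ep0 idle, all traffic through ISDN" picture in the message. Policy decisions such as which uplink should carry which traffic are not expressible in this table alone, so the example stops at showing what the kernel would do with it.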


