From owner-freebsd-questions Fri Jun 30 11:20:42 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.norlight.com (mail.norlight.com [207.170.3.35]) by hub.freebsd.org (Postfix) with ESMTP id 3D4BA37C36F; Fri, 30 Jun 2000 11:20:36 -0700 (PDT) (envelope-from HRyu@norlight.com)
Received: from lotus.norlight.com (lotus [89.87.145.18]) by mail.norlight.com (8.9.3/8.9.3) with ESMTP id NAA10886; Fri, 30 Jun 2000 13:20:33 -0500
Subject: Re: Dual Nic Firewall Configuration Woes
To:
Cc: freebsd-questions@FreeBSD.ORG, owner-freebsd-questions@FreeBSD.ORG
X-Mailer: Lotus Notes Release 5.0.3 March 21, 2000
Message-ID:
From: "Hyunseog Ryu"
Date: Fri, 30 Jun 2000 13:20:35 -0500
X-MIMETrack: Serialize by Router on Lotus/Norlight(Release 5.0.4 |June 8, 2000) at 06/30/2000 01:20:34 PM
MIME-Version: 1.0
Content-type: text/plain; charset=us-ascii
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi, Jeff

Do you want to use this machine as a firewall? If so, you have to give different subnets to the two NICs? In the example, you use 10.10.10.34 for de0 and 10.10.10.35 for de1. If you assign IP addresses that belong to the same subnet, the kernel only recognizes one interface.

  |---------------------------------------------------------+-----------------------|
  |            Internet Router 10.10.10.33 /255.255.255.224                         |
  |------------------+---------------------------------------+-------------------|
  |  10.10.10.32/27 network    10.10.10.34 (de0) Machine 10.10.10.35 (de1)         |
  |-----------------+--------------------------------|
                        Inside protected network

If somebody sends a packet to your inside protected network from the Internet, the router will try to send the packet to 10.10.10.35 directly. It doesn't go through the Machine. ;>

I'm not sure whether I explained it well. But if you want to use this machine for a firewall, you have to assign an IP address that is different from the other network interface in the firewall.
;>

Hyun

Sent by: owner-freebsd-questions@FreeBSD.ORG
cc: (bcc: Hyunseog Ryu/Brookfield/Norlight)
Subject: Dual Nic Firewall Configuration Woes
06/30/2000 12:41 PM
Please respond to jeff

Good afternoon FreeBSD'ers

I am in the process of creating a firewall using a small P-133 with (2) Netgear cards (shown as de0 and de1) and FreeBSD 4.0. I am creating this firewall as a drop-in replacement for an ailing rackmount appliance firewall.

My problem is as follows: the subnet range from the ethernet side of the router is 255.255.255.224 (since there are only a handful of workstations to be secured).

***Note that I am using real IPs, not 10.10.10.x***
***10.10.10.x is for example only***

The current firewall has 10.10.10.34 as the external (non-trusted) interface and 10.10.10.35 as the trusted side of the interface. The router ethernet port is 10.10.10.33 and is configured as the default gateway for the firewall.

I have tried to configure the FreeBSD system as follows:

  ifconfig_de0="inet 10.10.10.34 netmask 255.255.255.224"
  ifconfig_de1="inet 10.10.10.35 netmask 255.255.255.224"
  default_gateway="10.10.10.33"
  gateway_enable="yes"

option BRIDGING has been added to my kernel configuration.

Once the system has been rebooted, I can only ping de0; if I shut down de0 then de1 is pingable, but not both at the same time. This, as you can imagine, is very frustrating to the development of my firewall.

Any help and guidance from anyone familiar with the design of firewalls using FreeBSD would be very welcome.

Thank you in advance.

Jeff
jeff@digiman.org
www.digiman.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
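The same-subnet overlap Hyun points out in Jeff's rc.conf, as an added example that is not part of either message: a small POSIX sh check that computes the network address of each interface's address/netmask pair and reports when two NICs land in the same subnet, which is the configuration the reply says the kernel will collapse onto a single interface. The 192.168.1.0/24 address used for the corrected inside NIC is an assumed replacement, not a value from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): detect two interfaces configured
# into one IP subnet, the de0/de1 problem described above.

# Convert a dotted-quad address or mask to a 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Print the network address (address AND mask) in dotted-quad form.
net_of() {
    n=$(( $(ip2int "$1") & $(ip2int "$2") ))
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# Exit 0 if addr1/mask1 and addr2/mask2 share a subnet, 1 otherwise.
same_subnet() {
    [ "$(net_of "$1" "$2")" = "$(net_of "$3" "$4")" ]
}

# Jeff's posted values: both NICs fall into 10.10.10.32/27, so they overlap.
if same_subnet 10.10.10.34 255.255.255.224 10.10.10.35 255.255.255.224; then
    echo "de0 and de1 overlap: only one interface will answer"
fi

# Corrected layout (assumed values): de1 moved to its own inside network.
if ! same_subnet 10.10.10.34 255.255.255.224 192.168.1.1 255.255.255.0; then
    echo "ok: de0 and de1 are on distinct subnets"
fi
```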