From: "Ted Mittelstaedt"
To: "Doug Poland",
Date: Tue, 25 Jan 2005 23:04:37 -0800
In-Reply-To: <20050126024201.GA49980@polands.org>
Subject: RE: Running public IP's inside an RFC 1597 network
List-Id: User questions

owner-freebsd-questions@freebsd.org wrote:
> Hello,
>
> I'm running a typical Class C RFC 1597 network in my lab. What I want
> to do is create another network, accessible from my private addresses,
> that uses public IPs. The public IPs exist in the wild but I want to have
> an isolated environment where I can test what happens in public space, in
> my lab, before I deploy changes.
>

Hoo boy. OK, first of all, an IP is an IP is an IP. Machines don't know
or care if we humans designate a subnet as public or private.

In any case you cannot have 'public' IPs 'inside' a private IP subnet,
unless there's some tunnel connection from the public network on the
inside to the real outside Internet.

> All the machines in question are running 5.3-STABLE.
>
> What I've set up so far are two test servers, host1 (H1) and host2 (H2)
> with public IPs, and a gateway (GW) machine with one public IP and one
> private IP. All three machines are on a switch, the gateway has two
> NICs, one on the public switch and one on the private switch.
>
> e.g.,
>
>        External IP          Internal IP     Defaultrouter IP
>        -------------------  --------------  ----------------
> GW     123.456.789.1/24     10.20.30.40/24  10.20.30.1
> H1     123.456.789.154/24                   123.456.789.1
> H2     123.456.789.161/24                   123.456.789.1
>
>
> I can ping between the 3 "public" IPs fine until I turn on the GW
> interface with the private IP. At that point, the GW cannot ping the
> two "public" servers.
>

Impossible. Or, more accurately, if the GW is correctly configured it
doesn't work this way. A default route such as:

    0.0.0.0 0.0.0.0 -> 10.20.30.1

is the absolute most general route there is for a machine. ANY route
other than another default is more specific than it, and thus will take
priority.

In a correctly configured system, when you define an interface such as
123.456.789.1/24, the system automatically creates a /24 route for the
123.456.789.0 subnet that points out that interface. This route is
-more specific- than the default, thus ANY IP that has a prefix that
matches this subnet will follow the more specific route and be routed
out of the interface. This is a fundamental property of any host.

You aren't saying how you're 'turning on' the GW interface. If you have
NOT defined gateway_enable="YES" in the /etc/rc.conf file then it might
be possible to get funny behavior like this if you have multiple
interfaces active in the system. Or, if you turn on the firewall with a
restricted set of access lists, same thing.

> Obviously I'll need NAT'ing from the GW to H1 and H2 if I want packets
> from other hosts on my private network to see the "public" servers.

Incorrect. All you need is a route in the 10.20.30.1 router for
123.456.789.0/24 pointing back to 10.20.30.40. Since all the hosts on
123.456.789.0/24 know to use 123.456.789.1 as their default gateway, and
that machine knows where 10.20.30.0/24 is, routing works normally.

> What I can't figure out is how to tell my GW machine that packets
> destined for the 123.456.789.0/24 network are to go through my other
> NIC, not out through the GW's default router.
>

It is more useful to stand this question on its head. Ask yourself, how
can you PREVENT packets from just naturally going out the 123.456.789.1
interface that have a destination prefix of 123.456.789?

> I hope I've explained the situation clearly. Googling and reading the
> friendly manuals has not revealed a solution to me.

Well, what you're trying to do is, as they say, pointless, which is why
nobody does it, which is why it's not documented.

Why don't you tell us what you REALLY are trying to accomplish? What
exactly does a 'public space' have that you need to test on that a
'private space' doesn't, and why are you under the impression that it
will continue to remain a 'public space' the second you isolate it?

Ted
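Ted's argument, that the connected /24 route always beats the default route and that the only missing piece is a return route on the 10.20.30.1 router plus gateway_enable="YES" on GW, modelled as a small longest-prefix-match simulation. This is an added example, not code from the thread; the post's fictional 123.456.789.0/24 is not valid IPv4, so 203.0.113.0/24 (TEST-NET-3) stands in for it, and the interface names and outside address are assumptions.

```python
import ipaddress

# Constructed model of the lab in the thread. 203.0.113.0/24 (TEST-NET-3)
# replaces the post's fictional 123.456.789.0/24; interface names em0/em1
# and the outside address 198.51.100.7 are assumptions.
PUBLIC = ipaddress.ip_network("203.0.113.0/24")    # the "public" lab subnet
PRIVATE = ipaddress.ip_network("10.20.30.0/24")    # the RFC 1597 subnet
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
H1 = "203.0.113.154"
OUTSIDE = "198.51.100.7"

def lookup(routes, dst):
    """Longest-prefix match: of all routes covering dst, the one with the
    longest mask wins, so a connected /24 always beats the /0 default."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, via) for net, via in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]

# GW: the two /24 connected routes are created automatically when the
# interfaces are configured; only the default route comes from defaultrouter.
GW = {
    "addrs": {"203.0.113.1", "10.20.30.40"},
    "routes": [(DEFAULT, "10.20.30.1"), (PUBLIC, "em0"), (PRIVATE, "em1")],
}

# The lab router 10.20.30.1 after adding the static route Ted suggests,
# so traffic for the "public" subnet goes to GW instead of upstream.
ROUTER = {
    "addrs": {"10.20.30.1"},
    "routes": [(DEFAULT, "upstream"), (PRIVATE, "em0"), (PUBLIC, "10.20.30.40")],
}

def forward(node, dst, gateway_enable):
    """What a FreeBSD host does with a packet for dst: deliver it locally,
    forward it via the best route, or drop it because gateway_enable="NO"
    leaves net.inet.ip.forwarding at 0."""
    if dst in node["addrs"]:
        return "local"
    if not gateway_enable:
        return "dropped: forwarding disabled"
    return lookup(node["routes"], dst)

def private_to_h1_path(gateway_enable):
    """Hops a packet from a 10.20.30.0/24 client takes to reach H1."""
    first = forward(ROUTER, H1, True)            # router hands it to GW
    second = forward(GW, H1, gateway_enable)     # GW forwards or drops it
    return [first, second]
```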