From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Organization: Infracaninophile
Date: Sat, 09 Jun 2007 14:35:25 +0100
To: dzalewski@open-craft.com
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD arp proxy
Message-ID: <466AAC9D.6090001@infracaninophile.co.uk>
In-Reply-To: <200706091556.53631.dzalewski@open-craft.com>

Dominik Zalewski wrote:
> Dear All,
>
> I have a problem configuring routing. Here is how my setup looks:
>
> Internet - - - ADSL modem (bridge mode) - - - FreeBSD BOX - - - - - - - Switch - - - - - - - Server 1
>                IPOA: 196.218.x.97            vr1: 196.218.x.98            |              bge0: 196.218.x.100
>                                                                            |
>                                                                            |
>                                                                            |
>                                                                         Server 2
>                                                                         eth0: 196.218.x.101
>
> The idea is to give public IPs to servers behind the FreeBSD firewall. I
> don't want to assign IP addresses to the FreeBSD BOX and use binat. I
> want the servers to have the IPs assigned to their interfaces so I can reach
> them directly from the internet.
>
> Someone told me that I have to use arp proxy. As I know, FreeBSD has a
> built-in arp proxy using the userland arp utility.
>
> When I added "arp -s 196.218.x.100 mac_address_of_server1 perm pub", I
> still couldn't reach 196.218.x.100.
>
> Of course I will have to add: no nat on $ext_if from { 10.0.0.3,
> 10.0.0.7 } to any .

The usual solution to this sort of problem is to divide up your allocated
range of IP numbers into subnets and set up your firewall to route one or
more of those subnets to the machines behind it. However, given the numbers
you quote I suspect that your network allocation is 196.218.x.96/29 -- which
gives you a network address (.96), 6 host addresses (.97 -- .102) and a
broadcast address (.103). As you'd need to sacrifice two more of those
addresses to divide the range into two /30 blocks, and you need three host
IPs for your back-end network, that isn't going to be feasible.

It might be possible to reduce this idea to its ultimate level and set up
individual host routes to each of the back-end servers on the FreeBSD
firewall:

    route add -host 196.218.x.101 -interface 12.34.56.78

where 12.34.56.78 should be replaced by the IP of the interface plugged into
your back-end switch. '12.34.56.78' should be on a different network than
192.218.x.96/29 -- so just grab something out of the RFC1918 address space.
While you're about it, you will probably find it helps to give your back-end
servers all RFC1918 addresses with the routable 192.218.x.96/29 addresses as
aliases on the interfaces.

You'd need to generate equivalent host routes for each of your back-end
hosts, and you'd need an equivalent host route on the back-end machines to
reach the firewall:

    route add -host 192.168.x.97 12.34.56.78

as well as setting 12.34.56.78 as the 'defaultrouter' in /etc/rc.conf.

Warning: completely untested. Should work in theory, but...

Cheers,

Matthew

- --
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
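As an added example that is not part of the thread, the following Python turns Matthew's subnet arithmetic and host-route suggestion into checks and rc.conf fragments. The addresses (203.0.113.96/29 and 10.0.0.x) are constructed stand-ins for the 196.218.x.96/29 block and the RFC1918 address he leaves to the reader; the rc.conf variables used (static_routes, route_<name>, ifconfig_<if>_alias0, defaultrouter) are the standard FreeBSD ones.

```python
# Added example (not from the thread): the reply's reasoning as code.
# 203.0.113.96/29 (TEST-NET-3) and 10.0.0.x are constructed placeholders
# for the 196.218.x.96/29 block and the RFC1918 back-end network.
import ipaddress


def describe_block(allocation):
    """Network, first usable host, last usable host and broadcast of a block."""
    net = ipaddress.ip_network(allocation, strict=True)
    hosts = list(net.hosts())
    return (str(net.network_address), str(hosts[0]), str(hosts[-1]),
            str(net.broadcast_address))


def subnet_split_feasible(allocation, backend_hosts_needed, new_prefix):
    """Would splitting the block into /new_prefix subnets leave one subnet with
    enough usable hosts for the back end?  Returns (feasible, usable_per_subnet)."""
    net = ipaddress.ip_network(allocation, strict=True)
    sub = next(net.subnets(new_prefix=new_prefix))
    usable = max(sub.num_addresses - 2, 0)   # minus network and broadcast
    return usable >= backend_hosts_needed, usable


def firewall_rc_conf(backend_public_ips, fw_backend_ip):
    """rc.conf lines for the firewall: one -host route per back-end server,
    reached directly on the interface that holds fw_backend_ip (RFC1918)."""
    names = [f"srv{i}" for i in range(1, len(backend_public_ips) + 1)]
    lines = [f'static_routes="{" ".join(names)}"']
    for name, ip in zip(names, backend_public_ips):
        lines.append(f'route_{name}="-host {ip} -interface {fw_backend_ip}"')
    return lines


def backend_rc_conf(iface, private_ip, public_ip, fw_public_ip, fw_backend_ip):
    """rc.conf lines for one back-end server: RFC1918 primary address, routable
    address as an alias, default route and a host route back to the firewall."""
    return [
        f'ifconfig_{iface}="inet {private_ip} netmask 255.255.255.0"',
        f'ifconfig_{iface}_alias0="inet {public_ip} netmask 255.255.255.255"',
        f'defaultrouter="{fw_backend_ip}"',
        'static_routes="fw"',
        f'route_fw="-host {fw_public_ip} {fw_backend_ip}"',
    ]


if __name__ == "__main__":
    print(describe_block("203.0.113.96/29"))
    print(subnet_split_feasible("203.0.113.96/29", 3, 30))
    print("\n".join(firewall_rc_conf(["203.0.113.100", "203.0.113.101"], "10.0.0.1")))
    print("\n".join(backend_rc_conf("bge0", "10.0.0.3", "203.0.113.100", "203.0.113.97", "10.0.0.1")))
```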