From: Dominik Zalewski
Organization: OpenCraft
To: freebsd-questions@freebsd.org
Date: Sat, 9 Jun 2007 16:50:37 +0300
Subject: Re: FreeBSD arp proxy

On Saturday 09 June 2007 04:35:25 pm Matthew Seaman wrote:
> Dominik Zalewski wrote:
> > Dear All,
> >
> > I have a problem configuring routing. Here is how my setup looks:
> >
> > Internet - - - ADSL modem (bridge mode) - - - FreeBSD BOX - - - - - - - Switch - - - - - - - Server 1
> >                IPOA: 196.218.x.97             vr1: 196.218.x.98          |                 bge0: 196.218.x.100
> >                                                                           |
> >                                                                           |
> >                                                                           Server 2
> >                                                                           eth0: 196.218.x.101
> >
> > The idea is to give public IPs to servers behind the FreeBSD firewall. I
> > don't want to assign IP addresses to the FreeBSD BOX and use binat. I
> > want the servers to have the IPs assigned to their own interfaces so I can
> > reach them directly from the internet.
> >
> > Someone told me that I have to use arp proxy. As I know FreeBSD has a
> > built-in arp proxy using the userland arp utility.
> >
> > When I added arp -s 196.218.x.100 mac_address_of_server1 perm pub, I
> > still couldn't reach 196.218.x.100.
> >
> > Of course I will have to add: no nat on $ext_if from { 10.0.0.3,
> > 10.0.0.7 } to any.
>
> The usual solution to this sort of problem is to divide up your
> allocated range of IP numbers into subnets and set up your firewall
> to route one or more of those subnets to the machines behind it.
>
> However, given the numbers you quote I suspect that your network
> allocation is 196.218.x.96/29 -- which gives you a network address
> (.96), 6 host addresses (.97 -- .102) and a broadcast address (.103).
> As you'd need to sacrifice two more of those addresses to divide the
> range into two /30 blocks, and you need three host IPs for your back end
> network, that isn't going to be feasible.
>
> It might be possible to reduce this idea to its ultimate level and
> set up individual host routes to each of the back-end servers on the
> FreeBSD firewall:
>
>     route add -host 196.218.x.101 -interface 12.34.56.78
>
> where 12.34.56.78 should be replaced by the IP of the interface
> plugged into your back-end switch. '12.34.56.78' should be on a
> different network than 192.218.x.96/29 -- so just grab something out
> of the RFC1918 address space. While you're about it, you will
> probably find it helps to give your back-end servers all RFC1918
> addresses with the routable 192.218.x.96/29 addresses as aliases on
> the interfaces.
>
> You'd need to generate equivalent host routes for each of your back
> end hosts, and you'd need an equivalent host route on the back-end
> machines to reach the firewall:
>
>     route add -host 192.168.x.97 12.34.56.78
>
> as well as setting 12.34.56.78 as the 'defaultrouter' in /etc/rc.conf.
>
> Warning: completely untested. Should work in theory, but...
>
> Cheers,
>
> Matthew

I bridged vr1 and rl1. Everything seems to work fine :)

Thanks anyway,

Dominik
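The subnet arithmetic in Matthew's reply (why a /29 cannot be cut into two /30s when three back-end hosts are needed) and the per-host route approach he sketches, worked through in Python as an added example; this is not code from the thread or from FreeBSD. It assumes a constructed stand-in prefix, 192.0.2.96/29 from the RFC 5737 documentation range, in place of the thread's 196.218.x.96/29, and a hypothetical RFC 1918 address 10.0.0.1 for the firewall's back-end interface. The route commands are generated as strings for inspection, not executed.

```python
"""Subnet math and host-route generation behind the /29 discussion above.

Added example, not part of the original thread. Addresses are constructed
stand-ins (RFC 5737 TEST-NET-1 and a hypothetical RFC 1918 address).
"""
import ipaddress

# Constructed stand-in for the thread's 196.218.x.96/29.
ALLOCATION = ipaddress.ip_network("192.0.2.96/29")


def describe(net: ipaddress.IPv4Network) -> dict:
    """Network address, usable host range and broadcast for a prefix shorter than /31."""
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
        "usable": len(hosts),
    }


def split_into_halves(net: ipaddress.IPv4Network) -> list:
    """Cut the prefix into two equal sub-blocks (a /29 becomes two /30s)."""
    return list(net.subnets(prefixlen_diff=1))


def addresses_lost_by_splitting(net: ipaddress.IPv4Network) -> int:
    """Usable addresses sacrificed to the second block's own network and broadcast."""
    before = len(list(net.hosts()))
    after = sum(len(list(half.hosts())) for half in split_into_halves(net))
    return before - after


def split_fits(net: ipaddress.IPv4Network, front_needed: int, back_needed: int) -> bool:
    """True if the first half holds front_needed hosts (modem and firewall side)
    and the second half holds back_needed hosts (servers behind the firewall)."""
    front, back = split_into_halves(net)
    return (len(list(front.hosts())) >= front_needed
            and len(list(back.hosts())) >= back_needed)


def host_route_commands(backend_publics, backend_iface_ip: str) -> list:
    """One per-host route per back-end server, in the form Matthew's reply uses.

    backend_iface_ip is the firewall's back-end interface address (hypothetical,
    supplied by the caller). Strings are returned for review, not executed.
    """
    return [f"route add -host {ip} -interface {backend_iface_ip}"
            for ip in backend_publics]


if __name__ == "__main__":
    info = describe(ALLOCATION)
    print(f"{ALLOCATION}: hosts {info['first_host']}..{info['last_host']}, "
          f"broadcast {info['broadcast']}, {info['usable']} usable")
    print("halves:", [str(h) for h in split_into_halves(ALLOCATION)])
    print("usable addresses lost by splitting:", addresses_lost_by_splitting(ALLOCATION))
    # Modem + firewall on the front half, three servers on the back half.
    print("two /30s with 3 back-end hosts feasible:", split_fits(ALLOCATION, 2, 3))
    backend = [str(h) for h in ALLOCATION.hosts()][3:]  # .100 .. .102
    for cmd in host_route_commands(backend, "10.0.0.1"):
        print(cmd)
```

Running it shows the point of Matthew's objection directly: the /29 offers six usable addresses, splitting it into 192.0.2.96/30 and 192.0.2.100/30 burns two more on the second block's network and broadcast, leaving only two usable on the back-end side for three servers, so per-host routes (or, as Dominik ended up doing, bridging) are the practical options.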