Date: Sun, 15 Oct 2000 08:51:50 +0200
From: Thierry Herbelot <herbelot@cybercable.fr>
To: Gregory Sutter <gsutter@zer0.org>
Cc: hackers@FreeBSD.ORG
Subject: Re: Routing issues
Message-ID: <39E95406.8F1C0717@cybercable.fr>
References: <20001014233212.H3444@klapaucius.zer0.org>
Gregory Sutter wrote:
>
> I'm setting up a network that looks like this:
>
> --Internet----Router---Firewall
>                           |
>                           |           /--- host
>                        Switch----NAT-----<----- host
>                           |               \----- host
>                           |                \----- etc...
>                       ---------
>                       |       |
>                     email     ns
>
> In other words, a fairly typical small network. I've got an 8-IP
> subnet; all hosts outside the NAT have real IPs:
>
> router:   1.2.3.193
> firewall: 1.2.3.196 fxp0
>           1.2.3.197 fxp1
> nat:      1.2.3.198
> email:    1.2.3.194
> ns:       1.2.3.195
>
> The problem I'm having is with my routing. Surprise. Here is
> the routing table for the firewall:
>
> default        1.2.3.193   fxp0
> 1.2.3.193      link#1      fxp0
> 1.2.3.192/29   link#2      fxp1
> 1.2.3.196      lo0
> 1.2.3.197      lo0
>
> The gateway_enable (net.inet.ip.forwarding) is also enabled on
> the firewall.

With a *routing* firewall, like the one you are using, you must have two different IP subnets, one for each physical interface (or else, the kernel will not know which interface to use to send a packet).

In your case, you should use a "bridging" firewall, where only one of the ethernet interfaces has an IP address (you can then set up your firewall in a "stealth" config, where it does not touch the TTL in the IP packets).

TfH

--
Thierry Herbelot
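How the firewall resolves the quoted routing table, as an added Python example that is not from either poster: a longest-prefix lookup over a constructed copy of the table, plus a check for the overlapping link-level prefixes the reply objects to. The route tuples mirror the table quoted above; the function names and the check's output shape are assumptions of this example.

```python
import ipaddress

# Constructed copy of the firewall routing table quoted in the thread
# as (destination, gateway, interface); "default" stands for 0.0.0.0/0.
ROUTES = [
    ("default",      "1.2.3.193", "fxp0"),
    ("1.2.3.193/32", "link#1",    "fxp0"),   # router, directly on fxp0
    ("1.2.3.192/29", "link#2",    "fxp1"),   # the whole /29 bound to fxp1
    ("1.2.3.196/32", "lo0",       "lo0"),
    ("1.2.3.197/32", "lo0",       "lo0"),
]

def _net(dst):
    return ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst)

def lookup(addr, routes=ROUTES):
    """Longest-prefix match over the table; returns (interface, gateway)."""
    addr = ipaddress.ip_address(addr)
    best = None
    for dst, gw, ifc in routes:
        net = _net(dst)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc, gw)
    return (best[1], best[2]) if best else None

def egress_map(routes=ROUTES, subnet="1.2.3.192/29"):
    """Interface each usable address of the /29 leaves the firewall by."""
    return {str(h): lookup(h, routes)[0]
            for h in ipaddress.ip_network(subnet).hosts()}

def overlapping_link_routes(routes=ROUTES):
    """Pairs of distinct interfaces whose directly connected ("link#")
    prefixes overlap, i.e. two interfaces competing for one IP subnet.
    Returns sorted (ifc_a, ifc_b) tuples; empty means no overlap."""
    links = [(_net(dst), ifc) for dst, gw, ifc in routes if gw.startswith("link#")]
    found = set()
    for i, (na, ia) in enumerate(links):
        for nb, ib in links[i + 1:]:
            if ia != ib and na.overlaps(nb):
                found.add(tuple(sorted((ia, ib))))
    return sorted(found)

if __name__ == "__main__":
    for host, ifc in egress_map().items():
        print(f"{host:<10} -> {ifc}")
    print("overlapping interfaces:", overlapping_link_routes())
```

Only the router's /32 host route pulls traffic onto fxp0; every other address of the /29 resolves to fxp1, and the overlap check flags the fxp0/fxp1 pair.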