From owner-freebsd-questions Sat Jan 19 22:53:42 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from rfnj.org (rfnj.org [216.239.237.194]) by hub.freebsd.org (Postfix) with ESMTP id 1F74737B405 for ; Sat, 19 Jan 2002 22:53:40 -0800 (PST)
Received: from megalomaniac.biosys.net (megalomaniac.rfnj.org [216.239.237.200]) by rfnj.org (Postfix) with ESMTP id 7FE3B13674 for ; Sun, 20 Jan 2002 01:53:42 -0500 (EST)
Message-Id: <5.1.0.14.0.20020120013959.00aaaff8@rfnj.org>
X-Sender: asym@rfnj.org
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Sun, 20 Jan 2002 01:52:55 -0500
To: freebsd-questions@freebsd.org
From: Allen Landsidel
Subject: multihomed routing woes..
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

[please reply off-list.. not subscribed.]

Ok.. for several hours I've been banging my head against the proverbial brick wall, trying to resolve an issue that's been a nuisance for some time.

To start from the beginning.. my network looks like this:

[LAN] <--> [firewall] <--> [router] <--> [internet]

The LAN side has a public /28 block. The firewall has one address from that block on the interior interface, and an address in the 10/8 block on the exterior. The router has an address on the 10/8 block on the interior, the ISP-assigned address on the WAN interface, and a static route to the firewall 10/8 for my IP block.

The problem is simple: All outgoing traffic that *originates* on the firewall attempts to use the 10/8 address. I'm looking for some easy way to force it to use its internal address for traffic destined to go out the exterior interface, but so far to no avail.

My brain can't seem to think of a way to do this via route, and natd + my current stateful IPFW appears to be a no-go.. Searching the lists and usenet has turned up others with the same problems, but no real solutions using these tools.

Apparently my only options are:

1) ditch the stateful ipfw configuration in favor of a simple 'established' rule (ick)
2) (maybe?) switch to ipf/ipnat.
3) Set up a proxy on one of the internal machines and have the firewall go through that to get out (ick)
4) Probably other silly hacks like 1,3 that are no more elegant.

Any help is appreciated.. I'm going nuts here.

-Allen

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
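As an added illustration (not from the poster or the FreeBSD project), the Python below models the source-address selection behind the complaint: a longest-prefix route lookup in which the source defaults to the address of the outgoing interface, so anything the firewall itself sends via the default route leaves with the 10/8 address. A per-route preferred source, the kind of knob the poster is looking for, is modelled as an extra field on the route entry; all addresses, interface names and the table itself are constructed placeholders, not the poster's real block or configuration.

```python
import ipaddress

# Constructed model of the poster's firewall: one public /28 address on the
# interior interface, one 10/8 address on the exterior interface.
# (Placeholder addresses, not the poster's real block.)
INTERFACES = {
    "int0": ipaddress.ip_interface("203.0.113.17/28"),  # interior, public /28
    "ext0": ipaddress.ip_interface("10.0.0.2/8"),       # exterior, toward router
}

# Routing table entries: (prefix, outgoing interface, preferred source or None).
ROUTES = [
    (ipaddress.ip_network("203.0.113.16/28"), "int0", None),
    (ipaddress.ip_network("10.0.0.0/8"), "ext0", None),
    (ipaddress.ip_network("0.0.0.0/0"), "ext0", None),  # default, via the router
]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: return (interface, preferred_src) for dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, ifname, src in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname, src)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1], best[2]


def source_for(dst, routes=ROUTES):
    """Source address used for traffic the firewall itself originates to dst.

    Default rule: the address of the outgoing interface. That is exactly why
    the firewall's own Internet-bound packets carry the 10/8 address.
    If the matching route carries a preferred source, that wins instead.
    """
    ifname, preferred = lookup(dst, routes)
    if preferred is not None:
        return str(preferred)
    return str(INTERFACES[ifname].ip)


# Same table, but with the default route pinned to the public interior address.
# Only the default route is pinned; traffic to the 10/8 link keeps the 10/8 source.
ROUTES_PINNED = [
    (net, ifname, INTERFACES["int0"].ip if net.prefixlen == 0 else src)
    for net, ifname, src in ROUTES
]
```

The pinned table only works in the model because, as the poster describes, the router already holds a static route for the /28 pointing back at the firewall, so replies to the public source address have a path home.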