Date: Mon, 15 May 2000 13:36:55 -0700 (PDT)
From: Dean Brundage <brundage@ha1mil.Ebay.Sun.COM>
To: freebsd-questions@freebsd.org
Subject: FreeBSD w/2 interfaces on the same subnet
Message-ID: <200005152036.NAA16416@ha1mil.EBay.Sun.COM>
Hello all,
Please cc me in any replies as I am not on this alias. Thanks.
Here's my situation:
I will be getting DSL at home and want to run a packet filter on my
incoming/outgoing traffic and since I can't seem to convince my provider to put
the filters on their router, I'm going to have to do it myself. I'm getting 6
static IP addresses and am planning to use two of these for a FreeBSD firewall.
To further complicate matters, I'm using PicoBSD from the -stable line. Now, I
have a custom PicoBSD built and working using the router line as my guide. The
packet filter will be ipf and I have verified that it is completely open right
now.
To be able to examine all the traffic on the network, I know I will have
to put the PicoBSD machine "in front of" the others. Something like this:
      +-+  ed0  +-+  ed1        +----     +-+
      |R| ------- |P| ----------+-----------|A|
      +-+        +-+            +----     +-+
      ISP      PicoBSD          Rest of the subnet
     Router
              { ------------ Same subnet ---------------- }
In my test case, R has IP 10.0.0.1/24 and A has IP 10.0.0.201/24. The
rc script for PicoBSD goes like this:
    ifconfig ed0 10.0.0.101 netmask 0xffffff00
    route delete -net 10.0.0
    ifconfig ed1 10.0.0.102 netmask 0xffffff00
    route delete -net 10.0.0
No matter which way I add routes, I can't get the machine to come up on one of
the nets. For example,
    route add -net 10.0.0 -interface 10.0.0.101
    route add -host 10.0.0.202 -interface 10.0.0.102

and

    route add -host 10.0.0.1 -interface 10.0.0.101
    route add -net 10.0.0 -interface 10.0.0.101
returns an error but adds the routes seemingly correctly ("... already exists" I
think). netstat and 'route get' both show that the routes are in the table and
on the correct interface.
From the PicoBSD box, I can ping the host that uses the -net route, but not the
host that is on the -host route. I get an "arpresolve: can't allocate llinfo
for 10.0.0.1".
It seems like this can be done and will be a working solution with proxy arp and
packet forwarding, but I can't get the routes to work out correctly. From
http://www.FreeBSD.org/cgi/getmsg.cgi?fetch=771334+775066+/usr/local/www/db/text/1996/freebsd-questions/19960211.freebsd-questions
it looks like I should be able to do what I want here, but I can't find any more
details on it in the mailing list archives.
> The trick is to have the FreeBSD router have one IP
> address from the first subnet and the other one from
> the second. Now you tell the FreeBSD router and
> the hosts on the second subnet the real subnet and
> broadcast address, enable proxy arp on the FreeBSD
> router and don't tell the hosts/routers on the
> first subnet anything about the changes - if one
> of them wants to talk to a host on the second one,
> it just asks for its ethernet address, it does so
> and the FreeBSD router proxy answers and forwards the
> packet.
If I set up PicoBSD on different subnets, I can ping and forward IP across it
with no problems.
Thanks for any suggestions.
--Dean
Unscrambler of eggs.
IT Ops aka ITPS aka SunIT aka SunIR aka ENS aka Desktop Support
--------------------------------------------------------------------------------
Some men like the fishing, and some men like the fowling.
Some men like to hear the cannon balls roaring.
Me, I like sleeping, especially in my Adie's chamber. -- Old Irish folk song
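The setup Dean describes (one /24 split across ed0 and ed1, with -host routes and proxy ARP on the PicoBSD box) can be modelled in a few lines. The following is an added example, not code from the post or from FreeBSD: it simulates the longest-prefix-match route lookup that makes the /32 -host routes win over the /24 -net route, and the decision a proxy-ARP router has to make when it sees an ARP request. The interface names, the routing table and the address plan are assumptions built from the post; they are not a capture of a real table.

```python
"""Added example (not from Dean's post): a model of how a router that splits
one subnet across two interfaces has to route and proxy-ARP.
Interface names, addresses and routes are assumptions taken from the post."""
import ipaddress

# Assumed address plan from the post: R (ISP router) = 10.0.0.1 on the ed0
# side, A = 10.0.0.201 on the ed1 side; the PicoBSD box is .101 / .102.
OWN_ADDRS = {"10.0.0.101": "ed0", "10.0.0.102": "ed1"}

# The subnet that is being split. Proxy replies are only ever given for
# addresses inside it, never for arbitrary destinations behind the default.
SPLIT_NET = ipaddress.ip_network("10.0.0.0/24")

# Constructed routing table: (destination prefix, egress interface).
# The /24 "-net" route points at ed0; every host living behind ed1 needs an
# explicit "-host" (/32) route so that longest-prefix match picks ed1 for it.
ROUTES = [
    ("0.0.0.0/0", "ed0"),       # default: everything else goes to the ISP
    ("10.0.0.0/24", "ed0"),     # route add -net 10.0.0 -interface 10.0.0.101
    ("10.0.0.201/32", "ed1"),   # route add -host 10.0.0.201 -interface 10.0.0.102
    ("10.0.0.202/32", "ed1"),   # route add -host 10.0.0.202 -interface 10.0.0.102
]


def lookup(dst, routes=ROUTES):
    """Longest-prefix-match lookup: returns the egress interface, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def arp_reply_kind(target, ingress_if, routes=ROUTES):
    """How the box answers an ARP "who-has target" that arrived on ingress_if.

    Returns "own"   - target is one of our own addresses: a normal reply,
            "proxy" - target is inside SPLIT_NET and our route to it leaves
                      through a *different* interface: answer with our own
                      MAC so the asker sends us the packet, then forward it,
            None    - stay silent.
    Replying for a target that is on the same wire as the asker would make
    us a duplicate of that host and pull its traffic through us, so a proxy
    reply is only given when the egress differs from the ingress.
    """
    if target in OWN_ADDRS:
        return "own"
    if ipaddress.ip_address(target) not in SPLIT_NET:
        return None
    egress = lookup(target, routes)
    if egress is None or egress == ingress_if:
        return None
    return "proxy"


def forward_path(src_if, dst, routes=ROUTES):
    """(ingress, egress) a forwarded packet takes, or None when the packet
    would go back out the interface it came in on (nothing to forward)."""
    egress = lookup(dst, routes)
    if egress is None or egress == src_if:
        return None
    return (src_if, egress)
```

Read the model against the thread: R on the ed0 side asks "who-has 10.0.0.202", the box answers with its own MAC (`proxy`) and then forwards the packet ed0 to ed1; A on the ed1 side asks for 10.0.0.1 and gets the mirror treatment. A request for 10.0.0.202 heard on ed1 gets no reply, because the real host is on that wire. On the real box the same two pieces are `arp -s <host> <our-ether> pub` for each address to publish and `sysctl -w net.inet.ip.forwarding=1`, with the ipf rules then applied to what crosses ed0/ed1; those commands are my addition here, not something the post shows.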
