Message-ID: <39EA0823.D9D353D8@softweyr.com>
Date: Sun, 15 Oct 2000 13:40:19 -0600
From: Wes Peters
Organization: Softweyr LLC
To: Thierry Herbelot
Cc: Gregory Sutter, hackers@FreeBSD.ORG
Subject: Re: Routing issues
References: <20001014233212.H3444@klapaucius.zer0.org> <39E95406.8F1C0717@cybercable.fr>

Thierry Herbelot wrote:
>
> Gregory Sutter wrote:
> >
> > I'm setting up a network that looks like this:
> >
> > --Internet----Router---Firewall
> >                           |
> >                           |           /--- host
> >                         Switch----NAT-----<----- host
> >                           |           \----- host
> >                           |            \----- etc...
> >                       ---------
> >                       |       |
> >                     email     ns
> >
> > In other words, a fairly typical small network.  I've got an 8-IP
> > subnet; all hosts outside the NAT have real IPs:
> >
> >     router:   1.2.3.193
> >     firewall: 1.2.3.196 fxp0
> >               1.2.3.197 fxp1
> >     nat:      1.2.3.198
> >     email:    1.2.3.194
> >     ns:       1.2.3.195
> >
> > The problem I'm having is with my routing.  Surprise.  Here is
> > the routing table for the firewall:
> >
> > default            1.2.3.193          fxp0
> > 1.2.3.193          link#1             fxp0
> > 1.2.3.192/29       link#2             fxp1
> > 1.2.3.196          lo0
> > 1.2.3.197          lo0
> >
> > The gateway_enable (net.inet.ip.forwarding) is also enabled on
> > the firewall.
>
> with a *routing* firewall, like the one you are using, you must have two
> different IP subnets, one for each physical interface (or else, the
> kernel will not know which interface to use to send a packet).

You can handle it by using host routes to the interior computers, but
that is messy.

-- 
"Where am I, and what am I doing in this handbasket?"

Wes Peters
Softweyr LLC
wes@softweyr.com
http://softweyr.com/
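
The point made in the thread, as an added example that is not part of the original messages: a small longest-prefix-match model of the firewall's forwarding decision, using the addresses and interface names from the post. The `SAME_SUBNET` and `HOST_ROUTES` tables and the function names are assumptions made for illustration, and the model covers only the route lookup, not the rest of the kernel's behaviour.

```python
import ipaddress

def build(routes):
    """Turn (prefix, interface) string pairs into a routing table."""
    return [(ipaddress.ip_network(p), ifc) for p, ifc in routes]

def lookup(table, dst):
    """Return every route tied at the longest prefix that matches dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, ifc) for net, ifc in table if addr in net]
    if not matches:
        return []
    best = max(net.prefixlen for net, _ in matches)
    return [(net, ifc) for net, ifc in matches if net.prefixlen == best]

def egress(table, dst):
    """Interface chosen for dst, or a marker when no single answer exists."""
    ifaces = {ifc for _, ifc in lookup(table, dst)}
    if not ifaces:
        return "UNREACHABLE"
    return ifaces.pop() if len(ifaces) == 1 else "AMBIGUOUS"

# Constructed: the same /29 attached to both interfaces, no host routes.
SAME_SUBNET = build([
    ("0.0.0.0/0", "fxp0"),
    ("1.2.3.192/29", "fxp0"),
    ("1.2.3.192/29", "fxp1"),
])

# The table as posted: /29 on fxp1 plus a host route to the router on fxp0.
POSTED = build([
    ("0.0.0.0/0", "fxp0"),
    ("1.2.3.193/32", "fxp0"),
    ("1.2.3.192/29", "fxp1"),
])

# Constructed: host routes to each interior machine, /29 left on fxp0.
HOST_ROUTES = build([
    ("0.0.0.0/0", "fxp0"),
    ("1.2.3.192/29", "fxp0"),
    ("1.2.3.194/32", "fxp1"),  # email
    ("1.2.3.195/32", "fxp1"),  # ns
    ("1.2.3.198/32", "fxp1"),  # nat
])

if __name__ == "__main__":
    for name, table in [("same subnet", SAME_SUBNET), ("posted", POSTED),
                        ("host routes", HOST_ROUTES)]:
        for dst in ("1.2.3.193", "1.2.3.194", "1.2.3.198", "198.51.100.7"):
            print(f"{name:12} {dst:14} -> {egress(table, dst)}")
```

Every interior machine needs its own /32 entry in the host-route table, and each one added later needs another, which is the mess the reply refers to.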