Date:      26 Sep 2001 15:20:14 -0700
From:      swear@blarg.net (Gary W. Swearingen)
To:        Jamie Norwood <mistwolf@mushhaven.net>
Cc:        freebsd-stable@FreeBSD.ORG
Subject:   Re: 127/8 continued
Message-ID:  <i5vgi5tx0h.gi5@localhost.localdomain>
In-Reply-To: <20010926134253.A65444@mushhaven.net>
References:  <20010924094048.X5906-100000@coredump.scriptkiddie.org> <3BB0A0A2.6CCC454B@chrisland.net> <j2lmj2vjmy.mj2@localhost.localdomain> <20010926103827.S37693@buffoon.automagic.org> <f18zf1vq79.zf1@localhost.localdomain> <20010926133747.Y37693@buffoon.automagic.org> <20010926134253.A65444@mushhaven.net>

Jamie Norwood <mistwolf@mushhaven.net> writes:

> On Wed, Sep 26, 2001 at 01:37:48PM -0400, Joe Abley wrote:
> > 
> > If you'd like to describe in as simple terms as possible what you're
> > trying to achieve, I'd be happy to work through it with you. Maybe
> > off-list, unless you think there is some general issue that needs
> > publicising.
> 
> I'd be interested in keeping in on this, I am curious as to the
> situation and how it is being handled. I do networking for a living,
> so love being in on odd things.

Two gluttons for punishment, I guess.

I don't want to take the time right now to rerun tests so I can
accurately explain the problems I have had and don't want to waste your
kindly-offered time further with any more general discussion at this
time.  (I want to get a web site back on line at its new non-ISP domain
after my ISP shut down, etc.)

But here's the basic situation if you'd care to suggest something for
me to experiment with later:

My firewall talks to a DSL router, a DMZ server, and a workstation over
three network segments (crossover Tbase10) - no hubs or switches.

I've got a /29 subnet so there's one address for each of the six host
interfaces, should they be needed.  I don't want to do NAT because I
don't see the need for it (and it's problematical and I'm headstrong).

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

That's it, but rambling on...

I considered doing a bridging firewall so all segments could be on one
(sub)network but meagerness of documentation discouraged an attempt.

AFAIK, to do "correct" networking, my three network segments separated
by a routing firewall require three separate networks while my
ISP-assigned subnet supports only two sub-subnets.

I also tried setting it all up on 10.x addresses with public IPs aliased
on the server and workstation; I might have just messed up.  Should
that work?

I currently have addresses assigned like this:

a.b.c.0 subnetwork (ISP-assigned)
a.b.c.1 DSL router (ISP-assigned; not sure why I couldn't choose)
a.b.c.2 firewall's workstation interface
a.b.c.3 workstation
a.b.c.4 firewall's server interface
a.b.c.5 server
a.b.c.6 firewall's DSL router interface
a.b.c.7 subnetwork broadcast (ISP-assigned)

The following is the only thing I've blundered upon which works on the
workstation (and server).  (It's considerably worse on the firewall.)

$ netstat -nr
Destination        Gateway            Flags     Refs     Use     Netif Expire
127.0.0.1          127.0.0.1          UH          0      334      lo0

$ ifconfig xl0 a.b.c.3/29  [IIRC, /30 works too; 31 or 32 don't]

$ netstat -nr
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            a.b.c.2            UGSc        0        0      xl0
127.0.0.1          127.0.0.1          UH          0      334      lo0
a.b.c.0/29         link#2             UC          1        0      xl0 =>

At which point I can ping firewall but no further.  I wish it didn't
auto-add the route, but, oh well; it makes some sense.

Then I delete the subnet route and add one for a.b.c.2/31:

Using "route add a.b.c.2/31 -interface xl0" gives:
a.b.c.2/31 link#2         UCSc        0        0      xl0 =>
which routes as desired.

(Using "route add a.b.c.2 -interface xl0" gives:
a.b.c.2   <xl0's MAC>     UHLS        0        0      lo0
which is hardly what I want and doesn't route as desired.)

Unfortunately, doing "ifconfig xl0 down; go fishing; ifconfig xl0 up"
puts back the a.b.c.0/29 route, breaking my routing.

If I start with:
ifconfig xl0 a.b.c.2/31

I get from netstat:
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            a.b.c.2            UGSc        0        0      xl0
127.0.0.1          127.0.0.1          UH          0      334      lo0
a.b.c.2/31         link#2             UC          1        0      xl0 =>

which looks pretty good (except Flags), but doesn't ping past the firewall.

Thanks again for your interest.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
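The two things the post circles around are (a) why a single /29 cannot be carved into three conventional subnets for three router-separated segments, and (b) why the auto-added a.b.c.0/29 connected route stops traffic at the firewall while a narrower a.b.c.2/31 interface route lets it through. The script below is an added illustration, not code from the thread or from FreeBSD: it uses Python's ipaddress module to count the /30 and /31 subnets a /29 yields, and a small longest-prefix-match model of the workstation's routing table. The block 192.0.2.0/29 (TEST-NET-1) stands in for the post's a.b.c.0/29, and the simplification that a connected prefix means "resolve on the local link" rather than "forward to the gateway" is the assumption the model rests on.

```python
import ipaddress

# Constructed stand-in for the ISP-assigned a.b.c.0/29 in the post (TEST-NET-1).
ISP_BLOCK = ipaddress.ip_network("192.0.2.0/29")


def subnet_options(block):
    """Return {prefixlen: (subnet_count, usable_hosts_per_subnet)} for /30 and /31.

    A /30 reserves network and broadcast addresses (2 usable hosts);
    a /31 is a point-to-point link where both addresses are usable.
    For a /29 this gives two /30s or four /31s, never three conventional subnets.
    """
    out = {}
    for plen in (30, 31):
        subs = list(block.subnets(new_prefix=plen))
        usable = 2 if plen == 31 else subs[0].num_addresses - 2
        out[plen] = (len(subs), usable)
    return out


def lookup(routes, dst):
    """Longest-prefix-match over a list of (prefix, gateway, iface) tuples.

    gateway None models a directly connected prefix (the 'link#2' rows in the
    post's netstat output): the host resolves dst on iface itself instead of
    handing the packet to a gateway. Returns (next_hop_or_'on-link', iface).
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None
    _, gw, iface = best
    return ("on-link" if gw is None else gw, iface)


# Workstation table after "ifconfig xl0 a.b.c.3/29": the kernel auto-adds
# the whole /29 as a connected route (constructed to mirror the post).
ROUTES_29 = [
    ("0.0.0.0/0", "192.0.2.2", "xl0"),   # default via firewall
    ("192.0.2.0/29", None, "xl0"),       # connected /29
]

# Table after deleting that route and doing "route add a.b.c.2/31 -interface xl0".
ROUTES_31 = [
    ("0.0.0.0/0", "192.0.2.2", "xl0"),   # default via firewall
    ("192.0.2.2/31", None, "xl0"),       # only firewall + workstation are on-link
]


if __name__ == "__main__":
    print("subnet options for", ISP_BLOCK, subnet_options(ISP_BLOCK))
    server = "192.0.2.5"  # the post's a.b.c.5, behind the firewall
    print("/29 connected route, to server:", lookup(ROUTES_29, server))
    print("/31 interface route, to server:", lookup(ROUTES_31, server))
```

With the /29 connected route the model resolves the server address on the workstation's own link, where no such host exists; with the /31 route only the firewall and the workstation are on-link and everything else falls through to the default gateway, which is the behaviour the post reports as "routes as desired". The same table model also shows why the /31 setting is fragile: any re-adding of the /29 connected route (as the post describes after an interface down/up) wins longest-prefix match for the whole block again.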