From owner-freebsd-hackers Mon Oct 16 16:36:34 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from klapaucius.zer0.org (klapaucius.zer0.org [204.152.186.45])
	by hub.freebsd.org (Postfix) with ESMTP id 5740237B66E
	for ; Mon, 16 Oct 2000 16:36:30 -0700 (PDT)
Received: by klapaucius.zer0.org (Postfix, from userid 1001)
	id 59AD0239AB1; Mon, 16 Oct 2000 16:36:30 -0700 (PDT)
Date: Mon, 16 Oct 2000 16:36:30 -0700
From: Gregory Sutter
To: Wes Peters
Cc: Thierry Herbelot , hackers@FreeBSD.ORG
Subject: Re: Routing issues
Message-ID: <20001016163630.B98214@klapaucius.zer0.org>
References: <20001014233212.H3444@klapaucius.zer0.org> <39E95406.8F1C0717@cybercable.fr> <39EA0823.D9D353D8@softweyr.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <39EA0823.D9D353D8@softweyr.com>; from wes@softweyr.com on Sun, Oct 15, 2000 at 01:40:19PM -0600
Organization: Zer0
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On 2000-10-15 13:40 -0600, Wes Peters wrote:
> Thierry Herbelot wrote:
> > Gregory Sutter wrote:
> > >
> > > I'm setting up a network that looks like this:
> > >
> > > --Internet----Router---Firewall
> > >                           |
> > >                           |          /--- host
> > >                        Switch----NAT-----<----- host
> > >                           |          \----- host
> > >                           |           \----- etc...
> > >                       ---------
> > >                       |       |
> > >                     email     ns
> > >
> > > In other words, a fairly typical small network.  I've got an 8-IP
> > > subnet; all hosts outside the NAT have real IPs:
> > >
> > >   router:    1.2.3.193
> > >   firewall:  1.2.3.196  fxp0
> > >              1.2.3.197  fxp1
> > >   nat:       1.2.3.198
> > >   email:     1.2.3.194
> > >   ns:        1.2.3.195
> > >
> > > The problem I'm having is with my routing.  Surprise.  Here is
> > > the routing table for the firewall:
> > >
> > >   default        1.2.3.193   fxp0
> > >   1.2.3.193      link#1      fxp0
> > >   1.2.3.192/29   link#2      fxp1
> > >   1.2.3.196      lo0
> > >   1.2.3.197      lo0
> > >
> > > The gateway_enable (net.inet.ip.forwarding) is also enabled on
> > > the firewall.
> >
> > with a *routing* firewall, like the one you are using, you must have two
> > different IP subnets, one for each physical interface (or else, the
> > kernel will not know which interface to use to send a packet).
>
> You can handle it by using host routes to the interior computers, but that
> is messy.

The bridging was the key that I was missing.  Turning it on instantly
resulted in a working network with the configuration described above.
The default route, since it's a host route anyway, is entered with
interface fxp0, and the rest of the 1.2.3.192/29 network is routed with
interface fxp1.

Destination        Gateway            Flags    Refs    Use  Netif Expire
default            1.2.3.193          UGSc        1 163304   fxp0
127.0.0.1          127.0.0.1          UH          0      0    lo0
1.2.3.192/29       link#2             UCSc        3      0   fxp1 =>
1.2.3.193          0:f:cf:7f:ff:f4    UHLW        1     32   fxp0   1032
1.2.3.196          0:df:f7:f6:1f:f6   UHLW        0    106    lo0
1.2.3.197          0:f:bf:f:df:f1     UHLS        0      2    lo0

net.inet.ip.forwarding: 1
net.link.ether.bridge_cfg: fxp0:1,fxp1:1,
net.link.ether.bridge: 1
net.link.ether.bridge_ipfw: 1

Thanks to all who replied!

Greg
-- 
Gregory S. Sutter                     "How do I read this file?"
mailto:gsutter@zer0.org               "You uudecode it."
http://www.zer0.org/~gsutter/         "I I I decode it?"


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
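The routing decision Greg describes (1.2.3.193 leaving via fxp0 because it has a host route, everything else in 1.2.3.192/29 leaving via fxp1, and the default route inheriting fxp0 from its next hop) can be replayed with a longest-prefix-match lookup over the table he posted. The script below is an added example and not code from the thread or from FreeBSD; it parses the `netstat -rn` output above (embedded as constructed input), picks the most specific matching entry for a destination, and resolves a `G`-flagged gateway recursively to find its interface, as the kernel does when it clones the next-hop route. It models the IP lookup only; ARP and the Ethernet bridge that actually fixed the network are not modelled, and the column layout is assumed to be the six-column form shown in the post.

```python
"""Longest-prefix-match lookup over a FreeBSD-style 'netstat -rn' table.

Added example, not from the mailing-list post or the FreeBSD source.
The table below is the post-bridging table from the post, embedded here
as constructed input; only Destination, Gateway, Flags and Netif are used.
"""
import ipaddress

NETSTAT_RN = """\
Destination        Gateway            Flags    Refs    Use  Netif Expire
default            1.2.3.193          UGSc        1 163304   fxp0
127.0.0.1          127.0.0.1          UH          0      0    lo0
1.2.3.192/29       link#2             UCSc        3      0   fxp1 =>
1.2.3.193          0:f:cf:7f:ff:f4    UHLW        1     32   fxp0   1032
1.2.3.196          0:df:f7:f6:1f:f6   UHLW        0    106    lo0
1.2.3.197          0:f:bf:f:df:f1     UHLS        0      2    lo0
"""


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_table(text):
    """Return a list of (network, gateway, flags, netif) from netstat -rn text.

    Host entries (no prefix length) become /32 networks; 'default' becomes
    0.0.0.0/0. The trailing '=>' marker and the Expire column are ignored.
    """
    routes = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        dest, gw, flags, _refs, _use, netif = fields[:6]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(dest, strict=False)
        routes.append((net, gw, flags, netif))
    return routes


def lookup(routes, dst, _depth=0):
    """Return (netif, next_hop) for dst, or None if nothing matches.

    The most specific (longest prefix) matching entry wins. If that entry
    carries the 'G' flag its gateway is an IP next hop, so the gateway is
    looked up in turn (one level) to find the interface it is reachable on.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, flags, netif in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, flags, netif)
    if best is None:
        return None
    _net, gw, flags, netif = best
    if "G" in flags and _depth == 0 and _is_ip(gw):
        via = lookup(routes, gw, _depth + 1)
        if via is None:
            return None
        return (via[0], gw)
    return (netif, None)


if __name__ == "__main__":
    table = parse_table(NETSTAT_RN)
    # Router (host route wins over the /29), an inside host (/29 wins over
    # default), an Internet address (default, next hop resolved to fxp0).
    for dst in ("1.2.3.193", "1.2.3.194", "8.8.8.8", "1.2.3.197"):
        print(dst, "->", lookup(table, dst))
```

Running it shows 1.2.3.193 resolving to fxp0 through its /32 entry, 1.2.3.194 to fxp1 through the /29, and an outside address to fxp0 via next hop 1.2.3.193, which is the split Greg describes.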