From: Joseph Scott
Date: Sun, 15 Oct 2000 11:34:31 -0700 (PDT)
To: Gregory Sutter
Cc: hackers@FreeBSD.ORG
Subject: Re: Routing issues
In-Reply-To: <20001014233212.H3444@klapaucius.zer0.org>

On Sat, 14 Oct 2000, Gregory Sutter wrote:

> I'm setting up a network that looks like this:
>
>
> --Internet----Router---Firewall
>                           |
>                           |          /--- host
>                         Switch----NAT-----<----- host
>                           |                \----- host
>                           |                 \----- etc...
>                        ---------
>                        |       |
>                      email    ns

When I first looked at this, is there a reason why it isn't something like
this instead:

---Internet---Router---|
                       |
                       |
                    Firewall---Nat (Many Hosts)
                       |
                       |
                       |
                 (Multiple Servers)

You have to have a hub/switch between the firewall and each network (the NAT
and the server). You end up with a firewall with three nics. On the surface
what I'd probably do with something like this is actually NAT both the many
hosts and the servers network, but on the servers use a 1:1 IP mapping (bimap
if you are using IPFilter). The thing that would interest me is if you could
use bridging between the outside firewall nic and the servers network in
conjunction with NAT'ing the many hosts network. This is something I've
wondered about but never tried. If it's doable I'm not sure it would be a
good idea.

Having the three nics would allow you to filter that entire network based on
which nic the traffic is coming from or heading to.

> In other words, a fairly typical small network. I've got an 8-IP
> subnet; all hosts outside the NAT have real IPs:
>
> router:   1.2.3.193
> firewall: 1.2.3.196 fxp0
>           1.2.3.197 fxp1
> nat:      1.2.3.198
> email:    1.2.3.194
> ns:       1.2.3.195
>
> The problem I'm having is with my routing. Surprise. Here is
> the routing table for the firewall:
>
> default        1.2.3.193   fxp0
> 1.2.3.193      link#1      fxp0
> 1.2.3.192/29   link#2      fxp1
> 1.2.3.196      lo0
> 1.2.3.197      lo0
>
> The gateway_enable (net.inet.ip.forwarding) is also enabled on
> the firewall.
>
> From the firewall, I can reach any host with no problems. However,
> from hosts inside the firewall, I cannot reach outside, and vice
> versa. I feel I must be missing something obvious, but have played
> with routes for hours to no avail.
>
> Does anyone see a problem with the routing of this network?
>
> Greg
> --
> Gregory S. Sutter                    Computing is a terminal addiction.
> mailto:gsutter@zer0.org
> http://www.zer0.org/~gsutter/
> PGP DSS public key 0x40AE3052

---
Joseph Scott                                joseph.scott@owp.csus.edu
The Office Of Water Programs - CSU Sacramento

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
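One thing worth checking in the quoted routing table is that the 1.2.3.192/29 block is routed out fxp1 while fxp0's own address 1.2.3.196 lies inside that same block, so the outside (router) side and the inside side both "own" parts of one /29. The following check, added here as an example rather than anything from the thread or from FreeBSD, flags that kind of split subnet given a netstat-style table and the interface addresses; the sample data is the table Greg posted, and the column layout is assumed.

```python
# Added example (not from the thread): look for a "split subnet" in a
# FreeBSD-style routing table, i.e. a prefix route that leaves via one
# interface while a different interface holds an address inside that block.
# Sample data below is the firewall table and addresses quoted in the message.
import ipaddress

# (destination, gateway, interface), as `netstat -rn` prints them.
FIREWALL_ROUTES = [
    ("default",      "1.2.3.193", "fxp0"),
    ("1.2.3.193",    "link#1",    "fxp0"),
    ("1.2.3.192/29", "link#2",    "fxp1"),
    ("1.2.3.196",    "lo0",       "lo0"),
    ("1.2.3.197",    "lo0",       "lo0"),
]

# Interface addresses from the same message.
FIREWALL_ADDRS = {"fxp0": "1.2.3.196", "fxp1": "1.2.3.197"}


def find_split_subnets(routes, addrs):
    """Return (network, route_iface, other_iface, address) for every prefix
    route whose block contains an address bound to a *different* interface."""
    findings = []
    for dest, _gw, iface in routes:
        # Only network (prefix) routes can cover some other interface's address;
        # host routes and the default route are skipped.
        if dest == "default" or "/" not in dest:
            continue
        net = ipaddress.ip_network(dest, strict=False)
        for other_iface, addr in addrs.items():
            if other_iface != iface and ipaddress.ip_address(addr) in net:
                findings.append((str(net), iface, other_iface, addr))
    return findings


if __name__ == "__main__":
    for net, via, other, addr in find_split_subnets(FIREWALL_ROUTES, FIREWALL_ADDRS):
        print(f"{net} is routed via {via}, but {other} holds {addr} from that block")
```

A hit means the router on the fxp0 side has no route telling it to reach the rest of the /29 through the firewall, which is one of the first things to verify before touching the firewall's own table again.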