From: John Wilson
To: freebsd-hackers@freebsd.org
Date: Mon, 30 Apr 2001 08:00:18 -0700 (PDT)
Subject: ipfw routing/netmask problem
Message-ID: <12354766.988642819102.JavaMail.imail@almond.excite.com>

I'm trying to set up a FreeBSD firewall for ~100 PCs and ~10 servers, and I'm having some trouble with routing/netmasks.

I have 30 IP addresses assigned to me by my ISP; for the sake of this example let's say I've got 90.91.92.0/27.

The FreeBSD box has 2 interface cards, fxp0 and fxp1: fxp0 is connected to the router, fxp1 to the ethernet switch. The router is 90.91.92.1. fxp0 is 90.91.92.2, netmask 255.255.255.252 (broadcast 90.91.92.3). fxp1 is bound to several IPs: 192.168.1.254 and 192.168.2.254 for two different types of NAT clients, and 90.91.92.4 for the DMZ.

The intention is that NAT clients use 192.168.1.254 (or 192.168.2.254) as their default gateway, and DMZ clients use 90.91.92.4.

The question is how to choose a netmask for fxp1 that would exclude the default gateway (90.91.92.1), so the machine would route via fxp0.

Unfortunately, when I choose a netmask such as 255.255.255.227 (11100011), I'm left with only 6 IPs for the DMZ:

    90.91.92.8  (binary 1000)
    90.91.92.12 (binary 1100)
    90.91.92.16 (binary 10000)
    90.91.92.20 (binary 10100)
    90.91.92.24 (binary 11000)
    90.91.92.28 (binary 11100)

This seems like a huge waste of IPs. If I choose any other mask, the machine refuses to route via fxp0, because it thinks the default gateway is accessible via fxp1.

Is there a way to save IPs (I need at least 12 DMZ IPs), while achieving the same goal?

Thanks

John Wilson
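The on-link decision the post is wrestling with is nothing more than a bitwise comparison: an address is treated as directly reachable through an interface when (address AND mask) equals (interface address AND mask). The script below is an added example, not code from the post or from FreeBSD; it reproduces that comparison so the effect of any mask, contiguous or not, on the post's example block 90.91.92.0/27 can be checked before touching a firewall. The addresses are the post's own illustrative values and the helper names are mine.

```python
"""
Added example (not from the original post): evaluate which addresses an
interface IP + netmask pair treats as on-link, using the same bitwise AND
comparison a route lookup performs.  Because it is a plain AND, it also
handles non-contiguous masks such as the post's 255.255.255.227.
Addresses are the post's example block 90.91.92.0/27, not a real network.
"""
from typing import List


def ip_to_int(dotted: str) -> int:
    """Convert a dotted-quad string to a 32-bit integer, validating each octet."""
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def int_to_ip(n: int) -> str:
    """Convert a 32-bit integer back to dotted-quad text."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def on_link(addr: str, iface_ip: str, mask: str) -> bool:
    """True if `addr` falls in the interface's network under `mask`.

    This is the comparison the routing code makes: (addr & mask) == (iface & mask).
    With a non-contiguous mask, every cleared bit is simply a 'don't care' bit.
    """
    m = ip_to_int(mask)
    return (ip_to_int(addr) & m) == (ip_to_int(iface_ip) & m)


def usable_hosts(iface_ip: str, mask: str, block: str) -> List[str]:
    """Addresses in the ISP block (CIDR) that the interface would treat as
    on-link, excluding the interface's own address and the block's base
    address (the post counts its DMZ addresses the same way)."""
    net_txt, plen_txt = block.split("/")
    plen = int(plen_txt)
    block_mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    base = ip_to_int(net_txt) & block_mask
    result = []
    for n in range(base, base + (1 << (32 - plen))):
        cand = int_to_ip(n)
        if n == base or cand == iface_ip:
            continue
        if on_link(cand, iface_ip, mask):
            result.append(cand)
    return result


def describe(iface_ip: str, mask: str, gateway: str, block: str) -> str:
    """One-line summary: is the gateway wrongly on-link, and how many hosts remain?"""
    hosts = usable_hosts(iface_ip, mask, block)
    gw_state = "ON-LINK (routes via this interface)" if on_link(gateway, iface_ip, mask) else "off-link"
    return f"{iface_ip}/{mask}: gateway {gateway} is {gw_state}; {len(hosts)} usable hosts"


if __name__ == "__main__":
    FXP1, GW, BLOCK = "90.91.92.4", "90.91.92.1", "90.91.92.0/27"
    # The post's non-contiguous mask: gateway excluded, but only six DMZ hosts.
    print(describe(FXP1, "255.255.255.227", GW, BLOCK))
    print("  ", usable_hosts(FXP1, "255.255.255.227", BLOCK))
    # A contiguous /28 on the same interface address pulls the gateway on-link,
    # which is the "refuses to route via fxp0" symptom the post describes.
    print(describe(FXP1, "255.255.255.240", GW, BLOCK))
```

Run it with no arguments to print both scenarios from the post. The AND-based check is the whole story: as long as the mask keeps at least one bit in which the gateway's address and the interface's address differ, the gateway stays off-link and the default route is forced out the other interface.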