From: Damien Fleuriot
Date: Tue, 21 Jun 2011 12:34:02 +0200
To: freebsd-questions@freebsd.org
Subject: Re: Two Networks on one System
Message-ID: <4E00739A.1070409@my.gd>
In-Reply-To: <27899_1308609017_4DFFC9F9_27899_767_1_D9B37353831173459FDAA836D3B43499BF89C588@WADPMBXV0.waddell.com>

On 6/21/11 12:30 AM, Gary Gatten wrote:
> On 6/20/11 5:07 PM, Martin McCormick wrote:
>
> I was kinda going this route as well - policy based routing type thing,
> but, is there an "easier" way?
>
> 1.) Temporarily enable ipforwarding - not my favorite
> 2.) Instead of a second NIC, bind the new IP to the org nic (alias).
>
> man ifconfig specifically mentions using alias during ip renumbering:
>
> " alias   Establish an additional network address for this interface.
>   This is sometimes useful when changing network numbers, and one wishes
>   to accept packets addressed to the old interface. If the address is on
>   the same subnet as the first network address for this interface, a
>   non-conflicting netmask must be given. Usually 0xffffffff is most
>   appropriate."
>
> Once everything is transitioned, you may reconfigure the interface with
> the "permanent" config.
>
> G

Alias lets your interface have multiple IP addresses, however it will not
address your routing issue.

Find below the configuration we're using on firewalls both in the
195.158.0.0/16 network and the 46.182.0.0/16 network.

In the case of a simple access rule:

    # PASS quick SSH from trusted IPs
    pass in quick on $ifvlan13 reply-to ($ifvlan13 $neo_vrrp_195) inet proto tcp from to port 22
    pass in quick on $ifvlan13 reply-to ($ifvlan13 $neo_vrrp_46) inet proto tcp from to port 22

In the case of an RDR, where we redirect traffic to another host:

First we tag the packets in the RDR rule, then we make our access rule only
match the tagged packets.

    # To VPN backoffice on both IP ranges
    rdr on $ifvlan13 inet proto tcp from any to port 1195 tag rdr_195_1195 -> 10.104.10.244 port 1195
    rdr on $ifvlan13 inet proto tcp from any to port 1195 tag rdr_46_1195 -> 10.104.10.244 port 1195

    # PASS in openvpn backoffice
    pass in log on $ifvlan13 reply-to ($ifvlan13 $neo_vrrp_195) inet proto tcp from any to port 1195 tagged rdr_195_1195 keep state label "PASS in openvpn_bo_195"
    pass in log on $ifvlan13 reply-to ($ifvlan13 $neo_vrrp_46) inet proto tcp from any to port 1195 tagged rdr_46_1195 keep state label "PASS in openvpn_bo_46"
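A fuller pf.conf sketch of the reply-to and rdr/tag pattern described in the message above, added here as an example and not taken from Damien's firewalls: the interface, gateway, table and host names are assumed, and the addresses are constructed from documentation ranges.

```pf
# Constructed example (not from the post): one firewall holding a public
# address in each of two upstream networks. All names/addresses are assumed.
ext_if   = "vlan13"
gw_a     = "192.0.2.1"          # upstream router of network A
gw_b     = "198.51.100.1"       # upstream router of network B
vip_a    = "192.0.2.10"         # this firewall's address in network A
vip_b    = "198.51.100.10"      # this firewall's address in network B
vpn_host = "10.104.10.244"      # internal OpenVPN host (address from the post)

table <trusted> { 203.0.113.5, 203.0.113.6 }   # admin sources (constructed)

# Translation section: pf evaluates rdr before filter rules. Tag each
# redirect with the network it arrived on so the filter can tell them apart.
rdr on $ext_if inet proto tcp from any to $vip_a port 1195 \
    tag rdr_a_1195 -> $vpn_host port 1195
rdr on $ext_if inet proto tcp from any to $vip_b port 1195 \
    tag rdr_b_1195 -> $vpn_host port 1195

# Filter section: default deny on the external interface; the rules below
# open only what is needed. reply-to only works on stateful rules, so every
# pass rule keeps state.
block in log on $ext_if

# Plain access rule: SSH to each public address is answered through the
# router of the network that address belongs to, whatever the default
# route says.
pass in quick on $ext_if reply-to ($ext_if $gw_a) inet proto tcp \
    from <trusted> to $vip_a port 22 keep state
pass in quick on $ext_if reply-to ($ext_if $gw_b) inet proto tcp \
    from <trusted> to $vip_b port 22 keep state

# Redirected traffic: after rdr the filter sees the translated destination
# ($vpn_host), so only the tag tells which public address was hit and
# therefore which gateway the replies must go back through.
pass in log on $ext_if reply-to ($ext_if $gw_a) inet proto tcp \
    from any to $vpn_host port 1195 tagged rdr_a_1195 keep state \
    label "PASS in openvpn_bo_a"
pass in log on $ext_if reply-to ($ext_if $gw_b) inet proto tcp \
    from any to $vpn_host port 1195 tagged rdr_b_1195 keep state \
    label "PASS in openvpn_bo_b"
```

Parse it with `pfctl -nf /etc/pf.conf` before loading; a tagged pass rule with no matching rdr tag never matches, which shows up as connections being dropped by the default block rule.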