Date: Tue, 21 Jun 2011 09:09:47 -0400
From: Jon Radel <jon@radel.com>
To: freebsd-questions@freebsd.org
Subject: Re: Two Networks on one System
Message-ID: <4E00981B.3070102@radel.com>
In-Reply-To: <201106211128.p5LBSvCe095130@x.it.okstate.edu>
References: <201106211128.p5LBSvCe095130@x.it.okstate.edu>
On 6/21/11 7:28 AM, Martin McCormick wrote:
> The problem I have, probably due to a misunderstanding
> of what I need to do, is easy to describe.
>
> The defaultrouter statement in rc.conf or
>
> route add default x.x.x.x
>
> from the command line sets an interface to know that packets
> whose destinations or sources are outside the subnet go to
> that default gateway. There is only one default gateway per FreeBSD machine.
>
> When I set up the secondary interface, I have not been
> able to come up with a statement or statements that tell fxp1
> that its default router is y.y.y.y, so you can't ever reach it
> from outside the new subnet.
>

This, in and of itself, doesn't follow. In the absence of stateful firewalls and anti-spoofing filtering (blocking packets that don't have a source IP address on the "expected" list), or a complete disconnect between your networks, any packet coming in fxp1 can have a reply go out fxp0, to the default gateway, and get where it's going just fine. We can quibble over the finer details of the evils of asymmetrical routing some other day, but fundamentally an IP network doesn't care in the SLIGHTEST which route a packet takes to get where it's going.

> I have tried both a second physical connection and an
> alias and have ended up with the same behavior each time. Since
> we have the second NIC active, I prefer to use it if I can ever
> get it to use its router just like the primary interface does.

As hinted at above, this is possibly not a FreeBSD issue at all. Without knowledge of how your network actually works, there's not too much more to be said, but one of the following should be true:

1) You don't have stateful firewalling and anti-spoofing filtering in the way, and something on your network is broken, as the default FreeBSD behavior should simply work if you've got a network that is simply transitioning from one set of addresses to another.

2) If you really can't reply to the same default gateway for everything, you'll need to do either policy-based routing or add more specific routes, depending on whether outgoing traffic can be segregated by source address, destination address, etc.

However, since it appears that you don't actually have 2 networks at all, given your clarification that you've tried an interface alias, I'm left with one key question: Are your two gateways two different interfaces, or one interface with two different IP addresses? If the former, I'd try policy-based routing. If the latter, I'd check my firewall rules really carefully.

Next step in any case should probably be to do some packet sniffing to confirm that packets from the outside world to the new address actually get to you in the first place. Or have you confirmed this from DNS logs or something else?

--Jon Radel
jon@radel.com
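The policy-based routing Jon suggests for the two-interface case, as an added example that is neither Jon's nor Martin's configuration: pf's reply-to and route-to make fxp1 answer through its own gateway while fxp0 keeps the single defaultrouter. The interface names come from the thread; the addresses, the choice of pf (ipfw fwd would do the same job), and the helper function names are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: policy-based routing on FreeBSD with pf
# so that fxp1 replies through its own gateway while fxp0 keeps the system
# default route. Addresses below are assumed placeholders:
#   fxp0  192.0.2.10/24     gateway 192.0.2.1     (x.x.x.x in the thread)
#   fxp1  198.51.100.10/24  gateway 198.51.100.1  (y.y.y.y in the thread)
PRIMARY_IF=fxp0; PRIMARY_GW=192.0.2.1
SECOND_IF=fxp1;  SECOND_IP=198.51.100.10; SECOND_GW=198.51.100.1

# rc.conf fragment: still exactly one defaultrouter, as the thread notes;
# fxp1 gets no default route of its own, pf supplies the per-interface policy.
gen_rc_conf() {
  cat <<EOF
defaultrouter="$PRIMARY_GW"
ifconfig_${PRIMARY_IF}="inet 192.0.2.10 netmask 255.255.255.0"
ifconfig_${SECOND_IF}="inet $SECOND_IP netmask 255.255.255.0"
pf_enable="YES"
pf_rules="/etc/pf.conf"
EOF
}

# pf.conf: reply-to sends replies to connections that arrived on fxp1 back out
# fxp1 via its gateway; route-to catches locally generated packets sourced from
# fxp1's address that the routing table would otherwise push out fxp0.
gen_pf_rules() {
  cat <<EOF
set skip on lo0
pass in quick on $SECOND_IF reply-to ($SECOND_IF $SECOND_GW) keep state
pass out quick on $PRIMARY_IF from $SECOND_IP route-to ($SECOND_IF $SECOND_GW) keep state
pass in on $PRIMARY_IF keep state
pass out keep state
EOF
}

# Syntax-check the generated ruleset with pfctl -n before loading it, so a
# typo never replaces a working ruleset. Returns non-zero if pfctl rejects it.
apply_pf_rules() {
  tmp=$(mktemp) || return 1
  gen_pf_rules > "$tmp"
  if pfctl -nf "$tmp"; then
    pfctl -f "$tmp"; rc=$?
  else
    echo "pf ruleset rejected, not loaded" >&2; rc=1
  fi
  rm -f "$tmp"
  return $rc
}

# Load only when explicitly asked (sh thisfile.sh apply); otherwise just show.
if [ "${1-}" = "apply" ]; then apply_pf_rules; else gen_rc_conf; gen_pf_rules; fi
```

Run the script with `apply` as root on the FreeBSD box to validate and load the ruleset; without it the script only prints the two fragments for review.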