From: Jon Radel <jon@radel.com>
To: freebsd-questions@freebsd.org
Date: Tue, 21 Jun 2011 09:09:47 -0400
Subject: Re: Two Networks on one System
Message-ID: <4E00981B.3070102@radel.com>
In-Reply-To: <201106211128.p5LBSvCe095130@x.it.okstate.edu>

On 6/21/11 7:28 AM, Martin McCormick wrote:
> The problem I have, probably due to a misunderstanding
> of what I need to do, is easy to describe.
>
> The defaultrouter statement in rc.conf or
>
> route add default x.x.x.x
>
> from the command line sets an interface to know that packets
> whose destinations or sources are outside the subnet go to
> that default gateway. There is only one default gateway per FreeBSD machine.
>
> When I set up the secondary interface, I have not been
> able to come up with a statement or statements that tell fxp1
> that its default router is y.y.y.y so you can't ever reach it
> from outside the new subnet.

This, in and of itself, doesn't follow. In the absence of stateful firewalls and anti-spoofing filtering (blocking packets that don't have a source IP address on the "expected" list), or a complete disconnect between your networks, any packet coming in fxp1 can have a reply go out fxp0, to the default gateway, and get where it's going just fine. We can quibble over the finer details of the evils of asymmetrical routing some other day, but fundamentally an IP network doesn't care in the SLIGHTEST which route a packet takes to get where it's going.

> I have tried both a second physical connection and an
> alias and have ended up with the same behavior each time. Since
> we have the second NIC active, I prefer to use it if I can ever
> get it to use its router just like the primary interface does.

As hinted at above, this is possibly not a FreeBSD issue at all. Without knowledge of how your network actually works, there's not too much more to be said, but one of the following should be true:

1) You don't have stateful firewalling and anti-spoofing filtering in the way, and something on your network is broken, as the default FreeBSD behavior should simply work if you've got a network that is simply transitioning from one set of addresses to another.

2) If you really can't reply to the same default gateway for everything, you'll need to do either policy-based routing or add more specific routes, depending on whether outgoing traffic can be segregated by source address, destination address, etc.

However, since it appears that you don't actually have 2 networks at all, given your clarification that you've tried an interface alias, I'm left with one key question: Are your two gateways two different interfaces, or one interface with two different IP addresses? If the former, I'd try policy-based routing. If the latter, I'd check my firewall rules really carefully.

Next step in any case should probably be to do some packet sniffing to confirm that packets from the outside world to the new address actually get to you in the first place. Or have you confirmed this from DNS logs or something else?

--Jon Radel
jon@radel.com
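An added illustration of the routing behaviour discussed in the reply above (example code, not from this thread or from FreeBSD): a small Python model of the host's forwarding decision with constructed placeholder addresses standing in for x.x.x.x and y.y.y.y. It shows the reply to a packet that arrived on fxp1 leaving via fxp0's single default gateway, an upstream anti-spoofing filter then dropping it, and how either a source-based policy route or a more specific destination route (the two options in point 2) restores a symmetric path.

```python
# Added example, not from the mailing-list thread: a toy model of a FreeBSD
# host with fxp0 and fxp1, showing why replies to traffic arriving on fxp1
# leave via the single default gateway on fxp0, and what changes that.
# All addresses are constructed placeholders (RFC 5737 documentation ranges).
from ipaddress import ip_address, ip_network

GW0, GW1 = ip_address("192.0.2.1"), ip_address("198.51.100.1")  # x.x.x.x, y.y.y.y
# Kernel routing table: (destination, interface, gateway; None = directly connected)
ROUTES = [
    (ip_network("192.0.2.0/24"), "fxp0", None),
    (ip_network("198.51.100.0/24"), "fxp1", None),
    (ip_network("0.0.0.0/0"), "fxp0", GW0),  # the one defaultrouter
]
# Option 2a from the reply: policy routing keyed on source address
# (what pf route-to / ipfw fwd provide; modelled here, not the real rule syntax)
POLICY = [(ip_network("198.51.100.0/24"), "fxp1", GW1)]
# Option 2b: a more specific destination route out the second link
MORE_SPECIFIC = ROUTES + [(ip_network("203.0.113.0/24"), "fxp1", GW1)]
# Anti-spoofing filter at each upstream gateway: source prefix it expects on that link
UPSTREAM_EXPECTS = {"fxp0": ip_network("192.0.2.0/24"),
                    "fxp1": ip_network("198.51.100.0/24")}

def lookup(dst, src=None, routes=ROUTES, policy=()):
    """Source-based policy rules first, then longest-prefix match on destination."""
    dst = ip_address(dst)
    src = ip_address(src) if src is not None else None
    for net, iface, gw in policy:
        if src is not None and src in net:
            return iface, gw
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1], best[2]

def reply_path(arrived_on, local_addr, remote, routes=ROUTES, policy=()):
    """Where the reply to a packet (remote -> local_addr, arrived on arrived_on)
    goes, and whether the upstream anti-spoofing filter on that link accepts it."""
    iface, gw = lookup(remote, src=local_addr, routes=routes, policy=policy)
    accepted = ip_address(local_addr) in UPSTREAM_EXPECTS[iface]
    return {"out": iface, "gw": str(gw) if gw is not None else None,
            "symmetric": iface == arrived_on, "passes_upstream_filter": accepted}

if __name__ == "__main__":
    # An Internet host (203.0.113.9) talks to the new address on fxp1.
    for label, kw in [("default only", {}), ("policy route", {"policy": POLICY}),
                      ("specific route", {"routes": MORE_SPECIFIC})]:
        print(label, reply_path("fxp1", "198.51.100.10", "203.0.113.9", **kw))
```

With only the default route the reply is asymmetric and fails the fxp0 gateway's source filter, which is the failure mode the reply attributes to anti-spoofing; with either fix it goes out fxp1 via y.y.y.y.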