From owner-freebsd-isp  Wed May 29 11: 9:12 2002
Delivered-To: freebsd-isp@freebsd.org
Received: from smtp.kka.com (smtp.kka.com [63.141.65.2])
	by hub.freebsd.org (Postfix) with ESMTP id 6583D37B403
	for <freebsd-isp@freebsd.org>; Wed, 29 May 2002 11:09:04 -0700 (PDT)
Subject: Re: Firewall Setup
To: freebsd-isp@freebsd.org
X-Mailer: Lotus Notes Release 5.0.8  June 18, 2001
Message-ID: <OF91800E1C.D2BF2CC6-ON86256BC8.00631F41@kka.com>
From: Eric_Stanfield@kenokozie.com
Date: Wed, 29 May 2002 13:04:06 -0500
X-MIMETrack: Serialize by Router on Notes1st/Keno(Release 5.0.4 |June 8, 2000) at 05/29/2002
 01:04:08 PM
MIME-Version: 1.0
Content-type: text/plain; charset=us-ascii
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-isp.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-isp>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-isp>
X-Loop: FreeBSD.org


Assuming the router in question is a Cisco, you can accomplish what you
want by putting a route-map on the default router which sets the packets
next hop to the 'other' router based on the source address of the outbound
traffic.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Eric Stanfield, K2Access
Keno Kozie Associates
222 N LaSalle #1500
Chicago, IL 60606
(312) 332-3000




                                                                                              
                    "Chris Knipe"                                                             
                    <savage@savage.za.o        To:     "Max" <max@ecotech.com.lr>,            
                    rg>                        <freebsd-isp@freebsd.org>                      
                    Sent by:                   cc:                                            
                    owner-freebsd-isp@F        Subject:     Re: Firewall Setup                
                    reeBSD.ORG                                                                
                                                                                              
                                                                                              
                    05/29/2002 12:25 PM                                                       
                                                                                              
                                                                                              



> My network has other routers hardware and software. I want just few
machines
> to use this new router instead of the whole network so that even if a
client
> sets this
> router has his default gateway, he will not be able to access the
Internet!

Isn't this more of a static-routing option rather than a firewall?  A
firewall will block the packets, meaning that the clients which use the
"wrong" router, will have *no* internet access, rather than be directed
towards the right router.

You can most probably redirect the packets from one firewall to another,
but
that's limited to a per port basis.  I think the simplest solution would
just be to re-route certain data from the "wrong" router, to the "right"
router

route add <network> <mask> <gateway>   if I'm not mistaken.

So, if you have 10.0.0.0/255.0.0.0 and want 10.0.1.0/24 to be assigned to
router 1, on your 2, you'll add a static route for that network, routing it
back to router 1.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message





To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message