From: Brian Reichert <reichert@numachi.com>
To: Barney Wolff
Cc: freebsd-net@freebsd.org
Date: Tue, 23 Mar 2004 17:32:25 -0500
Subject: Re: tricking myself w/ multihoming
Message-ID: <20040323223225.GK29783@numachi.com>
In-Reply-To: <20040323214723.GA20982@pit.databus.com>
References: <20040323203045.GI29783@numachi.com> <20040323214723.GA20982@pit.databus.com>
List-Id: Networking and TCP/IP with FreeBSD
User-Agent: Mutt/1.5.6i

On Tue, Mar 23, 2004 at 04:47:23PM -0500, Barney Wolff wrote:
> First question, probably irrelevant - how did you get 255.255.255.255 as
> the broadcast addr on rl1?

Good question.  Said interface is set via dhclient, and values are
provided by my cable company.

> If 198.175.254.1 is really your external gateway, why is the default
> route heading inside?  Are there so many inside nets that you can't
> list them as explicit routes?

It's not 'inside', it's out my second pipe (the cable modem).
This box has been my secondary MX, NS, and my squid cache (outgoing).
My public IP is routed over my DSL line.  This box, though, is my 'back
door'; I vector higher-bandwidth traffic out over it (via NAT and
otherwise), and maintain some incoming TCP tunnels, so I can crawl into
my net when my primary ISP is having issues.

> Try adding 00045 fwd 198.175.254.1 tcp from 198.175.254.8 25 to any .

Ok, I'll give that a shot.  Hmm, nope, no effect.

> But really, the problem is better solved by setting your default
> route to 198.175.254.1 rather than playing ipfw games.

True enough, but then how do I route squid queries, etc. out that
interface?  What I want, magically, is 'replies to packets from
not-my-net in via rl0 to go out via 198.175.254.1'.  I'm having trouble
phrasing that in an ipfw-flavored way.

> How is DNS working?

Well. :)  I have two internal caches (one available on each pipe), and
two servers (again, one on each pipe).  I also run a pair of keyed NTP
servers.  Bear in mind, I've got scads of machines on my net.  This is
the only dual-homed box, and hence some of my confusion.

> Oh, and please do put some more secure rules in if you're really
> Internet connected.

Oh, 198.175.254.1 is a far more fully developed firewall, no worries
there.

> > Tcpdump on this box shows me the incoming packets coming to
> > 198.175.254.8, but I'm not seeing these replies to these packets
> > going out at all, much less to 198.175.254.1.
>
> Probably going out rl1.

Then tcpdump should show that, shouldn't it?

  # tcpdump -nl host 198.175.254.8

I see packets coming in:

  17:19:06.120189 205.206.231.27.45785 > 198.175.254.8.25: S 1457712783:1457712783(0) win 5840 (DF)

But no packets going out from 198.175.254.8, on either interface...
Is natd rewriting them before tcpdump gets to see them?  How do I
prevent these packets from being diverted?

Thanks for the feedback, BTW...
> --
> Barney Wolff        http://www.databus.com/bwresume.pdf
> I'm available by contract or FT, in the NYC metro area or via the 'Net.

--
Brian Reichert
37 Crystal Ave. #303                    Daytime number: (603) 434-6842
Derry NH 03038-1713 USA                 BSD admin/developer at large
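An added illustration of the ipfw ordering question raised in this exchange; it is not part of Brian's or Barney's messages and is not FreeBSD code. It is a small Python model of ipfw's first-match evaluation with the two actions in play: `fwd`, which sets the next hop and terminates the search, and `divert`, which hands the packet to natd and, as ipfw(8) documents, re-enters the ruleset at the rule after the divert. The SMTP reply is constructed from the tcpdump line quoted above; the natd aliasing address 10.0.0.5 and the divert rule numbers are assumptions, since the ruleset from the earlier message is not on this page. The model shows why a `fwd` rule numbered after the natd divert never matches `from 198.175.254.8` (the source has already been rewritten), and why `tcpdump host 198.175.254.8` then shows no outbound packets: BPF sees the post-NAT addresses.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

# Addresses from the thread, plus one constructed value.
MX_ADDR = "198.175.254.8"    # SMTP server address reached via rl0
DSL_GW = "198.175.254.1"     # gateway the replies are meant to leave through
CABLE_ADDR = "10.0.0.5"      # ASSUMED natd -n rl1 aliasing address (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    next_hop: Optional[str] = None  # set by fwd; None means "use the routing table"


@dataclass(frozen=True)
class Rule:
    number: int
    action: str            # "fwd", "divert" or "allow"
    arg: str = ""          # fwd next-hop or divert port
    proto: str = "ip"      # "ip" matches every protocol, as in ipfw
    src: str = "any"
    sport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and (self.src == "any" or self.src == p.src)
                and (self.sport is None or self.sport == p.sport))


def natd(p: Packet) -> Packet:
    """Stand-in for natd on rl1: rewrite the source of an outbound packet
    to the aliasing address (the real natd also tracks state; not modelled)."""
    return replace(p, src=CABLE_ADDR)


def run_ipfw(rules: List[Rule], p: Packet) -> Packet:
    """First-match evaluation.  fwd/allow terminate the search; a divert
    passes the packet through natd and continues at the next rule."""
    rules = sorted(rules, key=lambda r: r.number)
    i = 0
    while i < len(rules):
        r = rules[i]
        if not r.matches(p):
            i += 1
            continue
        if r.action == "allow":
            return p
        if r.action == "fwd":
            return replace(p, next_hop=r.arg)
        if r.action == "divert":
            p = natd(p)            # reinjected packet resumes after this rule
            i += 1
            continue
        raise ValueError("unmodelled action: " + r.action)
    return p                       # no default-deny modelled


def egress_seen_by(filter_host: str, p: Packet) -> bool:
    """'tcpdump -n host X' on the outgoing interface sees post-NAT addresses."""
    return filter_host in (p.src, p.dst)


# The reply to the SYN quoted in the thread (205.206.231.27.45785 > 198.175.254.8.25).
REPLY = Packet(src=MX_ADDR, sport=25, dst="205.206.231.27", dport=45785)

FWD_RULE = Rule(45, "fwd", DSL_GW, proto="tcp", src=MX_ADDR, sport=25)


def divert_rule(number: int) -> Rule:
    return Rule(number, "divert", "8668")   # natd's default divert port


def fwd_after_divert() -> Packet:
    """Assumed ordering: natd divert numbered below rule 45."""
    return run_ipfw([divert_rule(40), FWD_RULE, Rule(65000, "allow")], REPLY)


def fwd_before_divert() -> Packet:
    """Rule 45 placed ahead of the natd divert."""
    return run_ipfw([FWD_RULE, divert_rule(50), Rule(65000, "allow")], REPLY)


if __name__ == "__main__":
    for name, fn in (("fwd after divert", fwd_after_divert),
                     ("fwd before divert", fwd_before_divert)):
        out = fn()
        print(name, "->", out.src, "next_hop=", out.next_hop,
              "tcpdump host 198.175.254.8 sees it:", egress_seen_by(MX_ADDR, out))
```

In the model, the `fwd` rule only helps when it is numbered below the divert, in which case the packet leaves with its original source and the filter `host 198.175.254.8` shows it; otherwise natd has already rewritten the source and neither rule 45 nor the tcpdump filter matches. Whether that is what happened on the box depends on the actual ruleset, which this message does not quote.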