From: Wayne Pascoe
To: Micheal Patterson
Cc: freebsd-questions@freebsd.org
Date: Mon, 8 Mar 2004 21:43:57 +0000
Subject: Re: Alias in different subnet on card
Message-ID: <20040308214357.GA20398@marvin.penguinpowered.org>
In-Reply-To: <284001c40547$0af4d190$4df24243@tsgincorporated.com>

On Mon, Mar 08, 2004 at 01:53:33PM -0600, Micheal Patterson wrote:
> You have 3 networks in a firewall, and since we don't know the full
> topology, I'll use these network ranges for my example: 192.168.1.0,
> 192.168.2.0, and 192.168.3.0. You now want to add a 4th range, let's say,
> 192.168.4.0.

Sorry about that... Let me be more specific about that... I will use 172.16.1.0 in place of my real IP range though. My real range is a /24 that has been subnetted for various companies that share our building.

xl0 - Interface that my workstation network connects to and is natted out from
xl1 - Interface that my servers all connect to, from both networks (eventually, I hope :) )
xl2 - Connection to router

xl0 - 192.168.2.1 netmask 255.255.255.0 (/24)
xl1 - 172.16.1.1 netmask 255.255.255.128 (/25)
xl2 - 172.16.1.243 netmask 255.255.255.248 (/29)

I am now trying to add the network 172.16.1.192 netmask 255.255.255.240 (/28) to the firewall. The reserved router IP address for this range is 172.16.1.193. This is the address I was trying to add as an alias.

> ifconfig_xl1_alias0="inet 192.168.2.1 netmask 255.255.255.128"

So in my case, the correct line will be

ifconfig_xl1_alias0="inet 172.16.1.193 netmask 255.255.255.240"

This would be my first alias, as all the other networks have their own card in the firewall... This is a temporary firewall though, and I've now run out of slots for another network card. In the final configuration, this network will have its own network card.

> The only time you would use a netmask of 255.255.255.255 is if the aliased
> IP is a member of a subnet that is already assigned on the interface.

That's what I thought, but I got stumped when the machine wouldn't forward packets coming in to this IP.

> Then you will need to add the appropriate firewall rules to allow those
> networks to either talk / no talk to the remaining network segments.

The machines in 172.16.1.192/28 can talk to the machines in 172.16.1.0/25 without any problems, and vice versa. They just don't talk to machines beyond the firewall / on the internet.

--
Wayne Pascoe
I haven't lost my mind... It's backed up on tape somewhere.
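An added example, not part of this thread: a small Python check that applies the netmask rule quoted above (255.255.255.255 only when the alias already sits in a subnet configured on that card, otherwise the new subnet's own mask) to the interface layout Wayne describes, and refuses an alias whose subnet collides with a range on another card. The interface table uses the example ranges from the mail; the function name and the alias index are my own.

```python
"""Pick the netmask for an ifconfig_<if>_aliasN line in /etc/rc.conf.

Rule from the thread: an alias that is a member of a subnet already
configured on the interface gets a /32 (255.255.255.255) mask; an alias
that brings a new subnet onto the interface gets that subnet's real mask.
"""
import ipaddress

# Interfaces as described in the thread (example ranges, not real ones).
INTERFACES = {
    "xl0": ["192.168.2.1/24"],
    "xl1": ["172.16.1.1/25"],
    "xl2": ["172.16.1.243/29"],
}


def existing_networks(interfaces):
    """Return every (ifname, network) pair already configured."""
    return [(name, ipaddress.ip_interface(a).network)
            for name, addrs in interfaces.items() for a in addrs]


def alias_line(ifname, alias_cidr, interfaces=INTERFACES, index=0):
    """Build the rc.conf alias line, choosing /32 or the subnet mask.

    Raises ValueError if the alias address or its subnet is already
    reachable through a *different* card: that is a routing conflict,
    not an alias.
    """
    alias = ipaddress.ip_interface(alias_cidr)
    for name, net in existing_networks(interfaces):
        if alias.ip in net:
            if name != ifname:
                raise ValueError(f"{alias.ip} already lives in {net} on {name}")
            # Same subnet already on this card: host alias, /32 mask.
            mask = "255.255.255.255"
            break
    else:
        # New subnet on this card: it must not overlap any existing range.
        for name, net in existing_networks(interfaces):
            if net.overlaps(alias.network):
                raise ValueError(f"{alias.network} overlaps {net} on {name}")
        mask = str(alias.network.netmask)
    return f'ifconfig_{ifname}_alias{index}="inet {alias.ip} netmask {mask}"'
```

The mask only makes the firewall own the /28; whether it then forwards for it depends on gateway_enable (net.inet.ip.forwarding) and on the ipfw and natd rules also covering 172.16.1.192/28.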