From owner-freebsd-net@FreeBSD.ORG Sun Feb 13 10:42:08 2011
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6DDAC106566B for ; Sun, 13 Feb 2011 10:42:08 +0000 (UTC) (envelope-from jdc@koitsu.dyndns.org)
Received: from qmta05.emeryville.ca.mail.comcast.net (qmta05.emeryville.ca.mail.comcast.net [76.96.30.48]) by mx1.freebsd.org (Postfix) with ESMTP id 51E2C8FC0C for ; Sun, 13 Feb 2011 10:42:08 +0000 (UTC)
Received: from omta02.emeryville.ca.mail.comcast.net ([76.96.30.19]) by qmta05.emeryville.ca.mail.comcast.net with comcast id 7Ni71g0080QkzPwA5Ni7cP; Sun, 13 Feb 2011 10:42:07 +0000
Received: from koitsu.dyndns.org ([98.248.33.18]) by omta02.emeryville.ca.mail.comcast.net with comcast id 7Ni61g00P0PUQVN8NNi7LJ; Sun, 13 Feb 2011 10:42:07 +0000
Received: by icarus.home.lan (Postfix, from userid 1000) id B86B19B422; Sun, 13 Feb 2011 02:42:06 -0800 (PST)
Date: Sun, 13 Feb 2011 02:42:06 -0800
From: Jeremy Chadwick
To: freebsd-net@freebsd.org
Message-ID: <20110213104206.GA2524@icarus.home.lan>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Routing between two physical networks
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 13 Feb 2011 10:42:08 -0000

(Please keep me CC'd, as I'm not subscribed to freebsd-net)

I'm having some complexity handling 3 separate networks on the same
physical box, which also acts as a gateway. NAT (pf) is involved, but
only for packets going out the external interface (em0). The simple
version is that two of the local (physical) networks can't talk.

Before I provide details, please keep in mind I *do not* want to use
bridge(4) to solve this problem. I have tried it -- yes it works as
expected -- but I'm trying hard to avoid use of it.

OS: amd64 FreeBSD 8.2-PRERELEASE #0: Sat Feb 12 06:13:55 PST 2011

Physical topology and physical interfaces:

  +-------------+
  |             |== em0   <---> cable modem <---> Internet
  | FreeBSD Box |== em1   <---> switch <---> PC#1
  |             |== wlan0 <---> printer
  +-------------+

FreeBSD em0   = public Internet IP address
FreeBSD em1   = 192.168.1.1 netmask 0xffffff00
FreeBSD wlan0 = 192.168.200.1 netmask 0xffffff00
PC#1          = 192.168.1.50 netmask 0xffffff00 gateway 192.168.1.1
printer       = 192.168.200.101 netmask 0xffffff00 gateway 192.168.1.1

Situation:

- PC#1 can talk to the FreeBSD box (as 192.168.1.1 or 192.168.200.1)
- printer can talk to the FreeBSD box (as 192.168.200.1 or 192.168.1.1)
- PC#1 can reach the Internet
- PC#1 **cannot** talk to printer, nor vice-versa

The last item is what I'm trying to fix.

Packets from PC#1 -> Internet are NAT'd using the following pf statements:

  ext_if="em0"
  int_if="em1"
  nat on $ext_if from $int_if:network to any -> ($ext_if)

gateway_enable="yes" is obviously set in rc.conf.

traceroute from PC#1 to printer shows hop #1 as 192.168.1.1, then
indefinite timeouts.

When PC#1 pings the printer, "tcpdump -p -i em1 -l -n icmp" from the
FreeBSD box shows ICMP ECHO requests from 192.168.1.50 to
192.168.200.101, but no reply. When doing "tcpdump -p -i wlan0 -l -n
icmp", the exact same packets as above are seen. I'd love for someone
to explain this to me. :-)

When doing "tcpdump -p -i em0 -l -n icmp", nothing is seen, so I
imagine the packets destined for 192.168.200.101 aren't going out the
Internet.

I've tried changing the printer's gateway to 192.168.200.1 but that has
no effect either.

My pf.conf has "set skip on wlan0" and "set skip on em1", so I'm not
exactly sure where the packets are disappearing, and am inclined to
think it's a routing table issue.

I can put up my configuration bits (rc.conf, pf.conf) as well as
"ifconfig -a", "netstat -rn", etc. if someone would like to see them (I
imagine so), just let me know.

-- 
| Jeremy Chadwick                                   jdc@parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP 4BD6C0CB |
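A worked model of the next-hop selection involved in this topology, added here as an example and not part of Jeremy's message or of FreeBSD itself: it builds the three hosts from the message (the FreeBSD box with em1 and wlan0 and forwarding enabled, PC#1, the printer) with Python's ipaddress module and walks an ICMP echo request and its reply hop by hop, once with the printer's gateway as stated in the message (192.168.1.1) and once with 192.168.200.1. The model covers only directly connected routes plus one default gateway; em0, pf, NAT and the wireless link itself are left out, and the node names, link names and the PC's interface name are made up for the example.

```python
"""Toy model of IPv4 next-hop selection for the topology in the message.
Constructed example: connected routes plus a default gateway only.
em0, pf, NAT and the Internet side are deliberately left out."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Iface:
    name: str
    link: str                          # L2 segment the interface sits on (made-up name)
    addr: ipaddress.IPv4Interface      # address with prefix, e.g. 192.168.1.1/24


@dataclass
class Node:
    name: str
    ifaces: list
    gateway: Optional[ipaddress.IPv4Address] = None
    forwarding: bool = False           # stands in for gateway_enable="yes"

    def owns(self, ip):
        return any(i.addr.ip == ip for i in self.ifaces)

    def connected(self, ip):
        """Interface whose directly connected subnet contains ip, or None."""
        for i in self.ifaces:
            if ip in i.addr.network:
                return i
        return None

    def next_hop(self, dst):
        """Return (iface, next_hop_ip), or None when no usable route exists."""
        i = self.connected(dst)
        if i is not None:
            return i, dst                      # on-link: deliver directly
        if self.gateway is None:
            return None
        gi = self.connected(self.gateway)
        if gi is None:
            return None                        # gateway is on no connected subnet
        return gi, self.gateway


def deliver(nodes, src, dst, ttl=8):
    """Walk a packet from src towards dst; return (status, list of node names)."""
    node, path = src, [src.name]
    for _ in range(ttl):
        if node.owns(dst):
            return "delivered", path
        if node is not src and not node.forwarding:
            return "dropped: host does not forward", path
        hop = node.next_hop(dst)
        if hop is None:
            return "dropped: no route", path
        iface, nh = hop
        # the next hop must answer on the same L2 segment as the egress interface
        nxt = next((n for n in nodes
                    if any(i.link == iface.link and i.addr.ip == nh for i in n.ifaces)),
                   None)
        if nxt is None:
            return f"dropped: {nh} not on link {iface.link}", path
        node = nxt
        path.append(node.name)
    return "dropped: ttl exceeded", path


def build(printer_gateway):
    """Hosts and addresses from the message; the printer's gateway is the parameter."""
    addr, intf = ipaddress.IPv4Address, ipaddress.IPv4Interface
    box = Node("freebsd", [Iface("em1", "lan", intf("192.168.1.1/24")),
                           Iface("wlan0", "wifi", intf("192.168.200.1/24"))],
               forwarding=True)
    pc1 = Node("pc1", [Iface("eth", "lan", intf("192.168.1.50/24"))],
               gateway=addr("192.168.1.1"))
    printer = Node("printer", [Iface("wl", "wifi", intf("192.168.200.101/24"))],
                   gateway=addr(printer_gateway))
    return [box, pc1, printer], pc1, printer


def ping(printer_gateway):
    """Echo request pc1 -> printer and echo reply printer -> pc1."""
    nodes, pc1, printer = build(printer_gateway)
    request = deliver(nodes, pc1, printer.ifaces[0].addr.ip)
    reply = deliver(nodes, printer, pc1.ifaces[0].addr.ip)
    return request, reply


if __name__ == "__main__":
    for gw in ("192.168.1.1", "192.168.200.1"):
        request, reply = ping(gw)
        print(f"printer gateway {gw}: request {request}, reply {reply}")
```

In this model the request always reaches the printer through the box, which matches the tcpdump on em1 and wlan0 showing the echo requests. The reply differs: a default gateway is only usable when it lies in one of the host's directly connected subnets, so with 192.168.200.1 the reply is routed back via the box, while with 192.168.1.1 the printer has no usable route for it. The model stops at next-hop selection, so it says nothing about pf, the wireless link or anything else that may act on the reply once the printer has a route for it.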