Date: Wed, 9 Oct 2002 15:01:34 -0700 (PDT)
From: Matthew Dillon <dillon@apollo.backplane.com>
To: Bill Moran <wmoran@potentialtech.com>
Cc: Paul te Bokkel <paul@tebokkel.com>, Thomas Quinot <thomas@cuivre.fr.eu.org>, freebsd-stable@FreeBSD.ORG
Subject: Re: Setup routing entry for host with a non-local IP address
Message-ID: <200210092201.g99M1YTA007964@apollo.backplane.com>
References: <20021009151733.GA15162@melusine.cuivre.fr.eu.org> <20021009210242.GA34352@tebokkel.com> <3DA49D72.6070205@potentialtech.com>
Yes, you can put multiple subnets or multiple addresses on the same subnet on the same physical interface. I do it all the time:

fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 216.240.41.17 netmask 0xffffffc0 broadcast 216.240.41.63
        inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
        inet 216.240.41.21 netmask 0xffffffff broadcast 216.240.41.21
        ether 00:b0:d0:f0:67:cb
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

# in /etc/rc.conf:
ifconfig_fxp0="inet 216.240.41.17 netmask 255.255.255.192"
ifconfig_fxp0_alias0="inet 10.0.0.2 netmask 255.255.255.0"
ifconfig_fxp0_alias1="inet 216.240.41.21 netmask 255.255.255.255"

There are a couple of issues here. First, you have to think of the physical interface as being two physical interfaces even though there is really just one. For example, if you have some other machine X at 216.240.41.10 which has no knowledge of 10.* you have to give that machine a gateway route for 10.* that points to, say, 216.240.41.17 (the above machine), or the gateway handling its default route must know about 10.*. That machine may just echo the packet out the same interface it came in on if that is where the 10.* net is, which is fine.

Second, services on the machine with the multiple IP aliases may get somewhat confused and care must be taken. For example, an NFS server may receive a UDP request on one IP address and reply from another IP address, confusing the client. Sendmail might initiate an outgoing connection using IP address A when talking to a machine on IP address B's subnet, and so forth. Those internal services, such as NFS, that you do not wish to route to the outside world, can be bound to your internal IP space. These issues can usually be resolved with careful configuration work. It is best to use IP aliases only on those machines that absolutely need them. Other machines should just use a single IP address and route appropriately.
Finally, you need to be careful when mixing an internal non-internet-routable network such as 10.* with an internet routable network. If you want services running on the internal 10.* network to talk to services on the internet they have to be run through a NAT gateway. You *CAN* mix NAT and non-NAT traffic... that is, you have the NAT gateway intercept 10.* traffic that is being routed to the outside world while ignoring IPs that are already externally routable, depending on your situation.

Finally #2, be sure that your border router is configured to prevent internal IP pollution from leaking to the outside world or vice versa. i.e. the border router should drop any packet coming from the outside world whose source or destination IP is 10.* and should drop any packet coming from the inside world whose source IP is 10.* and whose destination IP is external (or perhaps route it through NAT rather than drop it). If you do not filter your internal nets at your border router then outside entities can spoof internal addresses. See 'man firewall' for more information on border router configuration.

-Matt

Matthew Dillon <dillon@backplane.com>

:Paul te Bokkel wrote:
:> On Wed, Oct 09, 2002 at 05:17:33PM +0200, Thomas Quinot wrote:
:>
:>>Suppose that on a 4.6.2 machine (hostA), I have an interface xl0
:>>with address 10.10.1.2, netmask 255.255.255.0.
:>>
:>>On that ethernet, I have a host (hostB) that is set up as 10.10.0.1,
:>>netmask 255.255.255.0. I need to send a packet from hostA to hostB,
:>>
:>>Am I trying to do something impossible, or am I just clueless enough
:>>that I did not find the proper way of cajoling the kernel into
:>>cooperation?
:
:Is it feasible to add an alias on xl0 that is in the 10.10.0.x network
:space? That sounds like the easiest way to handle the issue to me.
:
:>
:> Answer A, however, answer B sounds feasible.. ;)
:>
:> No x.y.1.q/24 host can reach x.y.0.z/24 on the same physical net
:> without further provisions (like a gateway or aliased IPs).
:> Try putting hostB in the 10.10.0-net or use a netmask /16 (255.255.0.0).
:>
:> Regards,
:>
:> Paul
:
:--
:Bill Moran
:Potential Technologies

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
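Added example (editor's code, not from Matt's mail or from FreeBSD): the border-router policy in the "Finally #2" paragraph above, written out as a packet classifier and run over a few constructed sample packets, plus a renderer of the same policy as an ipfw(8) rule list of the kind 'man firewall' points at. It uses the mail's own address space (216.240.41.0/26 external, 10.0.0.0/8 internal); the outside interface name fxp0, the natd(8) divert port 8668, and the 198.51.100.x remote addresses (documentation space) are assumptions for the example. The classifier models the policy only; it does not model natd's translation table.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Address space taken from the mail: 216.240.41.0/26 is the externally
# routable net and 10.0.0.0/8 the internal one.  "fxp0" as the border
# router's outside interface is an assumption made for this example.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
EXTERNAL_IF = "fxp0"
NATD_PORT = 8668          # natd(8)'s default divert port (assumed here)


@dataclass(frozen=True)
class Packet:
    """One IP packet as seen at the border (constructed sample data)."""
    direction: str  # "in": arriving from the Internet, "out": leaving the site
    src: str
    dst: str


def is_internal(addr: str) -> bool:
    """True if addr lies in the non-routable internal block."""
    return ipaddress.ip_address(addr) in INTERNAL_NET


def border_decision(pkt: Packet, nat_outbound: bool = True) -> str:
    """Classify a packet the way the mail says the border router should.

    Returns 'drop', 'nat' or 'pass':
      - inbound with an internal source OR destination: drop (outsiders must
        not be able to spoof 10.* or reach it directly);
      - outbound from an internal source to an external destination: hand to
        NAT, or drop if the site runs no NAT gateway;
      - everything else, including traffic from the already-routable
        216.240.41.x addresses, passes untouched (the mixed NAT/non-NAT case).
    """
    src_int, dst_int = is_internal(pkt.src), is_internal(pkt.dst)
    if pkt.direction == "in":
        return "drop" if (src_int or dst_int) else "pass"
    if pkt.direction == "out":
        if src_int and not dst_int:
            return "nat" if nat_outbound else "drop"
        return "pass"
    raise ValueError(f"unknown direction {pkt.direction!r}")


def ipfw_rules(nat_outbound: bool = True) -> List[str]:
    """Render the same policy as an ipfw(8) rule list for EXTERNAL_IF.

    Order matters: the anti-spoofing denies come first, so the inbound divert
    (which un-translates NAT replies back to 10.* destinations) is never
    reached by a packet that already carried a 10.* address from outside.
    Syntax follows ipfw(8); check it against your own release before loading.
    """
    net = str(INTERNAL_NET)
    rules = [
        f"add deny ip from {net} to any in via {EXTERNAL_IF}",
        f"add deny ip from any to {net} in via {EXTERNAL_IF}",
    ]
    if nat_outbound:
        rules.append(f"add divert {NATD_PORT} ip from any to any in via {EXTERNAL_IF}")
        rules.append(f"add divert {NATD_PORT} ip from {net} to not {net} out via {EXTERNAL_IF}")
    else:
        rules.append(f"add deny ip from {net} to not {net} out via {EXTERNAL_IF}")
    rules.append("add allow ip from any to any")
    return rules


def audit(packets: List[Packet], nat_outbound: bool = True) -> dict:
    """Count decisions over a packet sample; handy for eyeballing a policy."""
    counts = {"drop": 0, "nat": 0, "pass": 0}
    for p in packets:
        counts[border_decision(p, nat_outbound)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample: a spoofed inbound 10.* source, an inbound probe at
    # the internal alias, a legitimate inbound to the public IP, an internal
    # host going out, and the public alias going out.
    sample = [
        Packet("in", "10.0.0.9", "216.240.41.17"),
        Packet("in", "198.51.100.5", "10.0.0.2"),
        Packet("in", "198.51.100.5", "216.240.41.17"),
        Packet("out", "10.0.0.2", "198.51.100.5"),
        Packet("out", "216.240.41.21", "198.51.100.5"),
    ]
    for p in sample:
        print(f"{p.direction:3} {p.src:>15} -> {p.dst:<15} {border_decision(p)}")
    print(audit(sample))
    print("\n".join(ipfw_rules()))
```

The two inbound deny rules are the spoofing protection Matt describes; if they are placed after the divert rather than before it, a packet from outside that already has a 10.* address would be handed to natd first, which is exactly the ordering mistake the function's docstring warns about.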
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200210092201.g99M1YTA007964>