Date:      Sun, 4 Feb 2001 08:28:29 -0800 
From:      "DINKEY,GENE (HP-Loveland,ex1)" <gene_dinkey@hp.com>
To:        "'Mark B. Withers'" <mwithers@one.net>, Robert Hough <rch@solveinteractive.com>
Cc:        freebsd-questions <freebsd-questions@FreeBSD.ORG>
Subject:   RE: Internal gateway/firewall
Message-ID:  <F341E03C8ED6D311805E00902761278C531560@xfc04.fc.hp.com>

> -----Original Message-----
> From: Mark B. Withers [mailto:mwithers@one.net]
> Sent: Sunday, February 04, 2001 8:42 AM
> To: Robert Hough
> Cc: freebsd-questions
> Subject: Internal gateway/firewall
> 
> 
> Robert,
> 
> Thanks for your reply.
> 
> I did some experimenting last night with the two interfaces (had them
> both plugged into a hub) and found that indeed each interface
> responds independently when called upon by its ip address.
> 
> This is good news.
> 
> I am attempting to configure my FreeBSD box as a firewall/gateway. I
> have 2 ISA 3-com 509 nics.
> 
> The first device ep0 is connected to my DSL "router/modem" and I want
> my second interface (ep1) to be connected to my internal lan which
> consists of one Win95 machine and the FreeBSD machine ("Foobar").
> 
> Here is an equivalent scheme of what it looks like (ips have been
> altered to protect the innocent as well):
> 
> Also note, ep0 is configured through DHCP
> 
> DSL router/modem = 10.255.23.161
> ep0 = 10.255.23.164
> netmask = 255.255.255.248
> broadcast = 10.255.23.167
> windows machine = 10.255.23.162 (same netmask and broadcast as ep0)
> 
> Proposed ip scheme for ep1:
> 
> ep1 = 192.0.0.1
> subnetmask 255.255.255.248 (thought there was no need for more than 8)
> broadcast 192.0.0.7
> 
> Whenever I configure and bring ep1 up, I receive the following error
> message (ip's changed to match above example):
> 
> The bottom line of these posted error messages is that I don't yet know
> how to manually configure my routing table nor do I currently know how
> to configure /etc/rc.conf for this yet. I need to recompile the
> kernel first. Any information you can provide as far as routing goes
> to the diagram at the bottom (Network Diagram) would be helpful.
> 
> I just included this information for reference in case it is needed.
> 
> Feb  3 19:00:51 foobar /kernel: arp: 10.255.23.161 is on ep0 but got
> reply from ** mac address of dsl router/modem ** on ep1
> 
> ** ip address belongs to the router/modem and the mac address also, but
> the system somehow ties or links it to device ep0 and states that the
> reply is from ep1 **
> 
> Feb  3 19:05:21 foobar /kernel: arp: 10.255.23.162 is on ep0 but got
> reply from ** mac address from windows machine ** on ep1
> 
> ** ip address belongs to windows machine. somehow links to ep0 and
> gets reply from (mac address of windows machine) on ep1. ** 
> 
> Feb  3 19:05:21 foobar /kernel: arp: 10.255.23.161 is on ep0 but got
> reply from ** mac address of dsl router/modem **  on ep1
> 
> ** IP address is from windows machine on ep0, but got reply from mac
> address of windows machine on ep1 **
> 
> Feb  3 19:09:23 foobar /kernel: arp: 10.255.23.164 is on lo0 but got 
> reply from ** mac address for ep0 ** on ep1
> 
> ** here we have the ip address for ep0 along with the mac address for
> ep0, but the kernel called it "ep1" at the end of the line ?? **
> 
> Feb  3 19:09:23 foobar /kernel: arp: 10.255.23.161 is on ep0 but got 
> reply from ** mac address of dsl router/modem ?? **  on ep1
> 
> ** here we have the ip address of the dsl router/modem saying it's on
> ep0 but received a reply from the mac address of the dsl router/modem.
> **
> 
> Here is the output of ipconfig -a on my system:
> 
> lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
> ep0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> 	inet 10.255.23.164 netmask 0xfffffff8 broadcast 10.255.23.167
> 	ether ** mac address of ep0 **
> 	media: 10baseT/UTP
> 	supported media: 10baseT/UTP
> ep1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> 	inet 192.0.0.1 netmask 0xfffffff8 broadcast 192.0.0.7
> 	ether ** mac address of ep1 **
> 	media: 10baseT/UTP
> 	supported media: 10base2/BNC 10baseT/UTP
> 
> Here is the output from netstat :
> 
> Routing tables
> 
> Internet:
> Destination        Gateway            Flags      Netif Expire
> default            10.255.23.161      UGSc        ep0
> 10.255.23.160/29   link#2             UC          ep0 =>
> 10.255.23.161      *router mac addr*  UHLW        ep0   1198
> 10.255.23.164      *mac of ep0*       UHLW        lo0
> 127.0.0.1          127.0.0.1          UH          lo0
> 
> ** I omitted ipv6 info here. **
> 
> That's about all the info I can give. I've saved this information as a
> reference so that I can further analyse it. 
> 
> Everything's not hooked up correctly right now so I am not surprised
> that it's behaving strangely.
> 
> I wish to have the following format:
> 
> (Network Diagram)
> 
> DSL router/Modem
> 	|
>       ep0
> 	|
>       Foobar --> FreeBSD machine w/2 ISA nics
> 	|
>       ep1   --> Would bridging be necessary to separate this?
> 	|
>        Hub
> 	|
>      Windows machine
> 
> I'll probably have to reset the ip address configuration/routing
> information on the windows box after I figure out my new kernel
> configuration. Recompiling the kernel is necessary for this.

I can't see in here if you've looked at natd, but that's what you want for
doing what you're asking.

Just take a look at the man page, it has steps for setting everything up.
If you follow those you will have a basic configuration running in no
time...

It's a matter of choice but for my internal network I went with 10. since a)
it's reserved for internal use, and, b) it happened to be used in the natd
setup guide  :).  It's also very easy to remember...

Good luck - it's not too hard and the man page should set you on the right
path.


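Added example, not code from either message in this thread: the natd(8) route Gene points at comes down to three pieces, the kernel options ipfw and natd need, the rc.conf knobs, and the divert rule that hands packets on the outside interface to natd. The script below gathers them for the layout in Mark's diagram (ep0 external via DHCP, ep1 internal, Windows box on a hub behind ep1). Two assumptions beyond the thread: the internal network is written as 192.168.0.0/29 rather than the post's 192.0.0.0/29, because 192.0.0.0/24 is not RFC 1918 private space (Gene's 10/8 works just as well), and check_gateway_config is a helper written for this example so the rc.conf text can be validated on any box. ipfw and natd themselves exist only on FreeBSD, so nothing here invokes them; the functions only print the configuration.

```shell
#!/bin/sh
# Added example, not code from the thread: natd/ipfw gateway setup for
# ep0 (external, DHCP) and ep1 (internal). Assumption: internal net is
# 192.168.0.0/29 instead of the post's 192.0.0.0/29, which is not RFC
# 1918 space. ipfw(8)/natd(8) are FreeBSD-only and are never run here;
# the functions print configuration text and check_gateway_config (a
# helper written for this example) validates it.

EXT_IF=ep0
INT_IF=ep1
INT_ADDR=192.168.0.1
INT_MASK=255.255.255.248

# Kernel options to add before rebuilding: IPFIREWALL provides ipfw,
# IPDIVERT provides the divert socket natd listens on.
kernel_options() {
    printf '%s\n' 'options IPFIREWALL' 'options IPFIREWALL_VERBOSE' 'options IPDIVERT'
}

# /etc/rc.conf lines. gateway_enable turns on IP forwarding (natd only
# rewrites addresses; the kernel still has to forward the packet).
# firewall_type="open" makes rc.firewall load a permit-all ruleset and,
# because natd_enable is YES, the divert rule in front of it.
# -dynamic makes natd follow the DHCP-assigned address on ep0.
rcconf_fragment() {
    cat <<EOF
ifconfig_${EXT_IF}="DHCP"
ifconfig_${INT_IF}="inet ${INT_ADDR} netmask ${INT_MASK}"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="open"
natd_enable="YES"
natd_interface="${EXT_IF}"
natd_flags="-dynamic"
EOF
}

# The hand-typed equivalent from natd(8), for a custom ruleset: the
# divert rule has to come before any rule that accepts or drops the
# packet, otherwise natd never sees it.
ipfw_rules() {
    cat <<EOF
ipfw -f flush
ipfw add divert natd all from any to any via ${EXT_IF}
ipfw add pass all from any to any
EOF
}

# Validate an rc.conf text passed as $1: the three enables must be YES
# and natd_interface must name the external NIC. Forgetting
# gateway_enable is the classic failure: natd translates, nothing is
# forwarded. Returns 0 when everything is in place, 1 otherwise.
check_gateway_config() {
    conf=$1
    for key in gateway_enable firewall_enable natd_enable; do
        printf '%s\n' "$conf" | grep -Eq "^${key}=\"?[Yy][Ee][Ss]\"?" || {
            echo "check: ${key} missing or not YES" >&2
            return 1
        }
    done
    printf '%s\n' "$conf" | grep -Eq "^natd_interface=\"?${EXT_IF}\"?\$" || {
        echo "check: natd_interface must be ${EXT_IF}" >&2
        return 1
    }
    return 0
}

echo "# kernel config additions"; kernel_options
echo "# /etc/rc.conf additions";  rcconf_fragment
echo "# manual ipfw equivalent";  ipfw_rules
check_gateway_config "$(rcconf_fragment)" && echo "rc.conf check: ok"
```

After the new kernel is in place and rc.conf is updated, the Windows box only needs an address in 192.168.0.0/29 with 192.168.0.1 as its default gateway; no defaultrouter entry is needed on the FreeBSD side since dhclient installs it for ep0.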