Short version: I am running an application that receives traffic on ranges of ports that are already mapped from the current external interface to machines on my network.

I was advised by the vendor that my options were to: 1) connect my workstation directly to the internet, or 2) see option #1. The vendor modifying the app is not an option.

So.. as I see it, if I had another external interface I could direct these ports coming in to the second external IP address (along with pretty much all other network traffic destined for this workstation) to my workstation. As I would like my workstation to access resources from other machines within my LAN, directly connecting it would cause some SERIOUS headaches.. especially considering this particular workstation is Windoze. I won't touch the "s" word on this one...

Long version: Convenience. At least I'd hoped there would be an easy answer to the question. I would prefer not to have rules to direct traffic for specific ranges of ports to multiple machines via NAT, as this would require (most likely) several dozen extra rules. It would also be very nice to have an external interface directly mapped to this workstation.

... One way to accomplish what I'm trying to do would be to configure another dual-homed machine. The end result is more costly and time consuming than I had hoped, but it would work. Or I suppose I could reload Linux on the current box. (And of course learn the goofy quirks of a particular distro.) This option would definitely be time consuming. Linux is only free if your time has no value. Much lower on the list of possible resolutions... but it is another method to make this work.

But... In my fantasy world.. I guess I had hoped that rather than be asked why I wanted to do something, I might hear from someone who has shared a similar experience in making something like this work. I do appreciate your feedback. And I'm sure there is possibly a workaround, a hundred or so IPNAT rules that could be written, a script or two, or some other hack for it... but before taking that route, I ask again...

Any thoughts or suggestions as to how to get FreeBSD to simply allow for 2 interfaces on the same subnet???

Thanks,
John

----- Original Message -----
From: "Bill Moran" <[EMAIL PROTECTED]>
To: "John" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, January 13, 2003 6:21 PM
Subject: Re: Multiple network cards with IP addresses in the same network

> John wrote:
> > I'm going to jump in here, because this question was my reason for having
> > joined the Freebsd-questions list in the first place. Of all the time I've
> > been running FreeBSD, this is my first post to this list... :P
>
> Welcome.
>
> > I have a similar situation. Firewall/NAT machine with 3 NICs. Only rather
> > than using the two external interfaces for different services, I would like
> > to use two NICs on the external subnet (using the FreeBSD machine as a
> > NAT/Firewall) for the following purpose:
> > --I would like one interface to be used for external IPF/NAT connectivity
> > for my network computers, allowing my network connectivity to my ISP.
> > --I would like a second interface to acquire a SECOND IP address to be set
> > up as bimap in NAT, to allow a second machine (my workstation) to be the
> > only machine to utilize the second external IP. Similar to being in a DMZ,
> > but it would still use an internal address, as well as be subject to the
> > firewall rules in IPF.
>
> I don't understand:
> a) Why you need 3 NICs to do this?
> b) Why you need 3 IPs to do this?
> Just put an internal and external IP (2 NICs) and if you have a specific
> machine within the network that you want treated specially, write special
> ipfw rules for it. Why the need for 3 IPs/NICs?
>
> > Again, I have read that this is available on Linux. My searches have shown
> > that there are ways to do this on RedHat w/ ipchains (etc.).. ... but I
> > digress...
>
> That's fine. I'm sure there are lots of systems that have spiffy (or maybe
> not so spiffy) things that you can do that you can't in FreeBSD (or other
> spiffy system).
>
> My only question I have is why do you need it? There are other ways to get
> the end result.
>
> > I have tried putting two NICs in and having dhclient obtain addresses for
> > both on the same subnet. dhclient will get both addresses (shown in
> > dhclient.leases), but fails to assign an IP to the second interface, failing
> > with the error "file already exists". I'm sure this is a different (but
> > related) issue.
>
> Sounds very related.
>
> > In my situation, another solution might be to use an alias on a single
> > external interface.. only I'm not sure how to get dhclient to obtain the
> > second IP address and assign it to the alias, nor how to get IPF to
> > recognize the aliased interface properly.
>
> That sure seems to be beyond what the software was designed to do. You
> could probably write some fancy scripts or something, but I ask my original
> question: What are you trying to accomplish in the end? Because it sure
> seems like you're trying to use a wrench to hammer nails.
>
> > Bridging also comes to mind, but I'm not certain that if I bridge the
> > interface to my workstation computer it would correctly handle having an
> > internal as well as external address (other software application
> > complications would arise as well, I'm sure). That's not my intent anyway,
> > so I have not and likely will not pursue bridging as an option.
>
> If you need NAT to get out, then bridging won't work.
>
> > Maybe I should have posted this on a diff. thread? :P But I believe the
> > resolution to this issue is the same as the originally posted issue.
> > Hopefully something will come out of it.
>
> I could be wrong, but I suspect the "resolution" of your problem is to determine
> what you want to accomplish, and then use FreeBSD in the manner it was intended
> to achieve your goal.
>
> > Thanks,
> > John
> > Additional info: I have a FreeBSD 4.7 Stable #2 (updated yesterday).
> > ---Previous messages snipped---
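An added configuration example (not from the original thread, and not John's or Bill's setup) of the alias-plus-bimap approach John mentions, on a FreeBSD 4.x IPFilter/IPNAT gateway: the interface names (xl0 external, xl1 internal), all addresses, the workstation's internal address and the port range 5000-5100 are placeholders, and the second external address is assumed to be assigned statically by the ISP, since dhclient will not lease it for an alias.

```conf
# /etc/rc.conf (FreeBSD 4.x) -- assumed interfaces: xl0 external, xl1 internal
ifconfig_xl0="DHCP"
# Second external address as an alias on the same NIC (no second card needed);
# assumed static, because dhclient cannot obtain a lease for an alias.
ifconfig_xl0_alias0="inet 203.0.113.20 netmask 255.255.255.255"
ifconfig_xl1="inet 192.168.1.1 netmask 255.255.255.0"
gateway_enable="YES"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"

# /etc/ipnat.rules  (ipnat uses the FIRST matching rule, so bimap goes first)
# 1:1 bidirectional mapping: alias address <-> the workstation only
bimap xl0 192.168.1.50/32 -> 203.0.113.20/32
# Ordinary masquerading for the rest of the LAN behind the primary address
map xl0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:30000
map xl0 192.168.1.0/24 -> 0/32

# /etc/ipf.rules
# Inbound NAT is applied before inbound filtering, so the rules below see the
# workstation's INTERNAL address, not the alias; the bimap host stays subject
# to IPF like every other internal machine.
block in log quick on xl0 from 192.168.0.0/16 to any      # anti-spoofing
block in on xl0 all
pass out quick on xl0 all keep state
# Only the vendor application's port range (placeholder 5000-5100; the
# "><" range excludes its endpoints) reaches the workstation from outside.
pass in quick on xl0 proto tcp from any to 192.168.1.50 port 4999 >< 5101 flags S keep state
pass in quick on xl0 proto udp from any to 192.168.1.50 port 4999 >< 5101 keep state
pass in quick on xl1 all
pass in quick on lo0 all
```

The three fragments belong in the three files named in their comments; with this layout the LAN side still reaches the workstation directly on 192.168.1.50, while only the listed ports arrive via the alias from the outside.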