Hello,

I'm working on a router that acts as a captive portal and transparent http proxy for unregistered or disabled hosts that plug into our network.

The router has a public administrative interface on em0, 192.168.100.10/24. The router has a physically separate interface, 192.168.200.10/24 on vlan200 using em1, for the NAT clients. The router also has the interface vlan100 on em1 with the address 10.100.0.1/16. The "captured" machines are assigned addresses on the 10.100/16 subnet.

The router's firewall allows certain http traffic through the NAT, such as windows updates. All other http requests are forwarded through an instance of squid to an apache instance.

The system's default route is configured on the administrative interface, via 192.168.100.1.

My firewall includes the rule:

    $cmd 0013 divert natd ip from not me to any via vlan200

The NAT does not work. From a "captured" machine, I am able to ping both 192.168.200.10 and the gateway 192.168.200.1, but nothing off-subnet. We suspect the packets leaving the NAT, tagged with source address 192.168.200.10, are being routed via the system's default route at 192.168.100.1. The router is dropping these packets on the floor, because the source address doesn't match the subnet it's routing.

Is it possible to tell the system to use a different default route based on the source address of the packet? We want to keep the administrative interface on a separate subnet from the client traffic.

I tried using an ipfw fwd rule:

    $cmd 0014 fwd 192.168.200.1 ip from 192.168.200.10 to not 192.168.200.10/24

But this had no effect. Any suggestions would be greatly appreciated.

Thanks,

-- 
Chris Cowart
Unix Systems Administrator
Residential Computing, UC Berkeley
"May all your pushes be popped"
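Editor's note: the following is an added example of the ipfw policy-routing pattern the post is asking about; it is not the poster's ruleset and not a reply from the list. It assumes the interface names and addresses given in the post (vlan100 = captured hosts on 10.100.0.0/16, vlan200 = NAT side with gateway 192.168.200.1, em0 = admin side carrying the default route), and additionally assumes squid listens on 127.0.0.1:3128, that ipfw table 1 holds the HTTP destinations allowed straight through the NAT, and that captured hosts get nothing else (the post does not say what happens to non-HTTP traffic). The design point it shows: in the FreeBSD output path the route, and therefore the outgoing interface, is chosen before the outbound firewall check, so a `fwd` rule that only matches after translation does not get a chance to change that choice; the example applies the `fwd` to the next hop on the inbound interface, before the routing decision, so the packet leaves via vlan200 and is seen by the `divert natd ... via vlan200` rule. natd is assumed to be started with `-n vlan200` so it aliases to 192.168.200.10. Things to check on the box before blaming the rules: `sysctl net.inet.ip.forwarding` is 1, and on releases where the `fwd` action is a kernel option (IPFIREWALL_FORWARD) it is compiled in, otherwise `fwd` rules load but do nothing. Run with `print` to see the rules without loading them, or `load` as root to install them.

```sh
#!/bin/sh
# Added example (not the original poster's ruleset).  Names and addresses
# below are taken from the post; squid's port, table 1 and the deny for
# non-HTTP client traffic are assumptions.
#   usage: sh ipfw-captive.sh print    # show rules, load nothing
#          sh ipfw-captive.sh load     # install with ipfw (root)

CAPTURED="10.100.0.0/16"      # captured hosts, vlan100 side
CLIENT_IF="vlan100"
NAT_IF="vlan200"              # 192.168.200.10/24 lives here
NAT_GW="192.168.200.1"
SQUID="127.0.0.1,3128"        # assumed transparent-proxy listener

load_rules() {
    # IPFW_CMD=echo prints the rules instead of loading them.
    cmd="${IPFW_CMD:-ipfw -q add}"

    # Loopback is never filtered.
    $cmd 0010 allow ip from any to any via lo0

    # Captured hosts may always talk to the router itself (DHCP, DNS,
    # the captive-portal apache, pinging 192.168.200.10).
    $cmd 0011 allow ip from $CAPTURED to me in recv $CLIENT_IF

    # HTTP to anything NOT whitelisted in table 1 is handed to squid on the
    # router.  fwd to a local address delivers to that port; squid sees the
    # original destination as the socket's local address.
    $cmd 0012 fwd $SQUID tcp from $CAPTURED to not 'table(1)' 80 in recv $CLIENT_IF

    # Policy route: whitelisted HTTP gets the NAT-side gateway as next hop.
    # This runs on the INBOUND pass, before the kernel picks a route, so the
    # packet is routed out $NAT_IF instead of following the default route on
    # em0.  The default route itself is left alone for the admin side.
    $cmd 0013 fwd $NAT_GW tcp from $CAPTURED to 'table(1)' 80 in recv $CLIENT_IF

    # Assumed policy: nothing else from captured hosts leaves the box.
    # Filtering is done here, before translation, since fwd ends the search.
    $cmd 0014 deny ip from $CAPTURED to any in recv $CLIENT_IF

    # Translate everything crossing the NAT-side interface, both directions.
    # natd is assumed to run as: natd -n $NAT_IF
    # Packets come back from natd and continue at the next rule.
    $cmd 0015 divert natd ip from not me to any via $NAT_IF

    # After translation: outbound carries src 192.168.200.10, inbound replies
    # have been mapped back to 10.100.x.x and are routed to vlan100 normally.
    # (Stateless for brevity; a real ruleset would use check-state/keep-state.)
    $cmd 0016 allow ip from any to any via $NAT_IF
}

# Print the whitelist table so it is visible next to the rules that use it.
show_table_hint() {
    echo "# populate the whitelist with, e.g.: ipfw table 1 add <windows-update-host>/32"
}

case "${1:-}" in
    print) IPFW_CMD=echo; load_rules; show_table_hint ;;
    load)  load_rules ;;
esac
```

The order matters: 0011 and 0012 must precede 0013 so that traffic to the router and to squid is not policy-routed off the box, and 0014 must precede 0015 so that only traffic already allowed ever reaches natd. `ipfw show` after loading confirms the counters on 0013 and 0015 both increase when a captured host fetches a whitelisted URL; if 0013 counts and 0015 stays at zero, the `fwd` took effect in the ruleset but not in the kernel, which is the IPFIREWALL_FORWARD check above.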