----- Original Message ----- 
From: "Wayne Pascoe" <[EMAIL PROTECTED]>
Sent: Monday, March 08, 2004 12:02 PM
Subject: Alias in different subnet on card

> Hi all,
> I'm running a firewall at the moment using FreeBSD 5.2.1 and IPFW. I
> have 3 interfaces in the machine.
> I need to be able to firewall a 4th range of IP's. I have tried to do
> this by adding an alias to xl1, but this hasn't worked. If I add the
> alias with a mask of, no other machine can ping the
> alias. I also see the following in /var/log/messages
> Mar  8 18:02:13 styx-tmp kernel: arplookup 19x.xxx.xxx.196 failed: host
> is not on local network
> The primary IP on xl1 is currently 19x.xxx.xxx.1 and the mask on there is
> (/25)
> If I add the alias with a mask of (/28) which is the
> correct mask for this subnet, and the mask that all other machines use,
> then I am able to ping this address. However, at this point, no
> forwarding appears to take place for machines using this IP address as
> their default route.
> Is there any way to use an alias to do firewalling like this or do I
> have to get another network card? The problem with another network card
> is that will mean a whole new machine as I'm out of slots in this one.
> Thanks in advance ?
> -- 
> Wayne Pascoe
> Microsoft complaining about the source
> license used by Linux is like the event
> horizon calling the kettle black - adamba on k5

You have 3 networks in a firewall, and since we don't know the full
topology, I'll use these network ranges for my example:,, and You now want to add a 4th range, let's say,

ifconfig_xl1="inet netmask"
ifconfig_xl1_alias0="inet netmask"
ifconfig_xl1_alias1="inet netmask"
ifconfig_xl1_alias2="inet netmask"

The only time you would use a netmask of is if the aliased
IP is a member of a subnet that is already assigned on the interface.

ifconfig_xl1_alias3="inet netmask"

Then you will need to add the appropriate firewall rules to allow those
networks to either talk / no talk to the remaining network segments.

It would help to have all of the ip information that you're using and your
current alias maps to see just what's going on. Although, I'd guess that the
first problem may be a subnetting issue.


Micheal Patterson
TSG Network Administration
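
The netmask rule from the reply above, worked through as an added example that is not part of the original message: the first address in each subnet keeps that subnet's real mask, and a further address inside an already assigned subnet gets a host mask. The addresses are constructed documentation ranges, the function names are hypothetical, and the host mask value 255.255.255.255 and the `ifconfig_<nic>` rc.conf variable names are assumptions based on the usual FreeBSD convention.

```python
import ipaddress

# Constructed sample (RFC 5737 documentation ranges), not the poster's networks.
SAMPLE = ["192.0.2.1/25", "198.51.100.1/24", "203.0.113.193/28", "192.0.2.10/25"]


def plan(addresses):
    """Return [(ip, netmask)] for addresses put on one NIC in this order."""
    assigned, out = [], []
    for text in addresses:
        iface = ipaddress.ip_interface(text)
        if any(iface.ip in net for net in assigned):
            # Assumed convention: subnet already on the NIC -> host mask.
            out.append((str(iface.ip), "255.255.255.255"))
        else:
            # First address in a new subnet carries that subnet's real mask.
            assigned.append(iface.network)
            out.append((str(iface.ip), str(iface.netmask)))
    return out


def rc_conf(nic, addresses):
    """Render rc.conf lines: first address is primary, the rest are aliases."""
    lines = []
    for i, (ip, mask) in enumerate(plan(addresses)):
        name = f"ifconfig_{nic}" if i == 0 else f"ifconfig_{nic}_alias{i - 1}"
        lines.append(f'{name}="inet {ip} netmask {mask}"')
    return lines


def audit(entries):
    """Check configured (ip, netmask) pairs in order; return problems found."""
    assigned, problems = [], []
    for ip, mask in entries:
        iface = ipaddress.ip_interface(f"{ip}/{mask}")
        covered = any(iface.ip in net for net in assigned)
        host_mask = iface.network.prefixlen == 32
        if host_mask and not covered:
            problems.append(f"{ip}: host mask but no subnet on the NIC contains it")
        elif covered and not host_mask:
            problems.append(f"{ip}: subnet already assigned, use 255.255.255.255")
        elif not covered:
            assigned.append(iface.network)
    return problems


if __name__ == "__main__":
    print("\n".join(rc_conf("xl1", SAMPLE)))
    print(audit([("192.0.2.1", "255.255.255.128"), ("203.0.113.193", "255.255.255.255")]))
```

Running `audit` over the pairs taken from an existing rc.conf, in interface order, flags an alias that was given a host mask although no earlier address put its subnet on the interface.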
