Re: Routing issue
On Mon, Jul 19, 2004 at 04:31:36AM -0500, Web Walrus (Robert Wall) wrote:

> > > ifconfig_dc0 inet 1.2.3.4 netmask 255.255.255.248
> > > ifconfig_dc0_alias0 inet 2.3.4.5 netmask 255.255.255.248
> > > defaultrouter=1.2.3.1
> >
> > You need to change your netmask for the alias to 255.255.255.255 if it's on the same network.
>
> It's not on the same network; that's the problem. Two completely separate networks, same interface card. The issue is that one of the networks works, and the other doesn't, depending on what network the default router happens to be on.

Yes -- the OP's configuration is correct as far as it goes. However, the problem he's facing is rather more intractable than it first appears.

In general, you're going to need a mechanism for dynamically routing packets in order to make this sort of setup work. For most setups, you'd need the co-operation of your ISP to make things work as well.

There are two areas where you can use this dual setup profitably.

The first is failover -- should one of the connections go down, you'll automatically switch to using the other. About the simplest way of doing something like that is to run a script periodically (say once every 5 minutes) that sends a ping down the active channel, and if there's no response, it switches the default route to the other channel. This means that normally all your traffic will go down one of the connections, and there won't be any bandwidth advantages, but you will get increased resilience.

The second is 'policy based routing' -- which is a good term to google for. Under FreeBSD this is implemented using the ipfw(8) 'fwd' command, which lets you dynamically redirect packets down one channel or the other. That means you can do things like select out HTTP traffic and send it via one channel, leaving all of the other traffic to go by the other. That lets you share out your bandwidth between available channels, but doesn't give you any advantages in terms of resilience.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   26 The Paddocks
                                                  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey     Marlow
Tel: +44 1628 476614                              Bucks., SL7 1TH UK
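The failover probe and the ipfw 'fwd' policy routing that Matthew describes, as an added example that is not part of the thread: a FreeBSD sh script using the OP's addresses and dc0 interface. The alias network's gateway (2.3.4.1) is an assumption, since the thread never names it, and DRY_RUN=1 prints the privileged commands instead of running them.

```shell
#!/bin/sh
# Added example (not code from the thread): the two techniques the reply
# describes, for a host with two upstream networks on one NIC. Addresses
# are the thread's (1.2.3.4/29 via 1.2.3.1, alias 2.3.4.5/29); the alias
# network's gateway 2.3.4.1 is an assumption, the thread never names it.
# FreeBSD-specific: ping -S, route(8) 'change', ipfw(8) 'fwd'.
IFACE=${IFACE:-dc0}
PRIMARY_IP=1.2.3.4; PRIMARY_GW=1.2.3.1
ALIAS_IP=2.3.4.5;   ALIAS_GW=2.3.4.1
DRY_RUN=${DRY_RUN:-0}

# Run a privileged command, or only show it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Three pings to a gateway, sourced from the address that lives on that
# gateway's network so the reply has to come back down the same channel.
# Pinging the gateway only proves the link; a host beyond it is a better
# canary for "the ISP is down".
probe_gateway() {   # $1 = gateway, $2 = source address
    ping -q -c 3 -t 5 -S "$2" "$1" >/dev/null 2>&1
}

# Failover policy: keep the current default gateway while it answers,
# fall back to the other one when it does not, and leave the route alone
# when neither answers (flapping the route would gain nothing). Prints
# the gateway that should carry the default route.
choose_gateway() {  # $1 = gateway currently holding the default route
    if [ "$1" = "$PRIMARY_GW" ]; then
        cur_src=$PRIMARY_IP; other=$ALIAS_GW;   other_src=$ALIAS_IP
    else
        cur_src=$ALIAS_IP;   other=$PRIMARY_GW; other_src=$PRIMARY_IP
    fi
    if probe_gateway "$1" "$cur_src"; then
        echo "$1"
    elif probe_gateway "$other" "$other_src"; then
        echo "$other"
    else
        echo "$1"
    fi
}

# The gateway the kernel currently uses for the default route.
current_gateway() {
    route -n get default 2>/dev/null | awk '$1 == "gateway:" { print $2 }'
}

# One failover check; run it from cron every few minutes.
failover() {
    cur=$(current_gateway)
    want=$(choose_gateway "$cur")
    if [ -n "$want" ] && [ "$want" != "$cur" ]; then
        logger -t failover "default route: $cur -> $want"
        run route change default "$want"
    fi
}

# Policy routing: whatever the default route says, packets sourced from
# the alias address leave via the alias network's gateway and packets
# sourced from the primary address via the primary gateway. 'fwd' only
# changes the next hop; the packet's source address is untouched. Rule
# numbers are arbitrary. Older kernels need 'options IPFIREWALL_FORWARD'.
install_policy_rules() {
    run ipfw add 1000 fwd "$ALIAS_GW"   ip from "$ALIAS_IP"   to any out xmit "$IFACE"
    run ipfw add 1010 fwd "$PRIMARY_GW" ip from "$PRIMARY_IP" to any out xmit "$IFACE"
}

case "${1:-}" in
    check) failover ;;
    rules) install_policy_rules ;;
    *)     ;;   # no argument: just define the functions (sourced or tested)
esac
```

Run it as `failover.sh check` from cron at the five-minute interval the post suggests, and `failover.sh rules` once at boot after ipfw is loaded.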
Re: Routing issue
> > > ifconfig_dc0 inet 1.2.3.4 netmask 255.255.255.248
> > > ifconfig_dc0_alias0 inet 2.3.4.5 netmask 255.255.255.248
> > > defaultrouter=1.2.3.1
> >
> > It's not on the same network; that's the problem. Two completely separate networks, same interface card. The issue is that one of the networks works, and the other doesn't, depending on what network the default router happens to be on.
>
> In general, you're going to need a mechanism for dynamically routing packets in order to make this sort of setup work. For most setups, you'd need the co-operation of your ISP to make things work as well.

The situation is this - there are 4 servers that are on one network. I'm trying to switch them over to another network, but I need to do it without downtime. Therefore, I need to have both IPs completely active and functional simultaneously.

Would the situation be any easier if I put one of the networks on a separate NIC?

Is there any way to determine what IP/interface a connection came in on, and continue to use that IP/interface for the outbound packets? Maybe with static routes or something of that nature?

The thing is, I used this exact setup (albeit on two different network cards) on a FreeBSD 2.x box quite a ways back, for the same purpose (switching networks), and it was working fine.
Re: Routing issue
On Mon, Jul 19, 2004 at 12:55:45PM -0500, Web Walrus (Robert Wall) wrote:

> > > > ifconfig_dc0 inet 1.2.3.4 netmask 255.255.255.248
> > > > ifconfig_dc0_alias0 inet 2.3.4.5 netmask 255.255.255.248
> > > > defaultrouter=1.2.3.1
> > >
> > > It's not on the same network; that's the problem. Two completely separate networks, same interface card. The issue is that one of the networks works, and the other doesn't, depending on what network the default router happens to be on.
> >
> > In general, you're going to need a mechanism for dynamically routing packets in order to make this sort of setup work. For most setups, you'd need the co-operation of your ISP to make things work as well.
>
> The situation is this - there are 4 servers that are on one network. I'm trying to switch them over to another network, but I need to do it without downtime. Therefore, I need to have both IPs completely active and functional simultaneously.

Right -- in which case, you've actually done everything right.

> Is there any way to determine what IP/interface a connection came in on, and continue to use that IP/interface for the outbound packets? Maybe with static routes or something of that nature?

That should happen automatically whenever anyone connects to one or other of those addresses. It's setting the origin address on outgoing connections that's usually the difficult bit, but in this case, that shouldn't be a problem.

Really all you need to do is at some point change the default route to point to the new gateway, and then wait until any traffic to the old addresses dies away. Then edit /etc/rc.conf to make the new IP address the only one configured on the interface and whatever else needs fiddling with similarly, a quick reboot and you're done.

Cheers

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
Routing Training Books Please!!
After many years of waiting my company has a position opening up that I can fill. I spoke with the Net Admin and asked if there were any one skill that would be of a great benefit to my company and his response was Routing, IP and subnetting (ok so more than one. But I swear he can count). So here I am with maybe a month before they make a decision and I am thinking I should beef up on my skills.

I am hoping someone out there may know of some GREAT (free, I am a poor slob) resources for Routing. I have exactly 0 experience in Routing. I do however have a Cisco 1700 at home to practice with. I could use some IP and subnetting refreshers so I am open to suggestions there too.

I am sorry to bother everyone. I have had such great help from the FreeBSD community since I started running it at home I thought maybe someone out there may know of a good place for me to start.

Thank you,
Joshua Lewis
RE: Routing Training Books Please!!
Here are a couple of books I have read and would suggest. They are not free but they are worth it...

Routing TCP/IP Volume I (CCIE Professional Development)
http://www.amazon.com/exec/obidos/tg/detail/-/1578700418/qid=1089749604/sr=1-1/ref=sr_1_1/104-0916091-2402328?v=glances=books

Routing TCP/IP Volume II (CCIE Professional Development)
http://www.amazon.com/exec/obidos/tg/detail/-/1578700892/qid=1089749604/sr=1-3/ref=sr_1_3/104-0916091-2402328?v=glances=books

Thomas G. Knight
ADP - Data Center Team
[EMAIL PROTECTED]
(801) 956-7449

Home computers are being called upon to perform many new functions, including the consumption of homework formerly eaten by the dog. -- Doug Larson

-----Original Message-----
From: Joshua Lewis [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 13, 2004 2:08 PM
To: [EMAIL PROTECTED]
Subject: Routing Training Books Please!!

[...]
Re: Routing Training Books Please!!
> [...]

Here are a few...

http://www.cisco.com/warp/public/779/smbiz/community/routing_to.html

This one covers the OSI model, media and others...looks interesting:

http://www.ictglobal.com/ICT009/network_basics.html

and this to do with subnetting etc...subnetting is the most confusing, so if you use it extensively in your environment, it may be a valuable asset to have:

http://www.ralphb.net/IPSubnet/

HTH,

Cheers,

Steve
RE: Routing Training Books Please!!
Thank you Jimi, this is going to be a perfect start. My family thanks you. Well, they will when I get home and tell them the good news.

Thank you,
Joshua Lewis

Thompson, Jimi wrote:

> Josh,
>
> I found several on google that look sensible. See if these don't help you. Your employer should probably be willing to purchase a reference book or two. I'm not sure what kind of gear you're running at work, but you can get a good feel for how things work by playing with routed on your FreeBSD box.
>
> Subnetting Tutorial - http://www.ralphb.net/IPSubnet/
> Basic Routing - http://www.sangoma.com/fguide.htm
> OSPF - http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/ospf.htm
> RIP - http://tutorials.beginners.co.uk/read/category/90/id/285/p/2
> BGP - http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/icsbgp4.htm
>
> Thanks,
>
> Ms. Jimi Thompson, CISSP
> Manager, Web Operations
> Cox School of Business
> Southern Methodist University
>
> If we want women to do the same work as men, we must teach them the same things. - Plato
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joshua Lewis
> Sent: Tuesday, July 13, 2004 3:08 PM
> To: [EMAIL PROTECTED]
> Subject: Routing Training Books Please!!
>
> [...]
Re: Routing Training Books Please!!
On Tue, 13 Jul 2004 16:24:36 -0400 (EDT) Steve Bertrand [EMAIL PROTECTED] wrote:

> > [...]

i found this document to be both particularly helpful and extremely free. the ideas are clearly expressed and the text thoughtfully written. it was one component of the training given to internet technicians at a canadian telco for which i once worked.

http://www.3com.com/other/pdfs/infra/corpinfo/en_US/501302.pdf

you can get through this document in 1-2 days, if you apply yourself. it also includes several exercises, which i highly recommend doing (and more than once). what is it again, adult learners tend to retain:

  10% of what they read
  20% of what they hear
  30% of what they see
  50% of what they see and hear
  70% of what they talk over with others
  80% of what they use and do in real life
  95% of what they teach someone else to do

whatever. hope this helps.

cheers,
epi

> [...]
Routing problem in IPv4/IPSec VPN environment
As a personal favor, I am building a VPN for a small business. I have chosen FreeBSD for this due to my greater familiarity. The project will consist of linking four sites, each with a FreeBSD system providing DHCP, NAT, and VPN services. I have built DHCP and NAT servers before, but the IPSec and VPN is new to me.

Right now, the first two systems are nearly complete. The two machines are named goldengate and waltwhitman. Here's the IP config, currently:

    goldengate:  external 192.168.1.101  internal 10.1.1.1
    waltwhitman: external 192.168.1.102  internal 10.1.2.1

The external interfaces are in the reserved space because testing is taking place behind a cable/DSL router providing NAT services. The output of gifconfig -a; ifconfig -a; netstat -rn for each will be provided at the end of this message.

IPSec, with Racoon, is properly exchanging keys. From goldengate, I can ping 10.1.2.1 and from waltwhitman I can ping 10.1.1.1. If a Windows computer is connected behind either system, they receive an IP (10.1.x.254, where x is the network number). The problem is, if behind the 10.1.2.1 firewall, I cannot ping 10.1.1.1 and vice-versa.

I assume, at this point, this is some type of routing issue and not a problem with IPSec. This seems to be confirmed by the fact that tracerouting to the local internal interface goes through the *other* internal interface first:

    waltwhitman$ ifconfig bge1; traceroute 10.1.2.1
    bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=3<RXCSUM,TXCSUM>
            inet 10.1.2.1 netmask 0xffffff00 broadcast 10.1.2.255
            inet6 fe80::209:5bff:fe60:e508%bge1 prefixlen 64 scopeid 0x2
            ether 00:09:5b:60:e5:08
            media: Ethernet autoselect (10baseT/UTP <half-duplex>)
            status: active
    traceroute to 10.1.2.1 (10.1.2.1), 64 hops max, 44 byte packets
     1  10.1.1.1 (10.1.1.1)  0.848 ms  0.736 ms  0.783 ms
     2  10.1.2.1 (10.1.2.1)  1.173 ms  1.262 ms  1.247 ms

The other machine behaves identically, except the numbers are reversed.

At this point, I have reached the limits of my knowledge. Any help would be appreciated.

Thank you,
James

Notes on the output: IPv6 info removed from netstat output. There is a third interface in WALTWHITMAN which may break off to a DMZ in the future. No decision has been made and won't be for some time. The interface was given the IP 172.16.1.1.

GOLDENGATE:

    goldengate$ gifconfig -a; ifconfig -a; netstat -rn
    gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
            inet 10.1.1.1 --> 10.1.2.1 netmask 0xffffffff
            inet6 fe80::209:5bff:fe62:714e%gif0 prefixlen 64
            physical address inet 192.168.1.101 --> 192.168.1.102
    bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=3<RXCSUM,TXCSUM>
            inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255
            inet6 fe80::209:5bff:fe62:714e%bge0 prefixlen 64 scopeid 0x1
            ether 00:09:5b:62:71:4e
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=1<RXCSUM>
            inet6 fe80::2b0:d0ff:fe23:5b8d%xl0 prefixlen 64 scopeid 0x2
            inet 192.168.1.101 netmask 0xffffff00 broadcast 192.168.1.255
            ether 00:b0:d0:23:5b:8d
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
            inet 127.0.0.1 netmask 0xff000000
    faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
    gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
            tunnel inet 192.168.1.101 --> 192.168.1.102
            inet 10.1.1.1 --> 10.1.2.1 netmask 0xffffffff
            inet6 fe80::209:5bff:fe62:714e%gif0 prefixlen 64 scopeid 0x6

    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            192.168.1.1        UGSc        3     6082    xl0
    10.1.1/24          link#1             UC          2        0   bge0
    10.1.1.1           00:09:5b:62:71:4e  UHLW        0      306    lo0
    10.1.1.254         link#1             UHLW        2    14933   bge0
    10.1.2/24          10.1.2.0           UGSc        0    15578    xl0
    10.1.2.1           10.1.1.1           UH          0     2060   gif0
    127.0.0.1          127.0.0.1          UH          1       48    lo0
    192.168.1          link#2             UC          3        0    xl0
    192.168.1.1        00:0c:41:7f:8a:6e  UHLW        4        2    xl0   1042
    192.168.1.100      00:30:65:2e:ae:f7  UHLW        0        0    xl0   1100
    192.168.1.101      127.0.0.1          UGHS        0        0    lo0
    192.168.1.102      00:b0:d0:a1:81:09  UHLW        3    13842    xl0   1054

WALTWHITMAN:

    waltwhitman$ gifconfig -a; ifconfig -a; netstat -rn
    gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
            inet 10.1.2.1 --> 10.1.1.1 netmask 0xffffffff
            inet6 fe80
Re: Routing problem in IPv4/IPSec VPN environment
----- Original Message -----
From: James P. Howard, II [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, June 29, 2004 2:57 PM
Subject: Routing problem in IPv4/IPSec VPN environment

> [...]
>
> I assume, at this point, this is some type of routing issue and not a problem with IPSec. This seems to be confirmed by the fact that tracerouting to the local internal interface goes through the *other* internal interface first:
>
> <snip>

Not to be disrespectful, but did you do what I've done in the past and forget to enable forwarding so the systems can route traffic?

    [EMAIL PROTECTED]/sysctl -a | grep forward
    net.inet.ip.forwarding: 1

If not, make sure that gateway_enable=YES is in rc.conf and reboot, or run sysctl net.inet.ip.forwarding=1 from the command line to enable it without a reboot.

--
Micheal Patterson
TSG Network Administration
405-917-0600
RE: Routing problem in IPv4/IPSec VPN environment
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html

Essentially, once the gif tunnel has been established you just need to add an additional route for the specific gif interface from each server to the other's remote subnet, using the external IP of the remote subnet as the gateway. I also found that the gateway_enable sysctl option had to be turned on for packet traversal from behind a natted server.

Hope this helps

T

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James P. Howard, II
Sent: Tuesday, June 29, 2004 12:57 PM
To: [EMAIL PROTECTED]
Subject: Routing problem in IPv4/IPSec VPN environment

[...]
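A check for the two conditions the replies raise (the remote LAN's route leaving via the tunnel interface, and net.inet.ip.forwarding being on), as an added example that is not from the thread. It parses netstat -rn and sysctl -a text, with the OP's goldengate routing table embedded as a constructed sample; the "fixed" table and the repair commands are my reading of the reply's suggestion, not the poster's own commands.

```shell
#!/bin/sh
# Added example, not code from the thread: checks for the two things the
# replies point at on a FreeBSD gif/IPsec gateway like goldengate, run
# over text captured from netstat -rn and sysctl -a so they can be applied
# to saved output as well as on the box itself.

# Constructed sample: the goldengate routing table from the original
# post, trimmed to the lines that matter. The 10.1.2/24 route is the
# problem: its gateway is 10.1.2.0 and it leaves via xl0, the outside
# NIC, instead of via the gif0 tunnel.
BROKEN_ROUTES='Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGSc        3     6082    xl0
10.1.1/24          link#1             UC          2        0   bge0
10.1.2/24          10.1.2.0           UGSc        0    15578    xl0
10.1.2.1           10.1.1.1           UH          0     2060   gif0
192.168.1          link#2             UC          3        0    xl0'

# The same table after the fix the reply suggests (my reading of it):
# the far end's tunnel address is the gateway for its LAN, so the
# route rides gif0.
FIXED_ROUTES='Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGSc        3     6082    xl0
10.1.1/24          link#1             UC          2        0   bge0
10.1.2/24          10.1.2.1           UGSc        0        0   gif0
10.1.2.1           10.1.1.1           UH          0     2060   gif0
192.168.1          link#2             UC          3        0    xl0'

# remote_route_ok DEST IFACE  < netstat -rn output
# Exit 0 when the route for DEST (spelled as netstat prints it, e.g.
# 10.1.2/24) leaves through IFACE; otherwise explain what is wrong.
remote_route_ok() {
    awk -v dest="$1" -v want="$2" '
        $1 == dest {
            found = 1
            if ($6 == want) ok = 1
            else print "route " dest " leaves via " $6 " (gateway " $2 "), expected " want
        }
        END {
            if (!found) print "no route for " dest
            exit !(found && ok)
        }'
}

# forwarding_ok < sysctl -a output
# Packets from one LAN can only be relayed into the tunnel when
# net.inet.ip.forwarding is 1, which gateway_enable="YES" in rc.conf
# sets at boot.
forwarding_ok() {
    awk -F'[: ]+' '$1 == "net.inet.ip.forwarding" { v = $2 } END { exit v != 1 }'
}

# Commands that repair both conditions on the local box.
# $1 = remote LAN (CIDR), $2 = far end tunnel address
fix_commands() {
    printf 'route delete -net %s\n' "$1"
    printf 'route add -net %s %s\n' "$1" "$2"
    printf 'sysctl net.inet.ip.forwarding=1\n'
}

# Live check on a FreeBSD gateway: diagnose REMOTE_LAN REMOTE_GIF_ADDR
diagnose() {
    status=0
    netstat -rn | remote_route_ok "$1" gif0 || status=1
    sysctl -a | forwarding_ok || { echo "net.inet.ip.forwarding is not 1"; status=1; }
    [ "$status" = 0 ] || { echo "suggested fix:"; fix_commands "$1" "$2"; }
    return "$status"
}
```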
Routing problem in IPv4/IPSec VPN environment
(This message may reappear in the future, it was rejected by the lists from my webhost.)

[...]
Re: IPSec Routing and Interfaces, ping problem (solved!?)
On Fri, 18 Jun 2004, Andre Rein wrote:

> I'm able to ping 10.0.0.1 now from my vpnclient and ping the vpnclient from 10.0.0.1 without any trouble. The only problem I get is to ping the vpnclient from the vpnserver. It won't work. So how should I set up the server to ping the client? Am I just blind and don't see my mistake?

I think I found a workaround. I tried:

    ifconfig gif1 create
    ifconfig gif1 inet 10.0.0.124 192.168.10.1 netmask 255.255.255.252

without the "gifconfig officialip officialip" thing. Now I can add my route:

    route add -net 192.168.10/30 192.168.1.1

and pinging from the VPN server to the other network works fine.

I don't know if it's an awesome solution, but it works ...

gruss/regards
Andre

--
And some greetings from the Toaster
Plata Verata Nectu
IPSec Routing and Interfaces, ping problem (long)
Hi Ml,

got a little understanding problem with my VPN connection. I set up
isakmpd. Connected from a static client ip. Everything works fine.

10.0.1.0---195.226.x.98[INTERNET]195.226.x.124---10.0.0.0

gif0: flags=8050<POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 195.226.x.124 -- 195.226.x.98
        inet 10.0.0.124 -- 10.0.1.1 netmask 0xff00
        inet6 fe80::250:baff:fede:bb73%gif0 prefixlen 64 scopeid 0x9

the gif0 Interface i created myself with:

  gifconfig gif0 195.226.65.124 195.226.65.98
  ifconfig gif0 inet 10.0.0.124 10.0.1.1 netmask 255.255.255.0

  setkey -FP
  setkey -F
  setkey -c <<EOF
  spdadd 10.0.0.0/24 10.0.1.0/24 any -P out ipsec
      esp/tunnel/195.226.x.124-195.226.x.98/require;
  spdadd 10.0.1.0/24 10.0.0.0/24 any -P in ipsec
      esp/tunnel/195.226.x.98-195.226.x.124/require;
  EOF

First I tried racoon, so do I need the gif0 Interface when using isakmpd?
Anyway, here's my setkey -D output:

195.226.x.124 195.226.x.98
        esp mode=any spi=115684691(0x06e53553) reqid=0(0x)
        E: 3des-cbc  f69579f2 ccee42f3 e046f2d3 ea44eaf0 0111da98 cf79ee9d
        A: hmac-md5  f7f015ab 8200c964 13332790 8fdc3591
        seq=0x002e replay=0 flags=0x state=mature
        created: Jun 17 16:54:38 2004   current: Jun 17 16:55:38 2004
        diff: 60(s)     hard: 90(s)     soft: 81(s)
        last: Jun 17 16:55:38 2004      hard: 0(s)      soft: 0(s)
        current: 6256(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 46   hard: 0 soft: 0
        sadb_seq=1 pid=79990 refcnt=2
195.226.x.98 195.226.x.124
        esp mode=any spi=542689727(0x2058c9bf) reqid=0(0x)
        E: 3des-cbc  935381d8 a9ccfc65 b82ab59d 4c2201fa c41adfc5 077cab63
        A: hmac-md5  be01afa0 884cb945 0d561298 d17b5fbf
        seq=0x002e replay=0 flags=0x state=mature
        created: Jun 17 16:54:38 2004   current: Jun 17 16:55:38 2004
        diff: 60(s)     hard: 90(s)     soft: 81(s)
        last: Jun 17 16:55:38 2004      hard: 0(s)      soft: 0(s)
        current: 3864(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 46   hard: 0 soft: 0
        sadb_seq=0 pid=79990 refcnt=1

I added a route to the 10.0.1/24 net:

10.0.1/24          10.0.1.1           UGSc        0     2736   gif0

Now I set up a connection from a dynamic client.

192.168.10/30--Dynamic-IP[INTERNET]195.226.x.124---10.0.0.0

setkey -D:

195.226.x.124 217.236.140.95
        esp mode=any spi=1631512562(0x613ee7f2) reqid=0(0x)
        E: rijndael-cbc  ae65af22 6256a79a d37eb700 c7cd9917
        A: hmac-md5  3e378bc3 f7abd982 67d838d9 b678d18d
        seq=0x01c6 replay=0 flags=0x state=mature
        created: Jun 17 16:57:06 2004   current: Jun 17 17:04:52 2004
        diff: 466(s)    hard: 2000(s)   soft: 1800(s)
        last: Jun 17 17:04:51 2004      hard: 0(s)      soft: 0(s)
        current: 69008(bytes)   hard: 20480(bytes)      soft: 18432(bytes)
        allocated: 454  hard: 0 soft: 0
        sadb_seq=3 pid=80022 refcnt=2
217.236.140.95 195.226.x.124
        esp mode=any spi=1382069086(0x5260b35e) reqid=0(0x)
        E: rijndael-cbc  3e52567a 51306d35 e2333684 55b64a40
        A: hmac-md5  695a1b0a fb962e83 b38ff954 a2b4b4aa
        seq=0x01c5 replay=0 flags=0x state=mature
        created: Jun 17 16:57:06 2004   current: Jun 17 17:04:52 2004
        diff: 466(s)    hard: 2000(s)   soft: 1800(s)
        last: Jun 17 17:04:51 2004      hard: 0(s)      soft: 0(s)
        current: 38052(bytes)   hard: 20480(bytes)      soft: 18432(bytes)
        allocated: 453  hard: 0 soft: 0
        sadb_seq=2 pid=80022 refcnt=1

From the client I can ping 10.0.0.124. So I tried another host in this
net (10.0.0.1). I gave 10.0.0.1 a route to the 192.168.10/30 net:

192.168.10/30      10.0.0.124         UGSc        0      341    rl0

I'm able to ping 10.0.0.1 now from my vpnclient and ping the vpnclient
from 10.0.0.1 without any trouble. The only problem I get is to ping
the vpnclient from the vpnserver. It won't work. So how should I set up
the server to ping the client? Am I just blind and don't see my mistake?

gruss/regards
Andre
--
And some greetings from the Toaster
Plata Verata Nectu
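Both of Andre's posts come down to one question: which route does the server actually use for the client's network? Traffic only enters the tunnel when a route points the remote network at the gif interface; otherwise it takes the default route and leaves in the clear, which is also why the static client worked (it had the 10.0.1/24 route) and the dynamic one did not. The following is an added example, not code from this thread: a shell/awk function that reads a netstat -rn dump and reports the longest-prefix route covering a destination. The dump is constructed here to resemble Andre's server; the default gateway 192.0.2.1 and the interface names rl0 and lo0 are placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): route lookup over a
# `netstat -rn` dump, to check whether a VPN peer's network is covered by a
# tunnel route or would fall through to the default route.

# sample_routes: a constructed dump modelled on Andre's server. Only the
# 10.0.1/24 route points at the gif tunnel; 192.168.10/30 has no entry.
sample_routes() {
cat <<'EOF'
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.0.2.1          UGSc        3     6082    rl0
10.0.0/24          link#1             UC          2        0    rl0
10.0.1/24          10.0.1.1           UGSc        0     2736   gif0
127.0.0.1          127.0.0.1          UH          1       48    lo0
EOF
}

# route_lookup DEST: reads a netstat -rn dump on stdin and prints
# "<destination> <netif>" of the longest-prefix route that covers DEST,
# or "none" when nothing (not even a default route) covers it.
route_lookup() {
    awk -v dest="$1" '
    # Dotted quad, possibly abbreviated as BSD netstat prints it
    # ("10.0.1" means 10.0.1.0), to a 32-bit number.
    function ip2int(s,    p, n, i, v) {
        n = split(s, p, ".")
        v = 0
        for (i = 1; i <= 4; i++) v = v * 256 + (i <= n ? p[i] + 0 : 0)
        return v
    }
    function pow2(k,    r) { r = 1; while (k-- > 0) r *= 2; return r }
    # Prefix length: explicit "/len" if present; otherwise a 4-octet
    # destination is a host route and an abbreviated one is classful.
    function prefix_len(d,    a, n) {
        if (index(d, "/") > 0) { split(d, a, "/"); return a[2] + 0 }
        n = split(d, a, ".")
        return (n == 4) ? 32 : 8 * n
    }
    BEGIN { want = ip2int(dest); bestlen = -1 }
    NF < 6 || $1 == "Destination" { next }   # titles, headers, blank lines
    {
        if ($1 == "default") { net = 0; len = 0 }
        else { split($1, parts, "/"); net = ip2int(parts[1]); len = prefix_len($1) }
        m = pow2(32 - len)                  # size of the block this route covers
        if (int(net / m) == int(want / m) && len > bestlen) {
            bestlen = len; bestdst = $1; bestif = $6
        }
    }
    END { if (bestlen < 0) print "none"; else print bestdst, bestif }'
}

# Usage on a live box:   netstat -rn | route_lookup 192.168.10.1
# On the constructed dump the VPN client address resolves to the default
# route on rl0 rather than to gif0, which is Andre's missing route.
```

The check is deliberately conservative: it only says which route would carry the packet, so a result on the default interface for a peer you expect to be reachable over the tunnel is the signal to add the route (or, as Andre found, a dedicated gif interface with a /30 netmask). It reads the BSD column layout, so the Netif column is assumed to be the sixth field.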
RE: Routing question
Well the reason is that our dsl connections are limited to a max speed
of 512K in this country. So I thought of splitting the load between two
dsl lines. If the box is able to do that dynamically then great. My
question is how?

-----Original Message-----
From: Ben Timby [mailto:[EMAIL PROTECTED]
Sent: 11 June 2004 18:16
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Routing question

Perhaps if you post more info, we can come up with creative solutions
for you. My big question is why?

AFAIK, you cannot have more than one default gateway, unless you are
using netgraph to balance between network interfaces. However, you could
NAT C & D to their respective public interfaces. If E is a real IP, then
the NATed traffic should flow to that interface.

I would suggest using pf, as it is a most excellent firewall package.
Here is the section of a PF guide regarding NAT.

http://www.openbsd.org/faq/pf/nat.html

Your rules would look like this (these are from memory, so sanity check
them):

--
#define your interfaces as macros:
A = fxp0
B = fxp1
C = fxp2
D = fxp3
E = fxp4

#define your NAT translations using our macros:
nat on $A from ($C:network) to any -> $A
nat on $B from ($D:network) to any -> $B

#define your filtering rules:
...
--

However, you will find that route add will not allow multiple default
routes. You must use another package to allow for that, or at least it
is beyond my knowledge. Let me know if you figure it out, I would be
very interested.

Leon Botes wrote:
> I have a box with 5 nics. Call them A,B,C,D,E.
> A & B are different internet connections.
> E is a connection to a mail server on a public /29
> C & D are connections for 2 different client networks.
> Is it possible to have all traffic coming in via C sent to a default
> gateway on A's network and all traffic coming in via D sent to a
> default gateway on B's network. And secondly will both client networks
> be able to see the E/29? If so how?
>
> Thanks
> Leon
RE: Routing question
Agreed, the static route for E is best. But how do you add a route that
applies only to connections coming into C or D?

Route add (if source from net C then use interface A) ??

Adding failover would be an even bigger bonus.

-----Original Message-----
From: Thompson, Jimi [mailto:[EMAIL PROTECTED]
Sent: 11 June 2004 18:12
To: [EMAIL PROTECTED]
Subject: RE: Routing question

Leon,

This is possible, but will require you to run static routes so that you
can manually manage the connections. You should be able to set the
routing metrics so that all your traffic from client D goes to B and if
they want email, B will have to have the appropriate records to send
them back to E, which is a remarkably BAD idea.

Your better bet would be put in a static route with a lower routing
metric than the Internet connection (say 2) from D to E for a specific
IP/range so that they can get to the mail server without going out to
the Internet to do so. Give the Internet connection a routing metric of
3. The same applies for C. This way, for the IP/range that you specify
for the mail server(s), your email traffic from these guys will go
straight to the mail server without traversing the Internet first.

The next part depends on how you want to manage the Internet
connections. Do you want Customer C to use D's Internet connection if
Customer C's connection fails and vice versa? If so then you put a route
in your routing table and give that a really high metric (like 90) from
C to B and the same for D to A. Give their normal connection a really
low metric (like 3) and their traffic will go out the preferred
connection unless that connection fails or becomes really congested. If
you don't want them to be able to use each other's connections EVER,
just don't add a route for it at all.

HTH,

Jimi

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Leon Botes
Sent: Friday, June 11, 2004 10:15 AM
To: [EMAIL PROTECTED]
Subject: Routing question

I have a box with 5 nics. Call them A,B,C,D,E.
A & B are different internet connections.
E is a connection to a mail server on a public /29
C & D are connections for 2 different client networks.
Is it possible to have all traffic coming in via C sent to a default
gateway on A's network and all traffic coming in via D sent to a
default gateway on B's network. And secondly will both client networks
be able to see the E/29? If so how?

Thanks
Leon
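Leon asks above for failover between the two uplinks. With a single default route, the simplest workable scheme is a periodic job that probes the currently active uplink and re-points the default route at the other one when the probe fails. The following is an added example written for this page, not code from anyone in the thread: a POSIX sh script meant to run from cron every few minutes. The gateway addresses 192.0.2.1 and 198.51.100.1 and the state file path are placeholders, and by default the script only prints the route(8) command it would run.

```shell
#!/bin/sh
# Added example (not from the thread): default-route failover between two
# uplinks. Probe the active uplink's gateway; move the default route to the
# other uplink only when the active one stops answering and the other does.
# Addresses are placeholders from the documentation ranges. With DRY_RUN=1
# (the default) route commands are printed, not executed.

GW_A="${GW_A:-192.0.2.1}"                    # gateway on uplink A (placeholder)
GW_B="${GW_B:-198.51.100.1}"                 # gateway on uplink B (placeholder)
STATE_FILE="${STATE_FILE:-/var/run/active_uplink}"   # remembers A or B
DRY_RUN="${DRY_RUN:-1}"

# gw_of A|B: print that uplink's gateway address.
gw_of() { if [ "$1" = A ]; then echo "$GW_A"; else echo "$GW_B"; fi; }

# probe ADDR: succeed if three pings get a reply. Probing the far gateway
# itself keeps the check independent of hosts further out. Tests replace it.
probe() { ping -c 3 "$1" >/dev/null 2>&1; }

# choose_uplink CURRENT: print the uplink that should carry the default route.
# Stay on the current uplink while it answers; switch only if it is dead and
# the other one answers; if neither answers, keep what we have (flapping the
# route between two dead links gains nothing).
choose_uplink() {
    cur="$1"
    [ "$cur" = B ] && other=A || other=B
    if probe "$(gw_of "$cur")"; then echo "$cur"
    elif probe "$(gw_of "$other")"; then echo "$other"
    else echo "$cur"; fi
}

# set_default GW: re-point the default route (FreeBSD route(8) syntax).
set_default() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "route change default $1"
    else
        route change default "$1" >/dev/null 2>&1 || route add default "$1"
    fi
}

# run_once: read the recorded active uplink (A if none recorded), decide,
# apply and record only on a change. Prints the uplink now in use.
run_once() {
    cur=A
    [ -r "$STATE_FILE" ] && cur=$(cat "$STATE_FILE")
    new=$(choose_uplink "$cur")
    if [ "$new" != "$cur" ]; then
        set_default "$(gw_of "$new")"
        [ "$DRY_RUN" = 1 ] || echo "$new" > "$STATE_FILE"
    fi
    echo "$new"
}

# Cron entry, every five minutes:
#   */5 * * * * DRY_RUN=0 /usr/local/sbin/uplink-failover.sh
# (run `run_once` from the script's last line when installing it that way)
```

As the thread's first reply notes, this buys resilience, not bandwidth: all traffic still leaves by one link at a time. Leon's per-client split (C out via A, D out via B) is a separate policy-routing question that a default-route switch does not answer.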
Routing question
I have a box with 5 nics. Call them A,B,C,D,E.
A & B are different internet connections.
E is a connection to a mail server on a public /29
C & D are connections for 2 different client networks.
Is it possible to have all traffic coming in via C sent to a default
gateway on A's network and all traffic coming in via D sent to a
default gateway on B's network. And secondly will both client networks
be able to see the E/29? If so how?

Thanks
Leon
Re: Routing question
Perhaps if you post more info, we can come up with creative solutions
for you. My big question is why?

AFAIK, you cannot have more than one default gateway, unless you are
using netgraph to balance between network interfaces. However, you could
NAT C & D to their respective public interfaces. If E is a real IP, then
the NATed traffic should flow to that interface.

I would suggest using pf, as it is a most excellent firewall package.
Here is the section of a PF guide regarding NAT.

http://www.openbsd.org/faq/pf/nat.html

Your rules would look like this (these are from memory, so sanity check
them):

--
#define your interfaces as macros:
A = fxp0
B = fxp1
C = fxp2
D = fxp3
E = fxp4

#define your NAT translations using our macros:
nat on $A from ($C:network) to any -> $A
nat on $B from ($D:network) to any -> $B

#define your filtering rules:
...
--

However, you will find that route add will not allow multiple default
routes. You must use another package to allow for that, or at least it
is beyond my knowledge. Let me know if you figure it out, I would be
very interested.

Leon Botes wrote:
> I have a box with 5 nics. Call them A,B,C,D,E.
> A & B are different internet connections.
> E is a connection to a mail server on a public /29
> C & D are connections for 2 different client networks.
> Is it possible to have all traffic coming in via C sent to a default
> gateway on A's network and all traffic coming in via D sent to a
> default gateway on B's network. And secondly will both client networks
> be able to see the E/29? If so how?
>
> Thanks
> Leon
RE: routing question
thank you

On Sat, 5 Jun 2004, Eric Crist wrote:

> You need to kill all the running dhclient processes, then try again.
> Usually, this can be done with:
>
> # killall -9 dhclient
>
> HTH
>
> Eric F Crist
> President
> AdTech Integrated Systems, Inc
> (612) 998-3588
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Saturday, June 05, 2004 11:29 AM
> To: [EMAIL PROTECTED]
> Subject: routing question
>
> I am trying to configure a wireless router so I am redefining routes and
> IP address of my system. After booting dhclient ep0 works fine. After
> messing around with the wireless router I was just going back to my
> ethernet connection so I did:
>
>   ifconfig ep0 192.168.0.3 remove
>   arp -da
>   route flush
>   dhclient ep0
>
> This returned immediately without assigning an IP or route so I just
> connected manually using ifconfig and route. There must be something I
> did not clear out, but I can not figure it out. Thanks for any ideas.
> This is on 4.10 if that makes any difference.
>
> _____
> Douglas Denault
> http://www.safeport.com
> [EMAIL PROTECTED]
> Voice: 301-469-8766
>   Fax: 301-469-0601

_____
Douglas Denault
http://www.safeport.com
[EMAIL PROTECTED]
Voice: 301-469-8766
  Fax: 301-469-0601
routing question
I am trying to configure a wireless router so I am redefining routes and
IP address of my system. After booting dhclient ep0 works fine. After
messing around with the wireless router I was just going back to my
ethernet connection so I did:

  ifconfig ep0 192.168.0.3 remove
  arp -da
  route flush
  dhclient ep0

This returned immediately without assigning an IP or route so I just
connected manually using ifconfig and route. There must be something I
did not clear out, but I can not figure it out. Thanks for any ideas.
This is on 4.10 if that makes any difference.

_____
Douglas Denault
http://www.safeport.com
[EMAIL PROTECTED]
Voice: 301-469-8766
  Fax: 301-469-0601
RE: routing question
You need to kill all the running dhclient processes, then try again.
Usually, this can be done with:

# killall -9 dhclient

HTH

Eric F Crist
President
AdTech Integrated Systems, Inc
(612) 998-3588

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, June 05, 2004 11:29 AM
To: [EMAIL PROTECTED]
Subject: routing question

I am trying to configure a wireless router so I am redefining routes and
IP address of my system. After booting dhclient ep0 works fine. After
messing around with the wireless router I was just going back to my
ethernet connection so I did:

  ifconfig ep0 192.168.0.3 remove
  arp -da
  route flush
  dhclient ep0

This returned immediately without assigning an IP or route so I just
connected manually using ifconfig and route. There must be something I
did not clear out, but I can not figure it out. Thanks for any ideas.
This is on 4.10 if that makes any difference.

_____
Douglas Denault
http://www.safeport.com
[EMAIL PROTECTED]
Voice: 301-469-8766
  Fax: 301-469-0601
Re[2]: routing for 1000 users and 10Mbit internet.
BM> hugle wrote:
BM> hugle wrote:
BM> hugle wrote:
FG> On Mon, 31 May 2004, hugle wrote:

dammit.. why then do my users eat so much CPU? look:

CPU states:  0.0% user,  0.0% nice,  0.8% system, 38.0% interrupt, 61.2% idle
Mem: 21M Active, 177M Inact, 133M Wired, 1228K Cache, 199M Buf, 1677M Free

I have only 61% idle? usually i have ~50 idle.. now I have P4 2.4GHZ
maybe my setup is bad (kernel I mean)?

FG> My guess is either cheap hardware (NIC) or bad tuning. What NICs are you
FG> using?

I'm using Intel cards (fxp) at the moment. But from reading the posts
I've decided to buy GBIT NIC. Now the dilemma is what brand name..
INTEL or 3COM? maybe you guys could advise?

BM> I've always had good results with fxp cards.

how many users do you have? and what model?

BM> Never more than 100 ... it's been a year or two, so I don't remember the model.

And yes, my PC is dealing with lots of network traffic.. It's a gateway
+ shaping. It deals with almost 1000 users.. Will this PC (p4 2.4GHZ)
deal with 10mbit internet? as a gateway + shaper? with one GBIT NIC
connected to 100Mbit switch?

BM> A gbit NIC isn't going to run at gbit speed on a 100mbit switch.

I know, but as I know it'll have more memory, buffer or smth like that.
which somehow will help to deal with the problem, right?

BM> Probably. It just seems like a lot of $$$ to drop when you haven't
BM> tried polling yet. Keep in mind, that if you try polling and it
BM> doesn't work, you can just turn it back off, and you haven't spent
BM> any $$$ on hardware that didn't help.

BM> I would look elsewhere than the NIC. Intel NICs are good units (in my experience,
BM> if someone knows of problems with them, please speak up)

from systat -v:

  481 fxp0 irq12
  226 fxp1 irq3
  317 fxp2 irq7

I think it is quite high? right?

BM> I guess. I would expect numbers like that considering the load it's
BM> under.

BM> I'll ask _again_ ... is the machine's performance poor? Fact is, if
BM> you give it enough network traffic to shape, it's going to raise the
BM> CPU load, no matter what you do.

now the main problem is.. that machine is shaping internet, right? I did
shaping for my subnet, so users in /24 have 100kbits everybody. But they
don't get such speed, they get about 70-80kbps. and if I try to skip
pipe rules for certain IPs, users get all available speed (which is
left), it's about 500kbps.. so why can't the machine pipe it normally?
Didn't have these problems in the past...

BM> Past when? What changed?

BM> Typically, only ~80% of available bandwidth is usable. I don't know if
BM> that applies to your situation, though, as that's usually referring to
BM> ethernet, and you claim the problem hasn't always been there.

BM> Try polling and see if the load reduces and the performance increases.
BM> If all that machine is doing is routing, you can configure it to be
BM> dedicated to routing.

Hello all:)
I'm here again.. so. I've purchased 3com nic, it recognises it as: bge0.
Situation went a bit better.. (in first hours on last nics i had ~50%
interrupt and here I had 30%) But after some time.. interrupts went up.
Compiled in polling support. But after enabling polling I don't see any
changes.. Maybe bge NICs don't support polling?
Re: Re[2]: routing for 1000 users and 10Mbit internet.
hugle <[EMAIL PROTECTED]> wrote:

> now the main problem is.. that machine is shaping internet, right? I did
> shaping for my subnet, so users in /24 have 100kbits everybody. But they
> don't get such speed, they get about 70-80kbps. and if I try to skip
> pipe rules for certain IPs, users get all available speed (which is
> left), it's about 500kbps.. so why can't the machine pipe it normally?
> Didn't have these problems in the past...
>
> BM> Past when? What changed?
>
> BM> Typically, only ~80% of available bandwidth is usable. I don't know if
> BM> that applies to your situation, though, as that's usually referring to
> BM> ethernet, and you claim the problem hasn't always been there.
>
> BM> Try polling and see if the load reduces and the performance increases.
> BM> If all that machine is doing is routing, you can configure it to be
> BM> dedicated to routing.
>
> Hello all:)
> I'm here again.. so. I've purchased 3com nic, it recognises it as: bge0.
> Situation went a bit better.. (in first hours on last nics i had ~50%
> interrupt and here I had 30%) But after some time.. interrupts went up.

I didn't expect it to change significantly.

> Compiled in polling support. But after enabling polling I don't see any
> changes.. Maybe bge NICs don't support polling?

The man page for polling does not list the bge driver as supported, and
the bge man page says nothing about polling that I can find. However,
the fxp driver (for the Intel NIC) _does_ support polling.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
Re[2]: routing for 1000 users and 10Mbit internet.
BM> hugle wrote:
FG> On Mon, 31 May 2004, hugle wrote:

dammit.. why then do my users eat so much CPU? look:

CPU states:  0.0% user,  0.0% nice,  0.8% system, 38.0% interrupt, 61.2% idle
Mem: 21M Active, 177M Inact, 133M Wired, 1228K Cache, 199M Buf, 1677M Free

I have only 61% idle? usually i have ~50 idle.. now I have P4 2.4GHZ
maybe my setup is bad (kernel I mean)?

FG> My guess is either cheap hardware (NIC) or bad tuning. What NICs are you
FG> using?

I'm using Intel cards (fxp) at the moment. But from reading the posts
I've decided to buy GBIT NIC. Now the dilemma is what brand name..
INTEL or 3COM? maybe you guys could advise?

BM> I've always had good results with fxp cards.

how many users do you have? and what model?

And yes, my PC is dealing with lots of network traffic.. It's a gateway
+ shaping. It deals with almost 1000 users.. Will this PC (p4 2.4GHZ)
deal with 10mbit internet? as a gateway + shaper? with one GBIT NIC
connected to 100Mbit switch?

BM> A gbit NIC isn't going to run at gbit speed on a 100mbit switch.

I know, but as I know it'll have more memory, buffer or smth like that.
which somehow will help to deal with the problem, right?

BM> I would look elsewhere than the NIC. Intel NICs are good units (in my experience,
BM> if someone knows of problems with them, please speak up)

from systat -v:

  481 fxp0 irq12
  226 fxp1 irq3
  317 fxp2 irq7

I think it is quite high? right?

BM> Read the polling man page and see if it will help you.
Re: routing for 1000 users and 10Mbit internet.
hugle wrote:
> BM> hugle wrote:
> FG> On Mon, 31 May 2004, hugle wrote:
>
> dammit.. why then do my users eat so much CPU? look:
>
> CPU states:  0.0% user,  0.0% nice,  0.8% system, 38.0% interrupt, 61.2% idle
> Mem: 21M Active, 177M Inact, 133M Wired, 1228K Cache, 199M Buf, 1677M Free
>
> I have only 61% idle? usually i have ~50 idle.. now I have P4 2.4GHZ
> maybe my setup is bad (kernel I mean)?
>
> FG> My guess is either cheap hardware (NIC) or bad tuning. What NICs are you
> FG> using?
>
> I'm using Intel cards (fxp) at the moment. But from reading the posts
> I've decided to buy GBIT NIC. Now the dilemma is what brand name..
> INTEL or 3COM? maybe you guys could advise?
>
> BM> I've always had good results with fxp cards.
>
> how many users do you have? and what model?

Never more than 100 ... it's been a year or two, so I don't remember the model.

> And yes, my PC is dealing with lots of network traffic.. It's a gateway
> + shaping. It deals with almost 1000 users.. Will this PC (p4 2.4GHZ)
> deal with 10mbit internet? as a gateway + shaper? with one GBIT NIC
> connected to 100Mbit switch?
>
> BM> A gbit NIC isn't going to run at gbit speed on a 100mbit switch.
>
> I know, but as I know it'll have more memory, buffer or smth like that.
> which somehow will help to deal with the problem, right?

Probably. It just seems like a lot of $$$ to drop when you haven't
tried polling yet. Keep in mind, that if you try polling and it
doesn't work, you can just turn it back off, and you haven't spent
any $$$ on hardware that didn't help.

> BM> I would look elsewhere than the NIC. Intel NICs are good units (in my experience,
> BM> if someone knows of problems with them, please speak up)
>
> from systat -v:
>
>   481 fxp0 irq12
>   226 fxp1 irq3
>   317 fxp2 irq7
>
> I think it is quite high? right?

I guess. I would expect numbers like that considering the load it's
under.

I'll ask _again_ ... is the machine's performance poor? Fact is, if
you give it enough network traffic to shape, it's going to raise the
CPU load, no matter what you do.

I guess, if you absolutely want to come up with a reason to buy new
hardware, this is as good a reason as any.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
Re[2]: routing for 1000 users and 10Mbit internet.
BM> hugle wrote:
BM> hugle wrote:
FG> On Mon, 31 May 2004, hugle wrote:

dammit.. why then do my users eat so much CPU? look:

CPU states:  0.0% user,  0.0% nice,  0.8% system, 38.0% interrupt, 61.2% idle
Mem: 21M Active, 177M Inact, 133M Wired, 1228K Cache, 199M Buf, 1677M Free

I have only 61% idle? usually i have ~50 idle.. now I have P4 2.4GHZ
maybe my setup is bad (kernel I mean)?

FG> My guess is either cheap hardware (NIC) or bad tuning. What NICs are you
FG> using?

I'm using Intel cards (fxp) at the moment. But from reading the posts
I've decided to buy GBIT NIC. Now the dilemma is what brand name..
INTEL or 3COM? maybe you guys could advise?

BM> I've always had good results with fxp cards.

how many users do you have? and what model?

BM> Never more than 100 ... it's been a year or two, so I don't remember the model.

And yes, my PC is dealing with lots of network traffic.. It's a gateway
+ shaping. It deals with almost 1000 users.. Will this PC (p4 2.4GHZ)
deal with 10mbit internet? as a gateway + shaper? with one GBIT NIC
connected to 100Mbit switch?

BM> A gbit NIC isn't going to run at gbit speed on a 100mbit switch.

I know, but as I know it'll have more memory, buffer or smth like that.
which somehow will help to deal with the problem, right?

BM> Probably. It just seems like a lot of $$$ to drop when you haven't
BM> tried polling yet. Keep in mind, that if you try polling and it
BM> doesn't work, you can just turn it back off, and you haven't spent
BM> any $$$ on hardware that didn't help.

BM> I would look elsewhere than the NIC. Intel NICs are good units (in my experience,
BM> if someone knows of problems with them, please speak up)

from systat -v:

  481 fxp0 irq12
  226 fxp1 irq3
  317 fxp2 irq7

I think it is quite high? right?

BM> I guess. I would expect numbers like that considering the load it's
BM> under.

BM> I'll ask _again_ ... is the machine's performance poor? Fact is, if
BM> you give it enough network traffic to shape, it's going to raise the
BM> CPU load, no matter what you do.

now the main problem is.. that machine is shaping internet, right? I did
shaping for my subnet, so users in /24 have 100kbits everybody. But they
don't get such speed, they get about 70-80kbps. and if I try to skip
pipe rules for certain IPs, users get all available speed (which is
left), it's about 500kbps.. so why can't the machine pipe it normally?
Didn't have these problems in the past...

BM> I guess, if you absolutely want to come up with a reason to buy new
BM> hardware, this is as good a reason as any.
Re: routing for 1000 users and 10Mbit internet.
hugle wrote:
> BM> hugle wrote:
> BM> hugle wrote:
> FG> On Mon, 31 May 2004, hugle wrote:
>
> dammit.. why then do my users eat so much CPU? look:
>
> CPU states:  0.0% user,  0.0% nice,  0.8% system, 38.0% interrupt, 61.2% idle
> Mem: 21M Active, 177M Inact, 133M Wired, 1228K Cache, 199M Buf, 1677M Free
>
> I have only 61% idle? usually i have ~50 idle.. now I have P4 2.4GHZ
> maybe my setup is bad (kernel I mean)?
>
> FG> My guess is either cheap hardware (NIC) or bad tuning. What NICs are you
> FG> using?
>
> I'm using Intel cards (fxp) at the moment. But from reading the posts
> I've decided to buy GBIT NIC. Now the dilemma is what brand name..
> INTEL or 3COM? maybe you guys could advise?
>
> BM> I've always had good results with fxp cards.
>
> how many users do you have? and what model?
>
> BM> Never more than 100 ... it's been a year or two, so I don't remember the model.
>
> And yes, my PC is dealing with lots of network traffic.. It's a gateway
> + shaping. It deals with almost 1000 users.. Will this PC (p4 2.4GHZ)
> deal with 10mbit internet? as a gateway + shaper? with one GBIT NIC
> connected to 100Mbit switch?
>
> BM> A gbit NIC isn't going to run at gbit speed on a 100mbit switch.
>
> I know, but as I know it'll have more memory, buffer or smth like that.
> which somehow will help to deal with the problem, right?
>
> BM> Probably. It just seems like a lot of $$$ to drop when you haven't
> BM> tried polling yet. Keep in mind, that if you try polling and it
> BM> doesn't work, you can just turn it back off, and you haven't spent
> BM> any $$$ on hardware that didn't help.
>
> BM> I would look elsewhere than the NIC. Intel NICs are good units (in my experience,
> BM> if someone knows of problems with them, please speak up)
>
> from systat -v:
>
>   481 fxp0 irq12
>   226 fxp1 irq3
>   317 fxp2 irq7
>
> I think it is quite high? right?
>
> BM> I guess. I would expect numbers like that considering the load it's
> BM> under.
>
> BM> I'll ask _again_ ... is the machine's performance poor? Fact is, if
> BM> you give it enough network traffic to shape, it's going to raise the
> BM> CPU load, no matter what you do.
>
> now the main problem is.. that machine is shaping internet, right? I did
> shaping for my subnet, so users in /24 have 100kbits everybody. But they
> don't get such speed, they get about 70-80kbps. and if I try to skip
> pipe rules for certain IPs, users get all available speed (which is
> left), it's about 500kbps.. so why can't the machine pipe it normally?
> Didn't have these problems in the past...

Past when? What changed?

Typically, only ~80% of available bandwidth is usable. I don't know if
that applies to your situation, though, as that's usually referring to
ethernet, and you claim the problem hasn't always been there.

Try polling and see if the load reduces and the performance increases.
If all that machine is doing is routing, you can configure it to be
dedicated to routing.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
Re[2]: routing for 1000 users and 10Mbit internet.
BM> hugle wrote:
BM> hugle wrote:
BM> hugle wrote:
FG> On Mon, 31 May 2004, hugle wrote:

dammit.. why then do my users eat so much CPU? look:

CPU states:  0.0% user,  0.0% nice,  0.8% system, 38.0% interrupt, 61.2% idle
Mem: 21M Active, 177M Inact, 133M Wired, 1228K Cache, 199M Buf, 1677M Free

I have only 61% idle? usually i have ~50 idle.. now I have P4 2.4GHZ
maybe my setup is bad (kernel I mean)?

FG> My guess is either cheap hardware (NIC) or bad tuning. What NICs are you
FG> using?

I'm using Intel cards (fxp) at the moment. But from reading the posts
I've decided to buy GBIT NIC. Now the dilemma is what brand name..
INTEL or 3COM? maybe you guys could advise?

BM> I've always had good results with fxp cards.

how many users do you have? and what model?

BM> Never more than 100 ... it's been a year or two, so I don't remember the model.

And yes, my PC is dealing with lots of network traffic.. It's a gateway
+ shaping. It deals with almost 1000 users.. Will this PC (p4 2.4GHZ)
deal with 10mbit internet? as a gateway + shaper? with one GBIT NIC
connected to 100Mbit switch?

BM> A gbit NIC isn't going to run at gbit speed on a 100mbit switch.

I know, but as I know it'll have more memory, buffer or smth like that.
which somehow will help to deal with the problem, right?

BM> Probably. It just seems like a lot of $$$ to drop when you haven't
BM> tried polling yet. Keep in mind, that if you try polling and it
BM> doesn't work, you can just turn it back off, and you haven't spent
BM> any $$$ on hardware that didn't help.

BM> I would look elsewhere than the NIC. Intel NICs are good units (in my experience,
BM> if someone knows of problems with them, please speak up)

from systat -v:

  481 fxp0 irq12
  226 fxp1 irq3
  317 fxp2 irq7

I think it is quite high? right?

BM> I guess. I would expect numbers like that considering the load it's
BM> under.

BM> I'll ask _again_ ... is the machine's performance poor? Fact is, if
BM> you give it enough network traffic to shape, it's going to raise the
BM> CPU load, no matter what you do.

now the main problem is.. that machine is shaping internet, right? I did
shaping for my subnet, so users in /24 have 100kbits everybody. But they
don't get such speed, they get about 70-80kbps. and if I try to skip
pipe rules for certain IPs, users get all available speed (which is
left), it's about 500kbps.. so why can't the machine pipe it normally?
Didn't have these problems in the past...

BM> Past when? What changed?

actually nothing... more users joined the LAN.

BM> Typically, only ~80% of available bandwidth is usable. I don't know if
BM> that applies to your situation, though, as that's usually referring to
BM> ethernet, and you claim the problem hasn't always been there.

no.. for example if i start downloading without using pipes (no shaping)
my total bandwidth usage increases up to 98-99%

BM> Try polling and see if the load reduces and the performance increases.
BM> If all that machine is doing is routing, you can configure it to be
BM> dedicated to routing.

I'll do it in ~10-12 hours.. I'll plug my server off, plug in new 3com
gbit NIC. and boot my kernel with new options - DEVICE_POLLING. and see
what is happening and so on..

PS. i think my PC has too little CPU. cause I think that NAT + shaper
both eat much processor. and read somewhere, that: interrupts appear if
CPU doesn't manage to deal with them.

So, after changing NIC, i'll post my result here

hugle
routing for 1000 users and 10Mbit internet.
Hello all.

I run into some problem here.
Let's take, that I have 10mbit internet and 1000 users behind the router.
All I want to do is to NAT internet over all of these users,
give some users external IPs (BIMAP in ipfilter)
And also do traffic shaping, like:

  Some IP groups (10.0.0.0/24) one pipe - 100kbits
  some IP groups (10.0.1.0/24 and 10.0.2.0/24) another pipe.. - 300 kbits for example
  some individual IPs individual pipes, like 10.10.10.10 has 400kbits

The question is what machine do i need?
What CPU and how much of ram?
dual or single processor?
or maybe there are any better suggestions?

thanks

--
Best regards,
Hugle
Re: routing for 1000 users and 10Mbit internet.
On Mon, 31 May 2004, hugle wrote:

> The question is what machine do i need?
> What CPU and how much of ram ?

I set up a firewall for more than 300 users, a DMZ with a public webserver,
webmail and MX on a PII-350MHz with 128 MB RAM.

On another client, I set up a firewall for 50 users with a Pentium 90MHz
with 64MB RAM.

> dual or single processor ?

One. Don't waste your money. A firewall isn't very CPU intensive. And given
the fact that ipf works at the IP stack level, I don't think you can have
more than one thread active at a time messing with the IP data structures.

Fer
Re[2]: routing for 1000 users and 10Mbit internet.
FG> On Mon, 31 May 2004, hugle wrote:
>> The question is what machine do i need?
>> What CPU and how much of ram ?

FG> I set up a firewall for more than 300 users, a DMZ with a public webserver,
FG> webmail and MX on a PII-350MHz with 128 MB RAM.

dammit.. why then my users eat so much CPU? look:

CPU states:  0.0% user,  0.0% nice,  0.8% system, 38.0% interrupt, 61.2% idle
Mem: 21M Active, 177M Inact, 133M Wired, 1228K Cache, 199M Buf, 1677M Free

I have only 61% idle? usually i have ~50 idle.. now I have P4 2.4GHZ
maybe my setup is bad (kernel I mean)?

ps. what do those interrupts mean?

FG> On another client, I set up a firewall for 50 users with a Pentium 90MHz
FG> with 64MB RAM.

>> dual or single processor ?

FG> One. Don't waste your money. A firewall isn't very CPU intensive. And given
FG> the fact that ipf works at the IP stack level, I don't think you can have
FG> more than one thread active at a time messing with the IP data structures.

FG> Fer
Re: routing for 1000 users and 10Mbit internet.
hugle wrote:
> FG> On Mon, 31 May 2004, hugle wrote:
>>> The question is what machine do i need?
>>> What CPU and how much of ram ?
>
> FG> I set up a firewall for more than 300 users, a DMZ with a public webserver,
> FG> webmail and MX on a PII-350MHz with 128 MB RAM.
>
> dammit.. why then my users eat so much CPU? look:
>
> CPU states:  0.0% user,  0.0% nice,  0.8% system, 38.0% interrupt, 61.2% idle
> Mem: 21M Active, 177M Inact, 133M Wired, 1228K Cache, 199M Buf, 1677M Free
>
> I have only 61% idle? usually i have ~50 idle.. now I have P4 2.4GHZ
> maybe my setup is bad (kernel I mean)?
>
> ps. what do those interrupts mean?

It probably means you have a cheapo network card and the OS has to work very
hard to keep it moving data. The vmstat screen of systat will break down the
interrupt usage per device, which will tell you if my guess is right or not.
If I'm right, it would be worth your while to research the particular NIC
you're using to see if there are known problems. Or, if you know it's a
cheap NIC, you might want to just replace it. OTOH, if the machine is
keeping up with the load, you might want to just leave that NIC in there
and let the CPU do its job.

There's also the option to switch to polling (if that NIC's drivers support
it). See man polling for the gory detail.

> FG> On another client, I set up a firewall for 50 users with a Pentium 90MHz
> FG> with 64MB RAM.
>
>>> dual or single processor ?
>
> FG> One. Don't waste your money. A firewall isn't very CPU intensive. And given
> FG> the fact that ipf works at the IP stack level, I don't think you can have
> FG> more than one thread active at a time messing with the IP data structures.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
Re: routing for 1000 users and 10Mbit internet.
hugle wrote:
> [ ... ]
> why then my users eat so much CPU? look:
>
> CPU states:  0.0% user,  0.0% nice,  0.8% system, 38.0% interrupt, 61.2% idle
> Mem: 21M Active, 177M Inact, 133M Wired, 1228K Cache, 199M Buf, 1677M Free
>
> I have only 61% idle? usually i have ~50 idle.. now I have P4 2.4GHZ
> maybe my setup is bad (kernel I mean)?
>
> ps. what do those interrupts mean?

English as a second language, hmm? Very well:

Your network card generates a signal when it receives a network packet and
wants the OS to pay attention. That signal is called an interrupt, and has
a strong correlation with the term IRQ. You are seeing lots of interrupts
because your router is dealing with lots of packets.

It is very likely that you can improve the way your system handles this
load by tuning your system better, yes. Read man tuning, and consider
rebuilding your kernel using HZ=1000 or so, and enabling DEVICE_POLLING.
You should also make sure you've got good network cards in the machine...

--
-Chuck
Re[2]: routing for 1000 users and 10Mbit internet.
On Mon, 31 May 2004, hugle wrote:

> dammit.. why then my users eat so much CPU? look:
>
> CPU states:  0.0% user,  0.0% nice,  0.8% system, 38.0% interrupt, 61.2% idle
> Mem: 21M Active, 177M Inact, 133M Wired, 1228K Cache, 199M Buf, 1677M Free
>
> I have only 61% idle? usually i have ~50 idle.. now I have P4 2.4GHZ
> maybe my setup is bad (kernel I mean)?

My guess is either cheap hardware (NIC) or bad tuning. What NICs are you
using?

Fer
Re[3]: routing for 1000 users and 10Mbit internet.
FG> On Mon, 31 May 2004, hugle wrote:
>> dammit.. why then my users eat so much CPU? look:
>>
>> CPU states:  0.0% user,  0.0% nice,  0.8% system, 38.0% interrupt, 61.2% idle
>> Mem: 21M Active, 177M Inact, 133M Wired, 1228K Cache, 199M Buf, 1677M Free
>>
>> I have only 61% idle? usually i have ~50 idle.. now I have P4 2.4GHZ
>> maybe my setup is bad (kernel I mean)?

FG> My guess is either cheap hardware (NIC) or bad tuning. What NICs are you
FG> using?

I'm using Intel cards (fxp) at the moment. But from reading the posts I've
decided to buy a GBIT NIC. Now the dilemma is what brand name.. INTEL or
3COM? maybe you guys could advise?

And yes, my PC is dealing with lots of network traffic.. It's a gateway +
shaping. It deals with almost 1000 users.. Will this PC (p4 2.4GHZ) deal
with 10mbit internet? as a gateway + shaper? with one GBIT NIC connected
to a 100Mbit switch?

Thanks once more for your time guys, and thanks for your support

FG> Fer
Re: routing for 1000 users and 10Mbit internet.
hugle wrote:
> FG> On Mon, 31 May 2004, hugle wrote:
>>> dammit.. why then my users eat so much CPU? look:
>>>
>>> CPU states:  0.0% user,  0.0% nice,  0.8% system, 38.0% interrupt, 61.2% idle
>>> Mem: 21M Active, 177M Inact, 133M Wired, 1228K Cache, 199M Buf, 1677M Free
>>>
>>> I have only 61% idle? usually i have ~50 idle.. now I have P4 2.4GHZ
>>> maybe my setup is bad (kernel I mean)?
>
> FG> My guess is either cheap hardware (NIC) or bad tuning. What NICs are you
> FG> using?
>
> I'm using Intel cards (fxp) at the moment. But from reading the posts I've
> decided to buy a GBIT NIC. Now the dilemma is what brand name.. INTEL or
> 3COM? maybe you guys could advise?

I've always had good results with fxp cards.

> And yes, my PC is dealing with lots of network traffic.. It's a gateway +
> shaping. It deals with almost 1000 users.. Will this PC (p4 2.4GHZ) deal
> with 10mbit internet? as a gateway + shaper? with one GBIT NIC connected
> to a 100Mbit switch?

A gbit NIC isn't going to run at gbit speed on a 100mbit switch.

I would look elsewhere than the NIC. Intel NICs are good units (in my
experience, if someone knows of problems with them, please speak up)

Read the polling man page and see if it will help you.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
Help with a routing issue
I have a freebsd 4.7 box at a client.
The box has an ip of 192.168.254.22
The default gateway is 192.168.254.1 which is the inside interface of the
gateway.
The outside interface of the gateway is 196.25.37.18 and it also has an
alias of 196.25.37.19.

When i ping 196.25.37.18 from the client's box (192.168.254.22) i get this.

mmrserver# ping 196.25.37.18
PING 196.25.37.18 (196.25.37.18): 56 data bytes
36 bytes from brandford.trusc.net (192.168.254.24): Redirect Host(New addr: 192.168.254.1)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 08f4   0 0000  40  01 c9ca 192.168.254.22  196.25.37.18
64 bytes from 196.25.37.18: icmp_seq=0 ttl=63 time=66.616 ms
36 bytes from brandford.trusc.net (192.168.254.24): Redirect Host(New addr: 192.168.254.1)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 08f8   0 0000  40  01 c9c6 192.168.254.22  196.25.37.18

When i ping 196.25.37.19 i get this.

mmrserver# ping 196.25.37.19
PING 196.25.37.19 (196.25.37.19): 56 data bytes
64 bytes from 196.25.37.19: icmp_seq=0 ttl=64 time=5.445 ms
64 bytes from 196.25.37.19: icmp_seq=1 ttl=64 time=4.630 ms
64 bytes from 196.25.37.19: icmp_seq=2 ttl=64 time=5.226 ms

That is correct the way it should be.

My routes on the client's box look as follows:

mmrserver# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.254.1      UGSc        7     1952    dc0
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.168.60         link#2             UC         11        0    rl0
192.168.60.1       00:10:dc:f5:9c:9d  UHLW        0       10    rl0    972
192.168.60.11      00:0d:61:1b:f0:fc  UHLW        1      418    rl0    442
192.168.60.12      00:00:21:e2:8d:e1  UHLW        0        2    rl0    642
192.168.60.15      00:90:f5:08:32:cb  UHLW        0      435    rl0    256
192.168.60.16      00:50:22:8c:ee:51  UHLW        0        1    rl0    790
192.168.60.18      00:50:bf:97:e8:8a  UHLW        0      371    rl0   1022
192.168.60.21      00:0c:76:25:74:fc  UHLW        1     1422    rl0    858
192.168.60.22      00:50:bf:ec:27:a3  UHLW        1       10    rl0   1032
192.168.60.33      00:0d:61:4d:5b:9e  UHLW        3       17    rl0    873
192.168.60.133     00:50:22:8d:ed:86  UHLW        1       10    rl0   1122
192.168.60.255     ff:ff:ff:ff:ff:ff  UHLWb       2       49    rl0
192.168.254        link#1             UC          2        0    dc0
192.168.254.1      00:02:6f:32:24:90  UHLW        8      268    dc0   1149
192.168.254.255    ff:ff:ff:ff:ff:ff  UHLWb       2       94    dc0

Can anyone help me with why the 196.25.37.18 ip is being redirected via
192.168.254.24?

PLEASE
Re: Help with a routing issue
On Wed, 26 May 2004, Leon Botes wrote:

> I have a freebsd 4.7 box at a client.
> The box has an ip of 192.168.254.22
> The default gateway is 192.168.254.1 which is the inside interface of the
> gateway.
> The outside interface of the gateway is 196.25.37.18 and it also has an
> alias of 196.25.37.19.
>
> When i ping 196.25.37.18 from the client's box (192.168.254.22) i get this.
>
> mmrserver# ping 196.25.37.18
> PING 196.25.37.18 (196.25.37.18): 56 data bytes
> 36 bytes from brandford.trusc.net (192.168.254.24): Redirect Host(New addr: 192.168.254.1)
> Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
>  4  5  00 0054 08f4   0 0000  40  01 c9ca 192.168.254.22  196.25.37.18
> 64 bytes from 196.25.37.18: icmp_seq=0 ttl=63 time=66.616 ms
> 36 bytes from brandford.trusc.net (192.168.254.24): Redirect Host(New addr: 192.168.254.1)
> Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
>  4  5  00 0054 08f8   0 0000  40  01 c9c6 192.168.254.22  196.25.37.18
>
> When i ping 196.25.37.19 i get this.
>
> mmrserver# ping 196.25.37.19
> PING 196.25.37.19 (196.25.37.19): 56 data bytes
> 64 bytes from 196.25.37.19: icmp_seq=0 ttl=64 time=5.445 ms
> 64 bytes from 196.25.37.19: icmp_seq=1 ttl=64 time=4.630 ms
> 64 bytes from 196.25.37.19: icmp_seq=2 ttl=64 time=5.226 ms
>
> That is correct the way it should be.

Could you provide the output of ifconfig -a of the gateway box? Should shed
some more light about the issues, also the parts of /etc/rc.conf where the
cards are configured could be interesting.

Olaf

--
Olaf Hoyer        [EMAIL PROTECTED]
Terrible experiences raise the question whether he who experiences them
is not something terrible himself. (Nietzsche, Jenseits von Gut und Boese)
RE: Help with a routing issue
> Could you provide the output of ifconfig -a of the gateway box? Should shed
> some more light about the issues, also the parts of /etc/rc.conf where the
> cards are configured could be interesting.
>
> Olaf
>
> --
> Olaf Hoyer        [EMAIL PROTECTED]
> Terrible experiences raise the question whether he who experiences them
> is not something terrible himself. (Nietzsche, Jenseits von Gut und Boese)

FROM THE GATEWAY:

ifconfig

fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 196.25.37.18 netmask 0xfffffff8 broadcast 196.25.37.23
        inet 196.25.37.19 netmask 0xffffffff broadcast 196.25.37.19
        ether 00:20:ed:11:00:e8
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.254.1 netmask 0xffffff00 broadcast 192.168.254.255
        ether 00:20:ed:11:00:e9
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

rc.conf

ifconfig_fxp0="inet 196.25.37.18 netmask 255.255.255.248"
ifconfig_fxp0_alias0="inet 196.25.37.19 netmask 255.255.255.255"
ifconfig_fxp1="inet 192.168.254.1 netmask 255.255.255.0"
natd_enable="YES"
natd_interface="fxp0"
natd_flags=""
gateway_enable="YES"
defaultrouter="196.25.37.17"

Ipfw show

00300   22467   1425741 fwd 196.25.37.20 tcp from any to any 80 out xmit fxp0
01000   64432  13724943 divert 8668 ip from any to any via fxp0
01100   11754   6690334 allow ip from any to any via lo0
01200       0         0 deny ip from any to 127.0.0.0/8
01300       0         0 deny ip from 127.0.0.0/8 to any
01400    5223    533128 fwd 196.25.37.22 tcp from any to any 443 out xmit fxp0
01500       0         0 fwd 196.25.37.22 tcp from any to any 3306 out xmit fxp0
01600     500     27082 fwd 196.25.37.22 tcp from any to any 22 out xmit fxp0
01700     193      9455 fwd 196.25.37.22 tcp from any to any 110 out xmit fxp0
01800       0         0 fwd 196.25.37.22 tcp from any to any 119 out xmit fxp0
01900       0         0 deny log logamount 2 tcp from any to any 445,2556,9996,5554 in recv fxp1
65000  171424  31989301 allow ip from any to any
65535       0         0 deny ip from any to any

FROM THE CLIENT BOX:

Ifconfig

dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.254.22 netmask 0xffffff00 broadcast 192.168.254.255
        ether 00:50:bf:97:e8:83
        media: Ethernet autoselect (10baseT/UTP)
        status: active
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.60.2 netmask 0xffffff00 broadcast 192.168.60.255
        ether 00:50:bf:43:37:c1
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

rc.conf

ifconfig_rl0="inet 192.168.60.2 netmask 255.255.255.0"
ifconfig_dc0="inet 192.168.254.22 netmask 255.255.255.0"
gateway_enable="YES"
defaultrouter="192.168.254.1"
nfs_client_enable="YES"
firewall_enable="YES"
firewall_type="open"
natd_enable="YES"
natd_interface="dc0"
natd_flags=""

Ipfw show

00050    8360   3676585 divert 8668 ip from any to any via dc0
00100       0         0 allow ip from any to any via lo0
00200       0         0 deny ip from any to 127.0.0.0/8
00300       0         0 deny ip from 127.0.0.0/8 to any
65000   44744  16464427 allow ip from any to any
65535       0         0 deny ip from any to any
RE: Help with a routing issue
> Can you show us the routing on the server please rather than the client?
> What is the subnet mask of the alias 196.25.37.19? It should have a
> subnet of 255.255.255.255 as it's on the same network as 196.25.37.18.
>
> Cheers,
>
> --
> Nelis Lamprecht
> PGP: http://www.8ball.co.za/pgpkey/nelis.asc
> Unix IS user friendly.. It's just selective about who its friends are.

The below is only sections of the output. Most of the individual hosts have
been removed. Just a few examples left.

10.5/16            192.168.254.29     UGSc        0       11   fxp1
10.6/16            192.168.254.12     UGSc        0        0   fxp1
10.7/16            192.168.254.12     UGSc        0        0   fxp1
10.8/16            192.168.254.12     UGSc        0        0   fxp1
10.9/16            192.168.254.27     UGSc        0        0   fxp1
10.11/16           192.168.254.28     UGSc        0        0   fxp1
10.12/16           192.168.254.33     UGSc        0        0   fxp1
10.13/16           192.168.254.34     UGSc        0        0   fxp1
10.14/16           192.168.252.23     UGSc        0        0   fxp1
127.0.0.1          127.0.0.1          UH          0     2214    lo0
192.168.0          192.168.254.23     UGSc        0        0   fxp1
192.168.2          192.168.254.24     UGSc        0        0   fxp1
192.168.7          192.168.254.31     UGSc        0        0   fxp1
192.168.60         192.168.254.22     UGSc        0        0   fxp1
192.168.252        192.168.254.12     UGSc        8      161   fxp1
192.168.253        192.168.254.12     UGSc       13      212   fxp1
192.168.254        link#2             UC         34        0   fxp1
192.168.254.1      00:20:ed:11:00:e9  UHLW        2     1425    lo0
192.168.254.22     00:02:6f:32:27:6b  UHLW        1     1032   fxp1    116
192.168.254.23     00:50:bf:97:e4:9d  UHLW        1     2292   fxp1    777
192.168.254.24     00:50:bf:43:2c:16  UHLW        3     3476   fxp1    421
192.168.254.25     00:a0:cc:db:03:75  UHLW        1      836   fxp1   1117
192.168.254.27     00:02:6f:07:86:5b  UHLW        1      224   fxp1    878
192.168.254.28     link#2             UHLW        1        0   fxp1
192.168.254.29     00:02:6f:07:86:57  UHLW        1      139   fxp1    924
192.168.254.30     00:02:6f:07:86:6a  UHLW        0      779   fxp1    741
192.168.254.31     00:02:6f:08:9f:a6  UHLW        1      161   fxp1    936
192.168.254.32     00:02:6f:04:7a:1e  UHLW        0      165   fxp1     59
192.168.254.33     link#2             UHLW        1       92   fxp1
192.168.255        192.168.254.21     UGSc        3    37107   fxp1
196.25.37.16/29    link#1             UC          4        0   fxp0
196.25.37.17       00:e0:fc:0c:be:d9  UHLW       29      230   fxp0    790
196.25.37.18       00:20:ed:11:00:e8  UHLW        1     2127    lo0
196.25.37.19       00:20:ed:11:00:e8  UHLW        1      370    lo0 =>
196.25.37.19/32    link#1             UC          1        0   fxp0
196.25.37.20       00:0c:f1:ae:c6:99  UHLW        1    44305   fxp0    908
196.25.37.22       00:09:5b:3f:2f:63  UHLW        1    11942   fxp0    910
RE: Help with a routing issue
On Wed, 2004-05-26 at 12:28, Leon Botes wrote:
> The below is only sections of the output. Most of the individual hosts have
> been removed. Just a few examples left.
>
> [ ... ]

Can't see any peculiarities. Try adding the following route on the client
machine:

route add -host 196.25.37.18 192.168.254.1 255.255.255.255

See if that helps.

--
Nelis Lamprecht
PGP: http://www.8ball.co.za/pgpkey/nelis.asc
Unix IS user friendly.. It's just selective about who its friends are.
RE: Help with a routing issue
Set it to zero

mmrserver# sysctl net | grep direct
net.inet.ip.redirect: 0
net.inet.icmp.drop_redirect: 0
net.inet.icmp.log_redirect: 0

Results are the same.

Also tried adding a fixed route as such:

Route add -host 196.25.37.18 192.168.254.1

No luck.

-----Original Message-----
From: Nelis Lamprecht [mailto:[EMAIL PROTECTED]]
Sent: 26 May 2004 13:55
To: [EMAIL PROTECTED]
Subject: RE: Help with a routing issue

One other thing you can try. There is a sysctl variable

net.inet.ip.redirect: 1

Try turning that off by setting it to 0 on the client machine. What happens?

Nelis

On Wed, 2004-05-26 at 13:08, Leon Botes wrote:
> Tried that already - no luck.
>
> -----Original Message-----
> From: Nelis Lamprecht [mailto:[EMAIL PROTECTED]]
> Sent: 26 May 2004 13:01
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: Help with a routing issue
>
> On Wed, 2004-05-26 at 12:28, Leon Botes wrote:
> > The below is only sections of the output. Most of the individual hosts
> > have been removed. Just a few examples left.
> >
> > [ ... ]
>
> Can't see any peculiarities. Try adding the following route on the client
> machine:
>
> route add -host 196.25.37.18 192.168.254.1 255.255.255.255
>
> See if that helps.
>
> --
> Nelis Lamprecht
> PGP: http://www.8ball.co.za/pgpkey/nelis.asc
> Unix IS user friendly.. It's just selective about who its friends are.

--
Nelis Lamprecht
PGP: http://www.8ball.co.za/pgpkey/nelis.asc
Unix IS user friendly.. It's just selective about who its friends are.
Re: Help with a routing issue
On Wednesday 26 May 2004 18:25, Leon Botes wrote:
> I have a freebsd 4.7 box at a client.
> The box has an ip of 192.168.254.22
> The default gateway is 192.168.254.1 which is the inside interface of the
> gateway.
> The outside interface of the gateway is 196.25.37.18 and it also has an
> alias of 196.25.37.19.
>
> When i ping 196.25.37.18 from the client's box (192.168.254.22) i get this.
>
> mmrserver# ping 196.25.37.18
> PING 196.25.37.18 (196.25.37.18): 56 data bytes
> 36 bytes from brandford.trusc.net (192.168.254.24): Redirect Host(New addr: 192.168.254.1)

I don't know whether it has any relevance to your problem; but I find the
symbolic address 'brandford.trusc.net' is being reported on the public
network:

beta:209 host brandford.trusc.net
brandford.trusc.net has address 192.168.254.24

Which I don't believe should be the case. A misconfigured DNS?

Malcolm
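A small checker, added here as an example and not code from the thread or from FreeBSD, that parses the client's netstat -rn table, does the longest-prefix lookup for the pinged address, and flags a redirect whose sender is not the gateway the host actually uses for that destination (the situation Leon's ping output shows above). The route and ping lines embedded below are constructed from the values quoted in the thread, trimmed to the ones that matter.

```python
"""Check the ICMP redirects ping(8) reported against the client's own routes.

Constructed sample input: the routes and the ping output below are taken
from the values quoted in the thread, trimmed to the lines that matter.
"""
import ipaddress
import re

NETSTAT_RN = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.254.1      UGSc        7     1952    dc0
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.168.60         link#2             UC         11        0    rl0
192.168.60.1       00:10:dc:f5:9c:9d  UHLW        0       10    rl0    972
192.168.254        link#1             UC          2        0    dc0
192.168.254.1      00:02:6f:32:24:90  UHLW        8      268    dc0   1149
"""

PING_OUTPUT = """\
PING 196.25.37.18 (196.25.37.18): 56 data bytes
36 bytes from brandford.trusc.net (192.168.254.24): Redirect Host(New addr: 192.168.254.1)
64 bytes from 196.25.37.18: icmp_seq=0 ttl=63 time=66.616 ms
"""

# Route lines: destination, gateway column, flags (flags always start with U).
ROUTE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(U\S*)")
PING_HDR_RE = re.compile(r"^PING \S+ \((?P<dst>[\d.]+)\)")
# ping prints "from host (ip):" when DNS resolves the sender, "from ip:" otherwise.
REDIRECT_RE = re.compile(
    r"bytes from (?:\S+ \()?(?P<sender>[\d.]+)\)?: "
    r"Redirect (?:Host|Network)\(New addr: (?P<new>[\d.]+)\)"
)


def parse_destination(dest, flags):
    """Map a netstat -rn destination column to an ip_network.

    FreeBSD 4.x abbreviates networks: "192.168.60" is 192.168.60.0/24 and
    "10.5/16" is 10.5.0.0/16; host routes carry the H flag.
    """
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    net, plen = dest.split("/") if "/" in dest else (dest, None)
    octets = net.split(".")
    if plen is None:
        plen = 32 if ("H" in flags or len(octets) == 4) else 8 * len(octets)
    net = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{net}/{plen}", strict=False)


def parse_routes(text):
    """Return (network, gateway_column, flags) for every route line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, gw, flags = m.groups()
            routes.append((parse_destination(dest, flags), gw, flags))
    return routes


def next_hop(routes, dst):
    """Longest-prefix match: the gateway IP used for dst, or None if on-link."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    if best is None:
        raise LookupError(f"no route to {dst}")
    net, gw, flags = best
    return gw if "G" in flags else None


def check_redirects(routes, ping_text):
    """One finding per redirect line in the ping output.

    RFC 1122 3.2.2.2: a host should only act on a redirect sent by the
    gateway it is currently using for that destination.  A redirect from
    any other address is a misconfigured box on the LAN or an attempt to
    pull traffic off its path, and the host should drop it either way.
    """
    dst, findings = None, []
    for line in ping_text.splitlines():
        m = PING_HDR_RE.match(line)
        if m:
            dst = m.group("dst")
            continue
        m = REDIRECT_RE.search(line)
        if not m or dst is None:
            continue
        expected = next_hop(routes, dst)
        sender, new = m.group("sender"), m.group("new")
        if expected is None:
            verdict = "bogus: destination is on-link, nothing to redirect"
        elif sender == expected:
            verdict = "from current gateway: acceptable per RFC 1122"
        else:
            verdict = f"suspicious: sender is not the next hop {expected}"
        findings.append({"dst": dst, "sender": sender, "new_gw": new,
                         "expected_gw": expected, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in check_redirects(parse_routes(NETSTAT_RN), PING_OUTPUT):
        print(finding)
```

On FreeBSD the knob that makes a host ignore incoming redirects is net.inet.icmp.drop_redirect=1; net.inet.ip.redirect, which Leon set to 0, only controls whether the box sends redirects when it forwards.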
Dummynet, routing and firewalls - crazy idea
Problem:
When downloading huge files from the server we can't use the client
webbrowser.

Setup:
One firewall/DHCP/Gateway which all clients and the server route through.
The clients go via no router when connecting to the server. The server is
equipped with a double NIC, however only one is used. The firewall is a
hardware box, meaning no software can be altered.

Crazy idea:
I have an idea about routing traffic through the server and then to the
firewall. This would make it possible for the server to see that there's
traffic on port 80 which should be prioritized over traffic on port 21;
this part shouldn't be too hard I guess - lots of how-tos on the net for
this. BUT, I would like the clients to go directly to the firewall without
passing the server if they want to; this will mostly be the case when the
server is down for maintenance or similar. This must mean that the server's
NICs must both actually be on the same network. Is that possible at all,
and how do I set up such an environment?

It's 10:45pm and this idea just came out of my tired brain; if someone can
give a better solution to the problem I would be very glad.
network routing, strange issue
Hello,

I've got three FreeBSD machines, a 4.9, and two 4.7 boxes. They're on a
small local network with a hub. Each is given an IP statically via dhcp
based on their nic mac address. All machines obtain a dhcp lease; machines
a and c can ssh and ping each other and have no issues. My problem is
machine a can not ping or ssh to machine b; from machine a's point of view
it's as if machine b doesn't exist, yet machine c has no difficulties
interacting with machine b.

I hope the above made sense. Any help appreciated.

Thanks.
Dave.
Re: network routing, strange issue
Hello,

> and c can ssh and ping each other and have no issues. My problem is
> machine a can not ping or ssh to machine b; from machine a's point of view
> it's as if machine b doesn't exist, yet machine c has no difficulties
> interacting with machine b.
>
> I hope the above made sense. Any help appreciated.

You're not providing enough information - this could have tons of reasons.
For a start, it would be helpful to see the interface configuration and the
routing tables from the hosts in question. Also, did you make sure you don't
simply have packet filtering applied to one or more of the boxes which
interferes with the intended communication?

Cheers,
J.
Routing and mpd as pptp client on FreeBSD 5.2
Hi,

I have a problem using mpd as a PPTP client on FreeBSD 5.2. The connection
is successfully established but I can't do anything with it. Using tcpdump
I can see that GRE packets are sent through the rl0 interface during the
connection establishment but later they are sent over the ng0. If I connect
from a box that's behind the FreeBSD one and cut an open connection, clear
NAT state and connect from the FreeBSD box, I can see using tcpdump the
reply packets for that connection on the ng0 interface.

If I try to ping the other end - the PPTP server - I get:

PING 82.147.153.3 (82.147.153.3): 56 data bytes
ping: sendto: Resource deadlock avoided
ping: sendto: No buffer space available
ping: sendto: No buffer space available
ping: sendto: No buffer space available

rl0 is 192.168.20.30, ng0 is 192.168.120.30 - 192.168.3.37

netstat -rn

Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.3.37       UGS         0        4    ng0
192.168.3.37       192.168.120.30     UH          1        2    ng0
192.168.0/16       192.168.20.1       UGS         0    69442    rl0
192.168.16/21      link#1             UC          0        0    rl0
192.168.20.1       00:c0:26:25:a6:18  UHLW        1        0    rl0   1143
192.168.20.30      127.0.0.1          UGHS        0        0    lo0
192.168.120.30     lo0                UHS         0        0    lo0

I also have captured this using tcpdump on the ng0 interface:

23:02:57.637259 192.168.120.30 > 82.147.153.3: icmp: echo request
23:02:57.667220 192.168.20.30.49490 > 192.168.3.37.1723: P 0:16(16) ack 1 win 65535: pptp CTRL_MSGTYPE=ECHORQ ID(1) (DF)
23:03:06.946714 62.73.99.35.6667 > 192.168.120.30.33639: P 0:21(21) ack 1 win 8192 <nop,nop,timestamp 570915101 3117573> (DF) [tos 0x50]
23:03:06.957383 192.168.20.30 > 192.168.3.37: gre [KAv1] ID: A:11 [|gre]
23:03:09.227401 192.168.20.30.49490 > 192.168.3.37.1723: P 0:16(16) ack 1 win 65535: pptp CTRL_MSGTYPE=ECHORQ ID(1) (DF)
23:03:19.667567 192.168.20.30.49490 > 192.168.3.37.1723: P 0:16(16) ack 1 win 65535: pptp CTRL_MSGTYPE=ECHORQ ID(1) (DF)
23:03:38.094932 62.73.99.35.6667 > 192.168.120.30.33639: P 0:21(21) ack 1 win 8192 <nop,nop,timestamp 570918273 3117573> (DF) [tos 0x50]
23:03:38.107868 192.168.20.30 > 192.168.3.37: gre [KAv1] ID: A:12 [|gre]
tcpdump: pcap_loop: read: Device not configured
routing weirdness
hi!

i have a notebook connected to a wlan router, which is in turn connected to
my gateway to the internet:

  notebook - wlan - gw - ... internet ...

when i (192.168.1.4) am connected via cable (dc0) to the wlan router
(192.168.1.1) everything works fine. but then, when i want to switch to wlan
(ath0), i shut down the dc0 interface (ifconfig dc0 down), enable the wlan
card (ifconfig ath0 inet 192.168.1.3 ssid daemon; ifconfig ath0 up), then
i flush my routing table (route flush) and add the default gateway
(route add default 192.168.1.1). now i can ping my wlan router
(192.168.1.1) but i do not get outside anymore (192.168.0.1 for example),
because, as route get 192.168.0.1 reveals, the system still uses dc0 for
getting outside.

how can i force the system not to use the deactivated device anymore?

-josef

--
Josef El-Rayes          (__)     Email:   [EMAIL PROTECTED]
                        \\\'',)  Web:     http://daemon.li/
                          \/  \ ^ FreeBSD: [EMAIL PROTECTED]
                          .\._/_)
Routing without real Inet address?
How can i route packets from the Internet to my private network without an
exposed Internet address?

  Inet
   |
  NAT - ISP - 192.168/16 with Gateway 192.168.0.1
   |
  My FreeBSD Router on ISP Net 192.168.6.18
  My FreeBSD Router on Private Net - 10.0.0.1
   |
  My private network - 10.0.0/24

Pls reply to me privately, i am not registered on the mailing list.

Thanks in advance.
Re: Routing without real Inet address?
On Apr 2, 2004, at 6:30 AM, Ivailo Bonev wrote:
> How can i route packets from the Internet to my private network without an
> exposed Internet address?

People cannot route traffic to your network unless you've got a publicly
routable IP address available for them to talk to. Talk to your ISP, that
is who you are paying to provide you with connectivity...

--
-Chuck
Recommendation for Dual T1 Routing/Firewalling
Sorry to cross-post this question, but I wanted to make sure my thinking is
on track regarding a FreeBSD box I am going to use for routing/firewalling.

A wireless project I am working on is getting 2 T1's from Global Crossing
that I want to bring into a Sangoma dual CSU/DSU card (using their software
called WANPIPE to configure) in a FreeBSD box. I am considering using one of
my left-over VIA mini-itx machines running at 533 MHz (512MB of RAM and a
40 GB IDE drive). Basically, I want to build a dual-homed machine that
provides firewalling and NAT to the wireless network (both of the T1's are
bundled by GC, so actual throughput should be around 3Mbps). There are
segments of the network that I want to do NAT for and other segments where
I simply want the clients to have real world addressable IP's. I have built
a number of dual-homed machines before, but nothing that was critical like
the system that I am about to build. Plus, I would like to test out
bandwidth controls for some ranges of IP's.

The questions are:

a) does anyone have anything bad or good to say about Sangoma CSU/DSU cards?

b) is the processor I am using more than capable of handling the bandwidth
   I am bringing in (considering there may be upwards of 60 machines behind
   the firewall either surfing via NAT or directly via their real-world
   IP's)? The machine is a great choice from the standpoint that there is
   no cooling fan and it is extremely small, so I don't have to be so
   concerned with mechanical failure outside of the HD. I am concerned,
   however, that the processor is going to be too slow and will add too
   much latency to the network. Like I said before, I have built dual-homed
   gateways before (using nothing more than a P 150 and a P II 233) and
   didn't have any issues with those machines, but I also wasn't dealing
   with the amount of bandwidth and/or clients that I am looking at for
   this new network. So, I am concerned about reliability and latency...

Any comments or suggestions would be very much appreciated.

Thanks,
Steve Fettig
network routing and vpn connectivity
I have a strange network question. I finally found the VPN client that actually manages to open a connection to the Cisco VPN appliance my employer uses with a minimum of pain (security/vpnc). The problem I'm having is making it possible for my FreeBSD desktop at work to retain access to my FreeBSD desktop at home while the VPN connection is active; in other words, I can only get one-way access.

This is why: with the VPN connection established, the only way the home machine can connect to the work machine (via ssh, for example) is if I route the work IP through the VPN device (tun1 in my case). Problem is that when work tries to connect, home tries to route the response through the VPN.

Is it possible to set up two-way connectivity through this kind of VPN?

TIA
Lou
--
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org

Chemistry professors never die, they just fail to react.
Re: routing, 2 nics, and a default gateways
You wrote:

> I have 2 NICs. The first has about 30 IPs assigned to it and working correctly. The other was a backup NIC for the ISP backup network, but now I was asked to assign IPs and a default gateway specification to it, because we ran out of usable IPs on the 1st NIC, so we have a new netblock ready for assignment.

Hello!

It sounds strange to me that you got 30 IPs assigned to 1 NIC and you ran out of usable ones. Didn't you think about changing the size of the subnet assigned to that NIC? If you assign a subnet mask of 255.255.255.0 you'll get 254 usable IPs. Now you can forget about your 2nd NIC. All you have to do (after changing the subnet mask on the server) is to change the mask on the hosts in your network (you can leave the other settings unchanged).

Hope it will work for you.

Greetz
Grzegorz Burzyski

There are 10 kinds of people: those who understand binary and those who don't.
routing, 2 nics, and a default gateways
Hi list,

I need help on this problem: I have 2 NICs. The first has about 30 IPs assigned to it and working correctly. The other was a backup NIC for the ISP backup network, but now I was asked to assign IPs and a default gateway specification to it, because we ran out of usable IPs on the 1st NIC, so we have a new netblock ready for assignment.

The trouble is, I don't know how to do this remotely without cutting the Internet access from this server. I thought of adding the IPs to the 2nd NIC (about 60 of them), but I don't know how I can make the default route for this NIC work. As far as I know, as soon as I type

route add default gateway-of-2nd-nic

the Internet connection will be dropped. I don't know, I have never tried this kind of setup.

Any help would be appreciated!

--
http://www.6s-gaming.com - your online store!
Re: routing, 2 nics, and a default gateways
On Thu, 12 Feb 2004, SixthSense Server Admin wrote:

> Hi list,
>
> I need help on this problem: I have 2 NICs. The first has about 30 IPs assigned to it and working correctly. The other was a backup NIC for the ISP backup network, but now I was asked to assign IPs and a default gateway specification to it, because we ran out of usable IPs on the 1st NIC, so we have a new netblock ready for assignment.

Ok, you have 30 IPs assigned by your ISP on your external NIC. Gotcha. You have, let's say, one "private IP" on your internal NIC.

> The trouble is, I don't know how to do this remotely without cutting the Internet access from this server. I thought of adding the IPs to the 2nd NIC (about 60 of them), but I don't know how I can make the default route for this NIC work. As far as I know, as soon as I type
>
> route add default gateway-of-2nd-nic
>
> the Internet connection will be dropped. I don't know, I have never tried this kind of setup.
>
> Any help would be appreciated!

Are these new IPs all public IPs assigned from your ISP? Will some of these public IPs be used on machines behind the internal backup NIC? Since you have 30 IPs on one NIC you are well aware of

ifconfig fxp0 alias 192.168.1.100 netmask 255.255.255.255

type of usage... How about describing your goals better and maybe I can help.

m

> --
> http://www.6s-gaming.com - your online store!
Routing question -- Samba
I have a 4.9 box that's on a public IP and I want to configure Samba so it only accepts connections from the private network (192.168.1). My question is, can I do that with only 1 NIC card or do I have to add a second NIC for the private LAN?

---Marius
RE: Routing question -- Samba
You can do that within the smb.conf. Use SWAT, advanced options, I think just for the share...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marius Kirschner
Sent: Monday, 9 February 2004 12:40
To: [EMAIL PROTECTED]
Subject: Routing question -- Samba

I have a 4.9 box that's on a public IP and I want to configure Samba so it only accepts connections from the private network (192.168.1). My question is, can I do that with only 1 NIC card or do I have to add a second NIC for the private LAN?

---Marius
RE: Routing question -- Samba
Look in the Samba config for the following setting; it is IP based, so you should be OK with what you want.

# This option is important for security. It allows you to restrict
hosts allow = 192.168.1. 127.

HTH,
Jay

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marius Kirschner
Sent: Monday, February 09, 2004 3:40 PM
To: [EMAIL PROTECTED]
Subject: Routing question -- Samba

I have a 4.9 box that's on a public IP and I want to configure Samba so it only accepts connections from the private network (192.168.1). My question is, can I do that with only 1 NIC card or do I have to add a second NIC for the private LAN?

---Marius
Re: Routing question -- Samba
On Mon, Feb 09, 2004 at 03:40:04PM -0500, Marius Kirschner wrote:

> I have a 4.9 box that's on a public IP and I want to configure Samba so it only accepts connections from the private network (192.168.1). My question is, can I do that with only 1 NIC card or do I have to add a second NIC for the private LAN?

You can make Samba accept only on the 192.168.1.0/24 network by specifying the hosts allow directive in smb.conf. However, if you have the public IP and the private network on the same NIC, people can spoof your `private' network and get onto your box.

--
Jonathan Chen [EMAIL PROTECTED]
--
Experience is a hard teacher because she gives the test first, the lesson afterwards
Re: Routing 4 network cards
Roland Wells [EMAIL PROTECTED] writes:

> I guess this is more a question (that could be a possible solution): could you just bridge all the separate physical networks, and leave firewalling and NAT to be done by the router, or, let's say, on another FreeBSD box connected to the DSL modem?

In principle, yes. However, all of those networks are wireless, so my guess would be that they are in different places. Or there might be some gain from logical isolation. Or some combination of the two.

--
Lowell Gilbert, embedded/networking software engineer, Boston area: resume/CV at http://be-well.ilk.org:8088/~lowell/resume/ username/password public
Routing 4 network cards
[ASCII network diagram: Wireless USERS (192.168.3.2-254, antenna W at 192.168.3.1) and Wireless USERS (192.168.4.2-254, antenna W at 192.168.4.1); INTERNET (8Mbit) == A == FreeBSD1 == FreeBSD2, linked over WIRELESS; addresses shown: 192.168.0.1, 192.168.2.1, 192.168.0.138, 192.168.2.2, 192.168.1.1, 192.168.5.1, 192.168.0.150; HOME, HOME 1, HOME 2]

A = Router Alcatel DSL
W = Antenna
|-| = Wireless User (20 Wireless users)

I hope the drawing is readable!

The Facts:

OS FreeBSD 5.2 (is it stable for this problem or better to use 4.x?)
With 4 NICs inside:
RL0 = 192.168.0.1
RL1 = 192.168.1.1
RL2 = 192.168.2.1
RL4 = 192.168.3.1

I'd like to connect RL1/2/3 to RL0 (Internet). HOME1 and HOME2 are the system administrators and need to manage the whole network, including the users. Everybody needs access to the Internet.

I'd like a start on how to set up FreeBSD1. I'd like to use dummynet (compiled and works very nicely) to manage traffic, let's say:

192.168.3.1/26 100Kb/s
192.168.3.64/26 200Kb/s
192.168.3.128/26 300Kb/s
192.168.3.192/26 400Kb/s

Count every user with ipfw count:

---
#!/usr/local/bin/bash
# one "count" rule per wireless user, rule number 10<host>0
for ((a=2; a<=254; a++))
do
    IPCOUNT="10${a}0 add count tcp from 192.168.3.$a to any"
    ipfw $IPCOUNT
done
---

And now the question about FreeBSD1 (forget FreeBSD2). Give me a good hint how to set this up with ipfw and NAT. I googled a lot but there's not that much information about 3 or more NICs with FreeBSD. I think I have to use NAT, but can I use it in combination with ipfw to dummynet out/ingoing traffic over the NICs RL1/2/3? And how can HOME1 go across the whole network RL0/2/3?

Sorry for my English and I hope I give enough explanation about my plan. Thanks anyway for looking at my problem.
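As an added example (not Sjaak's script or anything else from the thread), a POSIX sh generator for the dummynet pipes and per-user count rules he asks about: one pipe per /26 of 192.168.3.0/24 with the bandwidths listed, and one count rule per host. It assumes the wireless users sit behind an interface named rl3 and prints the rules instead of loading them, so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the thread: generate ipfw/dummynet rules for FreeBSD1.
# Interface name "rl3" is an assumption (the post lists RL0..RL4 without saying
# which one faces the 192.168.3.0/24 users).

WIFI_IF=rl3          # assumed interface facing the 192.168.3.0/24 wireless users

# Dotted quad -> 32-bit integer. Runs in a subshell so the IFS change and the
# positional parameters do not leak out.
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# pipe_rules PIPE CIDR BANDWIDTH
# One dummynet pipe shared by the subnet's inbound and outbound traffic,
# matched on the interface the users sit behind. Rules are numbered 5000+PIPE
# (inbound) and 6000+PIPE (outbound): higher than the count rules, because with
# the default net.inet.ip.fw.one_pass=1 a packet leaves the ruleset at its
# pipe rule, so the counters must be hit first.
pipe_rules() {
    pipe=$1; cidr=$2; bw=$3
    echo "pipe $pipe config bw $bw"
    echo "add $((5000 + pipe)) pipe $pipe ip from $cidr to any in recv $WIFI_IF"
    echo "add $((6000 + pipe)) pipe $pipe ip from any to $cidr out xmit $WIFI_IF"
}

# count_rules CIDR
# One "count" rule per usable host address (network and broadcast skipped),
# numbered 1000 + host offset, so "ipfw show" gives per-user packet/byte counts.
count_rules() {
    cidr=$1
    net=${cidr%/*}; plen=${cidr#*/}
    base=$(ip2int "$net")
    size=$(( 1 << (32 - plen) ))
    i=1
    while [ "$i" -lt "$((size - 1))" ]; do
        echo "add $((1000 + i)) count ip from $(int2ip $((base + i))) to any"
        i=$((i + 1))
    done
}

# The four /26 pipes from the post (network addresses used for the CIDRs)
# plus a counter for every host in 192.168.3.0/24.
gen_all() {
    count_rules 192.168.3.0/24
    pipe_rules 1 192.168.3.0/26   100Kbit/s
    pipe_rules 2 192.168.3.64/26  200Kbit/s
    pipe_rules 3 192.168.3.128/26 300Kbit/s
    pipe_rules 4 192.168.3.192/26 400Kbit/s
}

gen_all
```

Redirect the output to a file and load it with `ipfw -q /path/to/file`, which reads one rule per line; the pipes and counters then apply regardless of the order the lines were written in, since ipfw evaluates rules by number.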
Re: Routing 4 network cards
Sjaak Nabuurs [EMAIL PROTECTED] writes:

> [ASCII network diagram: Wireless USERS (192.168.3.2-254, antenna W at 192.168.3.1) and Wireless USERS (192.168.4.2-254, antenna W at 192.168.4.1); INTERNET (8Mbit) == A == FreeBSD1 == FreeBSD2, linked over WIRELESS; addresses shown: 192.168.0.1, 192.168.2.1, 192.168.0.138, 192.168.2.2, 192.168.1.1, 192.168.5.1, 192.168.0.150; HOME, HOME 1, HOME 2]
>
> A = Router Alcatel DSL
> W = Antenna
> |-| = Wireless User (20 Wireless users)
>
> I hope the drawing is readable!

Superb. And it's a *big* help in this situation.

> The Facts:
>
> OS FreeBSD 5.2 (is it stable for this problem or better to use 4.x?)

Try it and see. If 5.2 installs and seems to run nicely on *your* particular hardware, it's probably good for your purposes.

> With 4 NICs inside:
> RL0 = 192.168.0.1
> RL1 = 192.168.1.1
> RL2 = 192.168.2.1
> RL4 = 192.168.3.1
>
> I'd like to connect RL1/2/3 to RL0 (Internet). HOME1 and HOME2 are the system administrators and need to manage the whole network, including the users. Everybody needs access to the Internet.
>
> I'd like a start on how to set up FreeBSD1. I'd like to use dummynet (compiled and works very nicely) to manage traffic, let's say:
>
> 192.168.3.1/26 100Kb/s
> 192.168.3.64/26 200Kb/s
> 192.168.3.128/26 300Kb/s
> 192.168.3.192/26 400Kb/s
>
> Count every user with ipfw count:
>
> ---
> #!/usr/local/bin/bash
> # one "count" rule per wireless user, rule number 10<host>0
> for ((a=2; a<=254; a++))
> do
>     IPCOUNT="10${a}0 add count tcp from 192.168.3.$a to any"
>     ipfw $IPCOUNT
> done
> ---

Okay...

> And now the question about FreeBSD1 (forget FreeBSD2). Give me a good hint how to set this up with ipfw and NAT. I googled a lot but there's not that much information about 3 or more NICs with FreeBSD.

In this case, all of the interfaces on FreeBSD1 are handled the same way as the inside interface in the typical example where the FreeBSD box is the router to the outside world.

> I think I have to use NAT, but can I use it in combination with ipfw to dummynet out/ingoing traffic over the NICs RL1/2/3?

No, in this case NAT has to be done by the Internet router, machine A. FreeBSD1 doesn't need to worry about it.

> And how can HOME1 go across the whole network RL0/2/3?

You need to give FreeBSD1 routes for the networks off the other routers. For example

route add -net 192.168.5.1/24 192.168.2.2

to access HOME 2.

> Sorry for my English and I hope I give enough explanation about my plan.

I hope you got enough explanation in return...

--
Lowell Gilbert, embedded/networking software engineer, Boston area: resume/CV at http://be-well.ilk.org:8088/~lowell/resume/ username/password public
RE: Routing 4 network cards
> Sjaak Nabuurs [EMAIL PROTECTED] writes:
>
> > [ASCII network diagram: Wireless USERS (192.168.3.2-254, antenna W at 192.168.3.1) and Wireless USERS (192.168.4.2-254, antenna W at 192.168.4.1); INTERNET (8Mbit) == A == FreeBSD1 == FreeBSD2, linked over WIRELESS; addresses shown: 192.168.0.1, 192.168.2.1, 192.168.0.138, 192.168.2.2, 192.168.1.1, 192.168.5.1, 192.168.0.150; HOME, HOME 1, HOME 2]
> >
> > A = Router Alcatel DSL
> > W = Antenna
> > |-| = Wireless User (20 Wireless users)
> >
> > I hope the drawing is readable!
>
> Superb. And it's a *big* help in this situation.
>
> > The Facts:
> >
> > OS FreeBSD 5.2 (is it stable for this problem or better to use 4.x?)
>
> Try it and see. If 5.2 installs and seems to run nicely on *your* particular hardware, it's probably good for your purposes.
>
> > With 4 NICs inside:
> > RL0 = 192.168.0.1
> > RL1 = 192.168.1.1
> > RL2 = 192.168.2.1
> > RL4 = 192.168.3.1
> >
> > I'd like to connect RL1/2/3 to RL0 (Internet). HOME1 and HOME2 are the system administrators and need to manage the whole network, including the users. Everybody needs access to the Internet.
> >
> > I'd like a start on how to set up FreeBSD1. I'd like to use dummynet (compiled and works very nicely) to manage traffic, let's say:
> >
> > 192.168.3.1/26 100Kb/s
> > 192.168.3.64/26 200Kb/s
> > 192.168.3.128/26 300Kb/s
> > 192.168.3.192/26 400Kb/s
> >
> > Count every user with ipfw count:
> >
> > ---
> > #!/usr/local/bin/bash
> > # one "count" rule per wireless user, rule number 10<host>0
> > for ((a=2; a<=254; a++))
> > do
> >     IPCOUNT="10${a}0 add count tcp from 192.168.3.$a to any"
> >     ipfw $IPCOUNT
> > done
> > ---
>
> Okay...
>
> > And now the question about FreeBSD1 (forget FreeBSD2). Give me a good hint how to set this up with ipfw and NAT. I googled a lot but there's not that much information about 3 or more NICs with FreeBSD.
>
> In this case, all of the interfaces on FreeBSD1 are handled the same way as the inside interface in the typical example where the FreeBSD box is the router to the outside world.
>
> > I think I have to use NAT, but can I use it in combination with ipfw to dummynet out/ingoing traffic over the NICs RL1/2/3?
>
> No, in this case NAT has to be done by the Internet router, machine A. FreeBSD1 doesn't need to worry about it.
>
> > And how can HOME1 go across the whole network RL0/2/3?
>
> You need to give FreeBSD1 routes for the networks off the other routers. For example
>
> route add -net 192.168.5.1/24 192.168.2.2
>
> to access HOME 2.
>
> > Sorry for my English and I hope I give enough explanation about my plan.
>
> I hope you got enough explanation in return...
>
> --
> Lowell Gilbert, embedded/networking software engineer, Boston area: resume/CV at http://be-well.ilk.org:8088/~lowell/resume/ username/password public

Lowell, Sjaak and everyone ;}...

I guess this is more a question (that could be a possible solution): could you just bridge all the separate physical networks, and leave firewalling and NAT to be done by the router, or, let's say, on another FreeBSD box connected to the DSL modem?

Roland Wells
Routing problem 2 cable modems on 1 PC
Dear all,

I have a cable modem hooked up as my default gateway and running natd for my clients on xl0. I have another modem I want to put on the same box on a different NIC, sis0. The problem is the remote gateway is the same for both IP addresses, and we get messages saying that xxx is on sis0 but got reply from xl0, xxx on xl0, etc.

Any ideas?

Thanks
Routing problem 2 cable modems on 1 PC
Dear all,

I have a cable modem hooked up as my default gateway and running natd for my clients on xl0. I have another modem I want to put on the same box on a different NIC, sis0. Problem is the remote gateway is the same for both IP addresses, due to the fact it's the same ISP. I get messages saying that xxx is on sis0 but got reply from xl0, xxx on xl0, etc.

Any ideas?

Thanks
source routing and dynamic @ip
Hi :)

Alright, so, I've been trying to build a routing setup for some weeks now, and after looking everywhere and asking for help, I still cannot find the answer. Here is what I want to do: source routing to 2 Internet connections. Basically, I want net1 to go on the Internet using gateway connection1 and net2 to go on the Internet using gateway connection2. You have to know that both Internet connections have dynamic IPs and I need NAT on both.

So far, these are my not-working config files (default gateway is ip1/connection1).

em0 = inside interface
tun0 = pppoe DSL connection1 (default route)
tun1 = pppoe DSL connection2

-- /etc/ipfw.conf
#!/bin/sh
fwcmd="/sbin/ipfw -q"
# current (dynamic) addresses of the two PPPoE links
ip1=`/sbin/ifconfig tun0 | /usr/bin/awk '/inet / { print $2 }'`
ip2=`/sbin/ifconfig tun1 | /usr/bin/awk '/inet / { print $2 }'`
lan1=192.168.0.0/24
lan2=192.168.1.0/24
${fwcmd} -f flush
${fwcmd} add 100 fwd $ip2 all from $lan2 to any out recv em0 xmit tun0
${fwcmd} add 200 divert 8669 all from $lan2 to any via tun1
${fwcmd} add 300 divert 8668 all from any to any via tun0
${fwcmd} add 400 allow all from any to any

-- /etc/natd_tun0.conf
interface tun0
port 8668
log_denied yes
log_facility security
use_sockets yes
same_ports yes
unregistered_only yes
punch_fw 1:1
dynamic yes

-- /etc/natd_tun1.conf
interface tun1
port 8669
log_denied yes
log_facility security
use_sockets yes
same_ports yes
unregistered_only yes
punch_fw 1:1
dynamic yes

I am really, really looking for help here. If you know how to make such a setup work, I would appreciate a hand.

Thanks in advance.

Regards,
Antoine
Routing Networks
Hi all,

I need some help routing or making NAT on a LAN. I have something like this:

[Network diagram: INTERNET at the top; below it a FreeBSD server (fxp0 public IP, dc0 192.168.10.1, dc1 192.168.1.1) and a LINUX server (public IP, 192.168.1.3), both on the same Switch/Hub; LAN A 192.168.10.2-254 and LAN B 192.168.1.4-100 hang off the switch]

I have a FreeBSD server running as a gateway and DHCP server; the server shares the Internet with all the computers on LAN A (192.168.10.0/24). The server has 3 network cards:

fxp0 has the public IP.
dc0 is the gateway for LAN A, 192.168.10.1.
dc1 has IP 192.168.1.1 (need help with this).

Right now I am just using fxp0 and dc0, so any computer on LAN A 192.168.10.2-254 can have Internet; my ipnat.rules file looks like this:

--
map fxp0 192.168.10.1/24 -> 0/32 portmap tcp/udp auto
map fxp0 192.168.10.1/24 -> 0/32
--

Up to that point everything just works OK.

There is another network, I will call it LAN B; this LAN does the same thing that I am doing with the FreeBSD server, but instead it uses LINUX, and the machine has 2 network cards:

eth0 has a public IP.
eth1 is the gateway for LAN B, 192.168.1.3.

Both networks are connected to the same switch/hub, but now I need the computers on LAN A to be able to see and ping computers on LAN B. If I configure the third NIC dc1 on the FreeBSD server to have an IP in the range of LAN B, for example 192.168.1.1, then I can see all the computers from both LANs; I can ping, telnet, ssh, etc. to both the 192.168.10.X and 192.168.1.X networks standing on the FreeBSD server. What I want is that a computer on LAN A with an IP in the range 192.168.10.2-254 can ping, telnet, ssh, etc. to a computer on LAN B 192.168.1.X.

How can I solve this problem? Is this a route or NAT problem? There is one more issue: I can't touch the LINUX server; I can just be a client or join the LAN by configuring a NIC with an IP in the range 192.168.1.0/24. I have been trying to fix this with static routes but I am not having luck.

Any help will be appreciated.

regards.
--
[EMAIL PROTECTED] key ID 1EF56FDC
Solution to Routing Networks
Hi all, thanks for all your answers. The solution that I found was to add these lines to my ipnat.rules:

map dc1 192.168.10.0/24 -> 0/32 portmap tcp/udp auto
map dc1 192.168.10.0/24 -> 0/32

and this to my rc.conf:

static_routes="linux"
route_linux="192.168.0.0/16 192.168.1.3"

regards.

> Hi all,
>
> I need some help routing or making NAT on a LAN. I have something like this:
>
> [Network diagram: INTERNET at the top; below it a FreeBSD server (fxp0 public IP, dc0 192.168.10.1, dc1 192.168.1.1) and a LINUX server (public IP, 192.168.1.3), both on the same Switch/Hub; LAN A 192.168.10.2-254 and LAN B 192.168.1.4-100 hang off the switch]
>
> I have a FreeBSD server running as a gateway and DHCP server; the server shares the Internet with all the computers on LAN A (192.168.10.0/24). The server has 3 network cards:
>
> fxp0 has the public IP.
> dc0 is the gateway for LAN A, 192.168.10.1.
> dc1 has IP 192.168.1.1 (need help with this).
>
> Right now I am just using fxp0 and dc0, so any computer on LAN A 192.168.10.2-254 can have Internet; my ipnat.rules file looks like this:
>
> --
> map fxp0 192.168.10.1/24 -> 0/32 portmap tcp/udp auto
> map fxp0 192.168.10.1/24 -> 0/32
> --
>
> Up to that point everything just works OK.
>
> There is another network, I will call it LAN B; this LAN does the same thing that I am doing with the FreeBSD server, but instead it uses LINUX, and the machine has 2 network cards:
>
> eth0 has a public IP.
> eth1 is the gateway for LAN B, 192.168.1.3.
>
> Both networks are connected to the same switch/hub, but now I need the computers on LAN A to be able to see and ping computers on LAN B. If I configure the third NIC dc1 on the FreeBSD server to have an IP in the range of LAN B, for example 192.168.1.1, then I can see all the computers from both LANs; I can ping, telnet, ssh, etc. to both the 192.168.10.X and 192.168.1.X networks standing on the FreeBSD server. What I want is that a computer on LAN A with an IP in the range 192.168.10.2-254 can ping, telnet, ssh, etc. to a computer on LAN B 192.168.1.X.
>
> How can I solve this problem? Is this a route or NAT problem? There is one more issue: I can't touch the LINUX server; I can just be a client or join the LAN by configuring a NIC with an IP in the range 192.168.1.0/24. I have been trying to fix this with static routes but I am not having luck.
>
> Any help will be appreciated.
>
> regards.
> --
> [EMAIL PROTECTED] key ID 1EF56FDC

--
[EMAIL PROTECTED] key ID 1EF56FDC
Re: routing to specific network
On Mon, 12 Jan 2004, David Miller wrote:

> Isn't this equivalent to selecting the outbound route? You want to select 10.a.b.c if you want the connection routed out ISP 1 and 192.168.x.y otherwise.

Yes it is.

> There are bizarre cases where it might make sense to try and load balance two broadband connections, but they're really special cases and don't have general purpose solutions :(

And what I want to try doing is a bizarre case: load balancing without handling BGP. Off the cuff, perhaps a hook or a netgraph node which round-robins my source IP address over the two interfaces. Of course, once a flow goes over one particular interface, it'd always use that interface till that connection is torn down. In cases where HTTP/1.1 is used without keep-alives, for example, each IMG could be pulled over a different interface, in effect multiplexing both connections. Perhaps I'll go read up on netgraph implementations and try something here.

Regards,                        /\_/\   "All dogs go to heaven."
[EMAIL PROTECTED]               (0 0)   http://www.alphaque.com/
+==oOO--(_)--OOo==+
| for a in past present future; do
|   for b in clients employers associates relatives neighbours pets; do
|     echo "The opinions here in no way reflect the opinions of my $a $b."
|   done; done
+=+
Re: routing to specific network
On Sun, 11 Jan 2004, David Miller wrote:

> So you want packets for 60.6.* to go out through ISP2?

It is amazing how something which completely stumps you at 4am suddenly becomes so clear after some sleep and coffee at 11am. I added a route for 60.6/16, but was trying to traceroute 61.6/16. The mistake kept perpetuating because I kept using the shell's history to run the traceroute, and the mind could not tell the difference between the 0 and the 1. My bad, and much apologies. All works fine now.

> Zebra implements a number of routing protocols, including BGP. With BGP you can pick the best route *out* for your packet, but everyone else's BGP sessions will decide the best route *in* for you.

In other words, to me, if I can pick the source IP address of my _outgoing_ packet, i.e. on which interface the connection is made, I'd be a happy camper. Since I have two interfaces with two IP addies, the first HTTP connection can have a 192.168.0/24 IP address, with the flow being carried on fxp0. The second HTTP connection can have a 10.1/16 address with the flow being carried on aue0. That would actually solve the problem, without having to set up multiple static routes. Would this be possible?

Thanks a bunch, David.

Regards,                        /\_/\   "All dogs go to heaven."
[EMAIL PROTECTED]               (0 0)   http://www.alphaque.com/
+==oOO--(_)--OOo==+
| for a in past present future; do
|   for b in clients employers associates relatives neighbours pets; do
|     echo "The opinions here in no way reflect the opinions of my $a $b."
|   done; done
+=+
Re: routing to specific network
On Mon, 12 Jan 2004, Dinesh Nair wrote:

> On Sun, 11 Jan 2004, David Miller wrote:
>
> > So you want packets for 60.6.* to go out through ISP2?
>
> It is amazing how something which completely stumps you at 4am suddenly becomes so clear after some sleep and coffee at 11am. I added a route for 60.6/16, but was trying to traceroute 61.6/16. The mistake kept perpetuating because I kept using the shell's history to run the traceroute, and the mind could not tell the difference between the 0 and the 1. My bad, and much apologies. All works fine now.

Oops. Now if I had a dollar for every time *I'd* done something like that...

> > Zebra implements a number of routing protocols, including BGP. With BGP you can pick the best route *out* for your packet, but everyone else's BGP sessions will decide the best route *in* for you.
>
> In other words, to me, if I can pick the source IP address of my _outgoing_ packet, i.e. on which interface the connection is made, I'd be a happy camper.

Isn't this equivalent to selecting the outbound route? You want to select 10.a.b.c if you want the connection routed out ISP 1 and 192.168.x.y otherwise.

> Since I have two interfaces with two IP addies, the first HTTP connection can have a 192.168.0/24 IP address, with the flow being carried on fxp0. The second HTTP connection can have a 10.1/16 address with the flow being carried on aue0. That would actually solve the problem, without having to set up multiple static routes. Would this be possible?

I don't think that's really going to help much. You still have to have some basis for knowing which network you want to handle which connections. Unless you're doing heavy duty uploading somewhere you're very likely to be limited by your inbound bandwidth, so it doesn't really matter which interface you're going out anyway.

FreeBSD should pick the closest IP address for any outgoing connections anyway. Say you had two real addresses so we can forget about NAT, 12.1.2.3 and 24.2.3.4. Say you routed 60.1/16 out the upstream for 24.2.3.4. Say you pinged 60.1.2.3. It would already see a source address on the ping packets of 24.2.3.4, not 12.1.2.3. You don't have to do anything special for that to happen; your application would have to bind to 12.1.2.3 exclusively in order for it to be the source address.

There are bizarre cases where it might make sense to try and load balance two broadband connections, but they're really special cases and don't have general purpose solutions :(

--- David
routing to specific network
hey,

i'm on a multihomed FreeBSD 4.9-RELEASE, cvsupped and built to -STABLE as
of two weeks ago. the two NICs on the box each go to different ADSL
providers. right now, i can switch which provider i use by just manually
changing the default route. however, what i'd like to do is to have the
default route set to one provider, but manually add static routes to
networks closer to the second provider going out that way.

EXAMPLE OUTPUT OF NETSTAT -RN:

  Destination        Gateway            Flags    Refs    Use  Netif Expire
  default            192.168.0.1        UGSc       13   2878  fxp0
  10.1/16            link#9             UC          2      0  aue0
  10.1.105.5         00:e0:7d:03:a2:08  UHLW        0    363  aue0    815
  10.1.105.26        00:08:54:d0:5d:2e  UHLW        1      0  lo0
  60.6/16            10.1.1.1           UGSc        0      0  aue0
  127.0.0.1          127.0.0.1          UH          0  12407  lo0
  192.168.0          link#2             UC          1      0  fxp0
  192.168.0.1        00:30:ab:10:6c:0d  UHLW       13    215  fxp0    913

(192.168.0.1 is ISP1's router and 10.1.1.1 is ISP2's router)

i've successfully managed to add routes for /16 networks, and 'netstat -rn'
as well as 'route -n get' both give the expected results. however,
tracerouting to an ip address in one of these static routes still shows
that it is going out thru the default route instead of the second
provider. running a packet sniffer and attempting a http connection
confirmed this. in this case, any packet going to 60.6.1.1

what exactly should i be doing to get the behaviour i desire ?

a secondary question is, with the /usr/ports/net/zebra package, can i
configure this box to load balance flows over both ADSL connections,
assuming i do not have an AS number (for BGP) handy ? i.e. the question
is, assuming i make a tcp connection out using a browser (for argument's
sake, mozilla), can mozilla send the packet out dynamically on the first
NIC (with its IP address as source) and then round robin the next TCP
connection off the second NIC (with the second IP address as source) ?
would i need the recent multipath patches (though its for 4.8-STABLE) to
do this ?

Regards,
http://www.alphaque.com/
Re: routing to specific network
On Mon, 12 Jan 2004, Dinesh Nair wrote:

> hey,
>
> i'm on a multihomed FreeBSD 4.9-RELEASE, cvsupped and built to -STABLE
> as of two weeks ago. the two NICs on the box each go to different ADSL
> providers. right now, i can switch which provider i use by just manually
> changing the default route. however, what i'd like to do is to have the
> default route set to one provider, but manually add static routes to
> networks closer to the second provider going out that way.
>
> EXAMPLE OUTPUT OF NETSTAT -RN:
>
>   Destination        Gateway            Flags    Refs    Use  Netif Expire
>   default            192.168.0.1        UGSc       13   2878  fxp0
>   10.1/16            link#9             UC          2      0  aue0
>   10.1.105.5         00:e0:7d:03:a2:08  UHLW        0    363  aue0    815
>   10.1.105.26        00:08:54:d0:5d:2e  UHLW        1      0  lo0
>   60.6/16            10.1.1.1           UGSc        0      0  aue0
>   127.0.0.1          127.0.0.1          UH          0  12407  lo0
>   192.168.0          link#2             UC          1      0  fxp0
>   192.168.0.1        00:30:ab:10:6c:0d  UHLW       13    215  fxp0    913
>
> (192.168.0.1 is ISP1's router and 10.1.1.1 is ISP2's router)

So you want packets for 60.6.* to go out through ISP2?

> i've successfully managed to add routes for /16 networks, and 'netstat
> -rn' as well as 'route -n get' both give the expected results. however,
> tracerouting to an ip address in one of these static routes still shows
> that it is going out thru the default route instead of the second
> provider. running a packet sniffer and attempting a http connection
> confirmed this. in this case, any packet going to 60.6.1.1
>
> what exactly should i be doing to get the behaviour i desire ?

By the sounds of it, exactly what you are doing. Can you show us a
traceroute that isn't working normally? Are you running any routing
protocols, like routed?

> a secondary question is, with the /usr/ports/net/zebra package, can i
> configure this box to load balance flows over both ADSL connections,
> assuming i do not have an AS number (for BGP) handy ? i.e. the question
> is, assuming i make a tcp connection out using a browser (for argument's
> sake, mozilla), can mozilla send the packet out dynamically on the first
> NIC (with its IP address as source) and then round robin the next TCP
> connection off the second NIC (with the second IP address as source) ?
> would i need the recent multipath patches (though its for 4.8-STABLE) to
> do this ?

Zebra implements a number of routing protocols, including bgp. With BGP
you can pick the best route *out* for your packet, but everyone else's BGP
sessions will decide the best route *in* for you. In other words, you
can't really shape the incoming traffic very much.

In order to set up BGP you'll need to get both your upstreams to set up
BGP sessions with you, which is very unlikely to happen. It's also
unlikely to really buy you any performance advantage after you subtract
the bandwidth that the routing protocol takes. Lastly, you don't have any
routes to advertise that will help. I assume, at least, that you just
have a /32 for each connection, in which case you'd be trying to advertise
a /32 to the entire Internet. That's not going to happen:)

Hope this helps,

--- David
routing question
Hello everybody :)

I have a routing question and was wondering if FreeBSD was able to do
this. I have 2 ISPs (so 2 connections). Can I use only one FreeBSD box as
a gateway to:

- route LAN -- INTERNET (using connection 1)
- route DMZ -- INTERNET (using connection 2)
- route LAN -- DMZ (simple routing through the gateway)

The gateway would have either one of the 2 connections as default gateway.
I do not need any kind of load-balance nor failover for now, just routing.

Thanks in advance.

Regards,
Antoine
mpd PPTP to Cisco 3000 VPN Concentrator routing problem
Hi.

I've gone over list archives and seen this issue discussed before, but the
suggested solutions aren't working for me.

I am using mpd-3.15_1 on FreeBSD 4.9-STABLE to connect to a Cisco 3000
Series VPN Concentrator. I have negotiated CHAP and MPPE and the ng0
interface comes up, but when I try to do anything I get this:

  $ ping 10.10.58.7
  PING 10.10.58.7 (10.10.58.7): 56 data bytes
  ping: sendto: Resource deadlock avoided
  ping: sendto: No buffer space available

A little investigation showed that this is a known routing issue and that
it is possible to work around by re-addressing the ng0 interface with the
VPN concentrator's private IP and set a default route to it. I did this,
but I still have the same problem. :(

Does anyone see what I am doing wrong here? Below are my routing table and
ifconfig before running mpd, after running mpd, and after running the fix.
Below that is my mpd.conf and its output (verbose).

I appreciate any help on this, I've been going crazy trying to figure out
what I'm doing wrong. I can get it to work using the OSX PPTP client, but
not mpd.

- Chris

VPN External IP: C.O.R.P
VPN Internal IP: 10.10.58.7

*** before running mpd

  Destination        Gateway            Flags    Refs    Use  Netif Expire
  default            192.168.131.254    UGS         0      0  de0
  127.0.0.1          127.0.0.1          UH          0      0  lo0
  192.168.131        link#1             UC          0      0  de0
  192.168.131.254    00:00:0f:00:00:00  UHLW        1      0  de0      36

*** after running mpd

  ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1494
          inet 10.10.58.156 --> C.O.R.P netmask 0x
          inet6 fe80::203::fe73:504c%ng0 prefixlen 64 scopeid 0x3

  Destination        Gateway            Flags    Refs    Use  Netif Expire
  default            192.168.131.254    UGS         0     30  de0
  10.10.58.156       lo0                UHS         0      0  lo0
  127.0.0.1          127.0.0.1          UH          0      0  lo0
  192.168.131        link#1             UC          0      0  de0
  192.168.131.254    00:00:0f:00:00:00  UHLW        1      0  de0       4
  C.O.R.P            10.10.58.156       UH          0      0  ng0

*** run fix from iface up-script

  ifconfig ng0 inet 10.10.58.156 10.10.58.7 netmask 0x
  route delete default
  route add default -interface ng0

*** after running fix

  ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1494
          inet6 fe80::203::fe73:504c%ng0 prefixlen 64 scopeid 0x3
          inet 10.10.58.156 --> 10.10.58.7 netmask 0x

  Destination        Gateway            Flags    Refs    Use  Netif Expire
  default            ng0                US          0      0  ng0
  10.10.58.7         10.10.58.156       UH          0      0  ng0
  10.10.58.156       lo0                UHS         0      0  lo0
  127.0.0.1          127.0.0.1          UH          0      0  lo0
  192.168.131        link#1             UC          0      0  de0
  192.168.131.254    00:00:0f:00:00:00  UHLW        0      0  de0

*** mpd.conf

  ciscovpn:
          new -i ng0 ciscovpn work
          set bundle authname user
          set bundle password password
          set ipcp ranges 10.10.58.0/23 C.O.R.P/32
          set link max-redial -1
          set link keep-alive 0 0
          set link disable acfcomp protocomp
          set bundle no crypt-reqd
          set bundle enable compression encryption
          set ccp yes mppc
          set ccp yes mpp-e128
          set ccp no mpp-e40
          set ccp yes mpp-stateless
          set link disable pap chap
          set link no chap-md5
          set link no chap-msv2
          set link no pap
          set link accept chap-msv1
          set iface idle 0
          set ipcp disable vjcomp
          set ipcp enable req-pri-dns req-sec-dns
          set iface up-script /usr/local/etc/mpd/ciscovpn-iface-up.sh
          open

*** mpd.links

  work:
          set link type pptp
          set pptp peer C.O.R.P
          set pptp enable originate outcall

*** mpd output

  # mpd
  Multi-link PPP for FreeBSD, by Archie L. Cobbs.
  Based on iij-ppp, by Toshiharu OHNO.
  mpd: pid 1033, version 3.15 ([EMAIL PROTECTED] 00:39 7-Jan-2004)
  [ciscovpn] ppp node is mpd1033-ciscovpn
  [ciscovpn] using interface ng0
  [ciscovpn] IFACE: Open event
  [ciscovpn] IPCP: Open event
  [ciscovpn] IPCP: state change Initial --> Starting
  [ciscovpn] IPCP: LayerStart
  [ciscovpn:work]
  [ciscovpn] bundle: OPEN event in state CLOSED
  [ciscovpn] opening link work...
  [work] link: OPEN event
  [work] LCP: Open event
  [work] LCP: state change Initial --> Starting
  [work] LCP: LayerStart
  [work] device: OPEN event in state DOWN
  pptp0: connecting to C.O.R.P:1723
  [work] device is now in state OPENING
  pptp0: connected to C.O.R.P:1723
  pptp0: attached to connection with C.O.R.P:1723
  pptp0-0: outgoing call connected at 1000 bps
  [work] PPTP call successful
  [work] device: UP event in state OPENING
  [work] device is now
Re: mpd PPTP to Cisco 3000 VPN Concentrator routing problem
On Thu, 2004-01-08 at 02:49, Chris Jones wrote:
> Hi.
>
> I've gone over list archives and seen this issue discussed before, but
> the suggested solutions aren't working for me.
>
> I am using mpd-3.15_1 on FreeBSD 4.9-STABLE to connect to a Cisco 3000
> Series VPN Concentrator. I have negotiated CHAP and MPPE and the ng0
> interface comes up, but when I try to do anything I get this:
>
>   $ ping 10.10.58.7
>   PING 10.10.58.7 (10.10.58.7): 56 data bytes
>   ping: sendto: Resource deadlock avoided
>   ping: sendto: No buffer space available
>
> A little investigation showed that this is a known routing issue and
> that it is possible to work around by re-addressing the ng0 interface
> with the VPN concentrator's private IP and set a default route to it. I
> did this, but I still have the same problem. :(
>
> Does anyone see what I am doing wrong here? Below are my routing table
> and ifconfig before running mpd, after running mpd, and after running
> the fix. Below that is my mpd.conf and its output (verbose).
>
> I appreciate any help on this, I've been going crazy trying to figure
> out what I'm doing wrong. I can get it to work using the OSX PPTP
> client, but not mpd.

Good luck. I have tried to get this working, but have never been able to
get mpd encryption to work with the Concentrator's encryption (neither has
anyone else to my knowledge). If you disable encryption on the
concentrator, the tunnel will come up, and you will be able to pass
traffic across it. Any other combination does not work. I haven't tried
3.16 yet, but looking at the ChangeLog, I doubt it addresses this problem.

Joe

-- 
PGP Key : http://www.marcuscom.com/pgp.asc
Re: mpd PPTP to Cisco 3000 VPN Concentrator routing problem
Oh. :(

I thought it negotiated the encryption ok because I see this:

  [ciscovpn] CCP: LayerUp
  Compress using: MPPE, 128 bit, stateless
  Decompress using: MPPE, 128 bit, stateless

And capturing on the interface, I see echo req's coming in from the
concentrator, but I encounter a routing loop when I try to send across
the tunnel.

Disabling encryption isn't an option, even for testing, I'm afraid.

Original message from Joe Marcus Clarke:
> [...]

-- 
Chris
Re: mpd PPTP to Cisco 3000 VPN Concentrator routing problem
On Thu, 2004-01-08 at 03:34, Chris Jones wrote:
> Oh. :(
>
> I thought it negotiated the encryption ok because I see this:
>
>   [ciscovpn] CCP: LayerUp
>   Compress using: MPPE, 128 bit, stateless
>   Decompress using: MPPE, 128 bit, stateless

This is fine. I get this, too. However, when trying to send data, I get
decryption errors (the concentrator reports invalid packets).

> And capturing on the interface, I see echo req's coming in from the
> concentrator, but I encounter a routing loop when I try to send across
> the tunnel.

I was able to get past the routing loop by readdressing the interface as
soon as it came up. This is a good starter howto on that procedure:

http://www.cs.rpi.edu/~flemej/fbsd-cisco-vpn/fbsd-cisco-vpn.pdf

> Disabling encryption isn't an option, even for testing, I'm afraid.

Then you're probably not going to have any luck getting this to work. You
might also consider trying out security/vpnc if the concentrator also
allows for IPSec clients using the Cisco VPN client.

Joe

-- 
PGP Key : http://www.marcuscom.com/pgp.asc
Re: mpd PPTP to Cisco 3000 VPN Concentrator routing problem
On Thu, 8 Jan 2004, Joe Marcus Clarke wrote:

> Good luck. I have tried to get this working, but have never been able to
> get mpd encryption to work with the Concentrator's encryption (neither
> has anyone else to my knowledge). If you disable encryption on the
> concentrator, the tunnel will come up, and you will be able to pass
> traffic across it. Any other combination does not work. I haven't tried
> 3.16 yet, but looking at the ChangeLog, I doubt it addresses this
> problem.

This is a known issue. I've been in touch with Archie, I sent him some
tcpdump traces, logs and the same stuff from a linux client which works
OK. The bad news is Archie is horribly busy at this time and won't be able
to look at it for some time.

Fer
hard time with routing
Well, I have this problem again, I hope I get help at this time, not big
problem, it's just something I'm missing here.

interface to net: ep0
interface to lan: xl0

ep0 has 2001:a68:2:10::2/64 with default gw 2001:a68:2:10:: and she works
fine. xl0 should have 2001:a68:2:10:dead::/96

  ifconfig ep0 inet6 2001:a68:2:10::2/64
  route add -inet6 default 2001:a68:2:10::

fine. ipv6 works now, then:

  ifconfig xl0 inet6 2001:a68:2:10:dead::/96

and situation is like this (ping -S 2001:a68:2:10:dead::) :

  --- 2001:a68:2:10::2 ping6 statistics ---
  3 packets transmitted, 3 packets received, 0% packet loss
  round-trip min/avg/max/std-dev = 0.317/0.367/0.462/0.067 ms

  --- 2001:a68:2:10:: ping6 statistics ---
  2 packets transmitted, 0 packets received, 100% packet loss

lan interface can ping to internet interface but no gw? ip and ip6 forward
bits are 1. How should I route that 96-block so it would work?

Greets
Markus Kovero
fun routing problem
Well, I got this fun routing problem again; so here it goes.

I have a router, which gets native ipv6 on xl0 with block
2001:a6x:2:1x::/64 and she has also lan-interface. My idea was to route
2001:a6x:2:1x:dead::/96 to lan interface so i thought doing as follows;
added 2001:a6x:2:1x::3/64 to lan-interface, then routed
2001:a6x:2:1x:dead::/96 to it. Now the fun comes in, xl0 pings net fine,
lan interface pings xl0 fine, but lan interface won't ping net. tcpdump
says like this:

  13:13:32.755545 2001:a6x:2:1x::1337 > 2001:a6x:2:1x::: icmp6: echo request
  13:13:32.764543 2001:a6x:2:1x:220:48ff:fe5b:2d15 > ff02::1:ff00:1337: icmp6: neighbor sol: who has 2001:a6x:2:1x::1337

no answer. so gw-router is like hmm. who the fck has this address. then
asks it with multicast or similar thing (ff02-thing) but won't get reply?
Why won't lan-if get that multicast-whateveritis request while it is on
same net but different interface? all forwarding sysctls are 1. no
firewalls harassing or anything.

Greets
Markus Kovero
Re: Routing to External IPs from Internal IPs
On Mon, Dec 22, 2003 at 06:07:24PM -0800, Jason C. Wells wrote:
> I would like to be able to set the DNS settings for my internal network
> to 209.20.215.30 and 209.20.215.31. The internal network is addressed as
> 192.168.1/24. How can I route from the internal addresses, through the
> internal interface of the firewall, to the external interface of the
> firewall, back through the port address translation to my internal
> nameservers?

You can do static NAT -- use the 'redirect_address' option for natd(8).
This will let you map an Internet address on your external network
through to an internal machine: eg.

  natd -redirect_address 192.168.1.1 209.20.215.31

This will allow external machines to access a server on your internal
network. Your internal machines should be set up so that they use just
the internal addresses -- you can't route the packets from internal
machines through natd on the external interface as you describe. It's
just the way that natd works, I'm afraid.

> If this question is too arcane, please refer me to the correct
> documentation. I don't even know where to start. Routing has always just
> magically worked on FreeBSD. I would think it would be possible to add
> some sort of manual route to the routing tables, but what do I know.
>
> The idea is to allow roamers to roam and never have to change any of
> their configuration settings, namely their DNS settings.

This does depend somewhat on how you set up the roaming access to your
network. If you create a VPN tunnel into your private network, then the
roaming users will see your internal servers just fine: no renumbering
necessary. However you will have to solve the initial problem of making
the network connections required to set up the VPN.

> Split DNS obviously can handle all other settings such as mail, time,
> web and so forth. Handling the DNS settings themselves, which are by IP
> address, proves more difficult.

Ah -- this is what DHCP is for. You can run DHCP on your internal network
to configure machines there, and also have a default lease which
dhclient(8) will fall back to when it can't find a DHCP server -- as the
man page says:

    A mobile host which may sometimes need to access a network on which no
    DHCP server exists may be preloaded with a lease for a fixed address on
    that network. When all attempts to contact a DHCP server have failed,
    dhclient will try to validate the static lease, and if it succeeds,
    will use that lease until it is restarted.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
Routing to External IPs from Internal IPs
I would like to be able to set the DNS settings for my internal network to
209.20.215.30 and 209.20.215.31. The internal network is addressed as
192.168.1/24. How can I route from the internal addresses, through the
internal interface of the firewall, to the external interface of the
firewall, back through the port address translation to my internal
nameservers?

If this question is too arcane, please refer me to the correct
documentation. I don't even know where to start. Routing has always just
magically worked on FreeBSD. I would think it would be possible to add
some sort of manual route to the routing tables, but what do I know.

The idea is to allow roamers to roam and never have to change any of their
configuration settings, namely their DNS settings. Split DNS obviously can
handle all other settings such as mail, time, web and so forth. Handling
the DNS settings themselves, which are by IP address, proves more
difficult.

Thanks,
Jason C. Wells
Re: Routing to External IPs from Internal IPs
On Mon, Dec 22, 2003 at 06:07:24PM -0800, Jason C. Wells wrote:
> I would like to be able to set the DNS settings for my internal network
> to 209.20.215.30 and 209.20.215.31. The internal network is addressed as
> 192.168.1/24. How can I route from the internal addresses, through the
> internal interface of the firewall, to the external interface of the
> firewall, back through the port address translation to my internal
> nameservers?
>
> If this question is too arcane, please refer me to the correct
> documentation. I don't even know where to start. Routing has always just
> magically worked on FreeBSD. I would think it would be possible to add
> some sort of manual route to the routing tables, but what do I know.
>
> The idea is to allow roamers to roam and never have to change any of
> their configuration settings, namely their DNS settings. Split DNS
> obviously can handle all other settings such as mail, time, web and so
> forth. Handling the DNS settings themselves, which are by IP address,
> proves more difficult.
>
> Thanks,
> Jason C. Wells

I'm not entirely sure I understand exactly what you are asking, but in
answer to one of your questions, yes, you can add manual routes to the
routing tables with the route command. Whether this is what you want to do
or not is another issue altogether. You may wish to set up a /30 subnet if
you have a block of IPs to work with and then use nat to push them through
your router.

As far as roamers needing to change their DNS settings, I roam all over
the place and use the same DNS servers all the time. Perhaps all you need
is someone to run slave DNS servers for you...you could easily forward
port 53 tcp/udp through nat to your internal nameservers.

HTH,
Josh Paetzel
Routing problem
Hello,

Running 4.9-stable. Here is a brief overview of the network I'm setting up.

  ***Internet***
        |
  DSL modem (192.168.1.1, netmask 255.255.255.252, assigned by ISP)
        |
  FreeBSD gateway external (192.168.1.2, netmask 255.255.255.252, assigned by ISP)
        |
  FreeBSD gateway internal (10.0.0.1, netmask 255.255.255.0)
        |
  LAN (clients, 10.0.0.x, netmask 255.255.255.0)

LAN clients can access both gateway interfaces by hostname and IP. Clients
are setup to use 192.168.1.2 for DNS, and 192.168.1.2 uses 192.168.1.1
for DNS. I cannot get any traffic to reach (let alone pass) the DSL modem
from the clients. I have tried this with the FreeBSD gateway, a Win2k
gateway, and Linksys router. Under any setup, the result is the same. My
ISP's support desk has been absolutely no help. Can anyone tell what the
problem may be here?

Thanks in advance for any help.

-- 
Best Regards,
Joshua Lokken
Re: Routing problem
> LAN clients can access both gateway interfaces by hostname and IP.
> Clients are setup to use 192.168.1.2 for DNS, and 192.168.1.2 uses
> 192.168.1.1 for DNS. I cannot get any traffic to reach (let alone pass)
> the DSL modem from the clients. I have tried this with the FreeBSD
> gateway, a Win2k gateway, and Linksys router. Under any setup, the
> result is the same. My ISP's support desk has been absolutely no help.
> Can anyone tell what the problem may be here?
>
> Thanks in advance for any help.

If your ISP is anything like this one, your modem will have NAT
translation built in, meaning that is likely your default gateway.

On your FBSD router, you never implied that it could/couldn't see the
Internet. I take it that if you put a PC into the modem and set its
default gateway to 1.1 (the modem probably assigns this via DHCP anyway),
then you can get online.

If this is the case, then the secondary router is no use unless used as a
firewall. In that case, you wouldn't need to route, and you could just set
it up as an IP-less bridge firewall.

Regards,

Steve

-- 
Steve Bertrand
President/CTO, Northumberland Network Services
t: 905.352.2688
w: www.northnetworks.ca
Re: Routing problem
This setup appears a little confusing. Does your ISP give you a static or
dynamic IP address to the internet? It would also help to see the
interface configuration info in your rc.conf file. generally speaking,
your external interface should have the ip address assigned by your isp,
not a private network address like you describe. You should also have a
valid address to a dns server, rather than being referred to your dsl
modem's private ip address.

  # my rc.conf (cable modem, with ip dynamically assigned - I'm using
  # 192.168.1.0 as my private network range)
  gateway_enable="YES"
  defaultrouter="192.168.1.1"
  network_interfaces="fxp0 dc0 lo0"
  hostname="vesta.bitheaven.net"
  ifconfig_fxp0="DHCP"
  ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"

If this doesn't help, send more info

On Dec 8, 2003, at 12:22 PM, joshua lokken wrote:
> [...]
Re: Routing problem
You're right, I didn't explain thoroughly. The FreeBSD gateway can reach the internet. The cable modem and gateway addresses are assigned by the ISP. My rc.conf: ifconfig_rl0=DHCP ifconfig_de0=inet 10.0.0.1 netmask 255.255.255.0 gateway_enable=YES ... Thank you. -- Best Regards, Joshua Lokken From: Clayton F [EMAIL PROTECTED] To: joshua lokken [EMAIL PROTECTED] CC: [EMAIL PROTECTED] Subject: Re: Routing problem Date: Mon, 8 Dec 2003 12:52:47 -0800 This setup appears a little confusing. Does your ISP give you a static or dynamic IP address to the internet? It would also help to see the interface configuration info in your rc.conf file. generally speaking, your external interface should have the ip address assigned by your isp, not a private network address like you describe. You should also have a valid address to a dns server, rather than being referred to your dsl modem's private ip address. #my rc.conf (cable modem, with ip dynamically assigned - I'm using 192.168.1.0 as my private network range) gateway_enable=YES defaultrouter=192.168.1.1 network_interfaces=fxp0 dc0 lo0 hostname=vesta.bitheaven.net ifconfig_fxp0=DHCP ifconfig_dc0=inet 192.168.1.1 netmask 255.255.255.0 If this doesn't help, send more info On Dec 8, 2003, at 12:22 PM, joshua lokken wrote: Hello, Running 4.9-stable. Here is a brief overview of the network I'm setting up. ***Internet*** | DSL modem (192.168.1.1, netmask 255.255.255.252, assigned by ISP) | FreeBSD gateway external (192.168.1.2, netmask 255.255.255.252, assigned by ISP) | FreeBSD gateway internal (10.0.0.1, netmask 255.255.255.0) | LAN (clients, 10.0.0.x, netmask 255.255.255.0) LAN clients can access boh gateway interfaces by hostname and IP. Clients are setup to use 192.168.1.2 for DNS, and 192.168.1.2 uses 192.168.1.1 for DNS. I cannot get any traffic to reach (let alone pass) the DSL modem from the clients. I have tried this with the FreeBSD gateway, a Win2k gateway, and Linksys router. Under any setup, the result is the same. 
My ISP's support desk has been absolutely no help. Can anyone tell what the problem may be here? Thanks in advance for any help.

--
Best Regards,
Joshua Lokken
Re: Routing problem
From which interface? Try these:

    ping google.com                (that will ping using the external interface)
    ping -S 10.0.0.1 google.com    (that will ping using the internal interface)

If one works, but not the other, post your firewall rules and natd command line.

Hello,

The FreeBSD machine is simply passing traffic for the time being, no ipfw, no NAT. I know the name, but not much more about the DSL modem I was given. It's an ARESCOM800, and the service is **wince** MSN DSL. The modem has a very simple HTML display that gives me the very basics: modem IP (192.168.1.1), netmask (255.255.255.252) and external IP.

rl0 is the modem-facing interface (external) on a FreeBSD 4.9 gateway. de0 is the LAN-facing (internal) interface on the same machine. /etc/rc.conf says:

    ifconfig_rl0="DHCP"
    ifconfig_de0="inet 10.0.0.1 netmask 255.255.255.0"
    gateway_enable="YES"
    defaultrouter="192.168.1.1"

I can reach the outside world from both interfaces on the gateway. rl0 is configured thusly (automatically via DHCP): inet 192.168.1.2 netmask 255.255.255.252, with a default gateway of 192.168.1.1.

Clients are configured as follows: inet 10.0.0.x netmask 255.255.255.0, defaultrouter 10.0.0.1.

From a client machine on the 10.0.0.0 network, I can ping both de0 and rl0 on the gateway, but I cannot get any traffic past rl0 to the cable modem from the LAN client. That is where my minimal understanding of routing ends. I do not know why I cannot pass traffic to the modem and out. I hope this makes my problem clearer; thanks for the help.

After following up on the above reply, I find that I cannot ping out from the LAN interface (de0, 10.0.0.1). Hmmm, and again, no ipfw or NAT on the FreeBSD firewall.

Joshua
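An added example, not part of the thread: a small Python model of the three routing tables in the diagram above (client, FreeBSD gateway, DSL modem), traced for an echo request and its reply. The client's and gateway's tables follow the posted rc.conf; the modem's table, the client address 10.0.0.10 and the natd-style source NAT are assumptions.

```python
import ipaddress

# Constructed routing tables for the three hops in the diagram. The modem's
# table is an assumption: it knows its own /30 and sends everything else to
# the ISP, which will not carry a reply to a private 10.x address back to us.
TABLES = {
    "client":  [("10.0.0.0/24", "direct"), ("0.0.0.0/0", "10.0.0.1")],
    "gateway": [("10.0.0.0/24", "direct"), ("192.168.1.0/30", "direct"),
                ("0.0.0.0/0", "192.168.1.1")],
    "modem":   [("192.168.1.0/30", "direct"), ("0.0.0.0/0", "isp")],
}
# Which node owns which address (10.0.0.10 is a constructed LAN client).
OWNER = {"10.0.0.10": "client", "10.0.0.1": "gateway",
         "192.168.1.2": "gateway", "192.168.1.1": "modem"}
NAT_INSIDE, NAT_OUTSIDE = ipaddress.ip_network("10.0.0.0/24"), "192.168.1.2"


def lookup(table, dst):
    """Longest-prefix match over one table; returns the next hop or None."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def forward(node, dst):
    """Follow one packet hop by hop; returns (outcome, nodes visited)."""
    path = [node]
    for _ in range(8):                      # loop guard
        if OWNER.get(dst) == node:
            return "delivered", path
        nexthop = lookup(TABLES[node], dst)
        if nexthop is None:
            return "no route at " + node, path
        if nexthop == "isp":
            return "sent upstream to ISP", path
        node = OWNER[dst] if nexthop == "direct" else OWNER[nexthop]
        path.append(node)
    return "loop", path


def ping_round_trip(src, dst, nat=False):
    """Trace an echo request src -> dst and the reply back.
    nat=True models natd(8) on rl0 rewriting LAN sources to 192.168.1.2
    (assumption: plain source NAT, undone on the way back)."""
    fwd, fwd_path = forward(OWNER[src], dst)
    natted = nat and "gateway" in fwd_path and ipaddress.ip_address(src) in NAT_INSIDE
    rep, rep_path = forward(OWNER[dst], NAT_OUTSIDE if natted else src)
    if natted and rep == "delivered":
        # The gateway undoes the translation and hands the reply to the real source.
        rep, tail = forward("gateway", src)
        rep_path += tail[1:]
    return fwd, rep, rep_path


if __name__ == "__main__":
    for src, nat in (("10.0.0.10", False), ("10.0.0.1", False),
                     ("192.168.1.2", False), ("10.0.0.10", True)):
        print(src, "nat" if nat else "no nat", ping_round_trip(src, "192.168.1.1", nat))
```

The request reaches the modem in every case; without NAT the reply to a 10.x source is handed to the ISP and is lost, which matches both symptoms in the thread (LAN clients and ping -S 10.0.0.1 fail, the 192.168.1.2 side works).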
Re: routing, was: Re: blank subject
Charles Swiger [EMAIL PROTECTED] said:

Hi, Liquid--

On Dec 6, 2003, at 3:06 AM, [EMAIL PROTECTED] wrote:

I'm going to have a static IP - say xx.xx.yy.zz - and a subnet as follows: xx.xx.xx.zz/28

Do you mean, I am switching from a single static IP to a 16-address subnet, or are you going to have both a static IP on one connection AND a /28 subnet over a second connection?

Sorry I wasn't clearer on that. I have one corporate DSL connection with a static IP. Along with the static IP, I'll get an additional /28.

1. Do I need to inform the ISP of my intentions so that people can actually connect to an IP which is part of my subnet, but behind this router I intend to build? (I didn't think it was necessary until I read 19.2.5 in the handbook - it doesn't seem like it's necessary based on that alone, but it has placed some doubt in my mind.)

No, your ISP will route IP traffic for the subnet to you. On the other hand, certainly you should talk to your ISP about your network topology if you have any specific issues or questions for them.

2. I currently run my FreeBSD router on a cable connection while waiting for the new ISP to get set up. I use NAT to translate the EXT. IP to the internal ones of my LAN. I don't need to run NAT for the setup I plan to have, do I?

No, you don't need NAT for IPs on your new subnet: they are directly Internet routable, if you want a buzzword. :-) However, you should spend some time considering security and setting up a firewall.

That's what I thought. Again I just needed someone else to say so too for me to be 100% certain. The whole reason for this is in fact security. I plan to do some webhosting, and also, to generate some additional revenue, give out a few accounts for irc bots. You KNOW that can be a lot of trouble ;) I'm actually using an OpenBSD bridged firewall right now, have been for a couple of years and I like it. Firewalling on the FreeBSD box I intend to use as a router will only increase the security.
Are there tricks regarding running ipf on the router that I should look into?

Sometime later, you might want to consider how to have machines on your new network be able to fail over to your single-IP connection; and one way of doing so would be to use a NAT gateway of your public IPs from the /28 subnet via your original connection. [The inverse of -unregistered_only.]

3. Finally, I've read (briefly thus far) about routed on FreeBSD. Would this daemon be used in such a way that I don't even need to add static routes for the LAN?

Yes, but routed is really intended for dynamic routing within an intranet, and is overkill for your situation. Specifically, you would accomplish more by configuring DHCP on your FreeBSD machine and broadcasting the correct default router IP than you would gain by using routed. Ping all of your machines (or use the subnet broadcast address), and do an arp -a to get MAC addrs, then set up host sections to allocate static IPs via DHCP, so your machines can all be network auto-configured even if you rebuild/reinstall the OS on a particular box.

I think I'll just add the static routes for now. Sounds much simpler. Besides, with all these IPs, I still only have 6 machines behind this router...

    route add default gw my.isp.gateway
    route add net my./28.sub.net

Those appear to be the only two route commands needed. Of course, I can only know for sure once I get my connection (sometime next week) and set it all up. In the future I may toy with routed just so I can know how it works. Each of my machines will have wireless NICs so they can interconnect using non-routable addresses and so I can connect to them from my desktop machine locally. Obviously I'm quite a routing nubile...
My goal would be to set up routing so that from one machine whose address is in my subnet, I can connect to another machine within my subnet but ensure it's all done locally without going out beyond the router, for two reasons: A) My monthly bandwidth is capped, B) It would only go at my internet connection speed, and not the full 10/100mbit of the LAN.

Again, this address is not subscribed, so please answer by putting my address in the cc: field.

Done.

Thanks, and thanks also for the responses. Very helpful :)

--
-Chuck
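The "ping everything, arp -a, then write DHCP host sections" procedure suggested above, as an added Python example (not code from the thread): it parses FreeBSD-style arp -a output and renders an ISC dhcpd.conf fragment with a fixed address per host and the router handed out in the subnet block. The sample ARP lines, the 203.0.113.16/28 subnet and the router address 203.0.113.17 are constructed stand-ins for the poster's unnamed /28.

```python
import ipaddress
import re

# Constructed sample in the format of FreeBSD's "arp -a" (hostname or "?",
# address, MAC, interface); 203.0.113.16/28 stands in for the poster's /28
# and 203.0.113.17 for the router's LAN-side address. Not from the thread.
SAMPLE_ARP = """\
web1.example.net (203.0.113.18) at 00:11:22:33:44:55 on fxp0 [ethernet]
? (203.0.113.19) at 00:11:22:33:44:66 on fxp0 permanent [ethernet]
? (203.0.113.20) at (incomplete) on fxp0 [ethernet]
gw.example.net (203.0.113.17) at 00:11:22:33:44:01 on fxp0 [ethernet]
"""
ARP_RE = re.compile(r"^(?P<name>\S+) \((?P<ip>[\d.]+)\) at "
                    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<iface>\S+)", re.I)


def parse_arp(text, iface=None):
    """Return {ip: (mac, name)} for resolved entries, optionally on one interface.
    '(incomplete)' entries do not match the MAC pattern and are skipped."""
    hosts = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m and (iface is None or m["iface"] == iface):
            hosts[m["ip"]] = (m["mac"].lower(), m["name"])
    return hosts


def dhcpd_config(subnet, netmask, router, hosts, exclude=()):
    """Render an ISC dhcpd.conf fragment: a subnet block announcing the router
    (the 'broadcast the correct default router' part of the advice) plus one
    host {} with a fixed address per ARP entry, skipping excluded addresses
    such as the router itself."""
    lines = [f"subnet {subnet} netmask {netmask} {{",
             f"    option routers {router};",
             "}"]
    for ip in sorted(hosts, key=ipaddress.IPv4Address):
        if ip in exclude:
            continue
        mac, name = hosts[ip]
        label = name if name != "?" else "host-" + ip.replace(".", "-")
        lines += [f"host {label} {{",
                  f"    hardware ethernet {mac};",
                  f"    fixed-address {ip};",
                  "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    lan = parse_arp(SAMPLE_ARP, iface="fxp0")
    print(dhcpd_config("203.0.113.16", "255.255.255.240", "203.0.113.17",
                       lan, exclude={"203.0.113.17"}))
```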
Re: IPSEC Tunnel Routing question
Hello Tom,

So I assume by working you mean that the two computers can ping one another? If so, simply set the computer in Building B to have a default route to the IP of the computer in Building A:

    [Building B]# route add default 10.0.0.1

Where 10.0.0.1 is the IP of the computer in Building A. Also, ensure that any firewall in A allows traffic from Building B to flow in and out, router etc.

HTH.
Matthew Faircliff

On Thu, Dec 04, 2003 at 06:50:08PM -0500, Tom Thompson wrote:

Date: Thu, 4 Dec 2003 18:50:08 -0500
From: Tom Thompson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
X-Mailer: IMail v8.04
Subject: IPSEC Tunnel Routing question

I would like to route all traffic over a gif/ipsec tunnel. I have the following situation:

    Existing internet connection in Building A
    Building-to-building wireless (between Building A and Building B)

To secure the traffic going across the wireless I would like to run an ipsec tunnel between FreeBSD 5.1 based machines sitting at Building A and Building B. I have the tunnels up and running but I am experiencing a problem with routing. Building B does not have an internet connection so it needs to use the internet connection at Building A.

To lay it out in more detail:

    Router at Building A connects to the internet
    FreeBSD 5.1 machine at Building A connects to the router and to the wireless bridges
    FreeBSD 5.1 machine at Building B connects to the wireless bridges and the internal network

What do I need to do to get traffic to flow from Building B to Building A and out A's internet connection? I have tried setting Building B's defaultrouter to Building A's internal address (other side of the GIF tunnel).

Thanks
Tom
Re: IPSEC Tunnel Routing question
I think I figured out the problem but am unsure how to fix it.

To recap, my situation is as follows:

    Internet connection located in Building A (independent of the BSD boxes)
    FreeBSD 5.1 machine located at Building A
    FreeBSD 5.1 machine located at Building B
    Building-to-building wireless between Building A and Building B

Goal: All traffic NOT destined for the local area LAN at Building B should go thru a VPN tunnel over the wireless link to Building A and out its internet connection.

The problem: Building B's BSD box does not know to encrypt traffic to the internet and send it thru the VPN. My ipsec.conf has

    spdadd building B/subnet building A/subnet any -P out ipsec

and the reverse. The traffic to the internet is not sent over the VPN so it goes nowhere. I have tried

    spdadd building a/subnet 0.0.0.0/0 any -P out ipsec

and the reverse. Now all traffic is encrypted, EVEN traffic destined for the LAN.

Anyone have any suggestions?

Thanks
Tom
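An added example, not from the thread: a Python model of how the setkey(8) security policy database selects a policy for an outbound packet, run over the two policy sets Tom describes and over a split-tunnel variant that exempts local LAN traffic before the catch-all. It assumes first-match in insertion order with no longest-prefix preference (how the KAME SPD on FreeBSD of that era was searched; check your release), and the subnets 10.0.1.0/24 (Building A), 10.0.2.0/24 (Building B) and tunnel endpoints 192.0.2.1/192.0.2.2 are constructed stand-ins for the post's "building A/subnet" placeholders.

```python
import ipaddress

# Constructed addresses (the post gives only "building A/subnet" etc.):
#   Building A LAN 10.0.1.0/24, Building B LAN 10.0.2.0/24,
#   tunnel endpoints 192.0.2.1 (A) and 192.0.2.2 (B).
TUNNEL = "esp/tunnel/192.0.2.2-192.0.2.1/require"
POSTED = [      # what the post says ipsec.conf had at first (outbound side only)
    f"spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec {TUNNEL};",
]
CATCH_ALL = [   # the second attempt: everything leaving B's LAN is tunnelled
    f"spdadd 10.0.2.0/24 0.0.0.0/0 any -P out ipsec {TUNNEL};",
]
SPLIT = [       # candidate: exempt LAN-to-LAN traffic first, then tunnel the rest
    "spdadd 10.0.2.0/24 10.0.2.0/24 any -P out none;",
    f"spdadd 10.0.2.0/24 0.0.0.0/0 any -P out ipsec {TUNNEL};",
]


def parse_spdadd(line):
    """Pick out src, dst, direction and action from one spdadd line; the
    upper-layer protocol and the esp/... spec are kept only as text."""
    f = line.rstrip(";").split()
    if len(f) < 7 or f[0] != "spdadd" or f[4] != "-P":
        raise ValueError("not an spdadd line: " + line)
    return {"src": ipaddress.ip_network(f[1]), "dst": ipaddress.ip_network(f[2]),
            "proto": f[3], "dir": f[5], "action": f[6], "spec": " ".join(f[7:])}


class SPD:
    """Security policy database: the first matching entry in insertion order
    wins (assumption about the KAME SPD of that era). There is no
    longest-prefix preference, so a 0.0.0.0/0 entry placed first shadows
    every more specific entry after it."""

    def __init__(self, lines):
        self.entries = [parse_spdadd(l) for l in lines]

    def decide(self, src, dst, direction="out"):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for e in self.entries:
            if e["dir"] == direction and s in e["src"] and d in e["dst"]:
                return e["action"]
        return "bypass"   # no policy: the packet leaves in the clear via the routing table


if __name__ == "__main__":
    lan_peer, internet = "10.0.2.9", "198.51.100.9"    # constructed destinations
    for name, lines in (("posted", POSTED), ("catch-all", CATCH_ALL),
                        ("split", SPLIT), ("split, reversed", list(reversed(SPLIT)))):
        spd = SPD(lines)
        print(f"{name:16} LAN peer -> {spd.decide('10.0.2.5', lan_peer):7}"
              f" internet -> {spd.decide('10.0.2.5', internet)}")
```

The SPD only decides whether a packet is encrypted; Building B still needs a route (its default route) that makes the kernel emit the packet at all, and the inbound policies mirror the outbound ones.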
Re: IPSEC Tunnel Routing question
Thanks for the reply! I have tried what you recommended and basically nothing can talk over the VPN tunnels unless it is addressed on Building A's or Building B's network. I have a router with an internet connection sitting at Building A and I set the defaultrouter in Building B to be the router address. I can ping the router but the traffic will not even go thru the VPN, and I get ping saying the network is down. I can post configs if you think it will help.

Thanks
Tom

-- Original Message --
From: Matthew Faircliff [EMAIL PROTECTED]
Date: Fri, 5 Dec 2003 11:23:33 +

Hello Tom,

So I assume by working you mean that the two computers can ping one another? If so, simply set the computer in Building B to have a default route to the IP of the computer in Building A:

    [Building B]# route add default 10.0.0.1

Where 10.0.0.1 is the IP of the computer in Building A. Also, ensure that any firewall in A allows traffic from Building B to flow in and out, router etc.

HTH.
Matthew Faircliff

On Thu, Dec 04, 2003 at 06:50:08PM -0500, Tom Thompson wrote:

Date: Thu, 4 Dec 2003 18:50:08 -0500
From: Tom Thompson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
X-Mailer: IMail v8.04
Subject: IPSEC Tunnel Routing question

I would like to route all traffic over a gif/ipsec tunnel. I have the following situation:

    Existing internet connection in Building A
    Building-to-building wireless (between Building A and Building B)

To secure the traffic going across the wireless I would like to run an ipsec tunnel between FreeBSD 5.1 based machines sitting at Building A and Building B. I have the tunnels up and running but I am experiencing a problem with routing. Building B does not have an internet connection so it needs to use the internet connection at Building A.
To lay it out in more detail:

    Router at Building A connects to the internet
    FreeBSD 5.1 machine at Building A connects to the router and to the wireless bridges
    FreeBSD 5.1 machine at Building B connects to the wireless bridges and the internal network

What do I need to do to get traffic to flow from Building B to Building A and out A's internet connection? I have tried setting Building B's defaultrouter to Building A's internal address (other side of the GIF tunnel).

Thanks
Tom
IPSEC Tunnel Routing question
I would like to route all traffic over a gif/ipsec tunnel. I have the following situation:

    Existing internet connection in Building A
    Building-to-building wireless (between Building A and Building B)

To secure the traffic going across the wireless I would like to run an ipsec tunnel between FreeBSD 5.1 based machines sitting at Building A and Building B. I have the tunnels up and running but I am experiencing a problem with routing. Building B does not have an internet connection so it needs to use the internet connection at Building A.

To lay it out in more detail:

    Router at Building A connects to the internet
    FreeBSD 5.1 machine at Building A connects to the router and to the wireless bridges
    FreeBSD 5.1 machine at Building B connects to the wireless bridges and the internal network

What do I need to do to get traffic to flow from Building B to Building A and out A's internet connection? I have tried setting Building B's defaultrouter to Building A's internal address (other side of the GIF tunnel).

Thanks
Tom
VPN(touch-ID)/gif0/Dynamic Routing Issue
Hello,

I have a few questions regarding Dynamic Routing (i.e. routed) and the gif0 interface. I went through the following documents:

    http://www.freebsd.org/handbook/ipsec.html
    http://asherah.dyndns.org/~josh/ipsec-howto.txt

and followed these steps:

1. Configure the gif0 interface using the www.freebsd.org/handbook/ipsec.html diagram as reference; it works fine (tested by ping).

2. Configure IPSec in Transport mode (since I am interested in forwarding dynamic routing information over a point-2-point VPN) using the draft-touch-ipsec-vpn approach, i.e. IPSec policy:

    spdadd A.B.C.D W.X.Y.Z any -P out ipsec esp/transport//use;
    spdadd W.X.Y.Z A.B.C.D any -P in ipsec esp/transport//use;

   It works fine (ping test).

3. Now I start routed with the -s option. I never saw any routing information flow through the VPN (tcpdump).

4. So, I disabled IPSec and tried again, but I still saw no routing information over the VPN (tcpdump).

5. So, I disabled the gif0 interface as well; now I saw the RIP packets exchanged between the two FreeBSD machines.

Summary:

1. routed works fine without the gif0 interface.
2. The VPN works fine without routed.

Questions: Now my questions are:

1. Is there any incompatibility (or known bug) between routed and the gif0 interface (I am using FreeBSD 4.8 Release)?
2. Is there any FreeBSD document which describes how to configure gif0 and routed together?

Thanks,
Amin
VPN(touch-ID)/gif0/Dynamic Routing Issue [freeBSD 4.8 Release]
Hello,

I have a few questions regarding Dynamic Routing (i.e. routed) and the gif0 interface.

Questions:

1. Is there any incompatibility or known bug if we use routed and the gif0 interface together (I am using FreeBSD 4.8 Release)?
2. If there is no known bug, then has anyone tested the above-mentioned combination (routed and gif0 interface)?
3. Is there any FreeBSD document which describes how to configure gif0 and routed together?

Details:

I went through the following documents:

    http://www.freebsd.org/handbook/ipsec.html
    http://asherah.dyndns.org/~josh/ipsec-howto.txt

and followed these steps:

1. I am using the www.freebsd.org/handbook/ipsec.html diagram as my reference network.

2. Configure the gif0 interface; it works fine (tested by ping and tcpdump).

3. Configure IPSec in Transport mode (since I am interested in forwarding dynamic routing information over a point-2-point VPN) using the draft-touch-ipsec-vpn approach, i.e. IPSec policy:

   On Network 1:

    spdadd A.B.C.D W.X.Y.Z any -P out ipsec esp/transport//use;
    spdadd W.X.Y.Z A.B.C.D any -P in ipsec esp/transport//use;

   On Network 2:

    spdadd W.X.Y.Z A.B.C.D any -P out ipsec esp/transport//use;
    spdadd A.B.C.D W.X.Y.Z any -P in ipsec esp/transport//use;

   It works fine (ping and tcpdump).

3. Now I start routed with the -s option. I never saw any routing information flow through the VPN (tcpdump). But I saw some ERROR message (IP_ADD_MEMBERSHIP RIP) during system REBOOT.

4. So, I disabled IPSec and tried again, but I still saw no routing information over the VPN (tcpdump). But I saw some ERROR message (IP_ADD_MEMBERSHIP RIP) during system REBOOT.

5. So, I disabled the gif0 interface as well; now I saw the RIP packets exchanged between the two FreeBSD machines.

Summary:

1. routed works fine without the gif0 interface.
2. The VPN works fine without routed.
Thanks,
Amin
Routing problem
Hello

My goals are:
- to use a Win2k server (terminal server) in a LAN over the internet (FreeBSD box with pptpd)

My equipment:
- Win2k server, SP4 (test machine)
  - file server
  - telnet server
  IP: 192.168.1.50
- FreeBSD 4.8
  - firewall (all rules work very well, also ftp etc.)
  - VPN server (PopTop 1.1.4-b3). I have access from the Internet to this box over a VPN (=pptp) connection
  - ssh server
  - DynDNS client
  IP router side: 192.168.2.2
  IP LAN (Win2k server) side: 192.168.1.1
- Router: ADSL Router ZyXel Prestige 642R-I
  IP: 192.168.2.3

Here is the schema:

    client in the Internet --- FreeBSD Routerbox (xl1 | xl0) --- Win2k server
    (for example: Win2k, Win9x)

If I start a pptp connection from the client in the internet (they receive an IP from 192.168.1.200 to .210), I can ping 192.168.1.1 without problem. Also I can ping from my FreeBSD box the remote client and the Win2k server. From the Win2k server I can always ping the FreeBSD box but not the client in the internet. I also set the ARP resolution (MAC address with IP address) manually on both sides, but also no luck.

I also started tcpdump on the FreeBSD box with the following result:

Pings from the client to the Win2k server. tcpdump started with options -n -i xl0 icmp:

    23:18:20.217987 192.168.1.206 > 192.168.1.50: icmp: echo request
    23:18:21.677929 192.168.1.206 > 192.168.1.50: icmp: echo request
    23:18:22.693478 192.168.1.206 > 192.168.1.50: icmp: echo request
    23:18:23.709587 192.168.1.206 > 192.168.1.50: icmp: echo request

Here the same with options -n -i xl0 arp:

    23:20:28.412407 arp who-has 192.168.1.206 tell 192.168.1.50
    23:20:29.685452 arp who-has 192.168.1.206 tell 192.168.1.50
    23:20:30.701281 arp who-has 192.168.1.206 tell 192.168.1.50
    23:20:31.717197 arp who-has 192.168.1.206 tell 192.168.1.50

Pings from the Win2k server to the client. tcpdump started like above (icmp):
    (no output)

Here the same as above (arp):

    23:23:24.855173 arp who-has 192.168.1.206 tell 192.168.1.50
    23:23:25.923374 arp who-has 192.168.1.206 tell 192.168.1.50
    23:23:26.924785 arp who-has 192.168.1.206 tell 192.168.1.50
    23:23:27.926212 arp who-has 192.168.1.206 tell 192.168.1.50

I also deactivated the firewall but also no success. What the hell is going wrong here?

--
Regards
Martin Schweizer [EMAIL PROTECTED]
PC-Service M. Schweizer; Gewerbehaus Schwarz; CH-8608 Bubikon
Tel. +41 55 243 30 00; Fax: +41 55 243 33 22; http://www.pc-service.ch;
public key: http://www.pc-service.ch/pgp/public_key.asc;
fingerprint: EC21 CA4D 5C78 BC2D 73B7 10F9 C1AE 1691 D30F D239
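An added example, not from the post: detection logic in Python for the pattern the ARP trace above shows, a LAN host repeatedly asking "who-has" for an address and never getting a reply. That is what a capture looks like when the address belongs to a host on a point-to-point interface (here a PPTP client) and nothing on the Ethernet segment answers on its behalf, so the checker flags such addresses for a look at proxy ARP. The capture lines are constructed in the same tcpdump -n format as the post's, with one answered request added for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the tcpdump -n arp lines in the post:
# repeated requests from the Win2k server for the PPTP client's address, plus
# one normal request/reply pair so the checker has something to ignore.
SAMPLE = """\
23:20:28.412407 arp who-has 192.168.1.206 tell 192.168.1.50
23:20:29.685452 arp who-has 192.168.1.206 tell 192.168.1.50
23:20:30.701281 arp who-has 192.168.1.206 tell 192.168.1.50
23:20:31.000000 arp who-has 192.168.1.1 tell 192.168.1.50
23:20:31.000412 arp reply 192.168.1.1 is-at 00:11:22:33:44:55
23:20:31.717197 arp who-has 192.168.1.206 tell 192.168.1.50
"""
WHO_HAS = re.compile(r"^\S+ arp who-has (?P<target>[\d.]+) tell (?P<asker>[\d.]+)")
REPLY = re.compile(r"^\S+ arp reply (?P<target>[\d.]+) is-at (?P<mac>[0-9a-f:]+)", re.I)


def unanswered_arp(capture, min_requests=2):
    """Return {target_ip: (request_count, set_of_askers)} for every address
    that was asked for at least min_requests times and never answered."""
    requests, askers, answered = defaultdict(int), defaultdict(set), set()
    for line in capture.splitlines():
        if m := WHO_HAS.match(line):
            requests[m["target"]] += 1
            askers[m["target"]].add(m["asker"])
        elif m := REPLY.match(line):
            answered.add(m["target"])
    return {ip: (n, askers[ip]) for ip, n in requests.items()
            if n >= min_requests and ip not in answered}


if __name__ == "__main__":
    for ip, (count, who) in unanswered_arp(SAMPLE).items():
        print(f"{ip}: {count} unanswered ARP requests from {', '.join(sorted(who))};"
              " if this address lives behind a tunnel interface, nobody on the"
              " segment is answering for it (check proxy ARP on the router)")
```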
zebra routing and gif interface question
Hello,

I have a couple of ipip tunnels at 2 nearby servers and am trying to make a backup link for each using zebra via a multiple-nexthop static route. So, 2 boxes: 192.168.5.1 has an ipip link to host 210.210.210.1 and 192.168.5.3 also has an ipip link to host 210.210.210.1 (using another uplink). The other side has network 192.168.81.0/24. Running zebra on 192.168.5.3 with the following in zebra.conf:

    ip route 192.168.81.0/24 gif3
    ip route 192.168.81.0/24 192.168.5.1

As a result I want to use the route via 192.168.5.1 in case the ISP uplink on 192.168.5.3's external iface fails (and accordingly the gif3 link fails). But that is the trouble.. It seems there is no check for remote endpoint availability at the gif interface, and gif will never be in the DOWN state, so no route change.

Trying to create a gif interface and check its state after each step. You may see:

    mx2# ifconfig gif5 create
    mx2# ifconfig gif5
    gif5: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
    - that is good
    mx2# gifconfig gif5 200.200.200.1 210.210.210.1
    mx2# ifconfig gif5
    gif5: flags=8050<POINTOPOINT,RUNNING,MULTICAST> mtu 1280
            tunnel inet 200.200.200.1 --> 210.210.210.1
    - that is good
    mx2# ifconfig gif5 192.168.5.3 192.168.82.0 netmask 255.255.255.0
    mx2# ifconfig gif5
    gif5: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
            tunnel inet 200.200.200.1 --> 210.210.210.1
            inet 192.168.5.3 --> 192.168.82.0 netmask 0xffffff00
    - is that good??

The interface state has changed to UP, but there is no link to the remote endpoint and never will be: I have no 200.200.200.1, and 210.210.210.1 is a fictitious address.

Any ideas?

Thanks

--
Best regards,
Sergey [FreeBSD 4.9]
RE: Routing problems
Hi Dimitris,

<snip lots of relevant info>

The 10.X.X.X subnet will never need to use any of the services of the 193.X.X.X subnet or the 193.R.R.R router. It will always access the internet via its own 10.R.R.R router, which only routes packets towards the internet and never towards the 193.X.X.X subnet. Thus, what's the need to do any of the above?

Well, a packet originating on the 193.x.x.x network will have a return address on the 193.x.x.x network even after it's been routed via the FreeBSD box (unless you NAT, which, if your ADSL router is as rubbish as mine was, you may have to, as I couldn't add static routes to mine, but that's another issue), and so the 10.R.R.R router won't know where to forward to if it has no route to 10.x.x.x (or at least the sending host on that network).

Please note that I am rather inexperienced in routing and please forgive me if I make terrible mistakes. :-)

And excuse me if I do too :) I've plenty of experience, but no formal training.

Thanks for the response
Jim Xochellis