Re: routing problem
On Sat, 24 Nov 2007, Alaor Barroso de Carvalho Neto wrote:

> 2007/11/24, Ian Smith [EMAIL PROTECTED]:
>
> > No I didn't mean that; use your own favourite packet filter, any of them can handle what you've described. Bill suggested pf - lots of people seem to like it a lot - and I use ipfw because I (mostly) know how to.
>
> I always had linux servers, so I'm very familiar with iptables, I don't have a favorite BSD firewall yet, so that's why I'm asking. I chose ipfilter because I liked the tutorial in the FreeBSD handbook, but I don't know any features of the others, I even don't know ipfilter yet.

Yes, I suspect the handbook firewall sections were put together by an ipfilter fan, even the ipfw section contains some oddities indicating that, and the pf section so far lacks the basic and with-NAT firewall setups that might encourage more people unfamiliar with pf to try it.

> > Ok. Pasted output of 'ifconfig' and 'netstat -finet -nr' may help .. it's easier to parse familiar machine output than textual descriptions.
>
> My BSD box doesn't have a graphic interface and I must admit I'm suffering to use it, so that's why I'm transcribing the configs, but I'm gonna change that.

You can mark and copy with the mouse in text terminals on non-X boxes, at a pinch. I then use (say) ee to save the paste, though of course it's a lot less tedious working from an xterm with multiple clipboard buffers .. I've pasted up to 2000 lines from a Konsole at times :)

> > Dunno. I'd just run tcpdump in a different terminal for each interface and watch the traffic; what gets forwarded, or not, what gets translated by NAT, or not. As you said, pings are a useful start, as can be adding temporary firewall rules to log everything in and out per interface .. I know next to nothing about routed(8) and RIP, nor why you might prefer it to static and cloned routing, but taking it out of the mix might help with debugging until your basic routing and filtering works right?
>
> I think it's hard to be NAT even because I've disabled ipfilter and the problem is still there. I thought I would just set gateway_enable=YES and things would start working, at least that was how I've seen it in the docs, but as it didn't, I tried to set static routes. I don't know anything about routed either, I just know that it's supposed to build the routes on demand, or

I think routed might only work in a network that's using RIP throughout, but that's only from what I've read in Hunt's TCP/IP Network Admin book, and I've seen next to no discussion of using RIP in recent times. I'm pretty sure you don't want to run routed(8) and that it would only add to confusion for anyone trying to help you spot your problem here.

> something like that. I'll copy the result of netstat on monday but the routes seem to be OK, they're there like they're supposed to be, at least I think they are right.
>
> Probably the problem is very stupid, but I feel like

Possibly just a little confusion re how freebsd routing tables are presented compared to Linux, especially re default routes, perhaps?

> I've checked everything and I can't find the error, and as I'm not very familiar with BSD I'm losing my hope. Next week I'll try some things and if it doesn't work I think it's time to go back to linux. That's bad because I liked a lot the freebsd way of doing things.

I suggest ending this thread here, and that you come back with a fresh start on a fresh subject stating again what you want to do, your network setup and layout, ifconfig and your full IPv4 routing tables, and a clear description of which packets via which interface/s are failing to get to where you want them to go (and back!). Your original message was fairly clear about that, though it's got lost in the mists of time by now ..

Don't give up. Perhaps spend a little time browsing the freebsd-net list to see if that's worth joining for you, if you can't get sufficient answers here, but with enough basic info I'm sure someone here can help.
Cheers, Ian ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: routing problem
2007/11/24, Ian Smith [EMAIL PROTECTED]:

> ipfw works fine too for these sorts of network policy separation :)

So ipfilter is not recommended by you guyz?

> If that wasn't a typo, this is a non-contiguous netmask. I suspect you want 255.255.255.224, assuming the default router is in the same subnet?
>
> Specifying CIDR notation with route and ifconfig can make netmask fatfingering a bit less likely (eg here XXX.XXX.XXX.130/27)
>
> I'm not saying this odd netmask explains your problem, nor that I fully understand the effect of non-contiguous netmasks, but it's worth fixing.

My fault again, the mask is 255.255.255.224, I messed up the things, the 27 comes from XXX.XXX.XXX.XXX/27, you're right! But in the config file it's .224.

> On which machine/s is NAT translation taking place? Eg if 10.10/16 were allowed access to the internet via here, where would they get NAT'd to the external IP?
>
> Cheers, Ian

The ipfilter was NATing, but I'm not sure about the NAT rules inside the config file, I must recheck it monday, I just tested the redirection rules, do you think this can be the problem?

Alaor
Re: routing problem
On Sat, 24 Nov 2007, Alaor Barroso de Carvalho Neto wrote:

> 2007/11/24, Ian Smith [EMAIL PROTECTED]:
>
> > ipfw works fine too for these sorts of network policy separation :)
>
> So ipfilter is not recommended by you guyz?

No I didn't mean that; use your own favourite packet filter, any of them can handle what you've described. Bill suggested pf - lots of people seem to like it a lot - and I use ipfw because I (mostly) know how to.

> > I'm not saying this odd netmask explains your problem, nor that I fully understand the effect of non-contiguous netmasks, but it's worth fixing.
>
> My fault again, the mask is 255.255.255.224, I messed up the things, the 27 comes from XXX.XXX.XXX.XXX/27, you're right! But in the config file it's .224.

Ok. Pasted output of 'ifconfig' and 'netstat -finet -nr' may help .. it's easier to parse familiar machine output than textual descriptions.

> > On which machine/s is NAT translation taking place? Eg if 10.10/16 were allowed access to the internet via here, where would they get NAT'd to the external IP?
> >
> > Cheers, Ian
>
> The ipfilter was NATing, but I'm not sure about the NAT rules inside the config file, I must recheck it monday, I just tested the redirection rules, do you think this can be the problem?

Dunno. I'd just run tcpdump in a different terminal for each interface and watch the traffic; what gets forwarded, or not, what gets translated by NAT, or not. As you said, pings are a useful start, as can be adding temporary firewall rules to log everything in and out per interface .. I know next to nothing about routed(8) and RIP, nor why you might prefer it to static and cloned routing, but taking it out of the mix might help with debugging until your basic routing and filtering works right?

HTH, Ian
Re: routing problem
2007/11/24, Ian Smith [EMAIL PROTECTED]:

> No I didn't mean that; use your own favourite packet filter, any of them can handle what you've described. Bill suggested pf - lots of people seem to like it a lot - and I use ipfw because I (mostly) know how to.

I always had linux servers, so I'm very familiar with iptables, I don't have a favorite BSD firewall yet, so that's why I'm asking. I chose ipfilter because I liked the tutorial in the FreeBSD handbook, but I don't know any features of the others, I even don't know ipfilter yet.

> Ok. Pasted output of 'ifconfig' and 'netstat -finet -nr' may help .. it's easier to parse familiar machine output than textual descriptions.

My BSD box doesn't have a graphic interface and I must admit I'm suffering to use it, so that's why I'm transcribing the configs, but I'm gonna change that.

> Dunno. I'd just run tcpdump in a different terminal for each interface and watch the traffic; what gets forwarded, or not, what gets translated by NAT, or not. As you said, pings are a useful start, as can be adding temporary firewall rules to log everything in and out per interface .. I know next to nothing about routed(8) and RIP, nor why you might prefer it to static and cloned routing, but taking it out of the mix might help with debugging until your basic routing and filtering works right?

I think it's hard to be NAT even because I've disabled ipfilter and the problem is still there. I thought I would just set gateway_enable=YES and things would start working, at least that was how I've seen it in the docs, but as it didn't, I tried to set static routes. I don't know anything about routed either, I just know that it's supposed to build the routes on demand, or something like that. I'll copy the result of netstat on monday but the routes seem to be OK, they're there like they're supposed to be, at least I think they are right.

Probably the problem is very stupid, but I feel like I've checked everything and I can't find the error, and as I'm not very familiar with BSD I'm losing my hope. Next week I'll try some things and if it doesn't work I think it's time to go back to linux. That's bad because I liked a lot the freebsd way of doing things.

Thankz for the attention, guyz, hugs!

Alaor
Re: routing problem
On Sat, 24 Nov 2007 13:41:51 -0200 Alaor Barroso de Carvalho Neto [EMAIL PROTECTED] wrote:

> 2007/11/24, Ian Smith [EMAIL PROTECTED]:
>
> > No I didn't mean that; use your own favourite packet filter, any of them can handle what you've described. Bill suggested pf - lots of people seem to like it a lot - and I use ipfw because I (mostly) know how to.
>
> I always had linux servers, so I'm very familiar with iptables, I don't have a favorite BSD firewall yet, so that's why I'm asking. I chose ipfilter because I liked the tutorial in the FreeBSD handbook, but I don't know any features of the others, I even don't know ipfilter yet.

IPFilter was OpenBSD's old firewall, but because of its restrictive licence PF was developed and IPFilter was dropped from OpenBSD. The two firewalls use a very similar syntax. Unless you have a good reason to use IPFilter, it's probably better to start with PF; the documentation on the OpenBSD site is pretty good.
Re: routing problem
> First off, what's the output of sysctl net.inet.ip.forwarding? If it is 0, then reboot and see if it starts working.

The return was:

net.inet.ip.forwarding 1

Routed is running, named is running, the server itself can ping to any network, I don't know what else to test.
Re: routing problem
On Fri, 23 Nov 2007 12:33:26 -0200 Alaor Barroso de Carvalho Neto [EMAIL PROTECTED] wrote:

> 2007/11/23, Bill Moran [EMAIL PROTECTED]:
>
> > Alaor Barroso de Carvalho Neto [EMAIL PROTECTED] wrote:
> >
> > [..]
> >
> > > em0 external world XXX.XXX.XXX.XXX
> > > rl0 adm 192.168.1.80
> > > rl1 acad 192.168.2.90
> > > rl3 database 10.10.0.50
> > >
> > > They are all separated networks. What I want: 192.168.2 should only access the internet, shouldn't have access to 192.168.1 or 10.10/16. 192.168.1 should access the internet and 10.10/16, but shouldn't access the academic network. 10.10/16 should access only the 192.168.1 network, but it's not a problem if they had access to the internet too. How would I set up my rc.conf with my static routes?
> >
> > This is beyond the scope of routing. You'll need to install a packet filter. The best at this time is probably pf:

ipfw works fine too for these sorts of network policy separation :)

> Yes, I have IPFILTER installed, but if I would want everybody to ping to everybody and then block the things in the firewall, isn't it about routes? because neither of my networks is pinging to any other right now. By ping I mean have access. I thought it would have something to do with setting routes. BTW, my ipfilter now just passes everything because I'm building the server, but I already have a config file with the blocks that I would apply.
>
> > That's a completely different scenario than the one you described in your previous message. Do you have gateway_enable=YES in /etc/rc.conf?
> >
> > -- Bill Moran http://www.potentialtech.com

Just to add a couple of points to what Bill's pursuing here:

> Yeah, I know, I was trying to make it work with only adm and external, but the real scenario I have is this. Yes I have this line, my rc.conf is like this:
>
> [...]
> gateway_enable=yes
> defaultrouter=XXX.XXX.XXX.158 (the external ip)
> ifconfig_em0=inet XXX.XXX.XXX.130 netmask 255.255.255.227

If that wasn't a typo, this is a non-contiguous netmask. I suspect you want 255.255.255.224, assuming the default router is in the same subnet?

Specifying CIDR notation with route and ifconfig can make netmask fatfingering a bit less likely (eg here XXX.XXX.XXX.130/27)

I'm not saying this odd netmask explains your problem, nor that I fully understand the effect of non-contiguous netmasks, but it's worth fixing.

> ifconfig_rl0=inet 192.168.1.80 netmask 255.255.255.0
> ifconfig_rl1=inet 192.168.2.90 netmask 255.255.255.0
> ifconfig_rl2=inet 10.10.0.50 netmask 255.255.0.0
> [...]

On which machine/s is NAT translation taking place? Eg if 10.10/16 were allowed access to the internet via here, where would they get NAT'd to the external IP?

Cheers, Ian
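The non-contiguous netmask Ian spots above is exactly the kind of typo that is easy to miss by eye, so here is an added example (my own code, not from the thread or from FreeBSD) that reads rc.conf-style lines like the ones posted, flags any netmask whose one-bits are not a single leading run, suggests the contiguous mask and CIDR form that the leading bits imply, checks that defaultrouter actually sits inside the external interface's subnet, and confirms gateway_enable is set (case-insensitively, as Bill notes later in the thread). The sample rc.conf is constructed; the 203.0.113.x addresses are documentation-range placeholders standing in for the thread's XXX.XXX.XXX.x, and the parser handles only simple key=value lines, not full sh syntax.

```python
"""Sanity-check rc.conf interface/netmask/defaultrouter settings.

Added example, not code from the thread. Constructed input: the public
addresses 203.0.113.x are placeholders for the thread's XXX.XXX.XXX.x.
"""
import ipaddress
import re

# Constructed sample in the same shape as the rc.conf excerpt in the thread,
# including the suspect 255.255.255.227 mask on em0.
SAMPLE_RC_CONF = """\
gateway_enable="yes"
defaultrouter="203.0.113.158"
ifconfig_em0="inet 203.0.113.130 netmask 255.255.255.227"
ifconfig_rl0="inet 192.168.1.80 netmask 255.255.255.0"
ifconfig_rl1="inet 192.168.2.90 netmask 255.255.255.0"
ifconfig_rl2="inet 10.10.0.50 netmask 255.255.0.0"
"""

ASSIGN_RE = re.compile(r'^\s*(?P<key>\w+)=(?P<value>.*?)\s*$')
INET_RE = re.compile(r'^inet\s+(?P<addr>\S+)\s+netmask\s+(?P<mask>\S+)$')


def parse_rc_conf(text):
    """Return {key: value} for simple key=value lines; quotes are stripped,
    comments and blank lines skipped (a simplification of sh syntax)."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        if m:
            conf[m["key"]] = m["value"].strip('"')
    return conf


def analyse_mask(mask):
    """Return (leading_ones, is_contiguous) for a dotted-quad netmask.

    A valid netmask is a run of one-bits followed only by zero-bits;
    255.255.255.227 (…11100011) has 27 leading ones and then stray ones,
    so it is non-contiguous."""
    bits = int(ipaddress.IPv4Address(mask))
    ones = 0
    while ones < 32 and bits & (1 << (31 - ones)):
        ones += 1
    rest = bits & ((1 << (32 - ones)) - 1)  # bits after the leading run
    return ones, rest == 0


def check_rc_conf(text, external_if="em0"):
    """Return {'findings': [str], 'networks': {ifname: IPv4Network}}."""
    conf = parse_rc_conf(text)
    findings = []
    networks = {}
    for key, value in conf.items():
        if not key.startswith("ifconfig_"):
            continue
        m = INET_RE.match(value)
        if not m:
            continue
        ifname = key[len("ifconfig_"):]
        addr, mask = m["addr"], m["mask"]
        ones, contiguous = analyse_mask(mask)
        if not contiguous:
            # Suggest the mask implied by the leading run (227 -> 224, /27).
            suggested = ipaddress.IPv4Network(f"0.0.0.0/{ones}").netmask
            findings.append(
                f"{ifname}: netmask {mask} is non-contiguous; the leading "
                f"{ones} one-bits suggest {suggested} ({addr}/{ones})")
            continue
        networks[ifname] = ipaddress.IPv4Network(f"{addr}/{ones}", strict=False)

    # gateway_enable only sets net.inet.ip.forwarding; the value is
    # case-insensitive, so "yes" and "YES" are both fine.
    if conf.get("gateway_enable", "").lower() != "yes":
        findings.append("gateway_enable is not set to YES: "
                        "net.inet.ip.forwarding will stay 0")

    # The default router must be on-link on the external interface.
    router = conf.get("defaultrouter")
    if router and external_if in networks:
        net = networks[external_if]
        if ipaddress.IPv4Address(router) not in net:
            findings.append(f"defaultrouter {router} is outside "
                            f"{external_if}'s subnet {net}")
    return {"findings": findings, "networks": networks}


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_RC_CONF),
                        ("corrected", SAMPLE_RC_CONF.replace(".227", ".224"))):
        result = check_rc_conf(text)
        print(f"{label}: {result['findings'] or 'no findings'}")
        for ifname, net in sorted(result["networks"].items()):
            print(f"  {ifname}: {net}")
```

Run as a script it reports the em0 finding for the posted mask and, for the corrected mask, shows em0 as 203.0.113.128/27 with the default router inside it; feeding it a defaultrouter outside that /27 produces a second kind of finding.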
Re: routing problem
2007/11/23, Bill Moran [EMAIL PROTECTED]:

> > I'm going to the server room to test the command. And yes, the DNS is working properly. I just came from the room and I did the command dig @ 192.168.1.1 google.ca and it said no server reached, then I did dig @ 127.0.0.1 google.ca and it worked!
>
> Is this on the FreeBSD machine? I have a sneaking suspicion that your ipfilter rules are blocking everything.

Yes, that's on the FreeBSD machine. I'm not sure about the RIP, I must check. About the ipfilter, I disabled it in rc.conf and it's still not working. I'm not at my work anymore, only on monday I'll be able to run the netstat, but I'm losing my hope.

Have a nice weekend brother.
Re: routing problem
Alaor Barroso de Carvalho Neto [EMAIL PROTECTED] wrote:

> 2007/11/23, Bill Moran [EMAIL PROTECTED]:
>
> > Alaor Barroso de Carvalho Neto [EMAIL PROTECTED] wrote:
> >
> > > OK guyz, I did some tests and I found the error, like you said, it's a config problem with the routes, I thought the routed daemon would take care of it for me but it seems like it doesn't. Please I ask you to forget the scenario I said before, now what I have is: The dns server is now with the IP 192.168.1.1. But to make things easier I installed it in the FreeBSD box that is gonna be my gateway and proxy machine, so the problem isn't about the dns anymore. I work in a school and I have now this scenario: two local networks, 192.168.1/24, an administrative network and 192.168.2/24, an academic network, plus I must have access to a network of another school with the ip 10.10/16, because they share their database server with us. So the FreeBSD machine has four network cards:
> > >
> > > em0 external world XXX.XXX.XXX.XXX
> > > rl0 adm 192.168.1.80
> > > rl1 acad 192.168.2.90
> > > rl3 database 10.10.0.50
> > >
> > > They are all separated networks. What I want: 192.168.2 should only access the internet, shouldn't have access to 192.168.1 or 10.10/16. 192.168.1 should access the internet and 10.10/16, but shouldn't access the academic network. 10.10/16 should access only the 192.168.1 network, but it's not a problem if they had access to the internet too. How would I set up my rc.conf with my static routes?
> >
> > This is beyond the scope of routing. You'll need to install a packet filter. The best at this time is probably pf:
> >
> > http://www.freebsd.org/cgi/man.cgi?query=pfctl&sektion=8&apropos=0&manpath=FreeBSD+6.2-RELEASE
> > http://www.freebsd.org/cgi/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=FreeBSD+6.2-RELEASE&format=html
>
> Yes, I have IPFILTER installed, but if I would want everybody to ping to everybody and then block the things in the firewall, isn't it about routes? because neither of my networks is pinging to any other right now. By ping I mean have access.
>
> I thought it would have something to do with setting routes. BTW, my ipfilter now just passes everything because I'm building the server, but I already have a config file with the blocks that I would apply.

That's a completely different scenario than the one you described in your previous message. Do you have gateway_enable=YES in /etc/rc.conf?

-- Bill Moran http://www.potentialtech.com
Re: routing problem
2007/11/23, Bill Moran [EMAIL PROTECTED]:

> Alaor Barroso de Carvalho Neto [EMAIL PROTECTED] wrote:
>
> > OK guyz, I did some tests and I found the error, like you said, it's a config problem with the routes, I thought the routed daemon would take care of it for me but it seems like it doesn't. Please I ask you to forget the scenario I said before, now what I have is: The dns server is now with the IP 192.168.1.1. But to make things easier I installed it in the FreeBSD box that is gonna be my gateway and proxy machine, so the problem isn't about the dns anymore. I work in a school and I have now this scenario: two local networks, 192.168.1/24, an administrative network and 192.168.2/24, an academic network, plus I must have access to a network of another school with the ip 10.10/16, because they share their database server with us. So the FreeBSD machine has four network cards:
> >
> > em0 external world XXX.XXX.XXX.XXX
> > rl0 adm 192.168.1.80
> > rl1 acad 192.168.2.90
> > rl3 database 10.10.0.50
> >
> > They are all separated networks. What I want: 192.168.2 should only access the internet, shouldn't have access to 192.168.1 or 10.10/16. 192.168.1 should access the internet and 10.10/16, but shouldn't access the academic network. 10.10/16 should access only the 192.168.1 network, but it's not a problem if they had access to the internet too. How would I set up my rc.conf with my static routes?
>
> This is beyond the scope of routing. You'll need to install a packet filter. The best at this time is probably pf:
>
> http://www.freebsd.org/cgi/man.cgi?query=pfctl&sektion=8&apropos=0&manpath=FreeBSD+6.2-RELEASE
> http://www.freebsd.org/cgi/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=FreeBSD+6.2-RELEASE&format=html
>
> -- Bill Moran http://www.potentialtech.com

Yes, I have IPFILTER installed, but if I would want everybody to ping to everybody and then block the things in the firewall, isn't it about routes? because neither of my networks is pinging to any other right now. By ping I mean have access.

I thought it would have something to do with setting routes. BTW, my ipfilter now just passes everything because I'm building the server, but I already have a config file with the blocks that I would apply.
Re: routing problem
OK guyz, I did some tests and I found the error, like you said, it's a config problem with the routes, I thought the routed daemon would take care of it for me but it seems like it doesn't. Please I ask you to forget the scenario I said before, now what I have is: The dns server is now with the IP 192.168.1.1. But to make things easier I installed it in the FreeBSD box that is gonna be my gateway and proxy machine, so the problem isn't about the dns anymore. I work in a school and I have now this scenario: two local networks, 192.168.1/24, an administrative network and 192.168.2/24, an academic network, plus I must have access to a network of another school with the ip 10.10/16, because they share their database server with us. So the FreeBSD machine has four network cards:

em0 external world XXX.XXX.XXX.XXX
rl0 adm 192.168.1.80
rl1 acad 192.168.2.90
rl3 database 10.10.0.50

They are all separated networks. What I want: 192.168.2 should only access the internet, shouldn't have access to 192.168.1 or 10.10/16. 192.168.1 should access the internet and 10.10/16, but shouldn't access the academic network. 10.10/16 should access only the 192.168.1 network, but it's not a problem if they had access to the internet too. How would I set up my rc.conf with my static routes?

Thankz for the attention you're having with me guyz, hugs!

2007/11/21, Steve Bertrand [EMAIL PROTECTED]:

> Alaor Barroso de Carvalho Neto wrote:
>
> > Sorry, searchdomain ... nameserver 192.168.1.2 not 192.168.1.1 as I've said before.
>
> What about:
>
> # dig @192.168.1.2 google.ca
>
> Also, I don't know if it has any impact, but my resolv.conf shows just 'search mydomain.com' as opposed to searchdomain. Perhaps you could fix that to see if it helps.
>
> Steve

-- 
Atenciosamente,
Alaor Neto
CEFET Campos/UNED Macaé
Coordenação de Tecnologia da Informação
(22) 9217-3198 / (22) 2773-6530 ramal 2035
Re: routing problem
Alaor Barroso de Carvalho Neto [EMAIL PROTECTED] wrote:

> OK guyz, I did some tests and I found the error, like you said, it's a config problem with the routes, I thought the routed daemon would take care of it for me but it seems like it doesn't. Please I ask you to forget the scenario I said before, now what I have is: The dns server is now with the IP 192.168.1.1. But to make things easier I installed it in the FreeBSD box that is gonna be my gateway and proxy machine, so the problem isn't about the dns anymore. I work in a school and I have now this scenario: two local networks, 192.168.1/24, an administrative network and 192.168.2/24, an academic network, plus I must have access to a network of another school with the ip 10.10/16, because they share their database server with us. So the FreeBSD machine has four network cards:
>
> em0 external world XXX.XXX.XXX.XXX
> rl0 adm 192.168.1.80
> rl1 acad 192.168.2.90
> rl3 database 10.10.0.50
>
> They are all separated networks. What I want: 192.168.2 should only access the internet, shouldn't have access to 192.168.1 or 10.10/16. 192.168.1 should access the internet and 10.10/16, but shouldn't access the academic network. 10.10/16 should access only the 192.168.1 network, but it's not a problem if they had access to the internet too. How would I set up my rc.conf with my static routes?

This is beyond the scope of routing. You'll need to install a packet filter. The best at this time is probably pf:

http://www.freebsd.org/cgi/man.cgi?query=pfctl&sektion=8&apropos=0&manpath=FreeBSD+6.2-RELEASE
http://www.freebsd.org/cgi/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=FreeBSD+6.2-RELEASE&format=html

-- Bill Moran http://www.potentialtech.com
Re: routing problem
2007/11/23, Bill Moran [EMAIL PROTECTED]:

> Alaor Barroso de Carvalho Neto [EMAIL PROTECTED] wrote:
>
> > 2007/11/23, Bill Moran [EMAIL PROTECTED]:
> >
> > > Alaor Barroso de Carvalho Neto [EMAIL PROTECTED] wrote:
> > >
> > > > OK guyz, I did some tests and I found the error, like you said, it's a config problem with the routes, I thought the routed daemon would take care of it for me but it seems like it doesn't. Please I ask you to forget the scenario I said before, now what I have is: The dns server is now with the IP 192.168.1.1. But to make things easier I installed it in the FreeBSD box that is gonna be my gateway and proxy machine, so the problem isn't about the dns anymore. I work in a school and I have now this scenario: two local networks, 192.168.1/24, an administrative network and 192.168.2/24, an academic network, plus I must have access to a network of another school with the ip 10.10/16, because they share their database server with us. So the FreeBSD machine has four network cards:
> > > >
> > > > em0 external world XXX.XXX.XXX.XXX
> > > > rl0 adm 192.168.1.80
> > > > rl1 acad 192.168.2.90
> > > > rl3 database 10.10.0.50
> > > >
> > > > They are all separated networks. What I want: 192.168.2 should only access the internet, shouldn't have access to 192.168.1 or 10.10/16. 192.168.1 should access the internet and 10.10/16, but shouldn't access the academic network. 10.10/16 should access only the 192.168.1 network, but it's not a problem if they had access to the internet too. How would I set up my rc.conf with my static routes?
> > >
> > > This is beyond the scope of routing. You'll need to install a packet filter. The best at this time is probably pf:
> > >
> > > http://www.freebsd.org/cgi/man.cgi?query=pfctl&sektion=8&apropos=0&manpath=FreeBSD+6.2-RELEASE
> > > http://www.freebsd.org/cgi/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=FreeBSD+6.2-RELEASE&format=html
> >
> > Yes, I have IPFILTER installed, but if I would want everybody to ping to everybody and then block the things in the firewall, isn't it about routes? because neither of my networks is pinging to any other right now. By ping I mean have access.
> >
> > I thought it would have something to do with setting routes. BTW, my ipfilter now just passes everything because I'm building the server, but I already have a config file with the blocks that I would apply.
>
> That's a completely different scenario than the one you described in your previous message. Do you have gateway_enable=YES in /etc/rc.conf?
>
> -- Bill Moran http://www.potentialtech.com

Yeah, I know, I was trying to make it work with only adm and external, but the real scenario I have is this. Yes I have this line, my rc.conf is like this:

[...]
gateway_enable=yes
defaultrouter=XXX.XXX.XXX.158 (the external ip)
ifconfig_em0=inet XXX.XXX.XXX.130 netmask 255.255.255.227
ifconfig_rl0=inet 192.168.1.80 netmask 255.255.255.0
ifconfig_rl1=inet 192.168.2.90 netmask 255.255.255.0
ifconfig_rl2=inet 10.10.0.50 netmask 255.255.0.0
[...]

I don't know if that matters, but should the yes be YES for things to work? I'd kill myself if this is the problem.
Re: routing problem
Alaor Barroso de Carvalho Neto [EMAIL PROTECTED] wrote:

> 2007/11/23, Bill Moran [EMAIL PROTECTED]:
>
> > Alaor Barroso de Carvalho Neto [EMAIL PROTECTED] wrote:
> >
> > > Yes, I have IPFILTER installed, but if I would want everybody to ping to everybody and then block the things in the firewall, isn't it about routes? because neither of my networks is pinging to any other right now. By ping I mean have access.

By ping, mean ping. I don't know what "have access" means, but I know what ping means. So what do you really mean ... what are you actually doing? If you run ping 192.168.1.[some working IP] from a machine on the 192.168.2.0/24 network, what is the result?

> > > I thought it would have something to do with setting routes. BTW, my ipfilter now just passes everything because I'm building the server, but I already have a config file with the blocks that I would apply.
> >
> > That's a completely different scenario than the one you described in your previous message. Do you have gateway_enable=YES in /etc/rc.conf?
>
> Yeah, I know, I was trying to make it work with only adm and external, but the real scenario I have is this. Yes I have this line, my rc.conf is like this:
>
> [...]
> gateway_enable=yes
> defaultrouter=XXX.XXX.XXX.158 (the external ip)
> ifconfig_em0=inet XXX.XXX.XXX.130 netmask 255.255.255.227
> ifconfig_rl0=inet 192.168.1.80 netmask 255.255.255.0
> ifconfig_rl1=inet 192.168.2.90 netmask 255.255.255.0
> ifconfig_rl2=inet 10.10.0.50 netmask 255.255.0.0
> [...]
>
> I don't know if that matters, but should the yes be YES for things to work? I'd kill myself if this is the problem.

Don't kill yourself. At least, if you do, will me all your stuff.

The parameter is case-insensitive, I just prefer the caps.

First off, what's the output of sysctl net.inet.ip.forwarding? If it is 0, then reboot and see if it starts working.

Once you're sure that sysctl is being properly set (which is all that gateway_enable=yes does), if you're still having problems, disable ipfilter altogether and see if it starts working. If it does, then it becomes a discussion of firewall rules.

Also, is your DNS working properly? I don't know how many times I've seen DNS timeouts mistaken for network problems. 99% of the programs out there will _seem_ to have a network problem if the DNS isn't working properly.

-- Bill Moran http://www.potentialtech.com
Re: routing problem
2007/11/23, Bill Moran [EMAIL PROTECTED]:

> Alaor Barroso de Carvalho Neto [EMAIL PROTECTED] wrote:
>
> > 2007/11/23, Bill Moran [EMAIL PROTECTED]:
> >
> > > Alaor Barroso de Carvalho Neto [EMAIL PROTECTED] wrote:
> > >
> > > > Yes, I have IPFILTER installed, but if I would want everybody to ping to everybody and then block the things in the firewall, isn't it about routes? because neither of my networks is pinging to any other right now. By ping I mean have access.
>
> By ping, mean ping. I don't know what "have access" means, but I know what ping means. So what do you really mean ... what are you actually doing? If you run ping 192.168.1.[some working IP] from a machine on the 192.168.2.0/24 network, what is the result?
>
> > > > I thought it would have something to do with setting routes. BTW, my ipfilter now just passes everything because I'm building the server, but I already have a config file with the blocks that I would apply.
> > >
> > > That's a completely different scenario than the one you described in your previous message. Do you have gateway_enable=YES in /etc/rc.conf?
> >
> > Yeah, I know, I was trying to make it work with only adm and external, but the real scenario I have is this. Yes I have this line, my rc.conf is like this:
> >
> > [...]
> > gateway_enable=yes
> > defaultrouter=XXX.XXX.XXX.158 (the external ip)
> > ifconfig_em0=inet XXX.XXX.XXX.130 netmask 255.255.255.227
> > ifconfig_rl0=inet 192.168.1.80 netmask 255.255.255.0
> > ifconfig_rl1=inet 192.168.2.90 netmask 255.255.255.0
> > ifconfig_rl2=inet 10.10.0.50 netmask 255.255.0.0
> > [...]
> >
> > I don't know if that matters, but should the yes be YES for things to work? I'd kill myself if this is the problem.
>
> Don't kill yourself. At least, if you do, will me all your stuff.
>
> The parameter is case-insensitive, I just prefer the caps.
>
> First off, what's the output of sysctl net.inet.ip.forwarding? If it is 0, then reboot and see if it starts working.
>
> Once you're sure that sysctl is being properly set (which is all that gateway_enable=yes does), if you're still having problems, disable ipfilter altogether and see if it starts working. If it does, then it becomes a discussion of firewall rules.
>
> Also, is your DNS working properly? I don't know how many times I've seen DNS timeouts mistaken for network problems. 99% of the programs out there will _seem_ to have a network problem if the DNS isn't working properly.
>
> -- Bill Moran http://www.potentialtech.com

I don't have that much stuff at all, only some bills to pay, we have a deal? ;)

I'm going to the server room to test the command. And yes, the DNS is working properly.

I just came from the room and I did the command dig @ 192.168.1.1 google.ca and it said no server reached, then I did dig @ 127.0.0.1 google.ca and it worked! Then I went to the DNS machine and tried to ping the IP that dig gave me, it can't. I changed the ip of the FreeBSD box to 192.168.1.240 and turned on the linux machine back with the ip 192.168.1.80 and did dig @192.168.1.1 googla.ca and it worked! Went to the DNS machine and pinged the IP dig gave me and it worked. It seems like the dns machine has no access to the external network..
Re: routing problem
> By ping, mean ping. I don't know what "have access" means, but I know what ping means.

Well, I say "have access" because ICMP would be blocked, but I would still have communication with the network even if I couldn't ping. But yeah, for me right now ping and have access are the same, as the firewall is passing everything.
Re: routing problem
Alaor Barroso de Carvalho Neto [EMAIL PROTECTED] wrote:
> > First off, what's the output of sysctl net.inet.ip.forwarding? If it is 0, then reboot and see if it starts working.
>
> The return was: net.inet.ip.forwarding 1

OK. That's not the problem then ... did you disable ipfilter and try without it?

> Routed is running, named is running, the server itself can ping to any network, I don't know what else to test.

Do you have RIP on your network? Based on your description, it seems unlikely that RIP is in use on your network ... I don't know what the default behaviour is for routed when it can't acquire routing information.

What is the output of netstat -rn?

-- 
Bill Moran
http://www.potentialtech.com
Re: routing problem
Alaor Barroso de Carvalho Neto wrote:
> If I turn off linux and set the rl0 to 192.168.1.1 it stops resolving names but can ping anywhere. Help!!!
>
> in the rc.conf
> gateway_enable=YES
> defaultrouter=X.X.X.X

I don't know if I quite understand on which machine things are breaking, but if it is a FreeBSD box, can you post the output to:

# cat /etc/resolv.conf

...and

# dig @192.168.1.2 google.ca

Steve
Re: routing problem
Sorry for my English skills, I'm Brazilian and I'm not very familiar with the language, but I'm gonna try to explain it clearly:

LINUX SERVER
  private network 192.168.1.1
  external network x.x.x.x

FREEBSD SERVER
  private network 192.168.1.240
  external network x.x.x.x

DNS SERVER
  private network 192.168.1.2

The LINUX machine is the network gateway. I want the FREEBSD to be the gateway, so I tested the freebsd machine by configuring some clients manually to use 192.168.1.240 as gateway, 3 machines, everything worked. So I thought: time to replace the linux server. So I turned off the linux machine and changed the ip of freebsd to 192.168.1.1, just that, and then it stopped working: it can resolve dns for some seconds and then stops.

Something I've noticed: when it's not in fact the network gateway, with just some machines using it as gateway, the return of netstat -r is ok, with the routes of the machines accessing it, the active connections; if I just change the ip and turn off the LINUX machine, netstat -r returns me no routes at all. Pretty strange.

My nameserver is just

searchdomain ...
nameserver 192.168.1.1

2007/11/21, Steve Bertrand [EMAIL PROTECTED]:
> [...]
Re: routing problem
Sorry,

searchdomain ...
nameserver 192.168.1.2

not 192.168.1.1 as I've said before.
Re: routing problem
In response to Alaor Barroso de Carvalho Neto [EMAIL PROTECTED]:
> [...]
> Something I've noticed: when it's not in fact the network gateway, with just some machines using it as gateway, the return of netstat -r is ok, with the routes of the machines accessing it, the active connections; if I just change the ip and turn off the LINUX machine, netstat -r returns me no routes at all. Pretty strange.
>
> My nameserver is just
>
> searchdomain ...
> nameserver 192.168.1.1

You've pointed the FreeBSD machine at itself for DNS. Do you have a DNS server running on this system? If not, you need to point it at a valid DNS server.

If routes are missing then something is configured wrong. If you'd post the contents of /etc/rc.conf, it's more likely that we could provide more detailed assistance.

-- 
Bill Moran
http://www.potentialtech.com
Re: routing problem
The nameserver is 192.168.1.2 in the resolv.conf, sorry, my fault. I'm gonna copy the rc.conf and paste it here. But the routes are OK and stay OK for any length of time when the machine is not the main gateway and has some few clients using it as gateway; if it was a config problem it wouldn't ever work, no? Is there any chance that the traffic of the network is responsible for that??? Thanks for the help

2007/11/21, Bill Moran [EMAIL PROTECTED]:
> [...]

-- 
Sincerely,
Alaor Neto
CEFET Campos/UNED Macaé
Information Technology Coordination
(22) 9217-3198 / (22) 2773-6530 ext. 2035
Re: routing problem
Alaor Barroso de Carvalho Neto wrote:
> Sorry,
>
> searchdomain ...
> nameserver 192.168.1.2
>
> not 192.168.1.1 as I've said before.

What about:

# dig @192.168.1.2 google.ca

Also, I don't know if it has any impact, but my resolv.conf shows just 'search mydomain.com' as opposed to searchdomain. Perhaps you could fix that to see if it helps.

Steve
Re: Routing problem
In response to George Vanev [EMAIL PROTECTED]:
> I have a FreeBSD 6.2 box with 1 NIC and 2 IPs. The first IP is to access the internet, the second is for the ISP's LAN. Unfortunately I have internet, but no access to the other network.
>
> I made a test. I assigned to the NIC only the local IP and removed the defaultrouter. Then, of course, I have no internet but was able to access the ISP's network.
>
> I've tried everything I know, but still nothing

Consider providing more details, such as the output of ifconfig and netstat -rn. Sure sounds like a routing issue, but I doubt anyone can say anything more without details.

-- 
Bill Moran
Collaborative Fusion Inc.
Re: Routing problem
On 2/8/07, Bill Moran [EMAIL PROTECTED] wrote:
> [...]
> Consider providing more details, such as the output of ifconfig and netstat -rn. Sure sounds like a routing issue, but I doubt anyone can say anything more without details.

You are right.

ifconfig
--
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 212.25.37.96 netmask 0xffffff00 broadcast 212.25.37.255
        inet 192.168.67.41 netmask 0xfffffc00 broadcast 192.168.67.255
        ether 00:17:31:e7:92:18
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        ether 00:50:bf:d5:f1:33
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            212.25.37.1        UGS         0   458268    rl0
10/24              link#2             UC          0        0    rl1
10.0.0.2           00:15:60:ae:f7:61  UHLW        1   231827    rl1    922
10.0.0.3           00:17:08:2d:08:26  UHLW        1     1686    rl1   1004
10.0.0.255         ff:ff:ff:ff:ff:ff  UHLWb       1       67    rl1
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.168.64/22      link#1             UC          0        0    rl0
192.168.64.1       00:02:a5:90:a9:b6  UHLW        1        0    rl0   1200
192.168.64.3       00:17:08:58:83:8d  UHLW        1        0    rl0   1113
212.25.37          link#1             UC          0        0    rl0
212.25.37.1        00:02:a5:90:a9:b6  UHLW        2        0    rl0   1195

In this case I can't access anything from 192.168.64/22

rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 192.168.67.41 netmask 0xfffffc00 broadcast 192.168.67.255
        ether 00:17:31:e7:92:18
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        ether 00:50:bf:d5:f1:33
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
10/24              link#2             UC          0        0    rl1
10.0.0.2           00:15:60:ae:f7:61  UHLW        1   232034    rl1    784
10.0.0.3           00:17:08:2d:08:26  UHLW        1     1712    rl1    866
10.0.0.255         ff:ff:ff:ff:ff:ff  UHLWb       1       67    rl1
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.168.64/22      link#1             UC          0        0    rl0

In this case I don't have internet, but I can access 192.168.64/22

-- 
George Vanev
Re: Routing problem
In response to George Vanev [EMAIL PROTECTED]:
> [...]
> You are right.
>
> [...]
>
> In this case I can't access anything from 192.168.64/22

Nothing?

You're able to arp 192.168.64.1 and 192.168.64.3, can you ping them?

Since you have an RFC-1918 address on both the inside and the outside, I assume you're running nat on this machine to translate internal machine traffic. It looks like you have all the routes you need, so my _guess_ at this point is that when the public address is up, the nat is preventing traffic from going out that interface without being translated. Once it has a public address, it can't route properly on the 192.168.64/22 space.

Have a look at what you're using for nat. If you can't see anything obviously at odds, post your nat/firewall/related config.

-- 
Bill Moran
Collaborative Fusion Inc.
Re: Routing problem
> Nothing?
>
> You're able to arp 192.168.64.1 and 192.168.64.3, can you ping them?
>
> [...]
>
> Have a look at what you're using for nat. If you can't see anything obviously at odds, post your nat/firewall/related config.

No, I can't ping them. Just to be sure I switched off the natd... It's the same.

I want the FreeBSD box to connect to both - internet and 192.168.64/22 - and then I'll think of the nat

-- 
George Vanev
Re: Routing problem
On Thu, Feb 08, 2007 at 12:10:07PM +0200, George Vanev wrote:
> I have a FreeBSD 6.2 box with 1 NIC and 2 IPs. The first IP is to access the internet, the second is for the ISP's LAN. Unfortunately I have internet, but no access to the other network.

We need network IP configuration details; ie addresses, netmasks, et al.

-- 
Jonathan Chen [EMAIL PROTECTED]
--
Opportunity does not knock, it presents itself when you beat down the door - W.E. Channing
RE: Routing problem
In answer to my own question. When I disable the firewall on the server the routing issue is instantly resolved. However for 90% of the time the firewall runs without any apparent problems... I will start a new thread of conversation and ask my now firewall-related problem. Sorry for my apparent thickness :)

> Hi,
>
> I am running a 5.4 box as a gateway server / firewall / mail relay at our company. Previously we had a 4.3-beta server which, although horribly outdated, hardly ever gave us any problems. Since replacing it with a Dell 850 and installing 5.4 I have experienced intermittent routing issues. The box will stop routing traffic correctly (I have included the output of a ping below). I initially thought that the box was just dropping the packets but after running a trafshow I saw that this was not the case.
Re: Routing Problem
Gustafson, Tim wrote:
> I know it can be done. I have a feeling that the FreeBSD TCP stack lacks the capability.

If you are looking for multiple routes to the same destination, you are correct. I believe that if you see the thread on net@ from 03/01/04 with the subject "My planned work on networking stack":

<quote>
[] move IPv4 routing to its own optimized routing table structure and add multi-path and policy-routing options. (planned)
</quote>

I think this is the feature you are looking for: multi-path. I am also not sure of the status of this.

There are some hackish ways of dealing with this: eg.

route add 0.0.0.0/1 router1
route add 128.0.0.0/1 router2

(or some such hideous incantation)

If you want to get real nasty, I would try some jiggery pokery with vlans/ng_one2many:

# receiving is done with public ips (all the same here as your current config)
router1  vlan0    pubip1
router2  vlan0    pubip2
server   vlan0    pubip1/2

# transmitting is done through faked gateway 50% load each
router1  vlan1    10.0.0.1
router2  vlan2    10.0.0.1
server   vlan1/2  10.0.0.2
route add default 10.0.0.1

You'll need to be sure that both upstream providers will route either ip address though. Also, there is no dynamic type of functionality on this; if one of the links goes down, you'll lose 50% of your traffic. You could probably rig up a script to notify netgraph when the remote g/w goes down though.

I've never tried this, but it seems this wouldn't be a bad way to start if you've got some time on your hands.

Cheers,
Derek
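What the single default route, Derek's two /1 halves and the "policy routing" he quotes actually do to a reply packet is easier to see on a model than in prose. The following is an added example, not code from the thread or from FreeBSD: a destination-keyed longest-prefix-match table built from the two subnets and routers Tim gives in his original message further down (1.2.3.24/25 via 1.2.3.1, 4.5.6.106/29 via 4.5.6.105), compared with a per-source-address table. The client addresses are constructed. The measurement it makes is the share of replies that leave through the router which does not serve the local address the client connected to; those replies carry a source address from the other provider's block, which is exactly what upstream ingress filtering is designed to drop.

```python
"""How a reply packet picks its next hop on a host with two uplinks.

Added example, not code from the thread or from FreeBSD. The two subnets and
routers are the ones from Tim's original message (1.2.3.24/25 via 1.2.3.1,
4.5.6.106/29 via 4.5.6.105); client addresses are constructed.
"""
import ipaddress


class RouteTable:
    """Minimal IPv4 forwarding table with longest-prefix-match lookup keyed on
    the destination address alone, which is what one kernel routing table does."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, gateway):
        self.routes.append((ipaddress.ip_network(prefix), gateway))
        return self

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        best = None
        for net, gw in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        return best[1] if best else None


def connected_routes():
    """The two directly attached subnets every configuration below shares."""
    return (RouteTable()
            .add("1.2.3.0/25", "link:1.2.3.0/25")        # holds 1.2.3.24 and router 1.2.3.1
            .add("4.5.6.104/29", "link:4.5.6.104/29"))   # holds 4.5.6.106 and router 4.5.6.105


def single_default():
    """Tim's current setup: one default gateway."""
    return connected_routes().add("0.0.0.0/0", "1.2.3.1")


def split_default():
    """Derek's hack: route add 0.0.0.0/1 router1; route add 128.0.0.0/1 router2."""
    return connected_routes().add("0.0.0.0/1", "1.2.3.1").add("128.0.0.0/1", "4.5.6.105")


def reply_gateway(table, src, dst):
    """Next hop for a reply sent from local address `src` to client `dst`.
    `src` is deliberately unused: a destination-keyed table cannot see it."""
    return table.lookup(dst)


class PolicyRouter:
    """One table per local address: the per-source selection the thread calls
    policy routing. The reply leaves through the router that serves whichever
    local address the client connected to."""

    def __init__(self):
        self.by_source = {}

    def add_source(self, local_addr, table):
        self.by_source[ipaddress.ip_address(local_addr)] = table
        return self

    def reply_gateway(self, src, dst):
        table = self.by_source.get(ipaddress.ip_address(src))
        if table is None:
            raise ValueError(f"no routing table for local address {src}")
        return table.lookup(dst)


def policy_router():
    return (PolicyRouter()
            .add_source("1.2.3.24", connected_routes().add("0.0.0.0/0", "1.2.3.1"))
            .add_source("4.5.6.106", connected_routes().add("0.0.0.0/0", "4.5.6.105")))


# Which router serves each local address, and constructed client addresses
# (two below 128.0.0.0, two above, so Derek's halves split them evenly).
EXPECTED_ROUTER = {"1.2.3.24": "1.2.3.1", "4.5.6.106": "4.5.6.105"}
CLIENTS = ["100.64.0.9", "100.64.0.10", "198.51.100.7", "203.0.113.9"]


def misrouted_share(next_hop, expected_router=EXPECTED_ROUTER, clients=CLIENTS):
    """Fraction of (local address, client) pairs whose reply leaves via the
    router that does not serve that local address."""
    pairs = [(local, c) for local in expected_router for c in clients]
    bad = sum(1 for local, c in pairs if next_hop(local, c) != expected_router[local])
    return bad / len(pairs)


if __name__ == "__main__":
    for name, hop in (
        ("single default", lambda s, d: reply_gateway(single_default(), s, d)),
        ("two /1 halves", lambda s, d: reply_gateway(split_default(), s, d)),
        ("per-source table", policy_router().reply_gateway),
    ):
        print(f"{name:17s} replies leaving via the wrong uplink: {misrouted_share(hop):.0%}")
```

With one default route every reply from 4.5.6.106 leaves via 1.2.3.1, which matches what Tim reports: 4.5.6.105 is reachable (it is on a connected subnet) while 4.5.6.106 is not reachable from outside. The two-halves hack does not repair that; it only changes which half of each address's replies go the wrong way, so the share stays at one half, which is also why Derek expects to lose half the traffic when one link drops. Only the per-source table brings the share to zero. In practice pf's route-to and reply-to rules, present in FreeBSD since pf was imported into the 5.x branch, make this per-source choice without touching the kernel table; the thread itself does not mention them.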
Re: Routing Problem
I'm confused.. if you have two T1s, then are you using /30s for the ranges? If so.. what about not giving a default gateway for either one and just adding routes... Are you attempting to utilize this as just a router?

There's a section that covers setting up routing on interfaces in the handbook:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-routing.html

Hope this helps

T

- Original Message -
From: Gustafson, Tim [EMAIL PROTECTED]
To: freebsd-questions@freebsd.org
Sent: Tuesday, February 01, 2005 5:35 PM
Subject: Routing Problem

I am having a problem setting up a multi-homed host. I have two separate T1 internet connections, and one physical NIC in my FreeBSD box. The two networks are as follows:

Connection 1:
LAN Address: 1.2.3.24/25
Router Address: 1.2.3.1

Connection 2:
LAN Address: 4.5.6.106/29
Router Address: 4.5.6.105

I would like to set up my FreeBSD box so that I can connect to either LAN address from the outside world. The problem is that I cannot specify two default gateways.

Right now, I have 1.2.3.1 set up as a default gateway, and I can get to the 1.2.3.24 IP from the outside world. However, I can't get to 4.5.6.106. I can't even ping it. From the FreeBSD box, I can ping 4.5.6.105, and from the outside world I can ping 4.5.6.105, but I can't ping 4.5.6.106 from the outside world.

Is there any way to make this work? How can I make FreeBSD have two default gateways? I read somewhere about being able to set up source routing, but I haven't been able to find any HOWTO's about that.

Any help is greatly appreciated.
RE: Routing Problem
Thomas,

No, I'm not using this box as a router. It is a web server, and I need to spread the load of my web traffic across two separate T1s.

I can't just add routes. You need a default route, or parts of the internet would become inaccessible. In my case, you need TWO default routes.

I have set up Cisco equipment and Windows workstations with two default routes in the past, and it has worked. In fact, I have one Windows box right now that is configured on both these networks with two default gateways, and it is working. There has to be a way to make it work on FreeBSD.

Tim Gustafson
MEI Technology Consulting, Inc
[EMAIL PROTECTED]
(516) 379-0001 Office
(516) 480-1870 Mobile/Emergencies
(516) 908-4185 Fax
http://www.meitech.com/

-----Original Message-----
From: Thomas Foster [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 02, 2005 4:48 AM
To: Gustafson, Tim
Cc: [EMAIL PROTECTED]
Subject: Re: Routing Problem

[...]
Re: Routing Problem
Hi Tim..

If you have multiple interfaces and you configure a default gateway for each interface, the default metric determination that is based on the speed of the interface usually uses the fastest interface for default gateway traffic. This is usually desirable in configurations in which the computer is connected to the same network. This behavior can become a problem when the computer exists on two or more disjointed networks (networks that do not provide symmetric reachability on layer 3). Symmetric reachability exists when packets can be sent to and received from an arbitrary destination.

Because the TCP/IP version 4 protocol uses a single default route in FreeBSD's routing table at any one time for default route traffic, default routers configured on multiple interfaces connected to two or more disjointed networks can wreak routing traffic havoc.

In FreeBSD, you can manually configure the routing table for the individual interfaces.. but it sounds to me as if you are attempting to use two ethernet interfaces connected to two disjointed networks connected to routers with two separate subnets in order to balance http requests to one server.. is this the case? I guess I am not fully understanding your configuration ...

T.

- Original Message -
From: Gustafson, Tim [EMAIL PROTECTED]
To: Thomas Foster [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, February 02, 2005 4:06 AM
Subject: RE: Routing Problem

[...]
RE: Routing Problem
Thomas (and John too),

Let me clarify a little bit. What I have is this:

A single FreeBSD web server with a single NIC in it
Two T1 routers, each with a different subnet.

My FreeBSD box has two IP addresses assigned to it, one from the first subnet and one from the second subnet. I want to use round-robin DNS to direct half my web traffic to the first IP and half to the second IP.

As I said to John in a private e-mail earlier this morning, I have a Windows 2000 box that is doing exactly this with these two subnets right now. I know it can be done. I have a feeling that the FreeBSD TCP stack lacks the capability. By the way, this also works with Cisco hardware. I have used Cisco equipment in this same configuration in the past.

I think the way it SHOULD work is that you should be able to give a FreeBSD box multiple default gateways. When FreeBSD gets a packet to an IP on the first subnet, it should use the default gateway that is also on that subnet. When FreeBSD gets a packet to an IP on the second subnet, it should use the second default gateway. This seems to be the logic that Windows (and Cisco) uses.

Tim Gustafson
MEI Technology Consulting, Inc
[EMAIL PROTECTED]
(516) 379-0001 Office
(516) 480-1870 Mobile/Emergencies
(516) 908-4185 Fax
http://www.meitech.com/

-----Original Message-----
From: Thomas Foster [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 02, 2005 7:57 AM
To: Gustafson, Tim
Cc: [EMAIL PROTECTED]
Subject: Re: Routing Problem

[...]
Re: Routing Problem
Sounds like the man page for routed might be what you seek: http://www.freebsd.org/cgi/man.cgi?query=routed&sektion=8

T

----- Original Message -----
From: Gustafson, Tim [EMAIL PROTECTED]
To: Thomas Foster [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, February 02, 2005 5:02 AM
Subject: RE: Routing Problem

Thomas (and John too),

Let me clarify a little bit. What I have is this:

A single FreeBSD web server with a single NIC in it
Two T1 routers, each with a different subnet.

My FreeBSD box has two IP addresses assigned to it, one from the first subnet and one from the second subnet. I want to use round-robin DNS to direct half my web traffic to the first IP and half to the second IP.

As I said to John in a private e-mail earlier this morning, I have a Windows 2000 box that is doing exactly this with these two subnets right now. I know it can be done. I have a feeling that the FreeBSD TCP stack lacks the capability. By the way, this also works with Cisco hardware. I have used Cisco equipment in this same configuration in the past.

I think the way it SHOULD work is that you should be able to give a FreeBSD box multiple default gateways. When FreeBSD gets a packet to an IP on the first subnet, it should use the default gateway that is also on that subnet. When FreeBSD gets a packet to an IP on the second subnet, it should use the second default gateway. This seems to be the logic that Windows (and Cisco) uses.

Tim Gustafson
MEI Technology Consulting, Inc
[EMAIL PROTECTED]
(516) 379-0001 Office
(516) 480-1870 Mobile/Emergencies
(516) 908-4185 Fax
http://www.meitech.com/

-----Original Message-----
From: Thomas Foster [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 02, 2005 7:57 AM
To: Gustafson, Tim
Cc: [EMAIL PROTECTED]
Subject: Re: Routing Problem

Hi Tim..
If you have multiple interfaces and you configure a default gateway for each interface, the default metric determination that is based on the speed of the interface usually uses the fastest interface for default gateway traffic. This is usually desirable in configurations in which the computer is connected to the same network. This behavior can become a problem when the computer exists on two or more disjointed networks (networks that do not provide symmetric reachability on layer 3). Symmetric reachability exists when packets can be sent to and received from an arbitrary destination. Because the TCP/IP version 4 protocol uses a single default route in FreeBSD's routing table at any one time for default route traffic, default routers configured on multiple interfaces connected to two or more disjointed networks can wreak routing traffic havoc.

In FreeBSD, you can manually configure the routing table for the individual interfaces.. but it sounds to me as if you are attempting to use two ethernet interfaces connected to two disjointed networks connected to routers with two separate subnets in order to balance http requests to one server.. is this the case? I guess I am not fully understanding your configuration ...

T.

----- Original Message -----
From: Gustafson, Tim [EMAIL PROTECTED]
To: Thomas Foster [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, February 02, 2005 4:06 AM
Subject: RE: Routing Problem

Thomas,

No, I'm not using this box as a router. It is a web server, and I need to spread the load of my web traffic across two separate T1s. I can't just add routes. You need a default route, or parts of the internet would become inaccessible. In my case, you need TWO default routes. I have set up Cisco equipment and Windows workstations with two default routes in the past, and it has worked. In fact, I have one Windows box right now that is configured on both these networks with two default gateways, and it is working. There has to be a way to make it work on FreeBSD.
Tim Gustafson
MEI Technology Consulting, Inc
[EMAIL PROTECTED]
(516) 379-0001 Office
(516) 480-1870 Mobile/Emergencies
(516) 908-4185 Fax
http://www.meitech.com/

-----Original Message-----
From: Thomas Foster [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 02, 2005 4:48 AM
To: Gustafson, Tim
Cc: [EMAIL PROTECTED]
Subject: Re: Routing Problem

I'm confused.. if you have two T1s, then are you using /30s for the ranges? If so.. what about not giving a default gateway for either one and just adding routes... Are you attempting to utilize this as just a router?

There's a section that covers setting up routing on interfaces in the handbook: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-routing.html

Hope this helps

T

----- Original Message -----
From: Gustafson, Tim [EMAIL PROTECTED]
To: freebsd-questions@freebsd.org
Sent: Tuesday, February 01, 2005 5:35 PM
Subject: Routing Problem

I am having a problem setting up a multi-homed host. I have two separate T1 internet connections, and one physical NIC in my FreeBSD box. The two networks are as follows:

Connection 1: LAN Address: 1.2.3.24/25 Router Address: 1.2.3.1
Connection
Re: Routing problem on 3 homed host
You should add on your router the following routes:

192.168.1.0/24
192.168.2.0/24

with gateway 192.168.0.2 (interface firewall). Your router doesn't know where to return the packets to. And your firewall needs to route 0.0.0.0 to 192.168.0.1 (router interface). Your CIDR is good. These changes should make it work. Use tracert or traceroute to see at which hop it goes wrong.

Regards
Patrick

Hi, I am really having problems with this, any help appreciated.

Amended repost of ipnat port forwarding problem

The configuration:

Router: This is a dedicated ADSL router with integrated firewall and NAT. The firewall cannot be configured other than turning ports on and off for traffic from the internet and routing traffic to specific hosts. All traffic is sent to the firewall.

Firewall: This firewall is an i386 arch FreeBSD 5.3 build currently running ipf and ipnat and sits on the three networks 192.168.0.0/24, 192.168.1.0/24 and 192.168.2.0/24 (This may be wrong, I am unsure of CIDR - please advise if it is).

rc.conf:
gateway_enable=YES
ipf_enable=YES
ipnat_enable=YES

No nameserver setup; all info in hosts files except for 192.168.0.1 for traffic to and from the internet.

resolv.conf:
domain somenet.com
nameserver 192.168.0.2
nameserver 192.168.0.1

ipnat.rules:
map dc0 192.168.2.0/24 -> 192.168.0.2/32 portmap tcp/udp 1:2
map dc0 192.168.2.0/24 -> 192.168.0.2/32
map dc0 192.168.1.0/24 -> 192.168.0.2/32 portmap tcp/udp 20001:4
map dc0 192.168.1.0/24 -> 192.168.0.2/32

ipf.rules: - wide open until I can get this working
pass out quick all
pass in quick all

The setup (simplified; redrawn as a list from the original diagram):
Internet
Router: IP x.x.x.x (outside), IP 192.168.0.1 (inside)
Laptop: IP 192.168.0.10
Firewall: IP 192.168.0.2 IF dc0; IP 192.168.1.2 IF dc1; IP 192.168.2.2 IF rl0
DMZ Host: IP 192.168.1.10 (behind dc1)
Switch (behind rl0)
Pri Host (behind the switch)

The problem:

The firewall can ping the router, dmz host and private host and can retrieve html pages from the internet.
The laptop can ping the firewall
The dmz host can ping the firewall
The private host can ping the firewall
The dmz host and private host cannot ping the router or retrieve pages from the internet. (No route to host)

Is there something else that I need to set up or do to enable routing the packets between the 3 networks?

Any help greatly appreciated.

- Tim Preece.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
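The two threads above come down to the same forwarding rule: the kernel picks a next hop by longest-prefix match on the destination address, and there is exactly one default route, so the source address a reply carries has no say unless something outside the routing table (a pf `reply-to` option, or an ipfw `fwd` rule keyed on the source) gives it one; and a reply only comes back if every router on the return path holds a route for the private network it is addressed to. The following is an added example, not code from either post and not FreeBSD code: a small Python model of that lookup. It uses the addresses posted in the two threads (1.2.3.24/25 with router 1.2.3.1 and 4.5.6.106/29 with router 4.5.6.105; the 192.168.0.0/24, 192.168.1.0/24 and 192.168.2.0/24 firewall with router 192.168.0.1) plus a constructed 203.0.113.0/24 standing in for the Internet; interface names other than dc0, dc1 and rl0 are assumed.

```python
"""Added example for the two threads above; not code from either post.

It models the FreeBSD forwarding decision as a longest-prefix-match lookup
over a table holding one default route, adds the per-source policy lookup
that a pf 'reply-to' or ipfw 'fwd' rule supplies, and walks a packet hop by
hop so that a missing return route on the ADSL router shows up as a drop.
203.0.113.0/24 stands in for the Internet and is constructed, as are the
interface names other than dc0/dc1/rl0.
"""
import ipaddress

LINK = "link"  # directly connected: hand the packet to the destination itself


class RoutingTable:
    """Longest-prefix match over (prefix, gateway, interface) entries."""

    def __init__(self, routes):
        parsed = [(ipaddress.ip_network(p), gw, ifn) for p, gw, ifn in routes]
        # Most specific prefix first, so the first hit wins.
        self.routes = sorted(parsed, key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        for net, gw, ifn in self.routes:
            if addr in net:
                return gw, ifn
        return None  # what the stack reports as "No route to host"


class Node:
    """A host or router: one routing table plus an optional source policy."""

    def __init__(self, routes, policy=None):
        self.table = RoutingTable(routes)
        # policy maps a local source address to (gateway, interface) and is
        # consulted before the table, like pf reply-to / ipfw fwd keyed on src.
        self.policy = policy or {}

    def next_hop(self, src, dst):
        return self.policy.get(src) or self.table.lookup(dst)


def trace(start, src, dst, nodes, owner, max_hops=16):
    """Walk src->dst from node 'start'; the last element says how it ended."""
    path, node = [start], start
    for _ in range(max_hops):
        hop = nodes[node].next_hop(src, dst)
        if hop is None:
            return path + ["DROP: no route on %s" % node]
        gw, _ifn = hop
        target = dst if gw == LINK else gw
        if target not in owner:
            return path + ["DROP: next hop %s unreachable" % target]
        node = owner[target]
        path.append(node)
        if node == owner.get(dst):
            return path + ["DELIVERED"]
    return path + ["DROP: hop limit"]


# Thread 1: one NIC with two addresses, two upstream routers, one default route.
def web_server(policy=None):
    return Node([("1.2.3.0/25", LINK, "fxp0"), ("4.5.6.104/29", LINK, "fxp0"),
                 ("0.0.0.0/0", "1.2.3.1", "fxp0")], policy)

def egress_for(src, policy=None):
    """Gateway a reply sourced from local address src takes to the Internet."""
    return web_server(policy).next_hop(src, "203.0.113.7")[0]

# What a pf 'reply-to (fxp0 4.5.6.105)' rule for 4.5.6.106 amounts to.
REPLY_TO = {"4.5.6.106": ("4.5.6.105", "fxp0")}


# Thread 2: three-homed firewall behind an ADSL router.
def build_network(firewall_default, router_return_routes):
    fw = [("192.168.0.0/24", LINK, "dc0"), ("192.168.1.0/24", LINK, "dc1"),
          ("192.168.2.0/24", LINK, "rl0")]
    if firewall_default:
        fw.append(("0.0.0.0/0", "192.168.0.1", "dc0"))
    rt = [("192.168.0.0/24", LINK, "lan"), ("0.0.0.0/0", "203.0.113.1", "adsl")]
    if router_return_routes:  # the two static routes Patrick asks for
        rt += [("192.168.1.0/24", "192.168.0.2", "lan"),
               ("192.168.2.0/24", "192.168.0.2", "lan")]
    nodes = {"dmzhost": Node([("192.168.1.0/24", LINK, "eth"),
                              ("0.0.0.0/0", "192.168.1.2", "eth")]),
             "firewall": Node(fw), "router": Node(rt),
             "internet": Node([("203.0.113.0/24", LINK, "isp")])}
    owner = {"192.168.1.10": "dmzhost", "192.168.0.2": "firewall",
             "192.168.1.2": "firewall", "192.168.2.2": "firewall",
             "192.168.0.1": "router", "203.0.113.1": "internet",
             "203.0.113.7": "internet"}
    return nodes, owner

def round_trip(firewall_default, router_return_routes):
    """(outbound path, reply path) for the DMZ host talking to 203.0.113.7."""
    nodes, owner = build_network(firewall_default, router_return_routes)
    out = trace("dmzhost", "192.168.1.10", "203.0.113.7", nodes, owner)
    # The reply is traced from the router, where it arrives back from the ISP.
    back = trace("router", "203.0.113.7", "192.168.1.10", nodes, owner)
    return out, back


if __name__ == "__main__":
    print("reply from 4.5.6.106 leaves via", egress_for("4.5.6.106"),
          "/ with reply-to policy:", egress_for("4.5.6.106", REPLY_TO))
    for fw_def, rt_ret in ((False, False), (True, False), (True, True)):
        print(fw_def, rt_ret, round_trip(fw_def, rt_ret))
```

Run as a script, the first line shows a reply sourced from 4.5.6.106 leaving through 1.2.3.1, the one default route, which is why Tim's round-robin idea cannot work with plain routes; the policy entry is what a pf rule of the form `pass in on fxp0 reply-to (fxp0 4.5.6.105) from any to 4.5.6.106 keep state` adds, and an ipfw `fwd 4.5.6.105` rule matched on `from 4.5.6.106` does the same job. For the three-homed firewall the traces show the outbound packet dying at a firewall with no default route, then the reply dying at the ISP when the ADSL router has no route back to 192.168.1.0/24, then both legs completing with Patrick's two static routes. One caveat: if the posted ipnat rules really do translate 192.168.1.0/24 and 192.168.2.0/24 to 192.168.0.2 on dc0, the router only ever sees 192.168.0.2 and the return routes matter only for traffic that is not translated.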
Re: Routing problem in IPv4/IPSec VPN environment
----- Original Message -----
From: James P. Howard, II [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, June 29, 2004 2:57 PM
Subject: Routing problem in IPv4/IPSec VPN environment

As a personal favor, I am building a VPN for a small business. I have chosen FreeBSD for this due to my greater familiarity. The project will consist of linking four sites, each with a FreeBSD system providing DHCP, NAT, and VPN services. I have built DHCP and NAT servers before, but the IPSec and VPN is new to me.

Right now, the first two systems are nearly complete. The two machines are named goldengate and waltwhitman. Here's the IP config, currently:

goldengate: external 192.168.1.101, internal 10.1.1.1
waltwhitman: external 192.168.1.102, internal 10.1.2.1

The external interfaces are in the reserved space because testing is taking place behind a cable/DSL router providing NAT services. The output of gifconfig -a; ifconfig -a; netstat -rn for each will be provided at the end of this message.

IPSec, with Racoon, is properly exchanging keys. From goldengate, I can ping 10.1.2.1 and from waltwhitman I can ping 10.1.1.1. If a Windows computer is connected behind either system, they receive an IP (10.1.x.254, where x is the network number). The problem is, if behind the 10.1.2.1 firewall, I cannot ping 10.1.1.1 and vice-versa. I assume, at this point, this is some type of routing issue and not a problem with IPSec. This seems to be confirmed by the fact that tracerouting to the local internal interface goes through the *other* internal interface first:

snip

Not to be disrespectful, but did you do what I've done in the past and forget to enable forwarding so the systems can route traffic?

[EMAIL PROTECTED]/sysctl -a | grep forward
net.inet.ip.forwarding: 1

If not, make sure that gateway_enable=YES in rc.conf and reboot, or sysctl net.inet.ip.forwarding=1 from the command line to enable it without a reboot.
--
Micheal Patterson
TSG Network Administration
405-917-0600
RE: Routing problem in IPv4/IPSec VPN environment
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html

Essentially, once the gif tunnel has been established you just need to add an additional route for the specific gif interface from each server to the other's remote subnet, using the external IP of the remote subnet as the gateway. I also found that the gateway_enable sysctl option had to be turned on for the packet traversal from behind a natted server.

Hope this helps

T

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James P. Howard, II
Sent: Tuesday, June 29, 2004 12:57 PM
To: [EMAIL PROTECTED]
Subject: Routing problem in IPv4/IPSec VPN environment

As a personal favor, I am building a VPN for a small business. I have chosen FreeBSD for this due to my greater familiarity. The project will consist of linking four sites, each with a FreeBSD system providing DHCP, NAT, and VPN services. I have built DHCP and NAT servers before, but the IPSec and VPN is new to me.

Right now, the first two systems are nearly complete. The two machines are named goldengate and waltwhitman. Here's the IP config, currently:

goldengate: external 192.168.1.101, internal 10.1.1.1
waltwhitman: external 192.168.1.102, internal 10.1.2.1

The external interfaces are in the reserved space because testing is taking place behind a cable/DSL router providing NAT services. The output of gifconfig -a; ifconfig -a; netstat -rn for each will be provided at the end of this message.

IPSec, with Racoon, is properly exchanging keys. From goldengate, I can ping 10.1.2.1 and from waltwhitman I can ping 10.1.1.1. If a Windows computer is connected behind either system, they receive an IP (10.1.x.254, where x is the network number). The problem is, if behind the 10.1.2.1 firewall, I cannot ping 10.1.1.1 and vice-versa. I assume, at this point, this is some type of routing issue and not a problem with IPSec.
This seems to be confirmed by the fact that tracerouting to the local internal interface goes through the *other* internal interface first:

waltwhitman$ ifconfig bge1; traceroute 10.1.2.1
bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=3<RXCSUM,TXCSUM>
        inet 10.1.2.1 netmask 0xff00 broadcast 10.1.2.255
        inet6 fe80::209:5bff:fe60:e508%bge1 prefixlen 64 scopeid 0x2
        ether 00:09:5b:60:e5:08
        media: Ethernet autoselect (10baseT/UTP half-duplex)
        status: active
traceroute to 10.1.2.1 (10.1.2.1), 64 hops max, 44 byte packets
 1  10.1.1.1 (10.1.1.1)  0.848 ms  0.736 ms  0.783 ms
 2  10.1.2.1 (10.1.2.1)  1.173 ms  1.262 ms  1.247 ms

The other machine behaves identically, except the numbers are reversed.

At this point, I have reached the limits of my knowledge. Any help would be appreciated.

Thank you,

James

Notes on the output:
IPv6 info removed from netstat output.
There is a third interface in WALTWHITMAN which may break off to a DMZ in the future. No decision has been made and won't be for some time. The interface was given the IP 172.16.1.1.
GOLDENGATE:

goldengate$ gifconfig -a; ifconfig -a; netstat -rn
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        inet 10.1.1.1 --> 10.1.2.1 netmask 0x
        inet6 fe80::209:5bff:fe62:714e%gif0 prefixlen 64
        physical address inet 192.168.1.101 --> 192.168.1.102
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=3<RXCSUM,TXCSUM>
        inet 10.1.1.1 netmask 0xff00 broadcast 10.1.1.255
        inet6 fe80::209:5bff:fe62:714e%bge0 prefixlen 64 scopeid 0x1
        ether 00:09:5b:62:71:4e
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=1<RXCSUM>
        inet6 fe80::2b0:d0ff:fe23:5b8d%xl0 prefixlen 64 sc
        inet 192.168.1.101 netmask 0xff00 broadcast 192.168.1.255
        ether 00:b0:d0:23:5b:8d
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff00
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 192.168.1.101 --> 192.168.1.102
        inet 10.1.1.1 --> 10.1.2.1 netmask 0x
        inet6 fe80::209:5bff:fe62:714e%gif0 prefixlen 64 scopeid 0x6

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGSc        3     6082    xl0
10.1.1/24          link#1             UC          2        0   bge0
10.1.1.1           00:09:5b:62:71:4e  UHLW        0      306    lo0
10.1.1.254         link#1             UHLW        2    14933   bge0
10.1.2/24          10.1.2.0           UGSc        0    15578    xl0
10.1.2.1
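Both replies above point at the same two checks, the forwarding sysctl and the route to the far LAN, and the second is visible in the output James posted: the goldengate table's 10.1.2/24 entry leaves through xl0 via 10.1.2.0 rather than through gif0, whether or not that alone explains the traceroute. The following is an added example, not code from the thread or from the handbook: a Python checker that parses `netstat -rn` and `sysctl net.inet.ip.forwarding` output and reports both conditions. SAMPLE_NETSTAT is constructed to match the posted table; its final gif0 host-route line is assumed, because the posted output is cut off after 10.1.2.1, and FIXED_NETSTAT is the same table with the 10.1.2/24 route moved onto gif0.

```python
"""Added example, not code from the thread: check the two things the
replies above point at, IP forwarding and the route to the far LAN,
from the text of 'sysctl net.inet.ip.forwarding' and 'netstat -rn'.
SAMPLE_NETSTAT is constructed after the goldengate table posted above;
its last line (the gif0 host route) is assumed, the posted output ends
at 10.1.2.1. The column layout assumed is the FreeBSD 5.x one:
Destination Gateway Flags Refs Use Netif Expire.
"""
import ipaddress
import re

SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGSc        3     6082    xl0
10.1.1/24          link#1             UC          2        0   bge0
10.1.1.1           00:09:5b:62:71:4e  UHLW        0      306    lo0
10.1.1.254         link#1             UHLW        2    14933   bge0
10.1.2/24          10.1.2.0           UGSc        0    15578    xl0
10.1.2.1           10.1.1.1           UH          0        0   gif0
"""

# The same table with the far LAN pointed through the tunnel instead.
FIXED_NETSTAT = SAMPLE_NETSTAT.replace(
    "10.1.2/24          10.1.2.0           UGSc        0    15578    xl0",
    "10.1.2/24          10.1.2.1           UGSc        0        0   gif0")


def parse_dest(token):
    """Expand netstat shorthand ('default', '10.1.1/24', '10.1.1.1')."""
    if token == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = token.partition("/")
    octets = addr.split(".")
    if not plen:  # no mask printed: a host route, or the classful short form
        plen = "32" if len(octets) == 4 else str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)


def parse_netstat(text):
    """Return (network, gateway, flags, netif) for each IPv4 route."""
    routes, in_inet = [], False
    for line in text.splitlines():
        if line.startswith("Internet:"):
            in_inet = True
            continue
        if line.startswith("Internet6:"):
            break
        cols = line.split()
        if not in_inet or len(cols) < 6 or cols[0] == "Destination":
            continue
        routes.append((parse_dest(cols[0]), cols[1], cols[2], cols[5]))
    return routes


def best_route(routes, dst):
    """Longest-prefix match, the way the kernel would pick a route for dst."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def forwarding_enabled(sysctl_text):
    m = re.search(r"net\.inet\.ip\.forwarding:\s*(\d)", sysctl_text)
    return bool(m) and m.group(1) == "1"


def check_vpn_routing(netstat_text, sysctl_text, remote_lan, tunnel_if):
    """List of findings; empty means forwarding is on and remote_lan is
    reached through tunnel_if."""
    findings = []
    if not forwarding_enabled(sysctl_text):
        findings.append("net.inet.ip.forwarding is 0: set gateway_enable=YES")
    net = ipaddress.ip_network(remote_lan)
    r = best_route(parse_netstat(netstat_text), str(net.network_address))
    if r is None:
        findings.append("no route to %s" % remote_lan)
    elif r[3] != tunnel_if:
        findings.append("route to %s leaves via %s on %s, expected %s"
                        % (remote_lan, r[1], r[3], tunnel_if))
    return findings


if __name__ == "__main__":
    for table in (SAMPLE_NETSTAT, FIXED_NETSTAT):
        print(check_vpn_routing(table, "net.inet.ip.forwarding: 1",
                                "10.1.2.0/24", "gif0") or "ok")
```

On the posted table the checker reports the 10.1.2.0/24 route leaving on xl0; on the corrected table it is quiet. A correct route is necessary but not sufficient: with KAME IPsec the encryption policy lives in the SPD and is applied independently of the route, so `setkey -DP` on both ends belongs in the same check, and the parser assumes the 5.x column layout shown in the posted output.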
Re: Routing problem
LAN clients can access both gateway interfaces by hostname and IP. Clients are set up to use 192.168.1.2 for DNS, and 192.168.1.2 uses 192.168.1.1 for DNS. I cannot get any traffic to reach (let alone pass) the DSL modem from the clients. I have tried this with the FreeBSD gateway, a Win2k gateway, and Linksys router. Under any setup, the result is the same. My ISP's support desk has been absolutely no help. Can anyone tell what the problem may be here? Thanks in advance for any help.

If your ISP is anything like this one, your modem will have NAT translation built in, meaning that is likely your default gateway. On your FBSD router, you never implied that it could/couldn't see the Internet. I take it that if you put a PC into the modem and set its default gateway to 1.1 (the modem probably assigns this via DHCP anyway), then you can get online. If this is the case, then the secondary router is no use unless used as a firewall. In that case, you wouldn't need to route, and you could just set it up as an IP-less bridge firewall.

Regards,

Steve

--
Best Regards,
Joshua Lokken

--
Steve Bertrand
President/CTO, Northumberland Network Services
t: 905.352.2688
w: www.northnetworks.ca
Re: Routing problem
This setup appears a little confusing. Does your ISP give you a static or dynamic IP address to the internet? It would also help to see the interface configuration info in your rc.conf file. Generally speaking, your external interface should have the IP address assigned by your ISP, not a private network address like you describe. You should also have a valid address to a DNS server, rather than being referred to your DSL modem's private IP address.

#my rc.conf (cable modem, with IP dynamically assigned - I'm using 192.168.1.0 as my private network range)
gateway_enable=YES
defaultrouter=192.168.1.1
network_interfaces=fxp0 dc0 lo0
hostname=vesta.bitheaven.net
ifconfig_fxp0=DHCP
ifconfig_dc0=inet 192.168.1.1 netmask 255.255.255.0

If this doesn't help, send more info

On Dec 8, 2003, at 12:22 PM, joshua lokken wrote:

Hello,

Running 4.9-stable. Here is a brief overview of the network I'm setting up.

***Internet***
|
DSL modem (192.168.1.1, netmask 255.255.255.252, assigned by ISP)
|
FreeBSD gateway external (192.168.1.2, netmask 255.255.255.252, assigned by ISP)
|
FreeBSD gateway internal (10.0.0.1, netmask 255.255.255.0)
|
LAN (clients, 10.0.0.x, netmask 255.255.255.0)

LAN clients can access both gateway interfaces by hostname and IP. Clients are set up to use 192.168.1.2 for DNS, and 192.168.1.2 uses 192.168.1.1 for DNS. I cannot get any traffic to reach (let alone pass) the DSL modem from the clients. I have tried this with the FreeBSD gateway, a Win2k gateway, and Linksys router. Under any setup, the result is the same. My ISP's support desk has been absolutely no help. Can anyone tell what the problem may be here? Thanks in advance for any help.

--
Best Regards,
Joshua Lokken
Re: Routing problem
You're right, I didn't explain thoroughly. The FreeBSD gateway can reach the internet. The cable modem and gateway addresses are assigned by the ISP.

My rc.conf:
ifconfig_rl0=DHCP
ifconfig_de0=inet 10.0.0.1 netmask 255.255.255.0
gateway_enable=YES
...

Thank you.

--
Best Regards,
Joshua Lokken

From: Clayton F [EMAIL PROTECTED]
To: joshua lokken [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]
Subject: Re: Routing problem
Date: Mon, 8 Dec 2003 12:52:47 -0800

This setup appears a little confusing. Does your ISP give you a static or dynamic IP address to the internet? It would also help to see the interface configuration info in your rc.conf file. Generally speaking, your external interface should have the IP address assigned by your ISP, not a private network address like you describe. You should also have a valid address to a DNS server, rather than being referred to your DSL modem's private IP address.

#my rc.conf (cable modem, with IP dynamically assigned - I'm using 192.168.1.0 as my private network range)
gateway_enable=YES
defaultrouter=192.168.1.1
network_interfaces=fxp0 dc0 lo0
hostname=vesta.bitheaven.net
ifconfig_fxp0=DHCP
ifconfig_dc0=inet 192.168.1.1 netmask 255.255.255.0

If this doesn't help, send more info

On Dec 8, 2003, at 12:22 PM, joshua lokken wrote:

Hello,

Running 4.9-stable. Here is a brief overview of the network I'm setting up.

***Internet***
|
DSL modem (192.168.1.1, netmask 255.255.255.252, assigned by ISP)
|
FreeBSD gateway external (192.168.1.2, netmask 255.255.255.252, assigned by ISP)
|
FreeBSD gateway internal (10.0.0.1, netmask 255.255.255.0)
|
LAN (clients, 10.0.0.x, netmask 255.255.255.0)

LAN clients can access both gateway interfaces by hostname and IP. Clients are set up to use 192.168.1.2 for DNS, and 192.168.1.2 uses 192.168.1.1 for DNS. I cannot get any traffic to reach (let alone pass) the DSL modem from the clients. I have tried this with the FreeBSD gateway, a Win2k gateway, and Linksys router. Under any setup, the result is the same.
My ISP's support desk has been absolutely no help. Can anyone tell what the problem may be here? Thanks in advance for any help.

--
Best Regards,
Joshua Lokken
Re: Routing problem
From which interface? Try these:

ping google.com (that will ping using the external interface)
ping -S 10.0.0.1 google.com (that will ping using the internal interface)

If one works, but not the other, post your firewall rules and natd command line.

Hello,

The FreeBSD machine is simply passing traffic for the time being, no ipfw, no NAT. I know the name, but not much more about the DSL modem I was given. It's an ARESCOM800, and the service is **wince** MSN DSL. The modem has a very simple html display that gives me the very basics; modem IP (192.168.1.1), netmask (255.255.255.252) and external IP.

rl0 is the modem-facing interface (external) on a FreeBSD 4.9 gateway. de0 is the LAN-facing (internal) interface on the same machine.

/etc/rc.conf says:
ifconfig_rl0=DHCP
ifconfig_de0=inet 10.0.0.1 netmask 255.255.255.0
gateway_enable=YES
defaultrouter=192.168.1.1

I can reach the outside world from both interfaces on the gateway. rl0 is configured thusly (automatically via DHCP): inet 192.168.1.2 netmask 255.255.255.252, with a default gateway of 192.168.1.1.

Clients are configured as follows: inet 10.0.0.x netmask 255.255.255.0, defaultrouter 10.0.0.1

From a client machine on the 10.0.0.0 network, I can ping both de0 and rl0 on the gateway, but I cannot get any traffic past rl0 to the cable modem from the LAN client. That is where my minimal understanding of routing ends. I do not know why I cannot pass traffic to the modem and out. I hope this makes my problem clearer, thanks for the help.

After following up on the above reply, I find that I cannot ping out from the LAN interface (de0, 10.0.0.1). Hmmm, and again, no ipfw or NAT on the FreeBSD firewall.

Joshua
Re: Routing problem.. cisco --fbsd--Lan Experts??
[EMAIL PROTECTED] wrote:

I have a friend with a cisco 827 adsl router. It has config hassles but when that is sorted, we need to setup a freebsd box inside the cisco router to handle a /29 block of ips. 3 questions...

I'm running an identical setup here - a Cisco 827, a /29, and a FreeBSD machine (or two) performing NAT for my LAN.

a) Should I assume the cisco is not the world's greatest firewall and setup the freebsd machine as one (creating a dmz)

The Cisco will be adequate, but I prefer the ease of use and added functions of a FreeBSD machine running IP Filter/IPNAT, but that's just me.

b) The /29 block is routed by the ISP to the cisco device. I guess we need to place a static route on the cisco gadget that directs any of the incoming /29 block requests onto the freebsd box...Correct?

I have my 827 set up as a very basic bridge. This means that instead of the /29 terminating, so to speak, on the 827, each of my allocated IP addresses is available directly on an ethernet interface on one of two FreeBSD machines.

As a partial answer to part C, if you bridge the /29 to the FreeBSD machine, you can easily configure IPF and IPNAT to port-forward to various internet servers as required. Personally, the machine I have performing NAT (with my /29 on one interface and a private /24 on the other) for my internal network also runs various services. It's not an ideal setup, but it is functional and easy to maintain.

Sorry I can't answer the rest of your questions, my brain is still enjoying the aftereffects of a big Friday night :)

--Steven
Re: Routing problem.. cisco --fbsd--Lan Experts??
Hi and thanks,

Cool! I am OK with the fbsd stuff, ipfilter, ipnat etc. I agree it is nice. The small matter of the cisco thing...hmmm! OK...so would it be ok to ask another question or 2 later if today is bad?

I need to know how to bridge the /29 on the cisco. Does it mean I simply install static routing on the cisco by doing something like...

ip classless (default)
ip route 203.44.288.0 255.255.255.248 ethernet0 10.0.0.2
no ip http server (default)

(NOTE: 10.0.0.2 is the ip of the fbsd box, 10.0.0.1 is the ethernet0 ip of the cisco router)

I have read the cisco docs but it is a slightly foreign language to me. I would greatly appreciate it. My balls are now on the line here. I should never volunteer to help!? Am I close?

Keith

[EMAIL PROTECTED] wrote:

I have a friend with a cisco 827 adsl router. It has config hassles but when that is sorted, we need to setup a freebsd box inside the cisco router to handle a /29 block of ips. 3 questions...

I'm running an identical setup here - a Cisco 827, a /29, and a FreeBSD machine (or two) performing NAT for my LAN.

a) Should I assume the cisco is not the world's greatest firewall and setup the freebsd machine as one (creating a dmz)

The Cisco will be adequate, but I prefer the ease of use and added functions of a FreeBSD machine running IP Filter/IPNAT, but that's just me.

b) The /29 block is routed by the ISP to the cisco device. I guess we need to place a static route on the cisco gadget that directs any of the incoming /29 block requests onto the freebsd box...Correct?

I have my 827 set up as a very basic bridge. This means that instead of the /29 terminating, so to speak, on the 827, each of my allocated IP addresses is available directly on an ethernet interface on one of two FreeBSD machines.

As a partial answer to part C, if you bridge the /29 to the FreeBSD machine, you can easily configure IPF and IPNAT to port-forward to various internet servers as required.
Personally, the machine I have performing NAT (with my /29 on one interface and a private /24 on the other) for my internal network also runs various services. It's not an ideal setup, but it is functional and easy to maintain.

Sorry I can't answer the rest of your questions, my brain is still enjoying the aftereffects of a big Friday night :)

--Steven
Re: Routing problem ? Solved
Thx everybody. Problem solved. /Hasse. To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Re: Routing problem ? Solved
On Friday 21 March 2003 15.32, Steve Bertrand wrote:
SB Thx everybody.
SB Problem solved.
SB /Hasse.
SB
SB It would be nice for the people who followed your thread to know what
SB actually resolved the issue. If you could post your fix, it would be
SB appreciated.
SB
SB Tks.
SB
SB Steve
SB

Sorry, will of course do.
I just removed the line and the problem was gone.

Subject: Re: Re: Routing problem ?
Date: Thursday 20 March 2003 21.37
From: Joshua Lokken [EMAIL PROTECTED]
To: Hasse [EMAIL PROTECTED]

* Hasse ([EMAIL PROTECTED]) wrote:
== blanktime=3000
== gateway_enable=YES
== defaultrouter=YES

I believe that you need to set defaultrouter to the IP of your internal interface, ie

defaultrouter=10.0.0.1

right now it's looking for YES as the default route, and I'm pretty sure YES is not a viable route for your network.

[snip - long list of rc.conf options]

HTH,

--
Joshua
Re: Re: Routing problem ? Solved
* Hasse ([EMAIL PROTECTED]) wrote:
== On Friday 21 March 2003 15.32, Steve Bertrand wrote:
== SB Thx everybody.
== SB Problem solved.
== SB /Hasse.
== SB
== SB It would be nice for the people who followed your thread to know what
== SB actually resolved the issue. If you could post your fix, it would be
== SB appreciated.
== SB
== SB Tks.
== SB
== SB Steve
== SB
== Sorry, will of course do.
== I just removed the line and the problem was gone.
==
== Subject: Re: Re: Routing problem ?
== Date: Thursday 20 March 2003 21.37
== From: Joshua Lokken [EMAIL PROTECTED]
== To: Hasse [EMAIL PROTECTED]
==
== * Hasse ([EMAIL PROTECTED]) wrote:
== == blanktime=3000
== == gateway_enable=YES
== == defaultrouter=YES
==
== I believe that you need to set defaultrouter to the IP
== of your internal interface, ie
==
== defaultrouter=10.0.0.1
==
== right now it's looking for YES as the default route, and
== I'm pretty sure YES is not a viable route for your network.
==
== [snip - long list of rc.conf options]
==
== HTH,
==
== --
== Joshua

I'm afraid that was my bad. I was having trouble sending mail to the list until a day or so ago, so I replied to the sender only. Things seem to work now. Apologies.

--
Joshua
Re: Routing problem ?
On Thursday 20 March 2003 17.54, Steve Bertrand wrote:
SB Hi everybody.
SB I have small network at home with two machines connected to the net
SB via ADSL. That means Dynamic IP, though not changing very often.
SB -
SB odin.swedehost.com running FreeBSD 4.8-RC #0 Sun Mar 16 2003
SB Two NICs. xl0 DHCP and NAT-interface, acting as a gateway, doing NAT.
SB ifconfig
SB fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
SB         inet 192.168.1.200 netmask 0xff00 broadcast 192.168.1.255
SB         inet6 fe80::202:b3ff:fe8f:90fd%fxp0 prefixlen 64 scopeid 0x1
SB         ether 00:02:b3:8f:90:fd
SB         media: Ethernet autoselect (100baseTX full-duplex)
SB         status: active
SB xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
SB         options=3<rxcsum,txcsum>
SB         inet6 fe80::201:2ff:fef7:7de8%xl0 prefixlen 64 scopeid 0x2
SB         inet 217.209.211.129 netmask 0xff00 broadcast 217.209.211.255
SB         ether 00:01:02:f7:7d:e8
SB         media: Ethernet autoselect (10baseT/UTP)
SB         status: active
SB lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
SB lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
SB         inet6 ::1 prefixlen 128
SB         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
SB         inet 127.0.0.1 netmask 0xff00
SB ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
SB sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
SB faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
SB
SB thor.swedehost.com running FreeBSD 4.8-RC #1: Fri Mar 7 23:23:21 CET 2003
SB Dualboot with W2k-Server.
SB Two NICs xl0 and fxp0 but only one of them configured.
SB thor# ifconfig
SB xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
SB         options=3<rxcsum,txcsum>
SB         inet 192.168.1.220 netmask 0xff00 broadcast 192.168.1.255
SB         inet6 fe80::204:76ff:fe19:3b1d%xl0 prefixlen 64 scopeid 0x1
SB         ether 00:04:76:19:3b:1d
SB         media: Ethernet autoselect (100baseTX full-duplex)
SB         status: active
SB fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
SB         inet6 fe80::202:b3ff:fe4c:13a4%fxp0 prefixlen 64 scopeid 0x2
SB         ether 00:02:b3:4c:13:a4
SB         media: Ethernet autoselect (none)
SB         status: no carrier
SB lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
SB lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
SB         inet6 ::1 prefixlen 128
SB         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
SB         inet 127.0.0.1 netmask 0xff00
SB ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
SB sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
SB faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
SB -
SB At bootup I get this message:
SB Snip
SB Mar 20 16:50:26 natd[88]: Aliasing to 217.209.211.129, mtu 1500 bytes
SB route: bad address: YES
SB
SB Additional routing options: ignore ICMP redirect=YES log ICMP redirect=YES
SB IP gateway=YES TCP keepalive=YES.
SB Routing daemons:.
SB /Snip
SB -
SB What worries me is the route: bad address: YES part.
SB
SB Does it mean that I have a bad address in my routing table?
SB I have tried to do route -n flush several times and rebooting.
SB Everything is working the way it's supposed to, I think :-)
SB I mean routing, NAT, mail services etc.
SB
SB I'm willing to bet you have a mistyped entry in an rc file. Take a look in
SB /etc/rc.conf and or any other places where you may have manually
SB configured IP's and/or static routes.
SB
SB Steve
SB
SB
SB
SB Preciate some enlightenment on this subject.
SB TiA
SB Geir Svalland.
SB
SB To Unsubscribe: send mail to [EMAIL PROTECTED]
SB with "unsubscribe freebsd-questions" in the body of the message

Hi again. And thanks for the quick response to my question.

As far as I know, I haven't configured any IPs or routes anywhere other than /etc/rc.conf, and here they come: first for odin (gateway), then thor, the 2nd machine.

--
# This file now contains just the overrides from /etc/defaults/rc.conf.
blanktime="3000"
gateway_enable="YES"
defaultrouter="YES"
hostname="odin.swedehost.com"
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="OPEN"
firewall_logging="YES"
ipv6_firewall_enable="YES"
ipv6_firewall_type="OPEN"
ipv6_firewall_script="/etc/rc.firewall6"
ipv6_firewall_logging="YES"
ifconfig_xl0="DHCP"
ifconfig_fxp0="inet 192.168.1.200 netmask 255.255.255.0"
inetd_enable="YES"
ipv6_enable="YES"
named_enable="YES"
named_program="/usr/sbin/named"
named_flags="-u bind -g bind"
natd_enable="YES"
natd_interface="xl0"
natd_flags="-dynamic"
kern_securelevel_enable="NO"
keymap="swedish.iso"
keyrate="fast"
linux_enable="YES"
lpd_enable="YES"
moused_enable="YES"
moused_port="/dev/psm0"
ntpdate_enable="YES"
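The boot message and the rc.conf above line up: rc.conf(5) expects defaultrouter to be NO or the router's hostname or IP address, and /etc/rc.network hands that value straight to route(8), which is what prints "route: bad address: YES". The script below is an added example, not code from this thread or from FreeBSD. It lints an rc.conf for exactly that kind of value and also checks that natd_interface names an interface the file configures. The embedded sample is the gateway's rc.conf as posted, trimmed to the network keys; the function names are this example's own.

```shell
#!/bin/sh
# rcconf_lint: catch rc.conf values that /etc/rc.network will hand to
# route(8) unchanged. Added example, not code from the thread. The
# sample below is the posted gateway rc.conf trimmed to the network keys
# so the script runs offline; on a real box point lint_rcconf at
# /etc/rc.conf instead.

SAMPLE_RCCONF='gateway_enable="YES"
defaultrouter="YES"
hostname="odin.swedehost.com"
ifconfig_xl0="DHCP"
ifconfig_fxp0="inet 192.168.1.200 netmask 255.255.255.0"
natd_enable="YES"
natd_interface="xl0"
natd_flags="-dynamic"'

# rc_get FILE KEY -> value of KEY with surrounding quotes removed
# (last assignment wins, as in the shell); empty if KEY is unset
rc_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# is_ipv4 STRING -> 0 if STRING is a dotted quad with octets 0..255
is_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# check_defaultrouter FILE -> 0 if defaultrouter is unset, NO, an IPv4
# address or a hostname; 1 for YES (rc.conf(5) wants an address here,
# and route(8) reports exactly "route: bad address: YES" for it)
check_defaultrouter() {
    value=$(rc_get "$1" defaultrouter)
    case $value in
        ''|[Nn][Oo]) return 0 ;;
        [Yy][Ee][Ss]) return 1 ;;
    esac
    is_ipv4 "$value" && return 0
    case $value in
        *[!A-Za-z0-9.-]*) return 1 ;;   # not something a resolver could take
        *) return 0 ;;
    esac
}

# check_natd_interface FILE -> 0 if natd_interface names an interface
# that the same file configures through ifconfig_<if>
check_natd_interface() {
    iface=$(rc_get "$1" natd_interface)
    [ -n "$iface" ] || return 1
    [ -n "$(rc_get "$1" "ifconfig_$iface")" ]
}

# lint_rcconf FILE -> 0 if every check passes; prints each failure, returns 1
lint_rcconf() {
    status=0
    if ! check_defaultrouter "$1"; then
        bad=$(rc_get "$1" defaultrouter)
        echo "defaultrouter=\"$bad\": must be NO, a hostname or an IP address"
        status=1
    fi
    if ! check_natd_interface "$1"; then
        echo "natd_interface does not name an interface configured in this file"
        status=1
    fi
    return $status
}

# Run the lint over the posted configuration (use /etc/rc.conf on the box)
rc_tmp=$(mktemp)
printf '%s\n' "$SAMPLE_RCCONF" > "$rc_tmp"
lint_rcconf "$rc_tmp" || true
rm -f "$rc_tmp"
```

Run against the posted file it reports the defaultrouter line; with defaultrouter="NO" (no static default needed when the DHCP lease on xl0 supplies one) or the ISP gateway's address it passes.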
Re: Routing problem ?
Hi everybody.
I have a small network at home with two machines connected to the net
via ADSL. That means dynamic IP, though not changing very often.
-
odin.swedehost.com running FreeBSD 4.8-RC #0 Sun Mar 16 2003
Two NICs. xl0 DHCP and NAT-interface, acting as a gateway, doing NAT.

ifconfig
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.200 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::202:b3ff:fe8f:90fd%fxp0 prefixlen 64 scopeid 0x1
        ether 00:02:b3:8f:90:fd
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=3<rxcsum,txcsum>
        inet6 fe80::201:2ff:fef7:7de8%xl0 prefixlen 64 scopeid 0x2
        inet 217.209.211.129 netmask 0xffffff00 broadcast 217.209.211.255
        ether 00:01:02:f7:7d:e8
        media: Ethernet autoselect (10baseT/UTP)
        status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500

thor.swedehost.com running FreeBSD 4.8-RC #1: Fri Mar 7 23:23:21 CET 2003
Dualboot with W2k-Server.
Two NICs xl0 and fxp0 but only one of them configured.
thor# ifconfig
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=3<rxcsum,txcsum>
        inet 192.168.1.220 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::204:76ff:fe19:3b1d%xl0 prefixlen 64 scopeid 0x1
        ether 00:04:76:19:3b:1d
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::202:b3ff:fe4c:13a4%fxp0 prefixlen 64 scopeid 0x2
        ether 00:02:b3:4c:13:a4
        media: Ethernet autoselect (none)
        status: no carrier
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
-
At bootup I get this message:
<Snip>
Mar 20 16:50:26 natd[88]: Aliasing to 217.209.211.129, mtu 1500 bytes
route: bad address: YES

Additional routing options: ignore ICMP redirect=YES log ICMP redirect=YES
IP gateway=YES TCP keepalive=YES.
Routing daemons:.
</Snip>
-
What worries me is the "route: bad address: YES" part.

Does it mean that I have a bad address in my routing table?
I have tried to do route -n flush several times and rebooting.
Everything is working the way it's supposed to, I think :-)
I mean routing, NAT, mail services etc.

I'm willing to bet you have a mistyped entry in an rc file. Take a look in
/etc/rc.conf and/or any other places where you may have manually
configured IPs and/or static routes.

Steve

Appreciate some enlightenment on this subject.
TiA
Geir Svalland.
Re: Routing problem
On Fri, Feb 21, 2003 at 09:24:44PM +0200, molotov wrote:
> I have a little problem with my home network. I had a Linux router
> before and now I have FreeBSD set up and running on the same box. The
> problem is, that I don't know what manual could speak about that kind
> of routing: there are three additional IP addresses routed to my
> gateway. I want an internal box to use the given external IP address
> or an internal address, while gateway configuration stays untouched.
> The external interface of the gateway is a wireless orinoco card and I
> do not have an ethernet-wireless converter, so the external interface
> should be published to the inside network in a way that any chosen
> machine from inside could use an external IP address as its IP and the
> external IP address of the router as its gateway.
>
> Please help me to solve this problem. I know that the solution is
> trivial, but I admit, I still think in Linux... ;)

Hmmm... the keywords here are Static NAT. Start with the natd(8) manual page. That should give you a handle on the terminology used for the different concepts.

There are basically three possibilities to do what you want:

    ipfw(8) + natd(8)
    ipf(8) + ipnat(8)
    ppp(8)

The ppp(8) option, of course, only applies if you're using PPP in some form for your internet connectivity. Otherwise, use whichever one of the other two suits you best.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
Re: routing problem on 4.7 release
twig les wrote:
> Hey all, I have a 4.7 release box that needs to cvsup its ports. The
> problem is that this box never sees the outside world normally; it
> does IDS on an IP-less interface and of course has a backnet
> interface. So basically I added a temporary IP address to this box,
> edited my /etc/cvsupfile to use the IP address of the cvs server (to
> avoid dealing with DNS), added a few lines in IPFW and then used the
> route command to force packets out the correct interface. The problem
> is that packets destined for the legal gateway (I'll call it 1.1.1.1)
> are still going out the backnet interface. So if I ping 1.1.1.1, I
> can sit and watch access-list denies show up as the backnet interface
> tries to ping an IP that isn't even reachable. The fact that these
> pings are getting out tells me that IPFW isn't the problem and that
> the route table is screwed up. Please chime in if anyone has an
> answer; all I need to do is add a static route temporarily. My config
> looks like this below. As you may notice, I even tried adding a route
> to 1.1.1.1 out the specific interface:
> route -n add 1.1.1.1/26 -interface ti0
>
> mas01# netstat -rn
> Routing tables
>
> Internet:
> Destination         Gateway            Flags   Refs   Use  Netif Expire
> default             10.20.0.1          UGSc       7    56   fxp0
> 10.20/25            link#1             UC         2     0   fxp0
> 10.20.0.1           00:00:0c:07:ac:60  UHLW       5     4   fxp0   1196
> 10.20.0.14          00:60:ab:03:7d:2f  UHLW       0     0   fxp0    938
> 1.1.1.1/32          00:00:00:00:00:00  ULSc       0    12    ti0
> 1.1.1.1/26          link#2             UC         0     0    ti0
> 127.0.0.1           127.0.0.1          UH         0   604    lo0
> 165.64.255/24       1.1.1.1            UGSc       0     0   fxp0
> 208.185.175.214/32  1.1.1.1            UGSc       1     0   fxp0

Ouch ... please configure your mailer so it doesn't wrap netstat -rn output. I feel like I'm deciphering a secret code.

I'm a little confused by your explanation. I thought 1.1.1.1 was the IP of the gateway you want to use?
My suggestion might be bogus, since I'm not 100% sure I understand, but try this:

    ifconfig ti0 inet 1.1.1.1 netmask 255.255.255.0
    (set the IP address on the gateway to 1.1.1.2)
    route delete default
    route add default 1.1.1.2

If you really want 10.20.0.1 to be your default route, add it back in after the cvsup is done:

    route delete default
    route add default 10.20.0.1

Note that this might disrupt services not on the local network during the cvsup, so it might not be the solution you really want. But if it works, you'll be one step closer to a real solution.

Do you have additional machines off fxp0 that this machine needs to go through a gateway to access?

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
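A narrower alternative to swapping the default route, added here as an example and not part of Bill's reply or of FreeBSD: add a host route for the one destination (the cvsup server) via the temporary gateway, run the job, and remove the route again on exit, so the default route and whatever depends on it stay untouched. The script only prints the route(8) commands unless DRY_RUN=0. The addresses, the sample `route -n get` output and the function names (with_host_route, iface_from_route_get) are this example's own assumptions.

```shell
#!/bin/sh
# tmproute: reach one host through a temporary gateway without touching
# the default route, and guarantee the extra route is removed afterwards.
# Added example, not code from the thread. DRY_RUN=1 (the default) only
# prints the route(8) commands; run with DRY_RUN=0 on the box to apply
# them. The addresses in the demo are documentation-range placeholders
# (192.0.2.0/24), not the thread's.

DRY_RUN=${DRY_RUN:-1}

# run CMD... -> execute CMD, or print it prefixed with "+ " when dry-running
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# iface_from_route_get -> reads `route -n get DEST` output on stdin and
# prints the interface the kernel would use (the "interface:" line);
# compare it with the NIC you expect before sending any traffic
iface_from_route_get() {
    sed -n 's/^[[:space:]]*interface:[[:space:]]*//p'
}

# with_host_route DEST GW CMD... -> add a /32 route to DEST via GW, run
# CMD, then delete the route again whether CMD succeeded, failed or was
# interrupted; returns CMD's exit status
with_host_route() {
    dest=$1
    gw=$2
    shift 2
    run route add -host "$dest" "$gw" || return 1
    # EXIT runs the cleanup; INT/TERM are turned into an exit so it fires
    trap 'run route delete -host "$dest" "$gw"' EXIT
    trap 'exit 130' INT TERM
    "$@"
    status=$?
    trap - EXIT INT TERM
    run route delete -host "$dest" "$gw"
    return $status
}

# Constructed `route -n get 192.0.2.10` output in the 4.x format, standing
# in for the live command so the demo runs offline
SAMPLE_ROUTE_GET='   route to: 192.0.2.10
destination: 192.0.2.10
    gateway: 192.0.2.1
  interface: ti0
      flags: <UP,GATEWAY,HOST,DONE,STATIC>'

# Demo: confirm the route resolves to ti0, then run the job through it.
# On the box: route -n get 192.0.2.10 | iface_from_route_get
if [ "$(printf '%s\n' "$SAMPLE_ROUTE_GET" | iface_from_route_get)" = ti0 ]; then
    with_host_route 192.0.2.10 192.0.2.1 echo "cvsup -g -L 2 /etc/cvsupfile would run here"
fi
```

With a host route in place, `route -n get` on the cvsup address is the check that answers the question in the post (which interface the packets leave by) before any pings or ipfw logging.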
Re: routing problem
> today I tried to setup a 4.7 gateway. It has two NICs (rl0 and rl1) on
> different subnets (rl0 = 192.168.0.66, rl1 = 192.168.1.2). The rl0 is
> connected to a cable-modem and gets another IP (213.209.66.214) after
> booting. After playing with routes, I can ping outside, can ping rl0
> and rl1 and 192.168.1.18 (a windows-box). The 192.168.1.18 can ping
> the 192.168.1.2 and 213.209.66.214 (the other NIC in the server), but
> not any outside IP (which should be routed over 213.209.66.214 I think)
>
> gateway_enable=YES in /etc/rc.config and for testing router_enable=YES
> and natd_enable=YES

Thomas,

The problem is to do with setting up natd. You don't need router_enable=YES.

Firstly, natd listens on a divert socket for packets to 'translate' from the internet to your LAN. Therefore, you need to make sure that the IP packets going to and coming from your modem get sent to natd. The way to do this is using ipfw, the kernel firewall. If you're not already using it (which I would recommend doing anyhow), you'll need to recompile your kernel with options IPFIREWALL and options IPDIVERT (check out man ipfw). Then simply do:

    ipfw add divert natd ip from any to any via rl0

Assuming rl0 is the interface that has your 213.209.66.214 address, this will pass all IP packets through natd, which will rewrite them transparently.

Secondly, you need to tell natd which interface (IP address actually) to operate on. To do this just add 'natd_interface=rl0' to your /etc/rc.conf, if rl0 is your internet interface. If you have a dynamic IP address, you may want to add 'natd_flags=-dynamic' as well. See man natd for details.

Then it should all work fine!

A couple of points to check for: make sure you add a default route for your ISP's IP (the one the modem connects to) and be careful the connection with the public IP address is indeed on rl0 (if you use PPPoE for example, another interface is used...)
Hope this helps,

Jonathan
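The steps in this reply, together with the static NAT (one-to-one address mapping) that the reply to molotov above points at, as one script. This is an added example, not code from either reply or from FreeBSD: it checks that the public address really is on the interface you name (the PPPoE caveat above), then starts natd and inserts the divert rule. natd's -n, -dynamic and -redirect_address flags are the documented ones from natd(8); everything else (the function names, DRY_RUN, the 192.0.2.x and 192.168.1.10 addresses, the sample ifconfig text) is an assumption made for the demo. Leave DRY_RUN at 1 until the kernel has IPFIREWALL and IPDIVERT, since the ipfw command fails without them.

```shell
#!/bin/sh
# natd_setup: the ipfw + natd steps from the reply above as one
# reviewable script, with the one-to-one ("static NAT") mapping that the
# earlier reply in this thread points to as an option. Added example, not
# code from the thread. DRY_RUN=1 (the default) prints the commands; use
# DRY_RUN=0 on a kernel built with options IPFIREWALL and IPDIVERT to
# apply them. Interface name and addresses in the demo are placeholders.

DRY_RUN=${DRY_RUN:-1}

# run CMD... -> execute CMD, or print it prefixed with "+ " when dry-running
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# iface_has_addr IFCONFIG_TEXT ADDR -> 0 if the ifconfig output lists
# ADDR as an inet address: the "is the public IP really on rl0?" check
iface_has_addr() {
    printf '%s\n' "$1" | grep -q "^[[:space:]]*inet $2 "
}

# natd_args IFACE [LOCAL PUBLIC] -> natd(8) arguments: bind to IFACE,
# follow address changes (-dynamic), and, if LOCAL and PUBLIC are given,
# map that internal host one-to-one to its own public address
natd_args() {
    args="-n $1 -dynamic"
    if [ $# -ge 3 ]; then
        args="$args -redirect_address $2 $3"
    fi
    echo "$args"
}

# divert_rule IFACE -> the ipfw rule body that hands every packet crossing
# IFACE to natd ("natd" is port 8668 in /etc/services)
divert_rule() {
    echo "divert natd ip from any to any via $1"
}

# nat_enable IFACE PUBLIC [LOCAL STATIC_PUBLIC] -> refuse unless PUBLIC is
# configured on IFACE, then start natd and insert the divert rule.
# IFCONFIG_TEXT, if set, replaces the live ifconfig call (for review).
nat_enable() {
    iface=$1
    pub=$2
    shift 2
    ifc=${IFCONFIG_TEXT:-$(ifconfig "$iface" 2>/dev/null || true)}
    if ! iface_has_addr "$ifc" "$pub"; then
        echo "$pub is not configured on $iface; is the public address on another interface (a PPPoE tun, for example)?" >&2
        return 1
    fi
    # word splitting of the two $(...) results is intended: they are argument lists
    run natd $(natd_args "$iface" "$@") || return 1
    run ipfw add $(divert_rule "$iface")
}

# Constructed ifconfig output for the demo: public 192.0.2.5 on rl0
IFCONFIG_TEXT='rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.5 netmask 0xffffff00 broadcast 192.0.2.255'

# Demo: dynamic NAT for the LAN plus 192.168.1.10 reachable as 192.0.2.6
nat_enable rl0 192.0.2.5 192.168.1.10 192.0.2.6 || true
```

The rc.conf form of the same thing, which survives a reboot, is the one in the reply: natd_enable, natd_interface and natd_flags (put the -redirect_address pair in natd_flags or in a natd.conf); the script is the interactive equivalent for trying the rule set before committing it.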