Re: IPF, NAT or NIC
> I suspect that you've created a cabling loop of some sort again.

Maybe I made some cabling loop, because my internet stopped working. In the beginning everything was OK, but after some time, when all 3 PCs were connected to the switch, it stopped working. Why?

--
View this message in context: http://www.nabble.com/IPF%2C-NAT-or-NIC-tp25491958p25520353.html
Sent from the freebsd-questions mailing list archive at Nabble.com.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: IPF, NAT or NIC
Freeco wrote:
> Maybe I made some cabling loop, because my internet stopped working. In the beginning everything was OK, but after some time, when all 3 PCs were connected to the switch, it stopped working. Why?
Re: IPF, NAT or NIC
How do I change the interfaces so that they are not on the same physical subnet?
Re: IPF, NAT or NIC
> How do I change the interfaces so that they are not on the same physical subnet?

Hmmm, a subnet is virtual, it is not physical. To have interfaces on different physical networks, plug your interfaces into different switches that are not interconnected with each other. To have a different subnet used on different interfaces, configure them. Now you can run two or more subnets on the same physical LAN.

Bests,
Olivier
Re: IPF, NAT or NIC
What does it look like?

ISP---Hub---My Gateway---Switch---PC

or

ISP---My Gateway---Switch---Hub---PC
Re: IPF, NAT or NIC
In the beginning, when the gateway starts, the web page opens, but after that no web page opens at all. It is the same with ping: for the first 5 min ping reaches my ISP gateway, but then it's gone. Same with ping from my gateway.
Re: IPF, NAT or NIC
Freeco wrote:
> What does it look like?
>
> ISP---Hub---My Gateway---Switch---PC
>
> or
>
> ISP---My Gateway---Switch---Hub---PC

...are you sure that you don't, by accident, have the following *physical* setup?

          -----------
          |  Gateway  |
          -----------
            |      |
            |      |
            |      |--- Switch/Hub
            |      |        |
            |      |        |
           ISP     PC

This doesn't appear to be a logical subnetting issue, but more of a 'having two interfaces on a logically undivided physical medium' one. If you do have the above setup, it may work, but I would highly advise against it. The only way you can get around the warnings and still have things work properly in this case is to use VLANs.

Freeco, let us know how things are connected physically. Your best bet would be:

                        |-pc
                        |
ISP---Gateway---Switch--pc
                        |
                        |_pc

Trash bin <--- Hub

Steve
Re: IPF, NAT or NIC
Steve Bertrand wrote:
[ snip ]
> Freeco, let us know how things are connected physically. Your best bet would be:
>
>                         |-pc
>                         |
> ISP---Gateway---Switch--pc
>                         |
>                         |_pc

I just noticed that your ISP has assigned you a /28 prefix. Is all of this 255.255.255.240 yours, or are you on a shared network segment?

If it is yours, and you plan on using it, you'll want to set things up like the following. If it is all yours (88.18 - 88.30) and you didn't request it, I'd sure be interested to know who is giving away /28's nowadays when the client didn't even request it ;)

                                  |-pc
                                  |
ISP---Switch---Gateway---Switch---pc
        |  \                      |
        |   \                     |_pc
        |    \
    server1  server2

...Not depicted, but I'd recommend a firewall for anything between the gateway and the ISP.

Steve
Re: IPF, NAT or NIC
So does it mean that I will need 2 more NICs in my gateway?

                        |-pc
                        |
ISP---Gateway---Switch--pc
                        |
                        |_pc

Why can't all PCs be in one subnet? I'll be happy with one subnet, I don't need more.

I tried this:

ISP x.x.88.17---x.x.88.20 Gateway 192.168.1.2---pc 192.168.1.7
                                   (cable unplugged?)

I want to use this one:

                                                  |-pc 192.168.1.5
                                                  |
ISP x.x.88.17---x.x.88.20 Gateway 192.168.1.2---Switch--pc 192.168.1.6
                                                  |
                                                  |_pc 192.168.1.7

The gateway will work as firewall and NAT. Maybe I have wrong settings on my PC?

PC Settings
IP: 192.168.1.7
Mask: 255.255.255.128 (same in rc.conf)
Gateway: 192.168.1.2
DNS: x.x.88.17
DNS: 192.168.1.2
Re: IPF, NAT or NIC
Freeco wrote:
> So does it mean that I will need 2 more NICs in my gateway?
>
>                         |-pc
>                         |
> ISP---Gateway---Switch--pc
>                         |
>                         |_pc
>
> Why can't all PCs be in one subnet? I'll be happy with one subnet,

Ok. One of us is confused, but I don't know who yet :)

A 'subnet' is a term used to describe a portion of an IP address space, where each device in that space can communicate with one another without using a router: 192.168.1.0/24 is a subnet, so hosts 192.168.1.1 through 192.168.1.254 can 'speak' to each other without using a router. If you have more than one PC, you need a 'switch' or hub to physically connect all of those devices, so they can all speak to each other. (fwiw, I cringe at the term subnet).

In the diagram above, you need two NICs in the gateway. One goes to the ISP, and the other (192.168.1.2) goes to the switch. The rest of the computers also plug into the switch. If all of the devices have 192.168.1.x, they are all in the same subnet.

> I don't need more.
>
> I tried this:
>
> ISP x.x.88.17---x.x.88.20 Gateway 192.168.1.2---pc 192.168.1.7
>                                    (cable unplugged?)

You need what's known as a 'cross-over' cable to connect the PC to the Gateway directly. The first sentence in this link describes it well:

http://en.wikipedia.org/wiki/Ethernet_crossover_cable

> I want to use this one:
>
>                                                   |-pc 192.168.1.5
>                                                   |
> ISP x.x.88.17---x.x.88.20 Gateway 192.168.1.2---Switch--pc 192.168.1.6
>                                                   |
>                                                   |_pc 192.168.1.7

The diagram got mangled, but from what I can tell, this is the same as the diagram I left at the top of this message.

> The gateway will work as firewall and NAT. Maybe I have wrong settings on my PC?

You do. Although technically it will work, you have in your gateway:

192.168.1.2 255.255.255.0

...but on the pc:

192.168.1.7 255.255.255.128:

> PC Settings
> IP: 192.168.1.7
> Mask: 255.255.255.128 (same in rc.conf)
> Gateway: 192.168.1.2
> DNS: x.x.88.17
> DNS: 192.168.1.2

I'm not convinced that there still isn't a cabling issue.

I don't use NAT, so perhaps someone else can help with any config issues, but I would find out/fix what is causing the traffic to be received on the wrong interface first.

Also, I just noticed in your original post that there appears to be another clerical error. Again, I don't know ipnat, but I would suspect that this:

map fxp0 192.168.0.0/16 -> 0/32

should really be this:

map fxp0 192.168.0.0/24 -> 0/32

Aside from that, are you sure that this entry shouldn't be:

map rl0 192.168.0.0/24 -> 0/32

? Again, I don't know ipnat, but to me, in the fxp0 entry, it looks like you are trying to map the 192 space coming INTO fxp0 (which in your original post is the NIC that faces the ISP, not the internal network). If this is how ipnat looks at this, then this is also a problem.

Steve
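The two configuration points Steve raises above, a gateway on /24 talking to a PC on /25, and a `map` rule whose source prefix `192.168.1.0/16` is not on a network boundary, can both be checked mechanically before touching cables. The script below is an added example written for this page; it is not code from the thread, from FreeBSD or from the ipnat project. It assumes the `map <if> <src> -> <dst>` rule shape shown in the original post (with the arrow restored), parses only the source prefix with a regular expression of my own, and uses the posted rules, with the poster's masked public address kept verbatim, as constructed sample input.

```python
import ipaddress
import re

# Constructed sample: the ipnat.rules posted at the start of the thread.
IPNAT_RULES = """\
map fxp0 192.168.1.0/16 -> xxx.xxx.88.20/32
rdr fxp0 0.0.0.0/0 -> xxx.xxx.88.20
map fxp0 192.168.0.0/16 -> 0/32 proxy port 21 ftp/tcp
map fxp0 0.0.0.0/0 -> 0/32
map fxp0 192.168.0.0/16 -> 0/32
"""

# Only the source prefix of a "map" rule is examined. The translated-to side
# uses ipnat shorthand such as 0/32 that the ipaddress module would reject.
MAP_RE = re.compile(r"^\s*map\s+(\S+)\s+(\S+)\s+->")


def check_map_rules(rules_text, lan_prefix):
    """Return [(rule, finding)] for every map rule with a suspect source prefix.

    finding is one of:
      "host-bits"           prefix is not on a network boundary; 192.168.1.0/16
                            has the .1 inside the host part of a /16
      "does-not-cover-lan"  prefix does not contain the LAN at all
      "broader-than-lan"    prefix matches more than the LAN, so any source
                            address that reaches the gateway is translated,
                            not only your own hosts
    """
    lan = ipaddress.ip_network(lan_prefix)
    findings = []
    for line in rules_text.splitlines():
        m = MAP_RE.match(line)
        if not m:
            continue
        src = m.group(2)
        try:
            # strict=True raises ValueError when host bits are set
            net = ipaddress.ip_network(src, strict=True)
        except ValueError:
            findings.append((line.strip(), "host-bits"))
            continue
        if not lan.subnet_of(net):
            findings.append((line.strip(), "does-not-cover-lan"))
        elif net != lan:
            findings.append((line.strip(), "broader-than-lan"))
    return findings


def on_link_views(host_a, host_b):
    """For two 'addr/mask' interface strings return (a_sees_b, b_sees_a):
    whether each host would ARP for the other directly rather than send the
    packet to its default router. Mismatched masks make this asymmetric."""
    a = ipaddress.ip_interface(host_a)
    b = ipaddress.ip_interface(host_b)
    return (b.ip in a.network, a.ip in b.network)


if __name__ == "__main__":
    for rule, finding in check_map_rules(IPNAT_RULES, "192.168.1.0/24"):
        print(f"{finding:20} {rule}")
    # gateway rl0 is 192.168.1.2/24, the PC is 192.168.1.7/25 (from the thread)
    print(on_link_views("192.168.1.2/24", "192.168.1.7/255.255.255.128"))
    # a host in the upper half of the /24 is off-link from the PC's point of view
    print(on_link_views("192.168.1.2/24", "192.168.1.200/255.255.255.128"))
```

The /24 versus /25 mismatch "works" in the thread only because both addresses fall in the lower half of 192.168.1.0/24; the second `on_link_views` call shows the case where the PC would wrongly hand traffic for a LAN neighbour to the gateway.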
Re: IPF, NAT or NIC
Steve Bertrand wrote:
[ snip ]
> Freeco, let us know how things are connected physically. Your best bet would be:
>
>                         |-pc
>                         |
> ISP---Gateway---Switch--pc
>                         |
>                         |_pc
>
>                                   |-pc
>                                   |
> ISP---Switch---Gateway---Switch---pc
>         |  \                      |
>         |   \                     |_pc
>         |    \
>     server1  server2

Steve wrote:
> ...Not depicted, but I'd recommend a firewall for anything between the gateway and the ISP.

The gateway will work as IPF (firewall) and NAT. Is it wrong?

Steve wrote:
> I just noticed that your ISP has assigned you a /28 prefix. Is all of this 255.255.255.240 yours, or are you on a shared network segment?
>
> If it is yours, and you plan on using it, you'll want to set things up like the following. If it is all yours (88.18 - 88.30) and you didn't request it, I'd sure be interested to know who is giving away /28's nowadays when the client didn't even request it ;)

Yes, it's mine. I'm paying just for 3 static addresses, 18-20. I plan to use the other static addresses for other plans. So I'll need 2 more NICs for the gateway?

I think that my ISP uses the 2nd image. In my room there is a switch. In our home there is a switch. 3 homes from mine there is a gateway. I don't know what else there is.

P.S. Sorry for my poor English
Re: IPF, NAT or NIC
Steve Bertrand wrote:
> map fxp0 192.168.0.0/24 -> 0/32
>
> Aside from that, are you sure that this entry shouldn't be:
>
> map rl0 192.168.0.0/24 -> 0/32
>
> ? Again, I don't know ipnat, but to me, in the fxp0 entry, it looks like you are trying to map the 192 space coming INTO fxp0 (which in your original post is the NIC that faces the ISP, not the internal network). If this is how ipnat looks at this, then this is also a problem.

Just a note, section 30.5.16 IPNAT Rules of the handbook states that using the external interface in the map rule is the correct way of doing things.

Steve
Re: IPF, NAT or NIC
Freeco wrote:
> Steve Bertrand wrote:
>>                                   |-pc
>>                                   |
>> ISP---Switch---Gateway---Switch---pc
>>         |  \                      |
>>         |   \                     |_pc
>>         |    \
>>     server1  server2
>
> So I'll need 2 more NICs for the gateway?

No, unless there is something I don't know about.

> I think that my ISP uses the 2nd image. In my room there is a switch. In our home there is a switch. 3 homes from mine there is a gateway. I don't know what else there is.

Ok. Let's start with the basics.

- What is connected to the switch in your room?
- What is connected to the switch in your home?
- What is connected to the gateway down the street?
- How do you connect your room, to your home, to the house three homes away?

This new information makes it more believable that there is some sort of cabling mishap.

> P.S. Sorry for my poor English

You don't have to be. You're doing just fine!

Steve
Re: IPF, NAT or NIC
Steve wrote:
> A 'subnet' is a term used to describe a portion of an IP address space, where each device in that space can communicate with one another without using a router: 192.168.1.0/24 is a subnet, so hosts 192.168.1.1 through 192.168.1.254 can 'speak' to each other without using a router. If you have more than one PC, you need a 'switch' or hub to physically connect all of those devices, so they can all speak to each other. (fwiw, I cringe at the term subnet).

I have a switch to connect all of these 3 PCs.

Steve wrote:
> In the diagram above, you need two NICs in the gateway. One goes to the ISP, and the other (192.168.1.2) goes to the switch. The rest of the computers also plug into the switch. If all of the devices have 192.168.1.x, they are all in the same subnet.

If 2 PCs are connected to the gateway directly and another one through the switch, then all 3 PCs won't be in one subnet. Right?

I want to use this one:

                                                  |---pc 192.168.1.5
                                                  |
ISP x.x.88.17---x.x.88.20 Gateway 192.168.1.2---Switch---pc 192.168.1.6
                                                  |
                                                  |___pc 192.168.1.7

Steve wrote:
> 192.168.1.2 255.255.255.0
>
> ...but on the pc:
>
> 192.168.1.7 255.255.255.128:

PC Settings
IP: 192.168.1.7
Mask: 255.255.255.128 (SAME IN rc.conf ON FREEBSD)
Gateway: 192.168.1.2
DNS: x.x.88.17
DNS: 192.168.1.2
Re: IPF, NAT or NIC
Freeco wrote:
> Steve wrote:
>> In the diagram above, you need two NICs in the gateway. One goes to the ISP, and the other (192.168.1.2) goes to the switch. The rest of the computers also plug into the switch. If all of the devices have 192.168.1.x, they are all in the same subnet.
>
> If 2 PCs are connected to the gateway directly and another one through the switch, then all 3 PCs won't be in one subnet. Right?

That is right. Knowing that you aren't bridging on the gateway, if you connect two pc's directly to the gateway, and another to the gateway through a switch, they will all need different prefixes (they'll be in different subnets):

192.168.1.x
192.168.2.x
192.168.3.x
etc.

In this case, you WILL need at least four NICs in the gateway, and you will need at least three different NAT configurations.

I'm at a loss as to what you are trying to do, primarily because I now envision a scenario where you have multiple switches with cables going everywhere (possibly back to one another), and have no idea what your physical layout truly is.

You need to answer the questions in my other message before I can even begin to comprehend what your setup is.

Steve
Re: IPF, NAT or NIC
> Ok. Let's start with the basics.
>
> - What is connected to the switch in your room?

The ISP cable from my home switch and 3 PCs are connected to it.

> - What is connected to the switch in your home?

I'm not sure, but I think there is a cable connected to my switch (I plan: my gateway - switch) and my neighbour (with a private IP).

> - What is connected to the gateway down the street?

I already said, I don't know. I haven't been there.

> - How do you connect your room, to your home, to the house three homes away?

Everything is connected with cable.

> This new information makes it more believable that there is some sort of cabling mishap.
>
>> P.S. Sorry for my poor English
>
> You don't have to be. You're doing just fine!
Re: IPF, NAT or NIC
fxp0 is the integrated NIC. The cable from the ISP connects to this NIC. rl0 is a PCI NIC; its cable connects to the switch with all the other 3 PCs.
Re: IPF, NAT or NIC
Freeco wrote:
>> - What is connected to the switch in your room?
>
> The ISP cable from my home switch and 3 PCs are connected to it.

So, like this:

down the street
      |
      |
home switch---neighbor
      |
      |  cable from home switch, that also goes to ISP
      |
room switch
    /|\
   / | \
  /  |  \
 pc  pc  pc

>> - What is connected to the switch in your home?
>
> I'm not sure, but I think there is a cable connected to my switch (I plan: my gateway - switch) and my neighbour (with a private IP).

Since you already said that you could ping from your gateway to the 'ISP' router, I'll pretend I didn't hear that your neighbour has a private IP whilst possibly on the same physical broadcast domain.

Now, this is what you want to do if I understand the situation correctly:

down the street
      |
      |
home switch---neighbor
      |
      |  cable from home switch, that also goes to ISP
      |
x.x.88.20 gateway 192.168.1.2
      |
      |
room switch
    /|\
   / | \
  /  |  \
 pc  pc  pc
192.168.1.5 .6 .7

To test, plug the gateway into the cable that comes from the home switch. Do not plug anything else into the gateway. Now, while logged into the gateway pc:

% ping x.x.88.20
% ping x.x.88.17
% ping 208.70.104.211

...if that works, you now know that the WAN side of your network is working correctly.

Now plug the room switch into the other NIC on the gateway, and plug ONE pc into the switch. Have a look to see if the 'received on wrong int' messages have gone away. If so, on the pc:

% ping 192.168.1.2

...if that works:

% ping x.x.88.20

...if that one does NOT work, post back to the list, and I'll help you with a few commands to do, so we can see where things are dying, and try to find out if this is a NAT problem or not. If it does work:

% ping x.x.88.17

...if that works, we now know that NAT is functional, and you can reach the ISP gateway, and it knows how to get back to you.

% ping 208.70.104.211

...if that works, you are done :)

Steve
Re: IPF, NAT or NIC
Thanks man! Everything works when I connect the cable directly to the gateway. Until now there were two cables connected, because the internet cable was too short. But I want to move my gateway to another room, so I'll need to connect 2 cables, and the internet won't work again? I could ping all IPs when the cables were connected.
Re: IPF, NAT or NIC
Freeco wrote:
> Thanks man! Everything works when I connect the cable directly to the gateway. Until now there were two cables connected, because the internet cable was too short.

I kind of figured something along those lines.

> But I want to move my gateway to another room, so I'll need to connect 2 cables, and the internet won't work again?

You can't change the way it is...it must stay this way. Do whatever you have to do (get a longer cable for instance) in order to keep things the way they are.

Here is a solution for you. Note that the new switch has ONLY the ISP cable and the gateway cable plugged into it AND NOTHING ELSE. A new switch may cost only about $40USD, but not only will it work the same, it will allow you to put the gateway in your other room:

down the street
      |
      |
home switch---neighbor
      |
      |  cable from home switch, that also goes to ISP
      |
new switch
      |
      |
      |
      |  long cable that goes to room far, far away
      |
      |
x.x.88.20 gateway 192.168.1.2
      |
      |
room switch
    /|\
   / | \
  /  |  \
 pc  pc  pc
192.168.1.5 .6 .7

Cheers. I'm glad it worked out for you! :)

Steve
Re: IPF, NAT or NIC
Freeco wrote:
> Thanks man! Everything works when I connect the cable directly to the gateway. Until now there were two cables connected, because the internet cable was too short. But I want to move my gateway to another room, so I'll need to connect 2 cables, and the internet won't work again? I could ping all IPs when the cables were connected.

Now that we've resolved it, I suspect this is what you had, with the pc's (quite possibly) plugged into the room switch as well:

down the street
      |
      |
home switch---neighbor
      |
      |  cable from home switch, that also goes to ISP
      |
room switch
      |\
      | \
x.x.88.20 \
 gateway   |
192.168.1.2|
      |    |
      |    |
      |____|

Yes?

Steve
Re: IPF, NAT or NIC
Ok, thanks for the advice about the switch. You really helped me so much. Now I'll get on with my ipf and nat rules. What ports do you recommend keeping open, and how do I block pings to the gateway?
Re: IPF, NAT or NIC
Freeco wrote:
> Ok, thanks for the advice about the switch. You really helped me so much. Now I'll get on with my ipf and nat rules.

I'm glad I could help. So many people here and on other lists have helped me significantly over the years, so I try to give back whenever I can/have time.

> What ports do you recommend keeping open, and how do I block pings to the gateway?

About the ports... that depends on what you are going to do. My theory is, unless you are an Internet Provider, all ports should be closed by default, and opened on an as-needed basis. Generally, there isn't very much that will break if you block everything coming into the ISP side of your gateway (so long as you are using the firewall as a 'stateful' firewall). On the other hand, the 'wide open and block certain things' approach leads to accidentally leaving things like SSH on your gateway accessible.

As for the ping. I am generally dead against blocking any type of ICMP. I've spent countless nights trying to troubleshoot wide-scale Internet reachability problems because someone out there decided that blocking ICMP was the same as blocking ping. This goes against my above 'deny everything', but it's my only exception. Those who have ever had to deal with pmtud issues when it's least expected know exactly what I mean. Issues caused by careless filtering of ICMP can have the same effect on a home user as they do on an ISP, but the home user will likely have a much harder time figuring out what is wrong :)

For instance, most will do the following:

# ipfw add 100 deny icmp from any to any in

You just broke Path MTU Discovery, lost the ability to learn when a remote port/host is unreachable, and our tests earlier would have failed as well.

If your firewall is clamped down, there is no real good reason to block ping requests IMHO. If you don't want others on the WAN side to be able to ping you, block ICMP Type 8 messages inbound only.

In IPFW, it would look like this:

# ipfw add 10 deny icmp from any to me in via $ext_if icmptypes 8
# ipfw add 15 allow icmp from any to any

...but my personal recommendation is to not do it. Even for the simple fact that if you ever have to call your ISP for support, pinging is one of the most basic and helpful utilities available. Again, IMHO.

Cheers,
Steve
Re: IPF, NAT or NIC
After some time, when all 3 PCs were connected to the switch, the internet was lost. I couldn't open any web page. I didn't try to ping anything.
Re: IPF, NAT or NIC
My gateway gave me a message:

gateway kernel: arp: x.x.88.17 is on fxp0 but got reply from 00:0c:42:11:15:a8 on rl0
Re: IPF, NAT or NIC
Freeco wrote:
> My gateway gave me a message:
>
> gateway kernel: arp: x.x.88.17 is on fxp0 but got reply from 00:0c:42:11:15:a8 on rl0

That MAC address is that of a MikroTik router. I suspect that you've created a cabling loop of some sort again.

Steve
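Steve reads two things out of that single kernel line: the reply for the ISP router's address arrived on the LAN NIC, so both NICs see the same segment, and the answering MAC belongs to a third party's router. On a box that logs many of these, the same reading can be done mechanically. The script below is an added example written for this page, not code from the thread or from FreeBSD; it parses the `arp: ... is on X but got reply from MAC on Y` message quoted above and the kernel's companion `arp: ... moved from MAC to MAC on X` message, over constructed sample lines (the timestamps, the second MAC addresses and the unrelated link-state line are made up for the example). It reports which interface pairs share a broadcast domain, which is the cabling problem this thread was really about, and separately flags an address that changed MAC on one interface, which is what a replaced device or an ARP-spoofing neighbour looks like in the same log.

```python
import re

# Constructed sample lines in the FreeBSD kernel's arp message formats.
# The first two mirror the message quoted in this thread; the "moved from"
# line is the format logged when an address answers from a new MAC.
SAMPLE_LOG = """\
Sep 17 08:20:01 gateway kernel: arp: x.x.88.17 is on fxp0 but got reply from 00:0c:42:11:15:a8 on rl0
Sep 17 08:20:05 gateway kernel: arp: x.x.88.17 is on fxp0 but got reply from 00:0c:42:11:15:a8 on rl0
Sep 17 08:21:10 gateway kernel: arp: 192.168.1.7 moved from 00:11:22:33:44:55 to 66:77:88:99:aa:bb on rl0
Sep 17 08:22:00 gateway kernel: fxp0: link state changed to UP
"""

WRONG_IF_RE = re.compile(r"arp: (\S+) is on (\S+) but got reply from (\S+) on (\S+)")
MOVED_RE = re.compile(r"arp: (\S+) moved from (\S+) to (\S+) on (\S+)")


def analyze_arp_log(text):
    """Summarise ARP anomalies in a syslog/dmesg excerpt.

    Returns a list of findings, each a dict with a "kind":
      "reply-on-wrong-interface": the kernel expected the IP on one NIC but an
          ARP reply for it arrived on another. Two NICs of one box seeing the
          same broadcast domain means a loop or a missing segment split, and
          it breaks routing and NAT the way this thread describes.
      "mac-changed": the same IP answered from a new MAC on one interface.
          A replaced device, or someone claiming the address.
    """
    wrong = {}   # (ip, expected_if, seen_if) -> {"macs": set, "count": int}
    moved = {}   # (ip, iface) -> [mac, ...] in order of appearance
    for line in text.splitlines():
        m = WRONG_IF_RE.search(line)
        if m:
            ip, expected, mac, seen = m.groups()
            entry = wrong.setdefault((ip, expected, seen), {"macs": set(), "count": 0})
            entry["macs"].add(mac.lower())
            entry["count"] += 1
            continue
        m = MOVED_RE.search(line)
        if m:
            ip, old, new, iface = m.groups()
            macs = moved.setdefault((ip, iface), [])
            for mac in (old.lower(), new.lower()):
                if mac not in macs:
                    macs.append(mac)

    findings = []
    for (ip, expected, seen), entry in wrong.items():
        findings.append({
            "kind": "reply-on-wrong-interface",
            "ip": ip,
            "expected_if": expected,
            "seen_if": seen,
            "macs": sorted(entry["macs"]),
            "count": entry["count"],
        })
    for (ip, iface), macs in moved.items():
        findings.append({"kind": "mac-changed", "ip": ip, "iface": iface, "macs": macs})
    return findings


def shared_segments(findings):
    """Interface pairs that the log proves are on one broadcast domain."""
    return {tuple(sorted((f["expected_if"], f["seen_if"])))
            for f in findings if f["kind"] == "reply-on-wrong-interface"}


if __name__ == "__main__":
    results = analyze_arp_log(SAMPLE_LOG)
    for f in results:
        print(f)
    for a, b in sorted(shared_segments(results)):
        print(f"{a} and {b} share a segment: fix the cabling before touching ipf/ipnat")
```

Run it against `/var/log/messages` on the gateway (`analyze_arp_log(open("/var/log/messages").read())`) rather than the sample; one "reply-on-wrong-interface" pair is enough to confirm the loop, and a "mac-changed" entry for the ISP router's address would be the thing to investigate next.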
IPF, NAT or NIC
I'm new to BSD. I installed FreeBSD 7.2 and want to use it as a gateway with IPF and NAT. I have 2 NICs, fxp0 and rl0. When I booted up my PC I got a message:

gateway kernel: arp xxx.xxx.88.17 is on fxp0 but got reply from rl0

My configuration files look like this:

rc.conf

clear_tmp_enable="YES"
hostname="gateway.fbsdfreeco.com"
ifconfig_fxp0="inet xxx.xxx.88.20 netmask 255.255.255.240"
gateway_enable="YES"
ipfilter_enable="YES"
ipmon_enable="YES"
ipmon_flags="-Ds"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
ifconfig_rl0="inet 192.168.1.2 netmask 255.255.255.0"
defaultrouter="xxx.xxx.88.17"

resolv.conf

search xxx.xxx.88.17
nameserver xxx.xxx.88.17
nameserver xxx.xxx.xxx.xxx

ipf.loadrules.sh

oif="fxp0"
odns="xxx.xxx.88.17"
myip="xxx.xxx.88.20"
ks="keep state"
fks="flags S keep state"

/sbin/ipf -Fa -f - <<EOF
pass out quick on $oif proto tcp from any to $odns port = 53 $fks
pass out quick on $oif proto udp from any to $odns port = 53 $ks
pass out quick on $oif proto tcp from xxx.xxx.88.20 to any port = 80 $fks
pass out quick on $oif proto tcp from xxx.xxx.88.20 to any port = 443 $fks
EOF

ipnat.rules

map fxp0 192.168.1.0/16 -> xxx.xxx.88.20/32
rdr fxp0 0.0.0.0/0 -> xxx.xxx.88.20
map fxp0 192.168.0.0/16 -> 0/32 proxy port 21 ftp/tcp
map fxp0 0.0.0.0/0 -> 0/32
map fxp0 192.168.0.0/16 -> 0/32

---

ISP Gateway---fxp0--ping ok---My Gateway---rl0---LAN---Switch---ping ok---pc

ISP IP - xxx.xxx.88.17 (static)
My IP - xxx.xxx.88.20 (fxp0 static)
My IP - 192.168.1.2 (rl0 private)
pc IP - 192.168.1.x (private)

Where's the problem?
Re: IPF, NAT or NIC
On Thu, Sep 17, 2009 at 08:27:45AM -0700, Freeco typed:
> I'm new to BSD. I installed FreeBSD 7.2 and want to use it as a gateway with IPF and NAT. I have 2 NICs, fxp0 and rl0. When I booted up my PC I got a message:
>
> gateway kernel: arp xxx.xxx.88.17 is on fxp0 but got reply from rl0
>
> My configuration files look like this:
[...]
> Where's the problem?

Both interfaces are on the same physical subnet.

Ruben