Re: FreeBSD routing problem
> From: hrkesh sahu
> Date: Thu, 3 Oct 2013 19:09:02 +0530
> To: "Julian H. Stacey"
> Cc: Polytropon, FreeBSD questions

Hi,
No idea why it was To: me.

> Content-Type: text/html; charset=windows-1252
> Content-Transfer-Encoding: quoted-printable

I dislike MS & windows & quoted-printable,

> Content-Type: application/msword; name="1.5.VendorD.Topology.doc"
> Content-Disposition: attachment; filename="1.5.VendorD.Topology.doc"

MS excrement not accepted.
http://www.berklix.com/~jhs/std/no_ms_format.txt

Cheers,
Julian
--
Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com
Reply below not above, like a play script. Indent old text with "> ".
Send plain text. No quoted-printable, HTML, base64, multipart/alternative.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
FreeBSD routing problem
Hi All,

I am facing a routing issue for the Interoperability 1.5 topology. Please find the attachment of the exact topology map. As per the test setup:

- Configured REF-Router2 NOT to transmit Router Advertisement on Network1. But REF-Router2 is able to transmit Router Advertisement on Network2 with 2001:db8::3::/64.
- Configured a static route on TAR-RouterD (Ubuntu) indicating REF-Router2's link-local address as the next hop for Network2.
- But REF-Router is not able to route between Network1 and Network2. Due to this, the ICMPv6 request from TAR-Router to the global address of REF-Host2 is not working. There is no reply for this ICMPv6 request.
- Same when I try to transmit an ICMPv6 Echo request from REF-HOST2 to the global address of TAR-HOST1 (prefix of TAR-RouterD): no ICMPv6 reply.
- Within Network1, nodes are able to communicate. But when I try to communicate with Network2 from Network1, it is not working.

Could you please tell me if I am missing something to route the traffic on REF-Router? I suspect, as there is no Router Advertisement on Interface1 of the REF-Router, it is not able to route the traffic between the interfaces.

Please help me to find this solution.

Regards
Re: pppoe routing problem, default route isn't used for some hosts
Hello Nikos,

thank you very much Nikos "You've repaired my internet" ,)

On Fri, May 29, 2009 at 06:56:49PM +0300, Nikos Vassiliadis wrote:
> Fabian Holler wrote:
> > I have a strange routing problem. I can't connect to some hosts in the
> > internet till I add an explicit route for these hosts with my default gw
> > as gateway.
> > There aren't any other routes that could match the destination IP for
> > "non-working hosts". So the connection should also without an explicit
> > route for these hosts use the default gw.
>
> Besides netstat -rn, you can use "route get southparkstudios.com"
> to check a route for a destination.
>
> > Connections with nc to port 80 work
> > (the connection tests are made from the router, the iface MTUs are correct)
>
> You cannot test MTU settings using nc, since initial packets, that
> is, small packets, are always smaller than your MTU. You can test
> MTU using fetch or ftp or nc + "GET /some.big.file".

I only tried to say that the connection problems couldn't be an MTU problem,
because I tried to connect from the router (where the PPPoE iface should have
the correct MTU) and not from any LAN host.

> > PPPoE:
> > new -i ng0 PPPoE PPPoE
> > set iface addrs 1.1.1.1 2.2.2.2
>
> Maybe you should delete the above line as

That was the problem :)
I thought ip+netmask from the iface are arbitrary because they will be
"overwritten" after I made a successful connection. But the crappy netmask
was responsible for my problems.

> > set link mtu 1492
> > set link mru 1492
>
> this is also wrong, don't try to set MTU
> or MRU. They are negotiated during PPP.

removed this also :)

regards
Fabian
Re: pppoe routing problem, default route isn't used for some hosts
Fabian Holler wrote:
> Hello,
>
> I have a strange routing problem. I can't connect to some hosts in the
> internet till I add an explicit route for these hosts with my default gw
> as gateway.
> There aren't any other routes that could match the destination IP for
> "non-working hosts". So the connection should also without an explicit
> route for these hosts use the default gw.
>
> My Setup:
> FreeBSD 7.2-RELEASE
> mppd to make a PPPoE connection to my internet service provider.
> PF as firewall
>
> To isolate the problem I used a minimal pf.conf:
> ---
> inetif=ng0
> lanif=vr0
> scrub all max-mss 1492
> pass quick on lo0 all
> pass out on $inetif proto { tcp udp icmp } all keep state
> pass on $lanif from any to any
> ---
> I also tried pppd instead of mppd (doesn't help).
>
> Hosts that I can't connect to are i.e. spiegel.de, tagesschau.de, freebsd.org,
> southparkstudios.com
> I.e. TCP connections to Port 80 of southparkstudios.com don't work.
> If I add an explicit route:
> "route add southparkstudios.com 213.191.84.199"

Besides netstat -rn, you can use "route get southparkstudios.com"
to check a route for a destination.

> Connections with nc to port 80 work
> (the connection tests are made from the router, the iface MTUs are correct)

You cannot test MTU settings using nc, since initial packets, that
is, small packets, are always smaller than your MTU. You can test
MTU using fetch or ftp or nc + "GET /some.big.file".

> Anybody have an idea what could be wrong? I have no idea anymore
> (it's also not a provider problem, when I made the PPPoE connection from
> Windows I can connect to all hosts)
>
> thanks for any hints :)
>
> best regards
>
> Fabian
>
> -
> My routing table:
> "
> # netstat -ra
> Routing tables
>
> Internet:
> Destination          Gateway              Flags   Refs   Use     Netif  Expire
> default              lo1.br04.weham.de.   UGS     0      15505   ng0
> 1.1.1.1&0x1010101    link#1               UC      0      0       rl0

What is this ??? It looks like not-contiguous netmask?

> exxx45031.adsl.al    lo0                  UHS     0      0       lo0
> localhost            localhost            UH      0      433     lo0
> 192.168.113.0        link#2               UC      0      0       vr0
> xyz                  00:30:18:ad:26:88    UHLW    1      24005   lo0
> mail.xyz.ath.cx      00:30:18:ad:26:88    UHLW    1      86400   lo0
> http.xyz.ath.cx      00:30:18:ad:26:88    UHLW    1      770     lo0
> 192.168.113.255      ff:ff:ff:ff:ff:ff    UHLWb   1      3228    vr0
> lo1.br04.weham.de.   e176145031.adsl.al   UH      1      0       ng0
> [... ipv6 stuff]
> "
> Interface infos:
> "
> # netstat -ira
> Name    Mtu    Network         Address              Ipkts     Ierrs  Opkts     Oerrs  Coll
> rl0     1492                   00:02:2a:b0:4a:e0    26128479  0      19855993  0      0
>                                01:00:5e:00:00:01    0         0
> rl0     1492   1.1.1.1&0x101   1.1.1.1              0         -      2653      -      -
>                                ALL-SYSTEMS.MCAST
> vr0     1500                   00:30:18:ad:26:88    12662831  0      17678949  0      0
>                                01:00:5e:00:00:01    2038      0
> vr0     1500   192.168.113.0   xyz                  9745471   -      13639692  -      -
>                                ALL-SYSTEMS.MCAST
> vr0     1500   192.168.113.0   mail.xyz.a           291626    -      86404     -      -
>                                ALL-SYSTEMS.MCAST
> vr0     1500   192.168.113.0   http.xyz.a           6814      -      770       -      -
>                                ALL-SYSTEMS.MCAST
> lo0     16384                                       113929    0      113929    0      0
> lo0     16384  fe80:3::1       fe80:3::1            0         -      0         -      -
>                                ff01:3::1 (refs: 1)
>                                ff02:3::2:a61d:93b4 (refs: 1)
>                                ff02:3::1 (refs: 1)
>                                ff02:3::1:ff00:1 (refs: 1)
> lo0     16384  localhost       ::1                  0         -      0         -      -
>                                ff01:3::1 (refs: 1)
>                                ff02:3::2:a61d:93b4 (refs: 1)
>                                ff02:3::1 (refs: 1)
>                                ff02:3::1:ff00:1 (refs: 1)
> lo0     16384  your-net        localhost            433       -      2433      -      -
>                                ALL-SYSTEMS.MCAST
> pflog0  33204                                       0         0      80567     0      0
> tun0*   1500                                        78331     0      76381     0      0
> tun99   1500                                        353       0      375       0      0
> ng0     1492                                        17114096  0      13449463  0      0
> ng0     1492   85.176.145.31   e176145031.adsl.a    12398     -      17011     -      -
>                                ALL-SYSTEMS.MCAST
> "
> mpd.conf:
> "
> default:
>         load PPPoE
>
> PPPoE:
>         new -i ng0 PPPoE PPPoE
>         set iface addrs 1.1.1.1 2.2.2.2

Maybe you should delete the above line as well. I don't remember what
"iface addrs" does, but you'll get the IP addresses via IPCP, so it&
pppoe routing problem, default route isn't used for some hosts
Hello,

I have a strange routing problem. I can't connect to some hosts in the
internet till I add an explicit route for these hosts with my default gw
as gateway.
There aren't any other routes that could match the destination IP for
"non-working hosts". So the connection should also without an explicit
route for these hosts use the default gw.

My Setup:
FreeBSD 7.2-RELEASE
mppd to make a PPPoE connection to my internet service provider.
PF as firewall

To isolate the problem I used a minimal pf.conf:
---
inetif=ng0
lanif=vr0
scrub all max-mss 1492
pass quick on lo0 all
pass out on $inetif proto { tcp udp icmp } all keep state
pass on $lanif from any to any
---
I also tried pppd instead of mppd (doesn't help).

Hosts that I can't connect to are i.e. spiegel.de, tagesschau.de, freebsd.org,
southparkstudios.com
I.e. TCP connections to Port 80 of southparkstudios.com don't work.
If I add an explicit route:
"route add southparkstudios.com 213.191.84.199"
Connections with nc to port 80 work
(the connection tests are made from the router, the iface MTUs are correct)

Anybody have an idea what could be wrong? I have no idea anymore
(it's also not a provider problem, when I made the PPPoE connection from
Windows I can connect to all hosts)

thanks for any hints :)

best regards

Fabian

-
My routing table:
"
# netstat -ra
Routing tables

Internet:
Destination          Gateway              Flags   Refs   Use     Netif  Expire
default              lo1.br04.weham.de.   UGS     0      15505   ng0
1.1.1.1&0x1010101    link#1               UC      0      0       rl0
exxx45031.adsl.al    lo0                  UHS     0      0       lo0
localhost            localhost            UH      0      433     lo0
192.168.113.0        link#2               UC      0      0       vr0
xyz                  00:30:18:ad:26:88    UHLW    1      24005   lo0
mail.xyz.ath.cx      00:30:18:ad:26:88    UHLW    1      86400   lo0
http.xyz.ath.cx      00:30:18:ad:26:88    UHLW    1      770     lo0
192.168.113.255      ff:ff:ff:ff:ff:ff    UHLWb   1      3228    vr0
lo1.br04.weham.de.   e176145031.adsl.al   UH      1      0       ng0
[... ipv6 stuff]
"
Interface infos:
"
# netstat -ira
Name    Mtu    Network         Address              Ipkts     Ierrs  Opkts     Oerrs  Coll
rl0     1492                   00:02:2a:b0:4a:e0    26128479  0      19855993  0      0
                               01:00:5e:00:00:01    0         0
rl0     1492   1.1.1.1&0x101   1.1.1.1              0         -      2653      -      -
                               ALL-SYSTEMS.MCAST
vr0     1500                   00:30:18:ad:26:88    12662831  0      17678949  0      0
                               01:00:5e:00:00:01    2038      0
vr0     1500   192.168.113.0   xyz                  9745471   -      13639692  -      -
                               ALL-SYSTEMS.MCAST
vr0     1500   192.168.113.0   mail.xyz.a           291626    -      86404     -      -
                               ALL-SYSTEMS.MCAST
vr0     1500   192.168.113.0   http.xyz.a           6814      -      770       -      -
                               ALL-SYSTEMS.MCAST
lo0     16384                                       113929    0      113929    0      0
lo0     16384  fe80:3::1       fe80:3::1            0         -      0         -      -
                               ff01:3::1 (refs: 1)
                               ff02:3::2:a61d:93b4 (refs: 1)
                               ff02:3::1 (refs: 1)
                               ff02:3::1:ff00:1 (refs: 1)
lo0     16384  localhost       ::1                  0         -      0         -      -
                               ff01:3::1 (refs: 1)
                               ff02:3::2:a61d:93b4 (refs: 1)
                               ff02:3::1 (refs: 1)
                               ff02:3::1:ff00:1 (refs: 1)
lo0     16384  your-net        localhost            433       -      2433      -      -
                               ALL-SYSTEMS.MCAST
pflog0  33204                                       0         0      80567     0      0
tun0*   1500                                        78331     0      76381     0      0
tun99   1500                                        353       0      375       0      0
ng0     1492                                        17114096  0      13449463  0      0
ng0     1492   85.176.145.31   e176145031.adsl.a    12398     -      17011     -      -
                               ALL-SYSTEMS.MCAST
"
mpd.conf:
"
default:
        load PPPoE

PPPoE:
        new -i ng0 PPPoE PPPoE
        set iface addrs 1.1.1.1 2.2.2.2
        set iface route default
        set iface enable on-demand
        set iface idle 0
        set bundle disable multilink
        set bundle authname "xxy"
        set iface disable tcpmssfix
        set link no acfcomp protocomp
        set link disable pap chap
        set link accept chap
        set link mtu 1492
        set link mru 1492
        set link keep-alive 10 60
        set ipcp yes vjcomp
        set iface enable tcpmssfix  #I know pf also do this in my setup, but Iam despaired:)
        set ipcp ranges 0.0.0.0/0 0.
Re: Dual NIC routing (?) problem
On Fri, Jun 20, 2008 at 4:50 AM, Yuri Pankov <[EMAIL PROTECTED]> wrote:
> The MadDaemon wrote:
>>
>> On Tue, Jun 17, 2008 at 3:47 PM, Yuri Pankov <[EMAIL PROTECTED]> wrote:
>>>
>>> The MadDaemon wrote:
>>>> List,
>>>>
>>>> I'm having a problem with a dual-homed host running 7.0-RELEASE with
>>>> regards to traffic on one of the interfaces that I'm hoping someone
>>>> knows something about.
>>>>
>>>> The goal of this box is to run Nessus on bge0 only (which is plugged
>>>> into a trunk port on a switch), keeping fxp0 free as the admin
>>>> interface and for serving web pages on my LAN.
>>>>
>>>> Here's ifconfig:
>>>>
>>>> bge0: flags=8802 metric 0 mtu 1500
>>>>         options=9b
>>>>         ether 00:19:b9:22:a8:22
>>>>         inet 0.0.0.0 netmask 0xff00 broadcast 0.0.0.255
>>>>         media: Ethernet autoselect (100baseTX )
>>>>         status: active
>>>> fxp0: flags=8843 metric 0 mtu 1500
>>>>         options=b
>>>>         ether 00:02:b3:bb:59:17
>>>>         inet 10.20.10.24 netmask 0xff00 broadcast 172.20.10.255
>>>>         inet 10.20.10.28 netmask 0x broadcast 172.20.10.28
>>>>         inet 10.20.10.29 netmask 0x broadcast 172.20.10.29
>>>>         media: Ethernet autoselect (100baseTX )
>>>>         status: active
>>>>
>>>> /etc/rc.conf section:
>>>>
>>>> # Created: Mon Jun 9 09:32:52 2008
>>>> defaultrouter="10.20.10.254"
>>>> hostname="darkhorse.mydomain.local"
>>>> ifconfig_fxp0="inet 10.20.10.24 netmask 255.255.255.0"
>>>> ifconfig_fxp0_alias0="inet 10.20.10.28 netmask 255.255.255.255"
>>>> ifconfig_fxp0_alias1="inet 10.20.10.29 netmask 255.255.255.255"
>>>> ifconfig_bge0="inet 0.0.0.0 netmask 255.255.255.0"
>>>
>>> Try using ifconfig_bge0="up" in /etc/rc.conf instead of assigning bogus
>>> (probably) address.
>>
>> Tried that as well and it didn't work. I found a few different things
>> regarding VLAN setup, so my new (and not working) configuration is
>> this (in part):
>>
>> ##
>> # VLAN Configuration #
>> ##
>> cloned_interface="vlan2"
>> ifconfig_vlan2="inet 10.21.1.245 netmask 255.255.255.0 vlan 2 vlandev bge0"
>> cloned_interface="vlan5"
>> ifconfig_vlan5="inet 10.20.8.245 netmask 255.255.255.0 vlan 5 vlandev bge0"
>
> So 10.20.8.245 is in tagged vlan 5.

Yes..

>> cloned_interface="vlan6"
>> ifconfig_vlan6="inet 10.20.7.245 netmask 255.255.255.0 vlan 6 vlandev bge0"
>>
>> (I got the VLAN IDs straight from the router, so they are correct for
>> each VLAN.)
>>
>> [EMAIL PROTECTED] [~]# ifconfig bge0 inet 10.20.8.245 netmask 255.255.255.0
>
> and here you are trying to set 10.20.8.245 on parent bge0 without 802.1q
> tagging, how do you expect it to work?

I didn't, actually - lack of sleep = brainfart :(

>> [EMAIL PROTECTED] [~]# ifconfig bge0 up
>> [EMAIL PROTECTED] [~]# ifconfig bge0
>> bge0: flags=8843 metric 0 mtu 1500
>>         options=9b
>>         ether 00:19:b9:22:a8:22
>>         inet 10.20.8.245 netmask 0xff00 broadcast 10.20.8.255
>>         media: Ethernet autoselect (100baseTX )
>>         status: active
>> [EMAIL PROTECTED] [~]# ping -c 2 10.20.8.4
>> PING 10.20.8.4 (10.20.8.4): 56 data bytes
>>
>> --- 10.20.8.4 ping statistics ---
>> 2 packets transmitted, 0 packets received, 100.0% packet loss
>>
>
> Sorry if I understood you incorrectly.

No problem.. I believe I fixed it by setting this in /etc/rc.conf:

cloned_interfaces="vlan2 vlan5 vlan6 vlan7 vlan107 vlan201 vlan212"
ifconfig_vlan2="inet 10.21.1.245 netmask 255.255.255.0 vlan 2 vlandev bge0"
ifconfig_vlan5="inet 10.20.8.245 netmask 255.255.255.0 vlan 5 vlandev bge0"
ifconfig_vlan6="inet 10.20.7.245 netmask 255.255.255.0 vlan 6 vlandev bge0"
ifconfig_vlan7="inet 10.20.253.245 netmask 255.255.255.0 vlan 7 vlandev bge0"
ifconfig_vlan107="inet 10.21.7.245 netmask 255.255.255.0 vlan 107 vlandev bge0"
ifconfig_vlan201="inet 10.20.1.245 netmask 255.255.255.0 vlan 201 vlandev bge0"
ifconfig_vlan212="inet 10.21.2.245 netmask 255.255.255.0 vlan 212 vlandev bge0"
##
# Bring up bge0 manually to make sure it's up:
ifconfig_bge0="up"
##
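As an added check (not code from the thread or from FreeBSD's rc.d), the following Python audit encodes the three points this thread settled on: clones must be listed in the plural cloned_interfaces variable (the broken attempt wrote cloned_interface= three times, a name rc.d never reads, and each line silently overwrote the previous one anyway), every ifconfig_vlanN needs a vlandev, and the trunk parent should get ifconfig_bge0="up" rather than a bogus 0.0.0.0 address. The function names are mine; the two sample configs are abbreviated from the messages above.

```python
"""Consistency checks for rc.conf VLAN cloning.  Added example, not code from
the mailing-list thread or from FreeBSD; it only encodes the points the thread
arrived at (see the lead-in).  Sample configs are abbreviated from the thread.
"""
import re
import shlex
from typing import Dict, List, Tuple

ASSIGN = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_rc_conf(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (variables, names assigned more than once).  As when sh(1)
    sources the file, the last assignment wins silently."""
    conf: Dict[str, str] = {}
    dups: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = ASSIGN.match(line)
        if not m:
            continue
        name, value = m.group(1), " ".join(shlex.split(m.group(2)))
        if name in conf:
            dups.append(name)
        conf[name] = value
    return conf, dups


def _after(tokens: List[str], key: str) -> str:
    """Token following a keyword in an ifconfig string, or '' if absent."""
    try:
        return tokens[tokens.index(key) + 1]
    except (ValueError, IndexError):
        return ""


def check_vlans(conf: Dict[str, str]) -> List[str]:
    problems: List[str] = []
    if "cloned_interface" in conf:           # singular: rc.d never reads it
        problems.append('cloned_interface= is not an rc.conf variable; '
                        'use cloned_interfaces="vlan2 vlan5 ..."')
    cloned = set(conf.get("cloned_interfaces", "").split())
    parents = set()
    for name, value in conf.items():
        if not name.startswith("ifconfig_vlan") or "_alias" in name:
            continue
        ifn = name[len("ifconfig_"):]
        tokens = value.split()
        if ifn not in cloned:
            problems.append(f"{ifn}: configured but not in cloned_interfaces, "
                            "so it is never created")
        parent = _after(tokens, "vlandev")
        if not parent:
            problems.append(f"{ifn}: no 'vlandev <parent>' in its ifconfig line")
        else:
            parents.add(parent)
    for p in sorted(parents):
        setting = conf.get(f"ifconfig_{p}")
        if setting is None:
            problems.append(f'{p}: trunk parent is never brought up; '
                            f'add ifconfig_{p}="up"')
        elif "0.0.0.0" in setting.split():
            problems.append(f'{p}: bogus address 0.0.0.0 on the trunk parent; '
                            f'use ifconfig_{p}="up"')
    return problems


def audit(text: str) -> List[str]:
    """Duplicate-assignment warnings followed by the VLAN checks."""
    conf, dups = parse_rc_conf(text)
    notes = [f"{d}= assigned more than once; only the last value survives"
             for d in sorted(set(dups))]
    return notes + check_vlans(conf)


# Abbreviated from the thread: the attempt that did not work ...
BROKEN = '''
defaultrouter="10.20.10.254"
ifconfig_fxp0="inet 10.20.10.24 netmask 255.255.255.0"
ifconfig_bge0="inet 0.0.0.0 netmask 255.255.255.0"
cloned_interface="vlan2"
ifconfig_vlan2="inet 10.21.1.245 netmask 255.255.255.0 vlan 2 vlandev bge0"
cloned_interface="vlan5"
ifconfig_vlan5="inet 10.20.8.245 netmask 255.255.255.0 vlan 5 vlandev bge0"
cloned_interface="vlan6"
ifconfig_vlan6="inet 10.20.7.245 netmask 255.255.255.0 vlan 6 vlandev bge0"
'''

# ... and the one that did.
FIXED = '''
cloned_interfaces="vlan2 vlan5 vlan6"
ifconfig_vlan2="inet 10.21.1.245 netmask 255.255.255.0 vlan 2 vlandev bge0"
ifconfig_vlan5="inet 10.20.8.245 netmask 255.255.255.0 vlan 5 vlandev bge0"
ifconfig_vlan6="inet 10.20.7.245 netmask 255.255.255.0 vlan 6 vlandev bge0"
# Bring up bge0 manually to make sure it's up:
ifconfig_bge0="up"
'''

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        findings = audit(cfg)
        print(f"{label}: {len(findings)} problem(s)")
        for p in findings:
            print("  -", p)
```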
Re: Dual NIC routing (?) problem
(Sorry, I replied to Yuri only by mistake)

On Thu, Jun 19, 2008 at 10:49 AM, The MadDaemon <[EMAIL PROTECTED]> wrote:
> On Tue, Jun 17, 2008 at 3:47 PM, Yuri Pankov <[EMAIL PROTECTED]> wrote:
>> The MadDaemon wrote:
>>>
>>> List,
>>>
>>> I'm having a problem with a dual-homed host running 7.0-RELEASE with
>>> regards to traffic on one of the interfaces that I'm hoping someone
>>> knows something about.
>>>
>>> The goal of this box is to run Nessus on bge0 only (which is plugged
>>> into a trunk port on a switch), keeping fxp0 free as the admin
>>> interface and for serving web pages on my LAN.
>>>
>>> Here's ifconfig:
>>>
>>> bge0: flags=8802 metric 0 mtu 1500
>>>         options=9b
>>>         ether 00:19:b9:22:a8:22
>>>         inet 0.0.0.0 netmask 0xff00 broadcast 0.0.0.255
>>>         media: Ethernet autoselect (100baseTX )
>>>         status: active
>>> fxp0: flags=8843 metric 0 mtu 1500
>>>         options=b
>>>         ether 00:02:b3:bb:59:17
>>>         inet 10.20.10.24 netmask 0xff00 broadcast 172.20.10.255
>>>         inet 10.20.10.28 netmask 0x broadcast 172.20.10.28
>>>         inet 10.20.10.29 netmask 0x broadcast 172.20.10.29
>>>         media: Ethernet autoselect (100baseTX )
>>>         status: active
>>>
>>> /etc/rc.conf section:
>>>
>>> # Created: Mon Jun 9 09:32:52 2008
>>> defaultrouter="10.20.10.254"
>>> hostname="darkhorse.mydomain.local"
>>> ifconfig_fxp0="inet 10.20.10.24 netmask 255.255.255.0"
>>> ifconfig_fxp0_alias0="inet 10.20.10.28 netmask 255.255.255.255"
>>> ifconfig_fxp0_alias1="inet 10.20.10.29 netmask 255.255.255.255"
>>> ifconfig_bge0="inet 0.0.0.0 netmask 255.255.255.0"
>>
>> Try using ifconfig_bge0="up" in /etc/rc.conf instead of assigning bogus
>> (probably) address.
>
> Tried that as well and it didn't work. I found a few different things
> regarding VLAN setup, so my new (and not working) configuration is
> this (in part):
>
> ##
> # VLAN Configuration #
> ##
> cloned_interface="vlan2"
> ifconfig_vlan2="inet 10.21.1.245 netmask 255.255.255.0 vlan 2 vlandev bge0"
> cloned_interface="vlan5"
> ifconfig_vlan5="inet 10.20.8.245 netmask 255.255.255.0 vlan 5 vlandev bge0"
> cloned_interface="vlan6"
> ifconfig_vlan6="inet 10.20.7.245 netmask 255.255.255.0 vlan 6 vlandev bge0"
>
> (I got the VLAN IDs straight from the router, so they are correct for
> each VLAN.)
>
> [EMAIL PROTECTED] [~]# ifconfig bge0 inet 10.20.8.245 netmask 255.255.255.0
> [EMAIL PROTECTED] [~]# ifconfig bge0 up
> [EMAIL PROTECTED] [~]# ifconfig bge0
> bge0: flags=8843 metric 0 mtu 1500
>         options=9b
>         ether 00:19:b9:22:a8:22
>         inet 10.20.8.245 netmask 0xff00 broadcast 10.20.8.255
>         media: Ethernet autoselect (100baseTX )
>         status: active
> [EMAIL PROTECTED] [~]# ping -c 2 10.20.8.4
> PING 10.20.8.4 (10.20.8.4): 56 data bytes
>
> --- 10.20.8.4 ping statistics ---
> 2 packets transmitted, 0 packets received, 100.0% packet loss
>

--
It said "use Linux 2.4 kernel or better" so I installed FreeBSD. Now
everything runs better. Why didn't they just tell me to do that to begin with?
Re: Dual NIC routing (?) problem
The MadDaemon wrote:
> List,
>
> I'm having a problem with a dual-homed host running 7.0-RELEASE with
> regards to traffic on one of the interfaces that I'm hoping someone
> knows something about.
>
> The goal of this box is to run Nessus on bge0 only (which is plugged
> into a trunk port on a switch), keeping fxp0 free as the admin
> interface and for serving web pages on my LAN.
>
> Here's ifconfig:
>
> bge0: flags=8802 metric 0 mtu 1500
>         options=9b
>         ether 00:19:b9:22:a8:22
>         inet 0.0.0.0 netmask 0xff00 broadcast 0.0.0.255
>         media: Ethernet autoselect (100baseTX )
>         status: active
> fxp0: flags=8843 metric 0 mtu 1500
>         options=b
>         ether 00:02:b3:bb:59:17
>         inet 10.20.10.24 netmask 0xff00 broadcast 172.20.10.255
>         inet 10.20.10.28 netmask 0x broadcast 172.20.10.28
>         inet 10.20.10.29 netmask 0x broadcast 172.20.10.29
>         media: Ethernet autoselect (100baseTX )
>         status: active
>
> /etc/rc.conf section:
>
> # Created: Mon Jun 9 09:32:52 2008
> defaultrouter="10.20.10.254"
> hostname="darkhorse.mydomain.local"
> ifconfig_fxp0="inet 10.20.10.24 netmask 255.255.255.0"
> ifconfig_fxp0_alias0="inet 10.20.10.28 netmask 255.255.255.255"
> ifconfig_fxp0_alias1="inet 10.20.10.29 netmask 255.255.255.255"
> ifconfig_bge0="inet 0.0.0.0 netmask 255.255.255.0"

Try using ifconfig_bge0="up" in /etc/rc.conf instead of assigning bogus
(probably) address.

> I'm not sure what other changes need to be made or where, but when I
> assign an IP/netmask to bge0, bring up the interface, and try to ping
> the gateway (or anything else), I get 100% packet loss. I've even tried
> to assign a new default route, but I get an error stating there's
> already a default route.
>
> I know I'm completely missing something here, but I just can't figure
> out *what*. Any help would be most appreciated.
>
> -MD

HTH,
Yuri
Dual NIC routing (?) problem
List,

I'm having a problem with a dual-homed host running 7.0-RELEASE with
regards to traffic on one of the interfaces that I'm hoping someone
knows something about.

The goal of this box is to run Nessus on bge0 only (which is plugged
into a trunk port on a switch), keeping fxp0 free as the admin
interface and for serving web pages on my LAN.

Here's ifconfig:

bge0: flags=8802 metric 0 mtu 1500
        options=9b
        ether 00:19:b9:22:a8:22
        inet 0.0.0.0 netmask 0xff00 broadcast 0.0.0.255
        media: Ethernet autoselect (100baseTX )
        status: active
fxp0: flags=8843 metric 0 mtu 1500
        options=b
        ether 00:02:b3:bb:59:17
        inet 10.20.10.24 netmask 0xff00 broadcast 172.20.10.255
        inet 10.20.10.28 netmask 0x broadcast 172.20.10.28
        inet 10.20.10.29 netmask 0x broadcast 172.20.10.29
        media: Ethernet autoselect (100baseTX )
        status: active

/etc/rc.conf section:

# Created: Mon Jun 9 09:32:52 2008
defaultrouter="10.20.10.254"
hostname="darkhorse.mydomain.local"
ifconfig_fxp0="inet 10.20.10.24 netmask 255.255.255.0"
ifconfig_fxp0_alias0="inet 10.20.10.28 netmask 255.255.255.255"
ifconfig_fxp0_alias1="inet 10.20.10.29 netmask 255.255.255.255"
ifconfig_bge0="inet 0.0.0.0 netmask 255.255.255.0"

I'm not sure what other changes need to be made or where, but when I
assign an IP/netmask to bge0, bring up the interface, and try to ping
the gateway (or anything else), I get 100% packet loss. I've even tried
to assign a new default route, but I get an error stating there's
already a default route.

I know I'm completely missing something here, but I just can't figure
out *what*. Any help would be most appreciated.

-MD

--
It said "use Linux 2.4 kernel or better" so I installed FreeBSD. Now
everything runs better. Why didn't they just tell me to do that to begin with?
Re: routing problem
On Sat, 24 Nov 2007, Alaor Barroso de Carvalho Neto wrote:
> 2007/11/24, Ian Smith <[EMAIL PROTECTED]>:
> >
> > No I didn't mean that; use your own favourite packet filter, any of them
> > can handle what you've described. Bill suggested pf - lots of people
> > seem to like it a lot - and I use ipfw because I (mostly) know how to.
>
> I always had linux servers, so I'm very familiar with iptables, I don't have
> a favorite BSD firewall yet, so that's why I'm asking. I chose ipfilter
> because I liked the tutorial in the FreeBSD handbook, but I don't know any
> features of the others, I even don't know ipfilter yet.

Yes, I suspect the handbook firewall sections were put together by an
ipfilter fan, even the ipfw section contains some oddities indicating that,
and the pf section so far lacks the basic and with-NAT firewall setups that
might encourage more people unfamiliar with pf to try it.

> > Ok. Pasted output of 'ifconfig' and 'netstat -finet -nr' may help ..
> > it's easier to parse familiar machine output than textual descriptions.
>
> My BSD box doesn't have a graphic interface and I must admit I'm suffering to
> use it, so that's why I'm transcribing the configs, but I'm gonna change
> that.

You can mark and copy with the mouse in text terminals on non-X boxes, at a
pinch. I then use (say) ee to save the paste, though of course it's a lot
less tedious working from an xterm with multiple clipboard buffers .. I've
pasted up to 2000 lines from a Konsole at times :)

> > Dunno. I'd just run tcpdump in a different terminal for each interface
> > and watch the traffic; what gets forwarded, or not, what gets translated
> > by NAT, or not. As you said, pings are a useful start, as can be adding
> > temporary firewall rules to log everything in and out per interface ..
> >
> > I know next to nothing about routed(8) and RIP, nor why you might prefer
> > it to static and cloned routing, but taking it out of the mix might help
> > with debugging until your basic routing and filtering works right?
>
> I think it's hard to be NAT even because I've disabled ipfilter and the
> problem is still there. I thought I would just set gateway_enable="YES" and
> things would start working, at least that was how I've seen in the docs, but
> like it didn't, I tried to set static routes. I don't know anything about
> routed too, I just know that it's supposed to build the routes on demand, or

I think routed might only work in a network that's using RIP throughout, but
that's only from what I've read in Hunt's TCP/IP Network Admin book, and I've
seen next to no discussion of using RIP in recent times. I'm pretty sure you
don't want to run routed(8) and that it would only add to confusion for anyone
trying to help you spot your problem here.

> something like that. I'll copy the result of netstat on monday but the
> routes seem to be OK, they're there like they're supposed to be, at least I
> think they are right. Probably the problem is very stupid, but I feel like

Possibly just a little confusion re how freebsd routing tables are presented
compared to Linux, especially re default routes, perhaps?

> I've checked everything and I can't find the error, and like I'm not very
> familiar with BSD I'm losing my hope. Next week I'll try some things and if
> it don't work I think it's time to go back to linux. That's bad because I
> liked a lot the freebsd way of doing things.

I suggest ending this thread here, and that you come back with a fresh start
on a fresh subject stating again what you want to do, your network setup and
layout, ifconfig and your full IPv4 routing tables, and a clear description of
which packets via which interface/s are failing to get to where you want them
to go (and back!). Your original message was fairly clear about that, though
it's got lost in the mists of time by now ..

Don't give up. Perhaps spend a little time browsing the freebsd-net list to
see if that's worth joining for you, if you can't get sufficient answers here,
but with enough basic info I'm sure someone here can help.

Cheers, Ian
Re: routing problem
On Sat, 24 Nov 2007 13:41:51 -0200
"Alaor Barroso de Carvalho Neto" <[EMAIL PROTECTED]> wrote:
> 2007/11/24, Ian Smith <[EMAIL PROTECTED]>:
> >
> > No I didn't mean that; use your own favourite packet filter, any of
> > them can handle what you've described. Bill suggested pf - lots of
> > people seem to like it a lot - and I use ipfw because I (mostly)
> > know how to.
>
> I always had linux servers, so I'm very familiar with iptables, I
> don't have a favorite BSD firewall yet, so that's why I'm asking. I
> chose ipfilter because I liked the tutorial in the FreeBSD handbook,
> but I don't know any features of the others, I even don't know
> ipfilter yet.

IPFilter was OpenBSD's old firewall, but because of its restrictive licence
PF was developed and IPFilter was dropped from OpenBSD. The two firewalls use
a very similar syntax. Unless you have a good reason to use IPFilter, it's
probably better to start with PF, the documentation on the OpenBSD site is
pretty good.
Re: routing problem
2007/11/24, Ian Smith <[EMAIL PROTECTED]>:
>
> No I didn't mean that; use your own favourite packet filter, any of them
> can handle what you've described. Bill suggested pf - lots of people
> seem to like it a lot - and I use ipfw because I (mostly) know how to.

I always had linux servers, so I'm very familiar with iptables, I don't have
a favorite BSD firewall yet, so that's why I'm asking. I chose ipfilter
because I liked the tutorial in the FreeBSD handbook, but I don't know any
features of the others, I even don't know ipfilter yet.

> Ok. Pasted output of 'ifconfig' and 'netstat -finet -nr' may help ..
> it's easier to parse familiar machine output than textual descriptions.

My BSD box doesn't have a graphic interface and I must admit I'm suffering to
use it, so that's why I'm transcribing the configs, but I'm gonna change that.

> Dunno. I'd just run tcpdump in a different terminal for each interface
> and watch the traffic; what gets forwarded, or not, what gets translated
> by NAT, or not. As you said, pings are a useful start, as can be adding
> temporary firewall rules to log everything in and out per interface ..
>
> I know next to nothing about routed(8) and RIP, nor why you might prefer
> it to static and cloned routing, but taking it out of the mix might help
> with debugging until your basic routing and filtering works right?

I think it's hard to be NAT even because I've disabled ipfilter and the
problem is still there. I thought I would just set gateway_enable="YES" and
things would start working, at least that was how I've seen in the docs, but
like it didn't, I tried to set static routes. I don't know anything about
routed too, I just know that it's supposed to build the routes on demand, or
something like that. I'll copy the result of netstat on monday but the
routes seem to be OK, they're there like they're supposed to be, at least I
think they are right.

Probably the problem is very stupid, but I feel like I've checked everything
and I can't find the error, and like I'm not very familiar with BSD I'm
losing my hope. Next week I'll try some things and if it don't work I think
it's time to go back to linux. That's bad because I liked a lot the freebsd
way of doing things.

Thankz the attention guyz, hugs!

Alaor
Re: routing problem
On Sat, 24 Nov 2007, Alaor Barroso de Carvalho Neto wrote:
> 2007/11/24, Ian Smith <[EMAIL PROTECTED]>:
> >
> > ipfw works fine too for these sorts of network policy separation :)
>
> So ipfilter is not recommended by you guyz?

No I didn't mean that; use your own favourite packet filter, any of them
can handle what you've described. Bill suggested pf - lots of people
seem to like it a lot - and I use ipfw because I (mostly) know how to.

> > I'm not saying this odd netmask explains your problem, nor that I fully
> > understand the effect of non-contiguous netmasks, but it's worth fixing.
>
> My fault again, the mask is 255.255.255.224, I messed up the things the 27
> come from XXX.XXX.XXX.XXX/27, you're right! But in the config file it's
> .224.

Ok. Pasted output of 'ifconfig' and 'netstat -finet -nr' may help ..
it's easier to parse familiar machine output than textual descriptions.

> > On which machine/s is NAT translation taking place? Eg if 10.10/16 were
> > allowed access to the internet via here, where would they get NAT'd to
> > the external IP?
> >
> > Cheers, Ian
>
> The ipfilter was nating, but I'm not sure about the NAT rules inside the
> config file, I must recheck it monday, I just tested the redirection rules,
> do you think this can be the problem?

Dunno. I'd just run tcpdump in a different terminal for each interface
and watch the traffic; what gets forwarded, or not, what gets translated
by NAT, or not. As you said, pings are a useful start, as can be adding
temporary firewall rules to log everything in and out per interface ..

I know next to nothing about routed(8) and RIP, nor why you might prefer
it to static and cloned routing, but taking it out of the mix might help
with debugging until your basic routing and filtering works right?

HTH, Ian
Re: routing problem
2007/11/24, Ian Smith <[EMAIL PROTECTED]>:
>
> ipfw works fine too for these sorts of network policy separation :)

So ipfilter is not recommended by you guyz?

> If that wasn't a typo, this is a non-contiguous netmask. I suspect you
> want 255.255.255.224, assuming the default router is in the same subnet?
>
> Specifying CIDR notation with route and ifconfig can make netmask
> fatfingering a bit less likely (eg here XXX.XXX.XXX.130/27)
>
> I'm not saying this odd netmask explains your problem, nor that I fully
> understand the effect of non-contiguous netmasks, but it's worth fixing.

My fault again, the mask is 255.255.255.224, I messed up the things the 27
come from XXX.XXX.XXX.XXX/27, you're right! But in the config file it's .224.

> On which machine/s is NAT translation taking place? Eg if 10.10/16 were
> allowed access to the internet via here, where would they get NAT'd to
> the external IP?
>
> Cheers, Ian

The ipfilter was nating, but I'm not sure about the NAT rules inside the
config file, I must recheck it monday, I just tested the redirection rules,
do you think this can be the problem?

Alaor
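Both this thread and the PPPoE thread further up turn on a non-contiguous netmask: the 1.1.1.1&0x1010101 route that mpd's "set iface addrs 1.1.1.1 2.2.2.2" left on rl0, and .27 typed where .224 (/27) was meant. The Python model below is an added example, not code from either thread or from FreeBSD; it simplifies route selection to "the matching route with the most mask bits wins" (the kernel uses a radix tree, but these cases come out the same) and every address in it is constructed.

```python
"""Model of what a non-contiguous netmask does to route selection.

Added example for two mailing-list threads; not code from them or from
FreeBSD.  Case 1 models the mpd leftover "1.1.1.1&0x1010101 link#1 UC rl0",
case 2 a netmask of 255.255.255.27 typed for 255.255.255.224 (/27).
Assumptions: route choice is "most mask bits among matching routes wins"
(a simplification of the kernel's radix lookup) and all addresses below are
constructed for the demonstration.
"""
from ipaddress import IPv4Address
from typing import List, NamedTuple, Optional


def ip(s: str) -> int:
    """Dotted quad -> 32-bit int."""
    return int(IPv4Address(s))


class Route(NamedTuple):
    net: int   # destination as 32-bit int
    mask: int  # netmask as 32-bit int, not necessarily contiguous
    via: str   # gateway/interface, display only

    def matches(self, dst: int) -> bool:
        return (dst & self.mask) == (self.net & self.mask)


def mask_is_contiguous(mask: int) -> bool:
    """True for masks of the form 1...10...0, i.e. expressible as /N.
    Anything else is almost certainly a typo (255.255.255.27) or a
    misconfiguration (0x01010101); this is the check worth running on
    every netmask before it goes into ifconfig or route(8)."""
    inv = ~mask & 0xFFFFFFFF
    return inv & (inv + 1) == 0


def lookup(dst: str, table: List[Route]) -> Optional[Route]:
    """Most specific matching route, measured as number of mask bits."""
    d = ip(dst)
    cands = [r for r in table if r.matches(d)]
    return max(cands, key=lambda r: bin(r.mask).count("1"), default=None)


# Case 1: constructed table modelled on the netstat -rn output in the PPPoE
# thread.  0x01010101 has only four bits set, yet that beats the default
# route (zero bits) for every destination whose four octets are all odd.
PPPOE_TABLE = [
    Route(ip("0.0.0.0"), 0x00000000, "default via ng0"),
    Route(ip("1.1.1.1"), 0x01010101, "link#1 on rl0"),  # mpd leftover
    Route(ip("192.168.113.0"), 0xFFFFFF00, "vr0"),
]


def stolen_by_bogus_route(dst: str) -> bool:
    """True when the cloning route on rl0 wins: the kernel would then treat
    the destination as directly attached to the LAN segment instead of
    sending it over PPPoE, which is the 'some hosts unreachable' symptom."""
    r = lookup(dst, PPPOE_TABLE)
    return r is not None and r.via == "link#1 on rl0"


def with_host_route(dst: str) -> str:
    """The reporter's workaround: an explicit /32 route has 32 mask bits and
    therefore always outranks the four-bit bogus route."""
    table = PPPOE_TABLE + [Route(ip(dst), 0xFFFFFFFF, "host route via ng0")]
    return lookup(dst, table).via


# Case 2: 255.255.255.27 typed for a /27.  This on-link test is what decides
# whether a default router on that interface is considered reachable.
def same_subnet(a: str, b: str, mask: int) -> bool:
    return (ip(a) & mask) == (ip(b) & mask)


if __name__ == "__main__":
    for m in (0xFFFFFFE0, 0xFFFFFF1B, 0x01010101):
        print(f"mask {m:#010x} contiguous: {mask_is_contiguous(m)}")
    # 101.103.105.107 is constructed: all octets odd, so it is stolen.
    for dst in ("101.103.105.107", "203.0.113.5", "192.168.113.7"):
        print(dst, "->", lookup(dst, PPPOE_TABLE).via)
    print("with host route:", with_host_route("101.103.105.107"))
    host, router, stranger = "192.0.2.130", "192.0.2.129", "192.0.2.2"
    print("router on-link with /27:", same_subnet(host, router, 0xFFFFFFE0))
    print("router on-link with .27:", same_subnet(host, router, 0xFFFFFF1B))
    print("stranger on-link with .27:", same_subnet(host, stranger, 0xFFFFFF1B))
```

With the .27 typo the real router at .129 is no longer on-link while a host in a different /27 (.2) suddenly is, which is why such a mask produces "unreachable" errors that look like a routing problem rather than a typo.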
Re: routing problem
On Fri, 23 Nov 2007 12:33:26 -0200 "Alaor Barroso de Carvalho Neto" <[EMAIL PROTECTED]> wrote:

> 2007/11/23, Bill Moran <[EMAIL PROTECTED]>:
> >
> > "Alaor Barroso de Carvalho Neto" <[EMAIL PROTECTED]> wrote:

[..]

> > > > > em0 external world XXX.XXX.XXX.XXX
> > > > > rl0 adm 192.168.1.80
> > > > > rl1 acad 192.168.2.90
> > > > > rl3 database 10.10.0.50
> > > > >
> > > > > They are all separated networks. What I want: 192.168.2 should only
> > > > > access the internet, shouldn't have access to 192.168.1 or 10.10/16.
> > > > > 192.168.1 should access the internet and
> > > > > 10.10/16, but shouldn't access the academic network. 10.10/16 should
> > > > > access only the 192.168.1 network, but it's not a problem if they had
> > > > > access to internet too.
> > > > >
> > > > > How I would set up my rc.conf with my static routes?
> > > >
> > > > This is beyond the scope of routing. You'll need to install a packet
> > > > filter. The best at this time is probably pf:

ipfw works fine too for these sorts of network policy separation :)

> > > Yes, I have IPFILTER installed, but if I would want to everybody ping to
> > > everybody and then block the things in the firewall, it isn't about
> > > routes? because neither of my networks are pinging to any other right now.
> > > By ping I mean have access. I thought it would have something to do with
> > > setting routes. BTW, my ipfilter now just pass everything because I'm
> > > building the server, but I already have a config file with the blocks
> > > that I would apply.
> >
> > That's a completely different scenario than the one you described in
> > your previous message.
> >
> > Do you have gateway_enable="YES" in /etc/rc.conf?
> >
> > --
> > Bill Moran
> > http://www.potentialtech.com

Just to add a couple of points to what Bill's pursuing here:

> Yeah, I know, I was trying to make it work with only adm and external, but
> the real scenario I have is this.

> Yes I have this line, my rc.conf is like this:
> [...]
> gateway_enable="yes"
> defaultrouter="XXX.XXX.XXX.158" (the external ip)
> ifconfig_em0="inet XXX.XXX.XXX.130 netmask 255.255.255.227"

If that wasn't a typo, this is a non-contiguous netmask. I suspect you want 255.255.255.224, assuming the default router is in the same subnet?

Specifying CIDR notation with route and ifconfig can make netmask fatfingering a bit less likely (eg here XXX.XXX.XXX.130/27)

I'm not saying this odd netmask explains your problem, nor that I fully understand the effect of non-contiguous netmasks, but it's worth fixing.

> ifconfig_rl0="inet 192.168.1.80 netmask 255.255.255.0"
> ifconfig_rl1="inet 192.168.2.90 netmask 255.255.255.0"
> ifconfig_rl2="inet 10.10.0.50 netmask 255.255.0.0"
> [...]

On which machine/s is NAT translation taking place? Eg if 10.10/16 were allowed access to the internet via here, where would they get NAT'd to the external IP?

Cheers, Ian
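An added check for the netmask point Ian raises above (example code written for this page, not from the thread or from FreeBSD): it parses the ifconfig_ and defaultrouter lines of a constructed rc.conf fragment, reports any non-contiguous mask together with the CIDR spelling he recommends, and tests whether the default router falls inside some interface's subnet. The external address is the documentation placeholder 203.0.113.130 standing in for XXX.XXX.XXX.130.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed rc.conf fragment, not the poster's real file: the masked external
# address XXX.XXX.XXX.130 becomes the documentation-range placeholder
# 203.0.113.130, and the mask keeps the suspicious .227 from the thread.
SAMPLE_RC_CONF = """
gateway_enable="yes"
defaultrouter="203.0.113.158"
ifconfig_em0="inet 203.0.113.130 netmask 255.255.255.227"
ifconfig_rl0="inet 192.168.1.80 netmask 255.255.255.0"
ifconfig_rl1="inet 192.168.2.90 netmask 255.255.255.0"
ifconfig_rl2="inet 10.10.0.50 netmask 255.255.0.0"
"""

IFCONFIG_RE = re.compile(
    r'^ifconfig_(?P<ifname>\w+)="inet\s+(?P<addr>[\d.]+)\s+netmask\s+(?P<mask>[\d.]+)"'
)
DEFAULTROUTER_RE = re.compile(r'^defaultrouter="(?P<gw>[\d.]+)"')


@dataclass
class IfaceCheck:
    ifname: str
    addr: str
    mask: str
    prefixlen: Optional[int]   # None when the mask is non-contiguous
    suggested_cidr: str        # the address in CIDR form, the spelling Ian suggests


def leading_ones(mask: str) -> int:
    """Length of the run of 1 bits at the top of the mask (24 + 3 for .227)."""
    bits = int(ipaddress.IPv4Address(mask))
    n = 0
    while n < 32 and bits & (1 << (31 - n)):
        n += 1
    return n


def mask_prefix_len(mask: str) -> Optional[int]:
    """Prefix length of a contiguous dotted-quad mask, or None if a 0 bit is
    followed by a 1 bit somewhere (255.255.255.227 ends in 11100011)."""
    bits = int(ipaddress.IPv4Address(mask))
    n = leading_ones(mask)
    contiguous = (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF
    return n if bits == contiguous else None


def audit_rc_conf(text: str) -> Tuple[List[IfaceCheck], Optional[str]]:
    """Parse ifconfig_<if> and defaultrouter lines; flag odd masks and propose
    the CIDR spelling. For a non-contiguous mask the proposal keeps only the
    leading run of 1 bits (.227 -> /27): a heuristic, not proof of intent."""
    checks: List[IfaceCheck] = []
    gateway: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = DEFAULTROUTER_RE.match(line)
        if m:
            gateway = m.group("gw")
            continue
        m = IFCONFIG_RE.match(line)
        if not m:
            continue
        plen = mask_prefix_len(m.group("mask"))
        guess = plen if plen is not None else leading_ones(m.group("mask"))
        checks.append(IfaceCheck(m.group("ifname"), m.group("addr"), m.group("mask"),
                                 plen, f"{m.group('addr')}/{guess}"))
    return checks, gateway


def gateway_on_link(checks: List[IfaceCheck], gateway: Optional[str]) -> Optional[str]:
    """Interface whose subnet contains the default router, or None. Interfaces
    with a non-contiguous mask are skipped: their subnet is not well defined."""
    if gateway is None:
        return None
    gw = ipaddress.IPv4Address(gateway)
    for c in checks:
        if c.prefixlen is None:
            continue
        if gw in ipaddress.ip_interface(f"{c.addr}/{c.prefixlen}").network:
            return c.ifname
    return None


def report(text: str) -> List[str]:
    """Human-readable findings, one line per problem; empty when all is well."""
    checks, gateway = audit_rc_conf(text)
    out = [f"{c.ifname}: non-contiguous netmask {c.mask}; did you mean {c.suggested_cidr}?"
           for c in checks if c.prefixlen is None]
    if gateway_on_link(checks, gateway) is None:
        out.append(f"defaultrouter {gateway} is not inside any interface's subnet")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_RC_CONF):
        print(line)
    fixed = SAMPLE_RC_CONF.replace("255.255.255.227", "255.255.255.224")
    print("after fix:", report(fixed) or "no findings")
```

With the .227 mask the sample yields two findings (the mask itself, and a default router that no well-defined subnet contains); with .224 both disappear, which is the "same subnet" assumption Ian makes.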
Re: routing problem
2007/11/23, Bill Moran <[EMAIL PROTECTED]>:
>
> > I'm going to the server room to test the command. And yes, the DNS is
> > working properly. I just came from the room and I did the command dig @
> > 192.168.1.1 google.ca and it said no server reached, then I did dig @
> > 127.0.0.1 google.ca and it worked!
>
> Is this on the FreeBSD machine? I have a sneaking suspicion that your
> ipfilter rules are blocking everything.

Yes, that's on the FreeBSD machine. I'm not sure about the RIP, I must check. About the ipfilter, I disabled it in rc.conf and it's still not working. I'm not at work anymore, only on monday I'll be able to run the netstat, but I'm losing my hope. Have a nice weekend brother.
Re: routing problem
"Alaor Barroso de Carvalho Neto" <[EMAIL PROTECTED]> wrote:

> > First off, what's the output of "sysctl net.inet.ip.forwarding"? If
> > it is 0, then reboot and see if it starts working.
>
> The return was: net.inet.ip.forwarding 1

OK. That's not the problem then ... did you disable ipfilter and try without it?

> Routed is running, named is running, the server itself can ping to any
> network, I don't know what else to test.

Do you have RIP on your network? Based on your description, it seems unlikely that RIP is in use on your network ... I don't know what the default behaviour is for routed when it can't acquire routing information.

What is the output of "netstat -rn"?

--
Bill Moran
http://www.potentialtech.com
Re: routing problem
> First off, what's the output of "sysctl net.inet.ip.forwarding"? If
> it is 0, then reboot and see if it starts working.

The return was: net.inet.ip.forwarding 1

Routed is running, named is running, the server itself can ping to any network, I don't know what else to test.
Re: routing problem
> By ping, mean ping. I don't know what "have access" means, but I know
> what "ping" means.

Well I say have access because the ICMP would be blocked, but I would still have communication with the network even if I didn't ping. But yeah, for me right now ping and have access is the same once the firewall is passing anything.
Re: routing problem
2007/11/23, Bill Moran <[EMAIL PROTECTED]>:
>
> "Alaor Barroso de Carvalho Neto" <[EMAIL PROTECTED]> wrote:
>
> > 2007/11/23, Bill Moran <[EMAIL PROTECTED]>:
> > >
> > > "Alaor Barroso de Carvalho Neto" <[EMAIL PROTECTED]> wrote:
> > >
> > > > Yes, I have IPFILTER installed, but if I would want to everybody
> > > > ping to everybody and then block the things in the firewall, it isn't
> > > > about routes? because neither of my networks are pinging to any other
> > > > right now. By ping I mean have access.
>
> By ping, mean ping. I don't know what "have access" means, but I know
> what "ping" means.
>
> So what do you really mean ... what are you actually doing? If you run
> ping 192.168.1.[some working IP] from a machine on the 192.168.2.0/24
> network, what is the result?
>
> > > > I thought it would have something to do with setting
> > > > routes. BTW, my ipfilter now just pass everything because I'm
> > > > building the server, but I already have a config file with the
> > > > blocks that I would apply.
> > >
> > > That's a completely different scenario than the one you described in
> > > your previous message.
> > >
> > > Do you have gateway_enable="YES" in /etc/rc.conf?
> >
> > Yeah, I know, I was trying to make it work with only adm and external,
> > but the real scenario I have is this. Yes I have this line, my rc.conf is
> > like this:
> > [...]
> > gateway_enable="yes"
> > defaultrouter="XXX.XXX.XXX.158" (the external ip)
> > ifconfig_em0="inet XXX.XXX.XXX.130 netmask 255.255.255.227"
> > ifconfig_rl0="inet 192.168.1.80 netmask 255.255.255.0"
> > ifconfig_rl1="inet 192.168.2.90 netmask 255.255.255.0"
> > ifconfig_rl2="inet 10.10.0.50 netmask 255.255.0.0"
> > [...]
> >
> > I don't know if that matters, but the yes should be YES to things work?
> > I'd kill myself if this is the problem.
>
> Don't kill yourself. At least, if you do, will me all your stuff.
>
> The parameter is case-insensitive, I just prefer the caps.
>
> First off, what's the output of "sysctl net.inet.ip.forwarding"? If
> it is 0, then reboot and see if it starts working.
>
> Once you're sure that sysctl is being properly set (which is all that
> gateway_enable="yes" does), if you're still having problems, disable
> ipfilter altogether and see if it starts working. If it does, then
> it becomes a discussion of firewall rules.
>
> Also, is your DNS working properly? I don't know how many times I've
> seen DNS timeouts mistaken for network problems. 99% of the programs
> out there will _seem_ to have a network problem if the DNS isn't working
> properly.
>
> --
> Bill Moran
> http://www.potentialtech.com

I don't have that much stuff at all, only some bills to pay, we have a deal? ;)

I'm going to the server room to test the command. And yes, the DNS is working properly. I just came from the room and I did the command dig @192.168.1.1 google.ca and it said no server reached, then I did dig @127.0.0.1 google.ca and it worked! Then I went to the DNS machine and tried to ping the IP that dig gave me, it can't. I changed the ip of the FreeBSD box to 192.168.1.240 and turned the linux machine back on with the ip 192.168.1.80 and did dig @192.168.1.1 google.ca and it worked! Went to the DNS machine and pinged the IP dig gave me and it worked. It seems like the dns machine has no access to the external network..
Re: routing problem
"Alaor Barroso de Carvalho Neto" <[EMAIL PROTECTED]> wrote:

> 2007/11/23, Bill Moran <[EMAIL PROTECTED]>:
> >
> > "Alaor Barroso de Carvalho Neto" <[EMAIL PROTECTED]> wrote:
> >
> > > Yes, I have IPFILTER installed, but if I would want to everybody ping to
> > > everybody and then block the things in the firewall, it isn't about
> > > routes? because neither of my networks are pinging to any other right
> > > now. By ping I mean have access.

By ping, mean ping. I don't know what "have access" means, but I know what "ping" means.

So what do you really mean ... what are you actually doing? If you run ping 192.168.1.[some working IP] from a machine on the 192.168.2.0/24 network, what is the result?

> > > I thought it would have something to do with setting
> > > routes. BTW, my ipfilter now just pass everything because I'm building
> > > the server, but I already have a config file with the blocks that I
> > > would apply.
> >
> > That's a completely different scenario than the one you described in
> > your previous message.
> >
> > Do you have gateway_enable="YES" in /etc/rc.conf?
>
> Yeah, I know, I was trying to make it work with only adm and external, but
> the real scenario I have is this. Yes I have this line, my rc.conf is like
> this:
> [...]
> gateway_enable="yes"
> defaultrouter="XXX.XXX.XXX.158" (the external ip)
> ifconfig_em0="inet XXX.XXX.XXX.130 netmask 255.255.255.227"
> ifconfig_rl0="inet 192.168.1.80 netmask 255.255.255.0"
> ifconfig_rl1="inet 192.168.2.90 netmask 255.255.255.0"
> ifconfig_rl2="inet 10.10.0.50 netmask 255.255.0.0"
> [...]
>
> I don't know if that matters, but the yes should be YES to things work? I'd
> kill myself if this is the problem.

Don't kill yourself. At least, if you do, will me all your stuff.

The parameter is case-insensitive, I just prefer the caps.

First off, what's the output of "sysctl net.inet.ip.forwarding"? If it is 0, then reboot and see if it starts working.

Once you're sure that sysctl is being properly set (which is all that gateway_enable="yes" does), if you're still having problems, disable ipfilter altogether and see if it starts working. If it does, then it becomes a discussion of firewall rules.

Also, is your DNS working properly? I don't know how many times I've seen DNS timeouts mistaken for network problems. 99% of the programs out there will _seem_ to have a network problem if the DNS isn't working properly.

--
Bill Moran
http://www.potentialtech.com
Re: routing problem
2007/11/23, Bill Moran <[EMAIL PROTECTED]>:
>
> "Alaor Barroso de Carvalho Neto" <[EMAIL PROTECTED]> wrote:
>
> > 2007/11/23, Bill Moran <[EMAIL PROTECTED]>:
> > >
> > > "Alaor Barroso de Carvalho Neto" <[EMAIL PROTECTED]> wrote:
> > >
> > > > OK guyz, I did some tests and I found the error, like you said, it's
> > > > a config problem with the routes, I thought the routed daemon would
> > > > take care of it for me but it seems like it don't. Please I ask you to
> > > > forget the scenario I said before, now what i have is:
> > > >
> > > > The dns server is now with the IP 192.168.1.1. But to make things
> > > > easier I installed it in the FreeBSD box that is gonna be my gateway
> > > > and proxy machine, so the problem isn't about the dns anymore.
> > > >
> > > > I work in a school and I have now this scenario: two local networks,
> > > > 192.168.1/24, an administrative network and 192.168.2/24, an
> > > > academic network, plus I must have access to a network of other
> > > > school with the ip 10.10/16, because they share their database server
> > > > with us. So the FreeBSD machine have four network cards:
> > > >
> > > > em0 external world XXX.XXX.XXX.XXX
> > > > rl0 adm 192.168.1.80
> > > > rl1 acad 192.168.2.90
> > > > rl3 database 10.10.0.50
> > > >
> > > > They are all separated networks. What I want: 192.168.2 should only
> > > > access the internet, shouldn't have access to 192.168.1 or 10.10/16.
> > > > 192.168.1 should access the internet and
> > > > 10.10/16, but shouldn't access the academic network. 10.10/16 should
> > > > access only the 192.168.1 network, but it's not a problem if they had
> > > > access to internet too.
> > > >
> > > > How I would set up my rc.conf with my static routes?
> > >
> > > This is beyond the scope of routing. You'll need to install a packet
> > > filter. The best at this time is probably pf:
> > >
> > > http://www.freebsd.org/cgi/man.cgi?query=pfctl&sektion=8&apropos=0&manpath=FreeBSD+6.2-RELEASE
> > >
> > > http://www.freebsd.org/cgi/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=FreeBSD+6.2-RELEASE&format=html
> >
> > Yes, I have IPFILTER installed, but if I would want to everybody ping to
> > everybody and then block the things in the firewall, it isn't about
> > routes? because neither of my networks are pinging to any other right now.
> > By ping I mean have access. I thought it would have something to do with
> > setting routes. BTW, my ipfilter now just pass everything because I'm
> > building the server, but I already have a config file with the blocks
> > that I would apply.
>
> That's a completely different scenario than the one you described in
> your previous message.
>
> Do you have gateway_enable="YES" in /etc/rc.conf?
>
> --
> Bill Moran
> http://www.potentialtech.com

Yeah, I know, I was trying to make it work with only adm and external, but the real scenario I have is this. Yes I have this line, my rc.conf is like this:

[...]
gateway_enable="yes"
defaultrouter="XXX.XXX.XXX.158" (the external ip)
ifconfig_em0="inet XXX.XXX.XXX.130 netmask 255.255.255.227"
ifconfig_rl0="inet 192.168.1.80 netmask 255.255.255.0"
ifconfig_rl1="inet 192.168.2.90 netmask 255.255.255.0"
ifconfig_rl2="inet 10.10.0.50 netmask 255.255.0.0"
[...]

I don't know if that matters, but the yes should be YES to things work? I'd kill myself if this is the problem.
Re: routing problem
"Alaor Barroso de Carvalho Neto" <[EMAIL PROTECTED]> wrote:

> 2007/11/23, Bill Moran <[EMAIL PROTECTED]>:
> >
> > "Alaor Barroso de Carvalho Neto" <[EMAIL PROTECTED]> wrote:
> >
> > > OK guyz, I did some tests and I found the error, like you said, it's a
> > > config problem with the routes, I thought the routed daemon would take
> > > care of it for me but it seems like it don't. Please I ask you to forget
> > > the scenario I said before, now what i have is:
> > >
> > > The dns server is now with the IP 192.168.1.1. But to make things
> > > easier I installed it in the FreeBSD box that is gonna be my gateway and
> > > proxy machine, so the problem isn't about the dns anymore.
> > >
> > > I work in a school and I have now this scenario: two local networks,
> > > 192.168.1/24, an administrative network and 192.168.2/24, an academic
> > > network, plus I must have access to a network of other school with the
> > > ip 10.10/16, because they share their database server with us. So the
> > > FreeBSD machine have four network cards:
> > >
> > > em0 external world XXX.XXX.XXX.XXX
> > > rl0 adm 192.168.1.80
> > > rl1 acad 192.168.2.90
> > > rl3 database 10.10.0.50
> > >
> > > They are all separated networks. What I want: 192.168.2 should only
> > > access the internet, shouldn't have access to 192.168.1 or 10.10/16.
> > > 192.168.1 should access the internet and
> > > 10.10/16, but shouldn't access the academic network. 10.10/16 should
> > > access only the 192.168.1 network, but it's not a problem if they had
> > > access to internet too.
> > >
> > > How I would set up my rc.conf with my static routes?
> >
> > This is beyond the scope of routing. You'll need to install a packet
> > filter. The best at this time is probably pf:
> >
> > http://www.freebsd.org/cgi/man.cgi?query=pfctl&sektion=8&apropos=0&manpath=FreeBSD+6.2-RELEASE
> >
> > http://www.freebsd.org/cgi/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=FreeBSD+6.2-RELEASE&format=html
>
> Yes, I have IPFILTER installed, but if I would want to everybody ping to
> everybody and then block the things in the firewall, it isn't about routes?
> because neither of my networks are pinging to any other right now. By ping
> I mean have access. I thought it would have something to do with setting
> routes. BTW, my ipfilter now just pass everything because I'm building the
> server, but I already have a config file with the blocks that I would apply.

That's a completely different scenario than the one you described in your previous message.

Do you have gateway_enable="YES" in /etc/rc.conf?

--
Bill Moran
http://www.potentialtech.com
Re: routing problem
"Alaor Barroso de Carvalho Neto" <[EMAIL PROTECTED]> wrote:

> OK guyz, I did some tests and I found the error, like you said, it's a
> config problem with the routes, I thought the routed daemon would take care
> of it for me but it seems like it don't. Please I ask you to forget the
> scenario I said before, now what i have is:
>
> The dns server is now with the IP 192.168.1.1. But to make things easier
> I installed it in the FreeBSD box that is gonna be my gateway and proxy
> machine, so the problem isn't about the dns anymore.
>
> I work in a school and I have now this scenario: two local networks,
> 192.168.1/24, an administrative network and 192.168.2/24, an academic
> network, plus I must have access to a network of other school with the ip
> 10.10/16, because they share their database server with us. So the FreeBSD
> machine have four network cards:
>
> em0 external world XXX.XXX.XXX.XXX
> rl0 adm 192.168.1.80
> rl1 acad 192.168.2.90
> rl3 database 10.10.0.50
>
> They are all separated networks. What I want: 192.168.2 should only access
> the internet, shouldn't have access to 192.168.1 or 10.10/16.
> 192.168.1 should access the internet and
> 10.10/16, but shouldn't access the academic network. 10.10/16 should access
> only the 192.168.1 network, but it's not a problem if they had access to
> internet too.
>
> How I would set up my rc.conf with my static routes?

This is beyond the scope of routing. You'll need to install a packet filter. The best at this time is probably pf:

http://www.freebsd.org/cgi/man.cgi?query=pfctl&sektion=8&apropos=0&manpath=FreeBSD+6.2-RELEASE

http://www.freebsd.org/cgi/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=FreeBSD+6.2-RELEASE&format=html

--
Bill Moran
http://www.potentialtech.com
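The access policy Alaor describes, written out as data and turned into pf rules, as an added example that is neither Bill's code nor pf's own documentation. It assumes the rc.conf interface names (rl2 for 10.10/16, where the interface table says rl3), grants 10.10/16 internet access because the poster called that "not a problem", and renders pf.conf syntax as assumed here; the same matrix could be written for ipfw or ipfilter, and the output should be checked with pfctl -nf before loading.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

IPv4Net = ipaddress.IPv4Network

# Interface -> network, from the rc.conf lines in the thread. The interface
# table earlier says rl3 for the database link, the rc.conf lines say rl2;
# rl2 is assumed here.
INTERNAL: Dict[str, IPv4Net] = {
    "rl0": ipaddress.ip_network("192.168.1.0/24"),  # adm
    "rl1": ipaddress.ip_network("192.168.2.0/24"),  # acad
    "rl2": ipaddress.ip_network("10.10.0.0/16"),    # other school's database net
}
EXTERNAL_IF = "em0"

# The stated policy as data: which internal network may initiate traffic to
# which other internal network. Every pair not listed is denied.
ALLOWED_INTERNAL: Set[Tuple[str, str]] = {("rl0", "rl2"), ("rl2", "rl0")}
# Internet via em0: adm and acad need it; the poster said it is "not a
# problem" for 10.10/16, so it is granted here (assumption).
INTERNET_ALLOWED: Set[str] = {"rl0", "rl1", "rl2"}


@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    iface: str                # interface the packet arrives on
    src: IPv4Net
    dst: Optional[IPv4Net]    # None means "any"

    def matches(self, iface: str, src_ip: ipaddress.IPv4Address,
                dst_ip: ipaddress.IPv4Address) -> bool:
        return (self.iface == iface and src_ip in self.src
                and (self.dst is None or dst_ip in self.dst))

    def render(self) -> str:
        dst = "any" if self.dst is None else str(self.dst)
        if self.action == "pass":
            return f"pass in quick on {self.iface} inet from {self.src} to {dst} keep state"
        return f"block in log quick on {self.iface} inet from {self.src} to {dst}"


def build_rules() -> List[Rule]:
    """One rule per (source interface, destination network) pair, the specific
    internal pairs first, then the catch-all internet rule for that interface.
    Every rule is 'quick', so the order within an interface decides."""
    rules: List[Rule] = []
    for src_if, src_net in INTERNAL.items():
        for dst_if, dst_net in INTERNAL.items():
            if src_if == dst_if:
                continue
            action = "pass" if (src_if, dst_if) in ALLOWED_INTERNAL else "block"
            rules.append(Rule(action, src_if, src_net, dst_net))
        if src_if in INTERNET_ALLOWED:
            rules.append(Rule("pass", src_if, src_net, None))
    return rules


def decide(rules: List[Rule], iface: str, src: str, dst: str) -> str:
    """First-match evaluation of the quick rules; unmatched traffic hits the
    'block all' default, so anything arriving on em0 unsolicited is blocked."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.matches(iface, s, d):
            return r.action
    return "block"


def verify_policy(rules: List[Rule]) -> bool:
    """Check every internal pair against ALLOWED_INTERNAL with one host each."""
    for src_if, src_net in INTERNAL.items():
        for dst_if, dst_net in INTERNAL.items():
            if src_if == dst_if:
                continue
            want = "pass" if (src_if, dst_if) in ALLOWED_INTERNAL else "block"
            if decide(rules, src_if, str(src_net[10]), str(dst_net[10])) != want:
                return False
    return True


def render_pf_conf(rules: List[Rule]) -> str:
    """pf.conf text: NAT for the internal nets, default deny, the per-interface
    rules, and a stateful pass out so replies and forwarded packets leave."""
    lines = [f"nat on {EXTERNAL_IF} from {n} to any -> ({EXTERNAL_IF})"
             for n in INTERNAL.values()]
    lines += ["block all"]
    lines += [r.render() for r in rules]
    lines += ["pass out quick all keep state"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rules = build_rules()
    assert verify_policy(rules)
    print(render_pf_conf(rules))
```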
Re: routing problem
2007/11/23, Bill Moran <[EMAIL PROTECTED]>:
>
> "Alaor Barroso de Carvalho Neto" <[EMAIL PROTECTED]> wrote:
>
> > OK guyz, I did some tests and I found the error, like you said, it's a
> > config problem with the routes, I thought the routed daemon would take
> > care of it for me but it seems like it don't. Please I ask you to forget
> > the scenario I said before, now what i have is:
> >
> > The dns server is now with the IP 192.168.1.1. But to make things
> > easier I installed it in the FreeBSD box that is gonna be my gateway and
> > proxy machine, so the problem isn't about the dns anymore.
> >
> > I work in a school and I have now this scenario: two local networks,
> > 192.168.1/24, an administrative network and 192.168.2/24, an academic
> > network, plus I must have access to a network of other school with the
> > ip 10.10/16, because they share their database server with us. So the
> > FreeBSD machine have four network cards:
> >
> > em0 external world XXX.XXX.XXX.XXX
> > rl0 adm 192.168.1.80
> > rl1 acad 192.168.2.90
> > rl3 database 10.10.0.50
> >
> > They are all separated networks. What I want: 192.168.2 should only
> > access the internet, shouldn't have access to 192.168.1 or 10.10/16.
> > 192.168.1 should access the internet and
> > 10.10/16, but shouldn't access the academic network. 10.10/16 should
> > access only the 192.168.1 network, but it's not a problem if they had
> > access to internet too.
> >
> > How I would set up my rc.conf with my static routes?
>
> This is beyond the scope of routing. You'll need to install a packet
> filter. The best at this time is probably pf:
>
> http://www.freebsd.org/cgi/man.cgi?query=pfctl&sektion=8&apropos=0&manpath=FreeBSD+6.2-RELEASE
>
> http://www.freebsd.org/cgi/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=FreeBSD+6.2-RELEASE&format=html
>
> --
> Bill Moran
> http://www.potentialtech.com

Yes, I have IPFILTER installed, but if I would want to everybody ping to everybody and then block the things in the firewall, it isn't about routes? because neither of my networks are pinging to any other right now. By ping I mean have access. I thought it would have something to do with setting routes. BTW, my ipfilter now just pass everything because I'm building the server, but I already have a config file with the blocks that I would apply.
Re: routing problem
OK guyz, I did some tests and I found the error, like you said, it's a config problem with the routes, I thought the routed daemon would take care of it for me but it seems like it don't. Please I ask you to forget the scenario I said before, now what i have is:

The dns server is now with the IP 192.168.1.1. But to make things easier I installed it in the FreeBSD box that is gonna be my gateway and proxy machine, so the problem isn't about the dns anymore.

I work in a school and I have now this scenario: two local networks, 192.168.1/24, an administrative network and 192.168.2/24, an academic network, plus I must have access to a network of other school with the ip 10.10/16, because they share their database server with us. So the FreeBSD machine have four network cards:

em0 external world XXX.XXX.XXX.XXX
rl0 adm 192.168.1.80
rl1 acad 192.168.2.90
rl3 database 10.10.0.50

They are all separated networks. What I want: 192.168.2 should only access the internet, shouldn't have access to 192.168.1 or 10.10/16. 192.168.1 should access the internet and 10.10/16, but shouldn't access the academic network. 10.10/16 should access only the 192.168.1 network, but it's not a problem if they had access to internet too.

How I would set up my rc.conf with my static routes?

Thankz for the attention you're having with me guyz, hugs!

2007/11/21, Steve Bertrand <[EMAIL PROTECTED]>:
>
> Alaor Barroso de Carvalho Neto wrote:
> > Sorry,
> > searchdomain ...
> > nameserver 192.168.1.2
> >
> > not 192.168.1.1 as I've said before.
>
> What about:
>
> # dig @192.168.1.2 google.ca
>
> Also, I don't know if it has any impact, but my resolv.conf shows just
> 'search mydomain.com' as opposed to searchdomain. Perhaps you could fix
> that to see if it helps.
>
> Steve

--
Regards,
Alaor Neto
CEFET Campos/UNED Macaé
Coordenação de Tecnologia da Informação
(22) 9217-3198 / (22) 2773-6530 ext. 2035
Re: routing problem
Alaor Barroso de Carvalho Neto wrote:
> Sorry,
> searchdomain ...
> nameserver 192.168.1.2
>
> not 192.168.1.1 as I've said before.

What about:

# dig @192.168.1.2 google.ca

Also, I don't know if it has any impact, but my resolv.conf shows just 'search mydomain.com' as opposed to searchdomain. Perhaps you could fix that to see if it helps.

Steve
Re: routing problem
The nameserver is the 192.168.1.2 in the resolv.conf, sorry my fault. I'm gonna copy the rc.conf and paste here. But the routes are OK and still OK any time when the machine is not the main gateway and has some few clients using it as gateway, if it was a config problem it would never work, no? Is there any chance of the traffic of the network being responsible for that???

Thankz for the help

2007/11/21, Bill Moran <[EMAIL PROTECTED]>:
>
> In response to "Alaor Barroso de Carvalho Neto" <[EMAIL PROTECTED]>:
>
> > Sorry my english skills, I'm brazilian and I'm not very familiar with
> > the language, but I'm gonna try to explain it clearly:
> >
> > LINUX SERVER
> > private network 192.168.1.1
> > external network x.x.x.x
> >
> > FREEBSD SERVER
> > private network 192.168.1.240
> > external network x.x.x.x
> >
> > DNS SERVER
> > private network 192.168.1.2
> >
> > The LINUX machine is the network gateway, I want the FREEBSD to be the
> > gateway, so I tested the freebsd machine configuring some clients
> > manually to use the 192.168.1.240 as gateway, 3 machines, everything
> > worked. So I thought: time to replace the linux server. So I turned off
> > the linux machine and changed the ip of freebsd to 192.168.1.1, just it,
> > and then it stop working, it can resolve dns for some seconds and then
> > stop. Something I've noticed, when it's not the network gateway in fact,
> > with just some machines using it as gateway, the return of netstat -r is
> > ok, with the routes of the machines accessing it, the active connections,
> > if I just change the ip and turn off the LINUX machine, the netstat -r
> > return me no routes at all. Pretty strange.
> >
> > My nameserver is just
> > searchdomain ...
> > nameserver 192.168.1.1
>
> You've pointed the FreeBSD machine at itself for DNS. Do you have a DNS
> server running on this system? If not, you need to point it at a valid
> DNS server.
>
> If routes are missing then something is configured wrong. If you'd post
> the contents of /etc/rc.conf, it's more likely that we could provide
> more detailed assistance.
>
> --
> Bill Moran
> http://www.potentialtech.com

--
Regards,
Alaor Neto
CEFET Campos/UNED Macaé
Coordenação de Tecnologia da Informação
(22) 9217-3198 / (22) 2773-6530 ext. 2035
Re: routing problem
In response to "Alaor Barroso de Carvalho Neto" <[EMAIL PROTECTED]>:

> Sorry my english skills, I'm brazilian and I'm not very familiar with the
> language, but I'm gonna try to explain it clearly:
>
> LINUX SERVER
> private network 192.168.1.1
> external network x.x.x.x
>
> FREEBSD SERVER
> private network 192.168.1.240
> external network x.x.x.x
>
> DNS SERVER
> private network 192.168.1.2
>
> The LINUX machine is the network gateway, I want the FREEBSD to be the
> gateway, so I tested the freebsd machine configuring some clients manually
> to use the 192.168.1.240 as gateway, 3 machines, everything worked. So I
> thought: time to replace the linux server. So I turned off the linux machine
> and changed the ip of freebsd to 192.168.1.1, just it, and then it stop
> working, it can resolve dns for some seconds and then stop. Something I've
> noticed, when it's not the network gateway in fact, with just some machines
> using it as gateway, the return of netstat -r is ok, with the routes of the
> machines accessing it, the active connections, if I just change the ip and
> turn off the LINUX machine, the netstat -r return me no routes at all.
> Pretty strange.
>
> My nameserver is just
> searchdomain ...
> nameserver 192.168.1.1

You've pointed the FreeBSD machine at itself for DNS. Do you have a DNS server running on this system? If not, you need to point it at a valid DNS server.

If routes are missing then something is configured wrong. If you'd post the contents of /etc/rc.conf, it's more likely that we could provide more detailed assistance.

--
Bill Moran
http://www.potentialtech.com
Re: routing problem
Sorry,
searchdomain ...
nameserver 192.168.1.2

not 192.168.1.1 as I've said before.
Re: routing problem
Sorry my english skills, I'm brazilian and I'm not very familiar with the language, but I'm gonna try to explain it clearly:

LINUX SERVER
private network 192.168.1.1
external network x.x.x.x

FREEBSD SERVER
private network 192.168.1.240
external network x.x.x.x

DNS SERVER
private network 192.168.1.2

The LINUX machine is the network gateway, I want the FREEBSD to be the gateway, so I tested the freebsd machine configuring some clients manually to use the 192.168.1.240 as gateway, 3 machines, everything worked. So I thought: time to replace the linux server. So I turned off the linux machine and changed the ip of freebsd to 192.168.1.1, just it, and then it stop working, it can resolve dns for some seconds and then stop. Something I've noticed, when it's not the network gateway in fact, with just some machines using it as gateway, the return of netstat -r is ok, with the routes of the machines accessing it, the active connections, if I just change the ip and turn off the LINUX machine, the netstat -r return me no routes at all. Pretty strange.

My nameserver is just
searchdomain ...
nameserver 192.168.1.1

2007/11/21, Steve Bertrand <[EMAIL PROTECTED]>:
> Alaor Barroso de Carvalho Neto wrote:
> > If I turn off linux and set the rl0 to 192.168.1.1 it
> > stop resolving names but can ping to anywhere. Help!!!
> > in the rc.conf
> > gateway_enable="YES"
> > defaultrouter="X.X.X.X"
>
> I don't know if I quite understand on which machine things are breaking,
> but if it is a FreeBSD box, can you post the output to:
>
> # cat /etc/resolv.conf
>
> ...and
>
> # dig @192.168.1.2 google.ca
>
> Steve
Re: routing problem
Alaor Barroso de Carvalho Neto wrote:
> If I turn off linux and set the rl0 to 192.168.1.1 it
> stop resolving names but can ping to anywhere. Help!!!
> in the rc.conf
> gateway_enable="YES"
> defaultrouter="X.X.X.X"

I don't know if I quite understand on which machine things are breaking,
but if it is a FreeBSD box, can you post the output to:

# cat /etc/resolv.conf

...and

# dig @192.168.1.2 google.ca

Steve
routing problem
Hi,

I have some trouble building the internet gateway for my network. I already have a gateway machine running under Linux, with two interfaces, eth0 (192.168.1.1) and eth1 (external world), but I installed a new server running FreeBSD 6.2 with ipfilter and squid. During the test it had the IP 192.168.1.240 on rl0 and an external IP on rl1. I configured some machines in the network (3) to use it as gateway to test it and the transparent proxy, and everything worked fine.

So I turned off my Linux machine and configured the BSD IP on rl0 to 192.168.1.1, and then it stopped resolving names. I have a DNS server in my network with the IP 192.168.1.2; I can still ping it and the external world, but names aren't resolved anymore: it works for some seconds and then stops. When I turn on the Linux machine and plug it into the network with the IP 192.168.1.1 and change the BSD IP to anything else, it works again, resolves names and everything stays just as it's supposed to be. If I turn off Linux and set rl0 to 192.168.1.1 it stops resolving names but can ping anywhere. Help!!!

In the rc.conf:

gateway_enable="YES"
defaultrouter="X.X.X.X"
etc...

Everything seems to be OK.

Thanks for the attention.
Hugs!
Alaor Neto
Re: Policy - based Routing problem Need help
Narek Gharibyan wrote:
> Thank you very much,
> Relying on your help I reached success, but the rules differ from yours a little bit.
> My working rules are listed below:
>
> ipfw add fwd A all from ${inet1}:${imask1} to any out recv ${iif1}
> ipfw add fwd B all from ${inet}:${imask} to any out recv ${iif}

the following two rules shouldn't be needed if your routes are correct.

> ipfw add fwd G all from any to ${inet1}:${imask1} out via ${iif1}
> ipfw add fwd H all from any to ${inet}:${imask} out via ${iif}

I don't know what onet is..

> ipfw add fwd A all from ${onet1}:${omask1} to any out
> ipfw add fwd B all from ${onet}:${omask} to any out
> ipfw add fwd A all from ${inet1}:${imask1} to any out
> ipfw add fwd B all from ${inet}:${imask} to any out
>
> The only problem left is when someone (from provider A) tries to access the ftp
> server via B: it connects but doesn't do the "Get Directory" command. Ipfw doesn't
> matter, I checked. I think it is the specification of the ftp-data port 20
> (connection opening problem). Can you describe to me how it takes place via port 20,
> or find the wrong line in the ipfw fwd rules?

ftp is a problem as it negotiates new ports for data.
That is why people use Passive mode FTP. it doesn't do that.

> Best regards,
> Narek
>
> -----Original Message-----
> From: Julian Elischer [mailto:[EMAIL PROTECTED]]
> Sent: Monday, July 30, 2007 2:02 AM
> To: Narek Gharibyan
> Subject: Re: Policy - based Routing problem Need help
>
> Narek Gharibyan wrote:
> > Yes, your written rules are correct, you think exactly what I want to do.
> > ALSO
> >
> > 1. Packets coming from ISP-B (B network) into C SHOULD go out only via xx0
> > (as they came)
>
> # make sure WE can talk to the back nets
> # and ourself
> ipfw add 1 allow ip from any to any via lo0
> ipfw add 2 allow ip from me to G
> ipfw add 3 allow ip from me to H
> # the next 2 rules are not actually needed as any packets
> # going to G and H will go the right way anyhow.
> # ipfw add 4 fwd (G) ip from any to G out recv xx0
> # ipfw add 5 fwd (H) ip from any to H out recv xx1
> # The next rules ARE needed.
> ipfw add 6 fwd (A) ip from G to any out recv yy0
> ipfw add 7 fwd (B) ip from H to any out recv yy1
> ipfw add 8 fwd (A) ip from (C) to any out
> ipfw add 9 fwd (B) ip from (D) to any out
>
> > 2. Packets coming from ISP-A (A network) into D should go out only via xx1
> > (as they came)
> >
> > In other words, packets should leave my network via the interface they came in on.
> >
> > 3. Packets coming from E should go out via xx0
> > 4. Packets coming from F should go out via xx1
> >
> > Also I tried from inside to forward packets without a default gateway, using
> > via A or B, with the commands
> >
> > Ipfw add fwd A all from G to any xmit (or via) xx0
> >
> > and it didn't work. I've compiled my kernel with IPFIREWALL,
> > IPFIREWALL_FORWARD, and set net.inet.ip.forwarding=1 in sysctl.conf. Surely
> > I will try your configuration on Monday, but it seems ipfw fwd does no
> > forwarding. So how do I write it to reach the results (1., 2., 3., 4.)?
> >
> > Regards,
> > Narek
> >
> > -----Original Message-----
> > From: Julian Elischer [mailto:[EMAIL PROTECTED]]
> > Sent: Sunday, July 29, 2007 1:49 PM
> > To: Narek Gharibyan
> > Subject: Re: Policy - based Routing problem Need help
> >
> > Narek Gharibyan wrote:
> > > The right drawing is that one below
> > >
> > >               ___                   ___
> > > -[ISP-A](A)(C)[xx0   yy0](E)--(G)[NAT]
> > >               [ FBSD ]        [ Windows ](X)-LAN
> > > -[ISP-B](B)(D)[xx1   yy1](F)--(H)[NAT]
> > >               ~~~                   ~~~
> > >
> > > We can't use only a FreeBSD box, we also need to use a Windows box, due to our
> > > company's policy. So your suggestion is not an option. I think we need a
> > > different solution.
> >
> > ok.
> >
> > now that we have established the exact layout,
> > what is it exactly that you want to do?
> >
> > I gather that you want packets that come into D to go out of F
> > and packets that come in through C should go out via E
> >
> > this is achieved by:
> > ipfw add 1 fwd (G) ip from any to G out recv xx0
> > ipfw add 2 fwd (H) ip from any to H out recv xx1
> >
> > what else do you wish it to do?
> >
> > > Regards,
> > > Narek
RE: Policy - based Routing problem Need help
Thank you very much,
Relying on your help I reached success, but the rules differ from yours a little bit.
My working rules are listed below:

ipfw add fwd A all from ${inet1}:${imask1} to any out recv ${iif1}
ipfw add fwd B all from ${inet}:${imask} to any out recv ${iif}
ipfw add fwd G all from any to ${inet1}:${imask1} out via ${iif1}
ipfw add fwd H all from any to ${inet}:${imask} out via ${iif}
ipfw add fwd A all from ${onet1}:${omask1} to any out
ipfw add fwd B all from ${onet}:${omask} to any out
ipfw add fwd A all from ${inet1}:${imask1} to any out
ipfw add fwd B all from ${inet}:${imask} to any out

The only problem left is when someone (from provider A) tries to access the ftp server via B: it connects but doesn't do the "Get Directory" command. Ipfw doesn't matter, I checked. I think it is the specification of the ftp-data port 20 (connection opening problem). Can you describe to me how it takes place via port 20, or find the wrong line in the ipfw fwd rules?

Best regards,
Narek

-----Original Message-----
From: Julian Elischer [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 30, 2007 2:02 AM
To: Narek Gharibyan
Subject: Re: Policy - based Routing problem Need help

Narek Gharibyan wrote:
> Yes, your written rules are correct, you think exactly what I want to do.
> ALSO
>
> 1. Packets coming from ISP-B (B network) into C SHOULD go out only via xx0
> (as they came)

# make sure WE can talk to the back nets
# and ourself
ipfw add 1 allow ip from any to any via lo0
ipfw add 2 allow ip from me to G
ipfw add 3 allow ip from me to H
# the next 2 rules are not actually needed as any packets
# going to G and H will go the right way anyhow.
# ipfw add 4 fwd (G) ip from any to G out recv xx0
# ipfw add 5 fwd (H) ip from any to H out recv xx1
# The next rules ARE needed.
ipfw add 6 fwd (A) ip from G to any out recv yy0
ipfw add 7 fwd (B) ip from H to any out recv yy1
ipfw add 8 fwd (A) ip from (C) to any out
ipfw add 9 fwd (B) ip from (D) to any out

> 2. Packets coming from ISP-A (A network) into D should go out only via xx1
> (as they came)
>
> In other words, packets should leave my network via the interface they came in on.
>
> 3. Packets coming from E should go out via xx0
> 4. Packets coming from F should go out via xx1
>
> Also I tried from inside to forward packets without a default gateway, using via
> A or B, with the commands
>
> Ipfw add fwd A all from G to any xmit (or via) xx0
>
> and it didn't work. I've compiled my kernel with IPFIREWALL,
> IPFIREWALL_FORWARD, and set net.inet.ip.forwarding=1 in sysctl.conf. Surely
> I will try your configuration on Monday, but it seems ipfw fwd does no
> forwarding. So how do I write it to reach the results (1., 2., 3., 4.)?
>
> Regards,
> Narek
>
> -----Original Message-----
> From: Julian Elischer [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, July 29, 2007 1:49 PM
> To: Narek Gharibyan
> Subject: Re: Policy - based Routing problem Need help
>
> Narek Gharibyan wrote:
>> The right drawing is that one below
>>
>>               ___                   ___
>> -[ISP-A](A)(C)[xx0   yy0](E)--(G)[NAT]
>>               [ FBSD ]        [ Windows ](X)-LAN
>> -[ISP-B](B)(D)[xx1   yy1](F)--(H)[NAT]
>>               ~~~                   ~~~
>>
>> We can't use only a FreeBSD box, we also need to use a Windows box, due to our
>> company's policy. So your suggestion is not an option. I think we need a
>> different solution.
>
> ok.
>
> now that we have established the exact layout,
> what is it exactly that you want to do?
>
> I gather that you want packets that come into D to go out of F
> and packets that come in through C should go out via E
>
> this is achieved by:
> ipfw add 1 fwd (G) ip from any to G out recv xx0
> ipfw add 2 fwd (H) ip from any to H out recv xx1
>
> what else do you wish it to do?
>
>> Regards,
>> Narek
>>
Re: Policy Based Routing problem help me
On Thu, Jul 26, 2007 at 01:26:17AM +0500, Narek Gharibyan wrote:
> I have a firewall/router with FreeBSD 6.2 installed on it, 2 ISP connections
> and 2 LAN connections. I need to do policy-based routing. All I need is that
> packets coming from one ISP interface return to that interface (incoming
> connections' source-based routing) and, on the other hand, to do IP-based routing
> from the LAN (some packets will go out via ISP 1, others via ISP 2,
> depending on the IPs requested). I tried to do that with ipfw fwd but it didn't
> work any way (e.g. with ip.forwarding enabled or not). I even disabled my
> static routes and default gw. It just does nothing. Sample configs are
>
> ipfw add fwd ISP_gw from ${my lan} to any via ${eif}
> ipfw add fwd ISP_gw from ${my lan} to any out via ${eif}
> ipfw add fwd ISP_gw from any to any xmit ${eif}
>
> Ipfw add fwd ISP_gw from any to any via ${eif} out
>
> I don't use nat or a proxy. I just need to route.

Have you compiled your kernel with the following options?

| options IPFIREWALL_FORWARD
| options IPFIREWALL_FORWARD_EXTENDED

I found that this kind of forwarding silently failed until I enabled the
EXTENDED option in addition to the typical option. `man ipfw' briefly
mentions these two kernel options in the fwd section.

-- 
Chris Cowart
Lead Systems Administrator
Network & Infrastructure Services, RSSP-IT
UC Berkeley
Policy Based Routing problem help me
Hi all,

I have a firewall/router with FreeBSD 6.2 installed on it, 2 ISP connections and 2 LAN connections. I need to do policy-based routing. All I need is that packets coming from one ISP interface return to that interface (incoming connections' source-based routing) and, on the other hand, to do IP-based routing from the LAN (some packets will go out via ISP 1, others via ISP 2, depending on the IPs requested). I tried to do that with ipfw fwd but it didn't work any way (e.g. with ip.forwarding enabled or not). I even disabled my static routes and default gw. It just does nothing. Sample configs are:

ipfw add fwd ISP_gw from ${my lan} to any via ${eif}
ipfw add fwd ISP_gw from ${my lan} to any out via ${eif}
ipfw add fwd ISP_gw from any to any xmit ${eif}

Ipfw add fwd ISP_gw from any to any via ${eif} out

I don't use nat or a proxy. I just need to route.

Please help

Regards,
Narek
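The policy-routing requirement discussed in this thread (return traffic leaves by the uplink it arrived on, plus per-source selection of an uplink for LAN hosts) can be expressed as a small ipfw(8) ruleset generator. The script below is an added example; it is not code from Narek, Julian or Chris, and every interface name and address in it is a constructed placeholder (RFC 5737 documentation prefixes) to be overridden in the environment. It follows the same source-address approach as the `fwd ... out recv` rules in the thread, and Chris Cowart's note about the IPFIREWALL_FORWARD / IPFIREWALL_FORWARD_EXTENDED kernel options still applies to the box that loads it.

```shell
#!/bin/sh
# Added example (not from the mailing-list posts): generate an ipfw(8) ruleset
# for a FreeBSD router with two ISP uplinks so that
#   1. packets sourced from ISP-A's address block leave via ISP-A's gateway and
#      packets sourced from ISP-B's block leave via ISP-B's gateway (replies go
#      back the way the request came), and
#   2. LAN hosts inside LAN_VIA_B are policy-routed out via ISP-B.
# All values below are constructed placeholders; override them before running.

NET_A=${NET_A:-203.0.113.0/24};  GW_A=${GW_A:-203.0.113.1}    # ISP-A block / gateway
NET_B=${NET_B:-198.51.100.0/24}; GW_B=${GW_B:-198.51.100.1}   # ISP-B block / gateway
LAN_IF=${LAN_IF:-yy0};           LAN_NET=${LAN_NET:-192.0.2.0/24}
LAN_VIA_B=${LAN_VIA_B:-192.0.2.128/25}   # LAN sources that should use ISP-B

# pbr_rules: print the ruleset in the syntax ipfw(8) reads from a file.
# fwd only changes the next hop; it never rewrites addresses, so any NAT
# for the two uplinks has to be configured separately and consistently.
pbr_rules() {
    cat <<EOF
# loopback and directly connected destinations never need a forced next hop
add 100 allow ip from any to any via lo0
add 200 skipto 1000 ip from any to $NET_A
add 210 skipto 1000 ip from any to $NET_B
add 220 skipto 1000 ip from any to $LAN_NET
# 1. source-based return path: a packet leaves through the uplink whose
#    address block it carries, regardless of the default route
add 300 fwd $GW_A ip from $NET_A to any out
add 310 fwd $GW_B ip from $NET_B to any out
# 2. LAN policy: packets received on the LAN interface from LAN_VIA_B go
#    out via ISP-B; everything else follows the default route
add 400 fwd $GW_B ip from $LAN_VIA_B to any out recv $LAN_IF
# 1000+: the ordinary filtering rules continue here (default deny assumed)
add 1000 check-state
EOF
}

# apply_rules: load the generated rules on a FreeBSD box. Refuses to run
# without ipfw(8) or root; it does not flush, so the existing filtering
# ruleset stays in place and re-running it adds duplicates of the same numbers.
apply_rules() {
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not found" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "must be root to load ipfw rules" >&2; return 1; }
    pbr_rules | ipfw -q /dev/stdin
}

if [ "$#" -gt 0 ] && [ "$1" = apply ]; then
    apply_rules
fi
```

Run it with no arguments to review the generated rules, or `apply` on the router itself; `net.inet.ip.forwarding=1` is still required for transit traffic, and the skipto rules keep traffic to the directly connected networks from being pushed to an ISP gateway (the point Julian makes about rules 4 and 5 above).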
weird routing problem
My network looks like this:

+----------+     +------+     +---------+     +----------+
| Internet | <-> | Tiny | <-> | linksys | <-> | Behemoth |
+----------+     +------+     +---------+     +----------+
                                   \ (WiFi)
                                    \
                                +---------+
                                | various |
                                +---------+

Tiny is my firewall, and it forwards all ssh and http traffic to Behemoth. I also forward port 3389 to one of the clients on the wireless network. I can get into the remote desktop on my machine running XP and ssh to behemoth from there, but can't from the outside. Once I am logged into Behemoth, I can't ping anything on the outside. If I try to ping my default gateway, 192.168.2.1, I get "Ping: Sendto: Host is down". If I try to ping anything else, I get "Ping: Sendto: No route to host".

[EMAIL PROTECTED] ~]$ ifconfig
dc0: flags=8843 mtu 1500
        options=8
        inet 192.168.2.10 netmask 0xff00 broadcast 192.168.2.255
        ether 00:0c:41:e2:ae:75
        media: Ethernet autoselect (100baseTX )
        status: active
plip0: flags=108810 mtu 1500
pflog0: flags=0<> mtu 33208
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff00

[EMAIL PROTECTED] ~]$ netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.2.1        UGS         0      447    dc0
127.0.0.1          127.0.0.1          UH          0      604    lo0
192.168.2          link#1             UC          0        0    dc0
192.168.2.1        link#1             UHLW        2        2    dc0
192.168.2.10       00:0c:41:e2:ae:75  UHLW        1       10    lo0
168.168.2.100      00:12:17:6a:32:7e  UHLW        1     2239    dc0    623

[EMAIL PROTECTED] ~]$ ping google.com
ping: cannot resolve google.com: Host name lookup failure
[EMAIL PROTECTED] ~]$ ping 64.233.167.99
PING 64.233.167.99 (64.233.167.99): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
^C
--- 64.233.167.99 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

The weird thing is that I'm logged into this box over ssh. I shouldn't be able to connect to the box if there's something wrong with the routing, correct? I have already tried setting the mtu to 1400 with no result and rebooting, also with no result, but I'm really not sure where to go from here. Any help on this would be much appreciated.

I've attached my pf.conf, but it hasn't changed in a few weeks and this just started happening a couple of days ago. It coincided with me adding my new Wii to the wireless network, but I can't see how that could've messed up the routing on Behemoth.

-- 
-- I'm nerdy in the extreme and whiter than sour cream

# Macro definitions
ext_if = "dc0"                  # replace with actual external interface name i.e., dc0
int_if = "dc1"                  # replace with actual internal interface name i.e., dc1
local_net = "192.168.0.0/16"    # IP addresses used internally
table persist file "/var/db/ssh-bruteforce"   # Table of IP addresses blocked by bruteforce

set skip on lo0
scrub all                       # Scrub Everything

altq on $ext_if bandwidth 250Kb priq queue { tcp_ack, dns, ssh_fast, lan, http, ssh_bulk, torrent }   # outgoing queues for prioritization
queue tcp_ack priority 7 priq          # Queue for Tcp ack packets - low volume, high speed
queue dns priority 6 priq              # queue for dns queries and responses
queue ssh_fast priority 4 priq         # interactive ssh traffic
queue lan priority 3 priq(default)     # queue for lan clients
queue http priority 2 priq             # queue for http traffic
queue ssh_bulk priority 1 priq         # Queue for bulk (sftp, scp) ssh traffic
queue torrent priority 0 qlimit 100    # The torrent queue

nat on $ext_if from $local_net -> ($ext_if)   # nat localnet's packets to the firewall's external interface
rdr on $ext_if proto tcp from any to any port { 22, 80 } -> 192.168.2.10
rdr on $int_if proto tcp from $local_net to ($int_if) port 22 -> 192.168.1.1
rdr on $int_if proto tcp from any to ($ext_if) port { 80, 3150, 49160:49300 } -> 192.168.2.10
rdr on $ext_if proto tcp from any to any port { 32459, 4662 } -> 192.168.2.100
rdr on $ext_if proto udp from any to any port 4672 -> 192.168.2.100
rdr on $ext_if proto { tcp, udp } from any to any port 3389 -> 192.168.2.100

block log all                   # Default block rule
block in log quick proto tcp from to any port { 22, 80 }

# Antispoof rules
antispoof for $ext_if

# General Rules
pass in log quick on $ext_if inet proto tcp from any to any port 22 \
        flags S/SA keep state queue (ssh_bulk, ssh_fast)   # pass in ssh logins
pass in log quick on $ext_if inet proto tcp from any to any port { 80, 3150 } \
        flags S/SA keep state queue http                   # pass i
FreeBSD IPSec VPN routing problem
Hello list!

I've been playing around with an IPSEC site-to-site VPN. The setup is as follows:

[Home cisco 871w, A] -> (internet) -> [FreeBSD IPsec VPN-server] -> (internet) -> [Buddy's Home cisco 871w, B].

A and B can both reach the FreeBSD IPSec server on their VPN IPs:

A (10.10.10.1) to IPsec endpoint:
Pinging 10.3.2.1 with 32 bytes of data:
Reply from 10.3.2.1: bytes=32 time=84ms TTL=63
Reply from 10.3.2.1: bytes=32 time=85ms TTL=63

B (10.10.8.1) to IPsec endpoint:
PING 10.3.2.1 (10.3.2.1): 56 data bytes
64 bytes from 10.3.2.1: icmp_seq=0 ttl=63 time=74.705 ms
64 bytes from 10.3.2.1: icmp_seq=1 ttl=63 time=74.547 ms

This is what I use to set up the GIF interfaces:

ifconfig gif0 create
ifconfig gif0 tunnel A.B.C.D E.F.G.H
ifconfig gif0 inet 10.3.2.1 10.10.10.1 netmask 0x
route add 10.10.10.0/24 10.10.10.1

ifconfig gif1 create
ifconfig gif1 tunnel A.B.C.D I.J.K.L
ifconfig gif1 inet 10.3.2.1 10.10.8.1 netmask 0x
route add 10.10.8.0/24 10.10.8.1

And here is my IPsec policy setup:

#/usr/sbin/setkey -F
/usr/sbin/setkey -c << EOF
flush;
spdflush;
spdadd 10.3.2.0/24 10.10.8.0/24 any -P out ipsec esp/tunnel/A.B.C.D-I.J.K.L/unique;
spdadd 10.10.8.0/24 10.3.2.1/24 any -P in ipsec esp/tunnel/I.J.K.L-A.B.C.D/unique;
spdadd 10.3.2.0/24 10.10.10.0/24 any -P out ipsec esp/tunnel/A.B.C.D-E.F.G.H/unique;
spdadd 10.10.10.0/24 10.3.2.0/24 any -P in ipsec esp/tunnel/E.F.G.H-A.B.C.D/unique;
EOF

Everything seems nice and dandy, however:

Pinging 10.10.8.1 from 10.10.10.1 with 32 bytes of data:
Request timed out.
Request timed out.

It appears the server is not routing it between the interfaces. I have net.inet.ip.forwarding: 1 with sysctl.

Can anyone shed some light on what I am missing here to have packets from 10.10.10.1 hit 10.10.8.1 directly? Both IPs are reachable and reply to ping from the VPN server.
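For a hub that has to carry traffic between two spokes, the hub's SPD needs entries whose selectors are the spoke-to-spoke prefixes, not only the hub-to-spoke ones: an "in" policy on the tunnel the packet arrives through and an "out" policy on the tunnel it leaves by. The generator below is an added example, not the poster's configuration: it builds the complete setkey(8) script for a hub and any number of spokes. All public addresses and inside prefixes are constructed placeholders (RFC 5737 / RFC 1918), and it uses the `require` level rather than the post's `unique` so that one SA pair per tunnel can serve both the hub-to-spoke and the transit policies.

```shell
#!/bin/sh
# Added example (not the poster's own setup): produce the setkey(8) SPD for a
# hub-and-spoke ESP tunnel-mode VPN in which the FreeBSD box is the hub and
# spoke-to-spoke traffic transits it. Every address here is a constructed
# placeholder; override HUB_PUB, HUB_NET and SPOKES in the environment.

HUB_PUB=${HUB_PUB:-192.0.2.1}        # hub public address (A.B.C.D in the post)
HUB_NET=${HUB_NET:-10.3.2.0/24}      # hub-side inside network
# SPOKES: one "public-address inside-prefix" pair per line
SPOKES=${SPOKES:-'198.51.100.10 10.10.10.0/24
203.0.113.20 10.10.8.0/24'}

# hub_spd: print the complete setkey script on stdout
hub_spd() {
    echo 'flush;'
    echo 'spdflush;'
    # hub <-> each spoke: the ordinary site-to-site pair of policies
    printf '%s\n' "$SPOKES" | while read -r pub net; do
        [ -n "$pub" ] || continue
        echo "spdadd $HUB_NET $net any -P out ipsec esp/tunnel/$HUB_PUB-$pub/require;"
        echo "spdadd $net $HUB_NET any -P in ipsec esp/tunnel/$pub-$HUB_PUB/require;"
    done
    # spoke_i -> spoke_j transit: accept it decrypted from tunnel i, then
    # re-encrypt it toward tunnel j (the inner while reads its own pipe, so
    # the two loops do not share stdin)
    printf '%s\n' "$SPOKES" | while read -r pub_i net_i; do
        [ -n "$pub_i" ] || continue
        printf '%s\n' "$SPOKES" | while read -r pub_j net_j; do
            [ -n "$pub_j" ] && [ "$pub_j" != "$pub_i" ] || continue
            echo "spdadd $net_i $net_j any -P in ipsec esp/tunnel/$pub_i-$HUB_PUB/require;"
            echo "spdadd $net_i $net_j any -P out ipsec esp/tunnel/$HUB_PUB-$pub_j/require;"
        done
    done
}

# spd_count: number of spdadd lines, handy as a sanity check before loading
# (2 hub<->spoke lines per spoke plus 2 per ordered spoke pair)
spd_count() { hub_spd | grep -c '^spdadd'; }

# apply_spd: load the policies on the hub; requires root and setkey(8)
apply_spd() {
    command -v setkey >/dev/null 2>&1 || { echo "setkey not found" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "must be root to load the SPD" >&2; return 1; }
    hub_spd | setkey -c
}

if [ "$#" -gt 0 ] && [ "$1" = apply ]; then
    apply_spd
fi
```

Each spoke needs the mirror-image policies for the other spoke's prefix (for example, spoke A must have an "out" policy for 10.10.10.0/24 to 10.10.8.0/24 over its tunnel to the hub), and the hub still needs `net.inet.ip.forwarding=1`; without the transit selectors the decrypted spoke-to-spoke packet is forwarded in the clear or dropped, which is the symptom the post describes.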
Re: Routing problem
On Thu, Feb 08, 2007 at 12:10:07PM +0200, George Vanev wrote:
> I have FreeBSD 6.2 box with 1 NIC and 2 IPs.
> The first IP is to access internet, the second
> is for the ISP's LAN.
> Unfortunately I have internet, but no access to
> the other network.

We need network IP configuration details; ie addresses, netmasks, et al.
-- 
Jonathan Chen <[EMAIL PROTECTED]>
--
"Opportunity does not knock, it presents itself when you beat down the door"
                                                            - W.E. Channing
Re: Routing problem
> Nothing?
>
> You're able to arp 192.168.64.1 and 192.168.64.3, can you ping them?
>
> Since you have an RFC-1918 address on both the inside and the outside, I
> assume you're running nat on this machine to translate internal machine
> traffic.
>
> It looks like you have all the routes you need, so my _guess_ at this
> point is that when the public address is up, the nat is preventing
> traffic from going out that interface without being translated. Once it
> has a public address, it can't route properly on the 192.168.64/22 space.
>
> Have a look at what you're using for nat. If you can't see anything
> obviously at odds, post your nat/firewall/related config.
>
> --
> Bill Moran
> Collaborative Fusion Inc.

No I can't ping them.
Just to be sure I switched off the natd... It's the same.
I want the FreeBSD box to connect to both - internet and 192.168.64/22
and then I'll think of the nat

-- 
George Vanev
Re: Routing problem
In response to "George Vanev" <[EMAIL PROTECTED]>:

> On 2/8/07, Bill Moran <[EMAIL PROTECTED]> wrote:
> >
> > In response to "George Vanev" <[EMAIL PROTECTED]>:
> >
> > > I have FreeBSD 6.2 box with 1 NIC and 2 IPs.
> > > The first IP is to access internet, the second
> > > is for the ISP's LAN.
> > > Unfortunately I have internet, but no access to
> > > the other network.
> > >
> > > I made a test. I assigned to the NIC only the local
> > > IP and removed the defaultrouter. Then, of course,
> > > I have no internet but was able to access the ISP's
> > > network.
> > >
> > > I've tried everything I know, but still nothing
> >
> > Consider providing more details, such as the output of ifconfig and
> > netstat -rn.
> >
> > Sure sounds like a routing issue, but I doubt anyone can say anything
> > more without details.
>
> You are right.
>
> ifconfig
> --
> rl0: flags=8843 mtu 1500
>         options=8
>         inet 212.25.37.96 netmask 0xff00 broadcast 212.25.37.255
>         inet 192.168.67.41 netmask 0xfc00 broadcast 192.168.67.255
>         ether 00:17:31:e7:92:18
>         media: Ethernet autoselect (100baseTX )
>         status: active
> rl1: flags=8843 mtu 1500
>         options=8
>         inet 10.0.0.1 netmask 0xff00 broadcast 10.0.0.255
>         ether 00:50:bf:d5:f1:33
>         media: Ethernet autoselect (100baseTX )
>         status: active
> plip0: flags=108810 mtu 1500
> lo0: flags=8049 mtu 16384
>         inet 127.0.0.1 netmask 0xff00
>
> Routing tables
>
> Internet:
> Destination        Gateway            Flags    Refs      Use  Netif Expire
> default            212.25.37.1        UGS         0   458268    rl0
> 10/24              link#2             UC          0        0    rl1
> 10.0.0.2           00:15:60:ae:f7:61  UHLW        1   231827    rl1    922
> 10.0.0.3           00:17:08:2d:08:26  UHLW        1     1686    rl1   1004
> 10.0.0.255         ff:ff:ff:ff:ff:ff  UHLWb       1       67    rl1
> 127.0.0.1          127.0.0.1          UH          0        0    lo0
> 192.168.64/22      link#1             UC          0        0    rl0
> 192.168.64.1       00:02:a5:90:a9:b6  UHLW        1        0    rl0   1200
> 192.168.64.3       00:17:08:58:83:8d  UHLW        1        0    rl0   1113
> 212.25.37          link#1             UC          0        0    rl0
> 212.25.37.1        00:02:a5:90:a9:b6  UHLW        2        0    rl0   1195
>
> In this case I can't access anything from 192.168.64/22

Nothing?

You're able to arp 192.168.64.1 and 192.168.64.3, can you ping them?

Since you have an RFC-1918 address on both the inside and the outside, I
assume you're running nat on this machine to translate internal machine
traffic.

It looks like you have all the routes you need, so my _guess_ at this
point is that when the public address is up, the nat is preventing
traffic from going out that interface without being translated. Once it
has a public address, it can't route properly on the 192.168.64/22 space.

Have a look at what you're using for nat. If you can't see anything
obviously at odds, post your nat/firewall/related config.

-- 
Bill Moran
Collaborative Fusion Inc.
Re: Routing problem
On 2/8/07, Bill Moran <[EMAIL PROTECTED]> wrote:
> In response to "George Vanev" <[EMAIL PROTECTED]>:
>
> > I have FreeBSD 6.2 box with 1 NIC and 2 IPs.
> > The first IP is to access internet, the second
> > is for the ISP's LAN.
> > Unfortunately I have internet, but no access to
> > the other network.
> >
> > I made a test. I assigned to the NIC only the local
> > IP and removed the defaultrouter. Then, of course,
> > I have no internet but was able to access the ISP's
> > network.
> >
> > I've tried everything I know, but still nothing
>
> Consider providing more details, such as the output of ifconfig and
> netstat -rn.
>
> Sure sounds like a routing issue, but I doubt anyone can say anything
> more without details.
>
> --
> Bill Moran
> Collaborative Fusion Inc.

You are right.

ifconfig
--
rl0: flags=8843 mtu 1500
        options=8
        inet 212.25.37.96 netmask 0xff00 broadcast 212.25.37.255
        inet 192.168.67.41 netmask 0xfc00 broadcast 192.168.67.255
        ether 00:17:31:e7:92:18
        media: Ethernet autoselect (100baseTX )
        status: active
rl1: flags=8843 mtu 1500
        options=8
        inet 10.0.0.1 netmask 0xff00 broadcast 10.0.0.255
        ether 00:50:bf:d5:f1:33
        media: Ethernet autoselect (100baseTX )
        status: active
plip0: flags=108810 mtu 1500
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff00

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            212.25.37.1        UGS         0   458268    rl0
10/24              link#2             UC          0        0    rl1
10.0.0.2           00:15:60:ae:f7:61  UHLW        1   231827    rl1    922
10.0.0.3           00:17:08:2d:08:26  UHLW        1     1686    rl1   1004
10.0.0.255         ff:ff:ff:ff:ff:ff  UHLWb       1       67    rl1
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.168.64/22      link#1             UC          0        0    rl0
192.168.64.1       00:02:a5:90:a9:b6  UHLW        1        0    rl0   1200
192.168.64.3       00:17:08:58:83:8d  UHLW        1        0    rl0   1113
212.25.37          link#1             UC          0        0    rl0
212.25.37.1        00:02:a5:90:a9:b6  UHLW        2        0    rl0   1195

In this case I can't access anything from 192.168.64/22

rl0: flags=8843 mtu 1500
        options=8
        inet 192.168.67.41 netmask 0xfc00 broadcast 192.168.67.255
        ether 00:17:31:e7:92:18
        media: Ethernet autoselect (100baseTX )
        status: active
rl1: flags=8843 mtu 1500
        options=8
        inet 10.0.0.1 netmask 0xff00 broadcast 10.0.0.255
        ether 00:50:bf:d5:f1:33
        media: Ethernet autoselect (100baseTX )
        status: active
plip0: flags=108810 mtu 1500
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff00

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
10/24              link#2             UC          0        0    rl1
10.0.0.2           00:15:60:ae:f7:61  UHLW        1   232034    rl1    784
10.0.0.3           00:17:08:2d:08:26  UHLW        1     1712    rl1    866
10.0.0.255         ff:ff:ff:ff:ff:ff  UHLWb       1       67    rl1
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.168.64/22      link#1             UC          0        0    rl0

In this case I don't have internet, but I can access 192.168.64/22

-- 
George Vanev
Re: Routing problem
In response to "George Vanev" <[EMAIL PROTECTED]>:

> I have FreeBSD 6.2 box with 1 NIC and 2 IPs.
> The first IP is to access internet, the second
> is for the ISP's LAN.
> Unfortunately I have internet, but no access to
> the other network.
>
> I made a test. I assigned to the NIC only the local
> IP and removed the defaultrouter. Then, of course,
> I have no internet but was able to access the ISP's
> network.
>
> I've tried everything I know, but still nothing

Consider providing more details, such as the output of ifconfig and
netstat -rn.

Sure sounds like a routing issue, but I doubt anyone can say anything
more without details.

-- 
Bill Moran
Collaborative Fusion Inc.
Routing problem
I have FreeBSD 6.2 box with 1 NIC and 2 IPs.
The first IP is to access internet, the second
is for the ISP's LAN.
Unfortunately I have internet, but no access to
the other network.

I made a test. I assigned to the NIC only the local
IP and removed the defaultrouter. Then, of course,
I have no internet but was able to access the ISP's
network.

I've tried everything I know, but still nothing

-- 
George Vanev
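When a thread like this turns on "which route does this destination actually take", it helps to run a longest-prefix match over the text of `netstat -rn` rather than eyeballing it. The script below is an added example, not from anyone in the thread: it expands netstat's abbreviated destinations (`10/24`, `212.25.37`, `default`) and reports the best match and its interface. SAMPLE_TABLE is constructed to mirror the shape of the table George posted, so `route_lookup 192.168.64.1` shows the host route (the ARP-backed UHLW entry) winning over the 192.168.64/22 network route and the default.

```shell
#!/bin/sh
# Added example (not from the thread): longest-prefix-match lookup over the
# text of a FreeBSD "netstat -rn" IPv4 table, so you can see which route a
# destination takes before changing anything on the box. Destinations are
# expanded from netstat's abbreviated form; the sample table is constructed.

SAMPLE_TABLE='Destination        Gateway            Flags    Refs      Use  Netif Expire
default            212.25.37.1        UGS         0   458268    rl0
10/24              link#2             UC          0        0    rl1
10.0.0.2           00:15:60:ae:f7:61  UHLW        1   231827    rl1    922
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.168.64/22      link#1             UC          0        0    rl0
192.168.64.1       00:02:a5:90:a9:b6  UHLW        1        0    rl0   1200
212.25.37          link#1             UC          0        0    rl0
212.25.37.1        00:02:a5:90:a9:b6  UHLW        2        0    rl0   1195'

# route_lookup DEST [TABLE]: print "prefix gateway netif" for the best match,
# or "no route" when nothing matches (only possible without a default route).
route_lookup() {
    printf '%s\n' "${2:-$SAMPLE_TABLE}" | awk -v dest="$1" '
    BEGIN { best = -1; hit = "no route" }
    # dotted quad -> 32-bit number
    function ip2n(s,    a) { split(s, a, "[.]"); return ((a[1]*256+a[2])*256+a[3])*256+a[4] }
    # netstat abbreviation -> "a.b.c.d/bits": missing trailing octets are 0,
    # and a missing /bits means 8 bits per printed octet (32 for a host route)
    function expand(d,    p, n, o, k, bits, addr) {
        if (d == "default") return "0.0.0.0/0"
        n = split(d, p, "/"); addr = p[1]
        k = split(addr, o, "[.]")
        bits = (n == 2) ? p[2] + 0 : 8 * k
        while (k++ < 4) addr = addr ".0"
        return addr "/" bits
    }
    $1 == "Destination" { next }          # column header
    NF >= 6 {                             # skip "Routing tables", "Internet:" etc.
        split(expand($1), c, "/"); net = c[1]; bits = c[2] + 0
        # the top "bits" bits agree iff the addresses agree after dividing
        # away the low 32-bits bits
        shift = 2 ^ (32 - bits)
        if (int(ip2n(dest) / shift) == int(ip2n(net) / shift) && bits > best) {
            best = bits; hit = net "/" bits " " $2 " " $6
        }
    }
    END { print hit }'
}

# Demonstration against the constructed table (pass a live table as $2)
for d in 192.168.64.1 192.168.65.7 212.25.37.50 10.0.0.9 8.8.8.8; do
    printf '%-15s -> %s\n' "$d" "$(route_lookup "$d")"
done
```

On a live box feed it the real table with `route_lookup 192.168.64.1 "$(netstat -rn -f inet)"`; the header and section lines are skipped, and the `Netif` column is field 6 whether or not an `Expire` value follows it. Note that a matching route with a `link#` gateway only says the kernel will ARP on that interface; an unanswered ARP shows up as "Host is down" rather than as a routing error.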
RE: Routing problem
In answer to my own question. When I disable the firewall on the server the routing issue is instantly resolved. However for 90% of the time the firewall runs without any apparent problems... I will start a new thread of conversation and ask my now firewall related problem.

Sorry for my apparent thickness :)

> Hi,
>
> I am running a 5.4 box as a gateway server / firewall / mail relay at
> our company. Previously we had a 4.3-beta server which although
> horribly outdated hardly ever gave us any problems. Since replacing it
> with a Dell 850 and installing 5.4 I have experienced intermittent
> routing issues. The box will stop routing traffic correctly (I have
> included the output of a ping below). I initially thought that the box
> was just dropping the packets but after running a trafshow I saw that
> this was not the case.
Routing problem
Hi,

I am running a 5.4 box as a gateway server / firewall / mail relay at our company. Previously we had a 4.3-beta server which although horribly outdated hardly ever gave us any problems. Since replacing it with a Dell 850 and installing 5.4 I have experienced intermittent routing issues. The box will stop routing traffic correctly (I have included the output of a ping below). I initially thought that the box was just dropping the packets but after running a trafshow I saw that this was not the case.

The server has four interfaces (2 X fxp (dual Intel card), 2 X onboard bge). bge0 connects directly to our hosted infrastructure, bge1 connects to our internal LAN, fxp0 connects to our ISP and fxp1 is our old DMZ network. The routing issue affects all interfaces except bge1, which is also the only interface running at 1Gbit. Most of the traffic routed through any other interface is lost and this seriously impacts the performance experienced by my users. We have two other identical servers in front of our commercially hosted infrastructure and neither of them is displaying this behavior.

I was wondering whether anyone had any ideas as to what could be causing this, or what I should be checking when next this occurs?

Regards,
Nicholas

Uname -a output:
FreeBSD cptgw01.korbitec.com 5.4-RELEASE-p11 FreeBSD 5.4-RELEASE-p11 #1: Mon Feb 27 09:03:21 SAST 2006 nicvw@:/usr/obj/usr/src/sys/KORBI i386

Ifconfig output:
fxp0: flags=8843 mtu 1500
        options=8
        inet 196.31.9.186 netmask 0xfffc broadcast 196.31.9.187
        ether 00:90:27:c3:ba:c0
        media: Ethernet 10baseT/UTP
        status: active
fxp1: flags=8843 mtu 1500
        options=8
        inet 192.96.88.225 netmask 0xffe0 broadcast 192.96.88.255
        ether 00:90:27:c3:ba:c1
        media: Ethernet autoselect (100baseTX )
        status: active
bge0: flags=8843 mtu 1500
        options=1a
        inet 196.31.10.14 netmask 0xfff0 broadcast 196.31.10.15
        ether 00:13:72:3b:d9:c5
        media: Ethernet autoselect (100baseTX )
        status: active
bge1: flags=8843 mtu 1500
        options=1a
        inet 10.0.0.1 netmask 0xfffc broadcast 10.0.0.3
        ether 00:13:72:3b:d9:c6
        media: Ethernet autoselect (1000baseTX )
        status: active
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff00

Example of a ping to another 5.4 box connected directly to one of the bge interfaces:
ping: sendto: No route to host
ping: sendto: No route to host
ping: sendto: No route to host
ping: sendto: No route to host
ping: sendto: No route to host
64 bytes from 196.31.10.2: icmp_seq=5 ttl=64 time=0.383 ms

Output of trafshow:
fw.in.company.com,ssh          10.4.3.2,2278       tcp    22K   742
10.4.3.2,echo-reqst            fw.in.company.com   icmp   1680   60
10.4.3.2,echo-reqst            196.31.10.2         icmp   1680   60
fw.in.company.com,echo-reply   10.4.3.2            icmp   1680   60
196.31.10.2,echo-reply         10.4.3.2            icmp    900   20
fw.in.company.com,unrch-host   10.4.3.2            icmp    784   56

Output of netstat -rn:
default            196.31.9.185       UGS         0    89193   fxp0
10/30              link#4             UC          0        0   bge1
10.0.0.2           00:16:35:32:1c:00  UHLW       639818       bge1    631
10.2/16            10.0.0.2           UGS         0      108   bge1
10.3/16            10.0.0.2           UGS         0        0   bge1
10.4/16            10.0.0.2           UGS         0    68268   bge1
10.4.13/24         192.96.88.247      UGS         0      138   fxp1
10.5/16            10.0.0.2           UGS         0       96   bge1
127.0.0.1          127.0.0.1          UH          0 10456566    lo0
172.16             10.0.0.2           UGS         0        4   bge1
192.96.88.64/26    10.0.0.2           UGS         0        1   bge1
192.96.88.128/26   196.31.10.2        UGS         0     4791   bge0
192.96.88.224/27   link#2             UC          0        0   fxp1
192.96.88.227      00:02:b3:c2:59:2a  UHLW        0 33447909   fxp1   1010
192.96.88.229      00:02:b3:b4:bb:2d  UHLW        0   113042   fxp1    524
192.96.88.245      00:02:55:54:cb:81  UHLW        0       92   fxp1    333
192.96.88.246      00:90:27:8b:3c:80  UHLW        0  1615758   fxp1   1121
192.96.88.247      00:d0:b7:5e:79:7c  UHLW        1   868677   fxp1    828
192.96.88.249      00:90:27:8a:f6:82  UHLW        0       13   fxp1    650
192.96.88.254      00:10:83:ef:2a:c0  UHLW        0   192331   fxp1    371
196.7.154/27       196.31.10.2        UGS         0     1664   bge0
196.7.156.144/28   196.31.10.3        UGS         0    36538   bge0
196.31.9.184/30    link#1             UC
Routing problem?
Ok, here's the deal. I have my FreeBSD 4.10 gateway/nat/firewall on my network. On my LAN I have a couple of WIN machines and a Linux Redhat machine working ok to outside, and other machines with IP 192.168.255.252 eth0.

I have one software running on the Redhat machine that uses SLIP, and I have configured sl0 with 192.168.255.252 P-t-P 192.168.0.6. The 192.168.0.6 is the IP of that software.

Ok, with these configurations I can connect from my Linux box locally to the software with 192.168.0.6. But the 192.168.0.6 doesn't appear to be available for other computers on my LAN. So I checked out some manuals and used the command:

    arp -Ds 192.168.0.6 sl0 pub

and 192.168.0.6 came visible to other computers on my LAN.

So now I thought that all I have to do is to put on my BSD box natd.conf to redirect all requests from 23 and 81 to 192.168.0.6, right? And allow of course the ports from the firewall (my software with the SLIP has entrance via HTTP and TELNET).

Well, nobody can still connect to my Linux software from outside? From my LAN it works ok. I tried also adding

    allow ip from any to 192.168.0.6 via ep0

and that worked for a while (now anybody from outside can connect to my software). It works only for a couple of hours and then no response? I can't understand how the "allow ip from any to 192.168.0.6" can help.

Well, if anyone has understood what I'm trying to do here and wants to send a couple of hints I would be glad. :-)

Thanks for your reply.
Re: Routing Problem
Gustafson, Tim wrote:
> I know it "can" be done. I have a feeling that the FreeBSD TCP stack
> lacks the capability.

If you are looking for multiple routes to the same destination, you are correct. I believe that if you see the thread on net@ from 03/01/04 with the subject "My planned work on networking stack":

    [] move IPv4 routing to its own optimized routing table structure and add multi-path and policy-routing options. (planned)

I think this is the feature you are looking for: multi-path. I am also not sure of the status of this.

There are some hackish ways of dealing with this, eg.

    route add 0.0.0.0/1 router1
    route add 128.0.0.0/1 router2

(or some such hideous incantation)

If you want to get real nasty, I would try some jiggery pokery with vlans/ng_one2many:

    # receiving is done with public ips (all the same here as your current config)
    router1  vlan0    pubip1
    router2  vlan0    pubip2
    server   vlan0    pubip1/2

    # transmitting is done through faked gateway, 50% load each
    router1  vlan1    10.0.0.1
    router2  vlan2    10.0.0.1
    server   vlan1/2  10.0.0.2
    route add default 10.0.0.1

You'll need to be sure that both upstream providers will route either ip address though. Also, there is no "dynamic" type of functionality on this: if one of the links goes down, you'll lose 50% of your traffic. You could probably rig up a script to notify netgraph when the remote g/w goes down though.

I've never tried this, but it seems this wouldn't be a bad way to start if you've got some time on your hands.

Cheers,
Derek
Re: Routing Problem
Sounds like the man page for routed might be what you seek:
http://www.freebsd.org/cgi/man.cgi?query=routed&sektion=8

T

- Original Message -
From: "Gustafson, Tim" <[EMAIL PROTECTED]>
To: "Thomas Foster" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, February 02, 2005 5:02 AM
Subject: RE: Routing Problem

Thomas (and John too),

Let me clarify a little bit. What I have is this:

A single FreeBSD web server with a single NIC in it
Two T1 routers, each with a different subnet.

My FreeBSD box has two IP addresses assigned to it, one from the first subnet and one from the second subnet. I want to use round-robin DNS to direct half my web traffic to the first IP and half to the second IP.

As I said to John in a private e-mail earlier this morning, I have a Windows 2000 box that is doing exactly this with these two subnets right now. I know it "can" be done. I have a feeling that the FreeBSD TCP stack lacks the capability. By the way, this also works with Cisco hardware. I have used Cisco equipment in this same configuration in the past.

I think the way it SHOULD work is that you should be able to give a FreeBSD box multiple default gateways. When FreeBSD gets a packet to an IP on the first subnet, it should use the default gateway that is also on that subnet. When FreeBSD gets a packet to an IP on the second subnet, it should use the second default gateway. This seems to be the logic that Windows (and Cisco) uses.

Tim Gustafson
MEI Technology Consulting, Inc
[EMAIL PROTECTED]
(516) 379-0001 Office
(516) 480-1870 Mobile/Emergencies
(516) 908-4185 Fax
http://www.meitech.com/

-Original Message-
From: Thomas Foster [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 02, 2005 7:57 AM
To: Gustafson, Tim
Cc: [EMAIL PROTECTED]
Subject: Re: Routing Problem

Hi Tim..

If you have multiple interfaces and you configure a default gateway for each interface, the default metric determination that is based on the speed of the interface usually uses the fastest interface for default gateway traffic. This is usually desirable in configurations in which the computer is connected to the same network. This behavior can become a problem when the computer exists on two or more disjointed networks (networks that do not provide symmetric reachability on layer 3). Symmetric reachability exists when packets can be sent to and received from an arbitrary destination.

Because the TCP/IP version 4 protocol uses a single default route in FreeBSD's routing table at any one time for default route traffic, default routers configured on multiple interfaces connected to two or more disjointed networks can wreak routing traffic havoc.

In FreeBSD, you can manually configure the routing table for the individual interfaces.. but it sounds to me as if you are attempting to use two ethernet interfaces connected to two disjointed networks connected to routers with two separate subnets in order to balance http requests to one server.. is this the case? I guess I am not fully understanding your configuration ...

T.

- Original Message -
From: "Gustafson, Tim" <[EMAIL PROTECTED]>
To: "Thomas Foster" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, February 02, 2005 4:06 AM
Subject: RE: Routing Problem

Thomas,

No, I'm not using this box as a router. It is a web server, and I need to spread the load of my web traffic across two separate T1s.

I can't just add routes. You need a default route, or parts of the internet would become inaccessible. In my case, you need TWO default routes. I have set up Cisco equipment and Windows workstations with two default routes in the past, and it has worked. In fact, I have one Windows box right now that is configured on both these networks with two default gateways, and it is working.

There has to be a way to make it work on FreeBSD.

Tim Gustafson
MEI Technology Consulting, Inc
[EMAIL PROTECTED]
(516) 379-0001 Office
(516) 480-1870 Mobile/Emergencies
(516) 908-4185 Fax
http://www.meitech.com/

-Original Message-
From: Thomas Foster [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 02, 2005 4:48 AM
To: Gustafson, Tim
Cc: [EMAIL PROTECTED]
Subject: Re: Routing Problem

I'm confused.. if you have two T1s, then are you using /30s for the ranges? If so.. what about not giving a default gateway for either one and just adding routes...

Are you attempting to utilize this as just a router?

There's a section that covers setting up routing on interfaces in the handbook:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-routing.html

Hope this helps

T

- Original Message -
From: "Gustafson, Tim" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, February 01, 2005 5:35 PM
Subject: Routing Problem

I am having a problem setting up a multi-homed host. I have two separate T1 internet connections, and one physical NIC in my F
RE: Routing Problem
Thomas (and John too),

Let me clarify a little bit. What I have is this:

A single FreeBSD web server with a single NIC in it
Two T1 routers, each with a different subnet.

My FreeBSD box has two IP addresses assigned to it, one from the first subnet and one from the second subnet. I want to use round-robin DNS to direct half my web traffic to the first IP and half to the second IP.

As I said to John in a private e-mail earlier this morning, I have a Windows 2000 box that is doing exactly this with these two subnets right now. I know it "can" be done. I have a feeling that the FreeBSD TCP stack lacks the capability. By the way, this also works with Cisco hardware. I have used Cisco equipment in this same configuration in the past.

I think the way it SHOULD work is that you should be able to give a FreeBSD box multiple default gateways. When FreeBSD gets a packet to an IP on the first subnet, it should use the default gateway that is also on that subnet. When FreeBSD gets a packet to an IP on the second subnet, it should use the second default gateway. This seems to be the logic that Windows (and Cisco) uses.

Tim Gustafson
MEI Technology Consulting, Inc
[EMAIL PROTECTED]
(516) 379-0001 Office
(516) 480-1870 Mobile/Emergencies
(516) 908-4185 Fax
http://www.meitech.com/

-Original Message-
From: Thomas Foster [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 02, 2005 7:57 AM
To: Gustafson, Tim
Cc: [EMAIL PROTECTED]
Subject: Re: Routing Problem

Hi Tim..

If you have multiple interfaces and you configure a default gateway for each interface, the default metric determination that is based on the speed of the interface usually uses the fastest interface for default gateway traffic. This is usually desirable in configurations in which the computer is connected to the same network. This behavior can become a problem when the computer exists on two or more disjointed networks (networks that do not provide symmetric reachability on layer 3). Symmetric reachability exists when packets can be sent to and received from an arbitrary destination.

Because the TCP/IP version 4 protocol uses a single default route in FreeBSD's routing table at any one time for default route traffic, default routers configured on multiple interfaces connected to two or more disjointed networks can wreak routing traffic havoc.

In FreeBSD, you can manually configure the routing table for the individual interfaces.. but it sounds to me as if you are attempting to use two ethernet interfaces connected to two disjointed networks connected to routers with two separate subnets in order to balance http requests to one server.. is this the case? I guess I am not fully understanding your configuration ...

T.

- Original Message -
From: "Gustafson, Tim" <[EMAIL PROTECTED]>
To: "Thomas Foster" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, February 02, 2005 4:06 AM
Subject: RE: Routing Problem

> Thomas,
>
> No, I'm not using this box as a router. It is a web server, and I need
> to spread the load of my web traffic across two separate T1s.
>
> I can't just add routes. You need a default route, or parts of the
> internet would become inaccessible. In my case, you need TWO default
> routes. I have set up Cisco equipment and Windows workstations with two
> default routes in the past, and it has worked. In fact, I have one
> Windows box right now that is configured on both these networks with two
> default gateways, and it is working.
>
> There has to be a way to make it work on FreeBSD.
>
> Tim Gustafson
> MEI Technology Consulting, Inc
> [EMAIL PROTECTED]
> (516) 379-0001 Office
> (516) 480-1870 Mobile/Emergencies
> (516) 908-4185 Fax
> http://www.meitech.com/
>
>
> -Original Message-
> From: Thomas Foster [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, February 02, 2005 4:48 AM
> To: Gustafson, Tim
> Cc: [EMAIL PROTECTED]
> Subject: Re: Routing Problem
>
>
> I'm confused.. if you have two T1s, then are you using /30s for the ranges?
> If so.. what about not giving a default gateway for either one and just
> adding routes...
>
> Are you attempting to utilize this as just a router?
>
> There's a section that covers setting up routing on interfaces in the
> handbook:
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-routing.html
>
> Hope this helps
>
> T
> - Original Message -
> From: "Gustafson, Tim" <[EMAIL PROTECTED]>
> To:
> Sent: Tuesday, February 01, 2005 5:35 PM
> Subject: Routing Problem
>
>
>> I am having a problem setting up a multi-homed host. I have two
>> separate T1 internet connections, and one physical NIC in my FreeBSD
>> box. The two networks are as follows:
>>
Re: Routing Problem
Hi Tim..

If you have multiple interfaces and you configure a default gateway for each interface, the default metric determination that is based on the speed of the interface usually uses the fastest interface for default gateway traffic. This is usually desirable in configurations in which the computer is connected to the same network. This behavior can become a problem when the computer exists on two or more disjointed networks (networks that do not provide symmetric reachability on layer 3). Symmetric reachability exists when packets can be sent to and received from an arbitrary destination.

Because the TCP/IP version 4 protocol uses a single default route in FreeBSD's routing table at any one time for default route traffic, default routers configured on multiple interfaces connected to two or more disjointed networks can wreak routing traffic havoc.

In FreeBSD, you can manually configure the routing table for the individual interfaces.. but it sounds to me as if you are attempting to use two ethernet interfaces connected to two disjointed networks connected to routers with two separate subnets in order to balance http requests to one server.. is this the case? I guess I am not fully understanding your configuration ...

T.

- Original Message -
From: "Gustafson, Tim" <[EMAIL PROTECTED]>
To: "Thomas Foster" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, February 02, 2005 4:06 AM
Subject: RE: Routing Problem

Thomas,

No, I'm not using this box as a router. It is a web server, and I need to spread the load of my web traffic across two separate T1s.

I can't just add routes. You need a default route, or parts of the internet would become inaccessible. In my case, you need TWO default routes. I have set up Cisco equipment and Windows workstations with two default routes in the past, and it has worked. In fact, I have one Windows box right now that is configured on both these networks with two default gateways, and it is working.

There has to be a way to make it work on FreeBSD.

Tim Gustafson
MEI Technology Consulting, Inc
[EMAIL PROTECTED]
(516) 379-0001 Office
(516) 480-1870 Mobile/Emergencies
(516) 908-4185 Fax
http://www.meitech.com/

-Original Message-
From: Thomas Foster [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 02, 2005 4:48 AM
To: Gustafson, Tim
Cc: [EMAIL PROTECTED]
Subject: Re: Routing Problem

I'm confused.. if you have two T1s, then are you using /30s for the ranges? If so.. what about not giving a default gateway for either one and just adding routes...

Are you attempting to utilize this as just a router?

There's a section that covers setting up routing on interfaces in the handbook:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-routing.html

Hope this helps

T

- Original Message -
From: "Gustafson, Tim" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, February 01, 2005 5:35 PM
Subject: Routing Problem

I am having a problem setting up a multi-homed host. I have two separate T1 internet connections, and one physical NIC in my FreeBSD box. The two networks are as follows:

Connection 1:
LAN Address: 1.2.3.24/25
Router Address: 1.2.3.1

Connection 2:
LAN Address: 4.5.6.106/29
Router Address: 4.5.6.105

I would like to set up my FreeBSD box so that I can connect to either LAN address from the outside world. The problem is that I cannot specify two default gateways. Right now, I have 1.2.3.1 set up as a default gateway, and I can get to the 1.2.3.24 IP from the outside world. However, I can't get to 4.5.6.106. I can't even ping it. From the FreeBSD box, I can ping 4.5.6.105, and from the outside world I can ping 4.5.6.105, but I can't ping 4.5.6.106 from the outside world.

Is there any way to make this work? How can I make FreeBSD have two default gateways? I read somewhere about being able to set up source routing, but I haven't been able to find any HOWTOs about that.

Any help is greatly appreciated.
RE: Routing Problem
Thomas,

No, I'm not using this box as a router. It is a web server, and I need to spread the load of my web traffic across two separate T1s.

I can't just add routes. You need a default route, or parts of the internet would become inaccessible. In my case, you need TWO default routes. I have set up Cisco equipment and Windows workstations with two default routes in the past, and it has worked. In fact, I have one Windows box right now that is configured on both these networks with two default gateways, and it is working.

There has to be a way to make it work on FreeBSD.

Tim Gustafson
MEI Technology Consulting, Inc
[EMAIL PROTECTED]
(516) 379-0001 Office
(516) 480-1870 Mobile/Emergencies
(516) 908-4185 Fax
http://www.meitech.com/

-Original Message-
From: Thomas Foster [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 02, 2005 4:48 AM
To: Gustafson, Tim
Cc: [EMAIL PROTECTED]
Subject: Re: Routing Problem

I'm confused.. if you have two T1s, then are you using /30s for the ranges? If so.. what about not giving a default gateway for either one and just adding routes...

Are you attempting to utilize this as just a router?

There's a section that covers setting up routing on interfaces in the handbook:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-routing.html

Hope this helps

T

- Original Message -
From: "Gustafson, Tim" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, February 01, 2005 5:35 PM
Subject: Routing Problem

> I am having a problem setting up a multi-homed host. I have two
> separate T1 internet connections, and one physical NIC in my FreeBSD
> box. The two networks are as follows:
>
> Connection 1:
> LAN Address: 1.2.3.24/25
> Router Address: 1.2.3.1
>
> Connection 2:
> LAN Address: 4.5.6.106/29
> Router Address: 4.5.6.105
>
> I would like to set up my FreeBSD box so that I can connect to either
> LAN address from the outside world. The problem is that I cannot
> specify two default gateways. Right now, I have 1.2.3.1 set up as a
> default gateway, and I can get to the 1.2.3.24 IP from the outside
> world. However, I can't get to 4.5.6.106. I can't even ping it. From
> the FreeBSD box, I can ping 4.5.6.105, and from the outside world I can
> ping 4.5.6.105, but I can't ping 4.5.6.106 from the outside world.
>
> Is there any way to make this work? How can I make FreeBSD have two
> default gateways? I read somewhere about being able to set up source
> routing, but I haven't been able to find any HOWTOs about that.
>
> Any help is greatly appreciated.
>

smime.p7s (attachment): S/MIME cryptographic signature
Re: Routing Problem
I'm confused.. if you have two T1s, then are you using /30s for the ranges? If so.. what about not giving a default gateway for either one and just adding routes...

Are you attempting to utilize this as just a router?

There's a section that covers setting up routing on interfaces in the handbook:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-routing.html

Hope this helps

T

- Original Message -
From: "Gustafson, Tim" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, February 01, 2005 5:35 PM
Subject: Routing Problem

I am having a problem setting up a multi-homed host. I have two separate T1 internet connections, and one physical NIC in my FreeBSD box. The two networks are as follows:

Connection 1:
LAN Address: 1.2.3.24/25
Router Address: 1.2.3.1

Connection 2:
LAN Address: 4.5.6.106/29
Router Address: 4.5.6.105

I would like to set up my FreeBSD box so that I can connect to either LAN address from the outside world. The problem is that I cannot specify two default gateways. Right now, I have 1.2.3.1 set up as a default gateway, and I can get to the 1.2.3.24 IP from the outside world. However, I can't get to 4.5.6.106. I can't even ping it. From the FreeBSD box, I can ping 4.5.6.105, and from the outside world I can ping 4.5.6.105, but I can't ping 4.5.6.106 from the outside world.

Is there any way to make this work? How can I make FreeBSD have two default gateways? I read somewhere about being able to set up source routing, but I haven't been able to find any HOWTOs about that.

Any help is greatly appreciated.
Routing Problem
I am having a problem setting up a multi-homed host. I have two separate T1 internet connections, and one physical NIC in my FreeBSD box. The two networks are as follows:

Connection 1:
LAN Address: 1.2.3.24/25
Router Address: 1.2.3.1

Connection 2:
LAN Address: 4.5.6.106/29
Router Address: 4.5.6.105

I would like to set up my FreeBSD box so that I can connect to either LAN address from the outside world. The problem is that I cannot specify two default gateways. Right now, I have 1.2.3.1 set up as a default gateway, and I can get to the 1.2.3.24 IP from the outside world. However, I can't get to 4.5.6.106. I can't even ping it. From the FreeBSD box, I can ping 4.5.6.105, and from the outside world I can ping 4.5.6.105, but I can't ping 4.5.6.106 from the outside world.

Is there any way to make this work? How can I make FreeBSD have two default gateways? I read somewhere about being able to set up source routing, but I haven't been able to find any HOWTOs about that.

Any help is greatly appreciated.

smime.p7s (attachment): S/MIME cryptographic signature
Re: Routing problem on 3 homed host
You should add on your router the following routes:

    192.168.1.0/24
    192.168.2.0/24

with gateway 192.168.0.2 (interface firewall). Your router doesn't know where to return the packets to.

And your firewall needs to route 0.0.0.0 to 192.168.0.1 (router interface).

Your CIDR is good.

These changes should make it work. Use tracert or traceroute to see at which hop it goes wrong.

Regards
Patrick

> Hi,
>
> I am really having problems with this, any help appreciated.
>
> Amended repost of "ipnat port forwarding problem"
>
> The configuration:
>
> Router:
> This is a dedicated ADSL router with integrated firewall and nat.
> The firewall cannot be configured other than turning ports
> on and off for traffic from the internet and routing traffic
> to specific hosts. All traffic is sent to the firewall.
>
> Firewall:
> This firewall is an i386 arch FreeBSD 5.3 build currently running
> ipf and ipnat and sits on the three networks 192.168.0.0/24,
> 192.168.1.0/24 and 192.168.2.0/24 (This may be wrong, I am unsure
> of CIDR - please advise if it is).
>
> rc.conf:
>     gateway_enable="YES"
>     ipf_enable="YES"
>     ipnat_enable="YES"
>
> No nameserver setup, all info in hosts files except for 192.168.0.1
> for traffic to and from the internet.
>
> resolv.conf:
>     domain somenet.com
>     nameserver 192.168.0.2
>     nameserver 192.168.0.1
>
> ipnat.rules:
>     map dc0 192.168.2.0/24 -> 192.168.0.2/32 portmap tcp/udp 1:2
>     map dc0 192.168.2.0/24 -> 192.168.0.2/32
>     map dc0 192.168.1.0/24 -> 192.168.0.2/32 portmap tcp/udp 20001:4
>     map dc0 192.168.1.0/24 -> 192.168.0.2/32
>
> ipf.rules: - wide open until I can get this working
>     pass out quick all
>     pass in quick all
>
> The setup: (simplified)
>
>                        ----------
>                        |Internet|
>                        ----------
>                            |
>     IP: 192.168.0.10       |  IP: x.x.x.x
>     ----------         ----------
>     | Laptop |---------| Router |
>     ----------         ----------
>                            |  IP: 192.168.0.1
>                            |
>                            |  IP: 192.168.0.2  IF: dc0
>                        ------------
>                        | Firewall |
>                        ------------
>     IP: 192.168.1.2 IF: dc1  |    |  IP: 192.168.2.2 IF: rl0
>                              |    |
>     IP: 192.168.1.10         |    |
>     ------------             |    ----------
>     | DMZ Host |-------------     | Switch |
>     ------------                  ----------
>                                       |
>                                  ------------
>                                  | Pri Host |
>                                  ------------
>
> The problem:
> The firewall can ping the router, dmz host and private host
> and can retrieve html pages from the internet.
> The laptop can ping the firewall.
> The dmz host can ping the firewall.
> The private host can ping the firewall.
> The dmz host and private host cannot ping the router or
> retrieve pages from the internet. (No route to host)
>
> Is there something else that I need to setup or do to enable routing
> the packets between the 3 networks?
>
> Any help greatly appreciated.
>
> -
> Tim Preece.
Routing problem on 3 homed host
Hi,

I am really having problems with this, any help appreciated.

Amended repost of "ipnat port forwarding problem"

The configuration:

Router:
This is a dedicated ADSL router with integrated firewall and nat. The firewall cannot be configured other than turning ports on and off for traffic from the internet and routing traffic to specific hosts. All traffic is sent to the firewall.

Firewall:
This firewall is an i386 arch FreeBSD 5.3 build currently running ipf and ipnat and sits on the three networks 192.168.0.0/24, 192.168.1.0/24 and 192.168.2.0/24 (This may be wrong, I am unsure of CIDR - please advise if it is).

rc.conf:
    gateway_enable="YES"
    ipf_enable="YES"
    ipnat_enable="YES"

No nameserver setup, all info in hosts files except for 192.168.0.1 for traffic to and from the internet.

resolv.conf:
    domain somenet.com
    nameserver 192.168.0.2
    nameserver 192.168.0.1

ipnat.rules:
    map dc0 192.168.2.0/24 -> 192.168.0.2/32 portmap tcp/udp 1:2
    map dc0 192.168.2.0/24 -> 192.168.0.2/32
    map dc0 192.168.1.0/24 -> 192.168.0.2/32 portmap tcp/udp 20001:4
    map dc0 192.168.1.0/24 -> 192.168.0.2/32

ipf.rules: - wide open until I can get this working
    pass out quick all
    pass in quick all

The setup: (simplified)

                       ----------
                       |Internet|
                       ----------
                           |
    IP: 192.168.0.10       |  IP: x.x.x.x
    ----------         ----------
    | Laptop |---------| Router |
    ----------         ----------
                           |  IP: 192.168.0.1
                           |
                           |  IP: 192.168.0.2  IF: dc0
                       ------------
                       | Firewall |
                       ------------
    IP: 192.168.1.2 IF: dc1  |    |  IP: 192.168.2.2 IF: rl0
                             |    |
    IP: 192.168.1.10         |    |
    ------------             |    ----------
    | DMZ Host |-------------     | Switch |
    ------------                  ----------
                                      |
                                 ------------
                                 | Pri Host |
                                 ------------

The problem:
The firewall can ping the router, dmz host and private host and can retrieve html pages from the internet.
The laptop can ping the firewall.
The dmz host can ping the firewall.
The private host can ping the firewall.
The dmz host and private host cannot ping the router or retrieve pages from the internet. (No route to host)

Is there something else that I need to setup or do to enable routing the packets between the 3 networks?

Any help greatly appreciated.

-
Tim Preece.
multi-homed host routing problem
Hi all,

I have a fbsd 4.7 box that has 2 nics, rl0 & rl1. On rl0 I have a public ip address and on rl1 I have a private 10.20.30.0/24, and I'm running squid proxy for my private ip's.

Now I've added a 3rd nic, rl2, which has an ADSL router connected to it (another internet source). What I wanted to do is use squid's tcp_outgoing_address to divide traffic by splitting the private ip class with squid's acl's. However this does not work.

My question is: how do I route part of the private ip's through rl0 and the other part through rl2? Can it be done only by routing or should I use nat (on the rl2 side there is no need for nat, the adsl router has natd)?

10x ahead,
--
RE: Routing problem in IPv4/IPSec VPN environment
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html

Essentially, once the gif tunnel has been established you just need to add an additional route for the specific gif interface from each server to the other's remote subnet using the external IP of the remote subnet as the gateway. I also found that the "gateway_enable" sysctl option had to be turned on for the packet traversal from behind a natted server.

Hope this helps

T

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James P. Howard, II
Sent: Tuesday, June 29, 2004 12:57 PM
To: [EMAIL PROTECTED]
Subject: Routing problem in IPv4/IPSec VPN environment

As a personal favor, I am building a VPN for a small business. I have chosen FreeBSD for this due to my greater familiarity. The project will consist of linking four sites, each with a FreeBSD system providing DHCP, NAT, and VPN services. I have built DHCP and NAT servers before, but the IPSec and VPN is new to me.

Right now, the first two systems are nearly complete. The two machines are named goldengate and waltwhitman. Here's the IP config, currently:

goldengate: external 192.168.1.101 internal 10.1.1.1
waltwhitman: external 192.168.1.102 internal 10.1.2.1

The external interfaces are in the reserved space because testing is taking place behind a cable/DSL router providing NAT services. The output of "gifconfig -a; ifconfig -a; netstat -rn" for each will be provided at the end of this message.

IPSec, with Racoon, is properly exchanging keys. From goldengate, I can ping 10.1.2.1 and from waltwhitman I can ping 10.1.1.1.

If a Windows computer is connected behind either system, they receive an IP (10.1.x.254, where x is the network number).

The problem is, if behind the 10.1.2.1 firewall, I cannot ping 10.1.1.1 and vice-versa. I assume, at this point, this is some type of routing issue and not a problem with IPSec. This seems to be confirmed by the fact that tracerouting to the local internal interface goes through the *other* internal interface first:

waltwhitman$ ifconfig bge1; traceroute 10.1.2.1
bge1: flags=8843 mtu 1500
        options=3
        inet 10.1.2.1 netmask 0xffffff00 broadcast 10.1.2.255
        inet6 fe80::209:5bff:fe60:e508%bge1 prefixlen 64 scopeid 0x2
        ether 00:09:5b:60:e5:08
        media: Ethernet autoselect (10baseT/UTP )
        status: active
traceroute to 10.1.2.1 (10.1.2.1), 64 hops max, 44 byte packets
 1  10.1.1.1 (10.1.1.1)  0.848 ms  0.736 ms  0.783 ms
 2  10.1.2.1 (10.1.2.1)  1.173 ms  1.262 ms  1.247 ms

The other machine behaves identically, except the numbers are reversed.

At this point, I have reached the limits of my knowledge. Any help would be appreciated.

Thank you,
James

Notes on the output: IPv6 info removed from netstat output. There is a third interface in WALTWHITMAN which may break off to a DMZ in the future. No decision has been made and won't be for some time. The interface was given the IP 172.16.1.1.

GOLDENGATE:

goldengate$ gifconfig -a; ifconfig -a; netstat -rn
gif0: flags=8051 mtu 1280
        inet 10.1.1.1 --> 10.1.2.1 netmask 0x
        inet6 fe80::209:5bff:fe62:714e%gif0 prefixlen 64
        physical address inet 192.168.1.101 --> 192.168.1.102
bge0: flags=8843 mtu 1500
        options=3
        inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255
        inet6 fe80::209:5bff:fe62:714e%bge0 prefixlen 64 scopeid 0x1
        ether 00:09:5b:62:71:4e
        media: Ethernet autoselect (100baseTX )
        status: active
xl0: flags=8843 mtu 1500
        options=1
        inet6 fe80::2b0:d0ff:fe23:5b8d%xl0 prefixlen 64 scopeid 0x2
        inet 192.168.1.101 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:b0:d0:23:5b:8d
        media: Ethernet autoselect (100baseTX )
        status: active
lp0: flags=8810 mtu 1500
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
faith0: flags=8002 mtu 1500
gif0: flags=8051 mtu 1280
        tunnel inet 192.168.1.101 --> 192.168.1.102
        inet 10.1.1.1 --> 10.1.2.1 netmask 0x
        inet6 fe80::209:5bff:fe62:714e%gif0 prefixlen 64 scopeid 0x6

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGSc        3     6082    xl0
10.1.1/24          link#1             UC         20            bge0
10.1.1.1           00:09:5b:62:71:4e  UHLW        0      306    lo0
10.1.1.254         link#1             UHLW   214933            bge0
10.1.2/24          10.1.2.0           UGSc        0    15578    xl0
10.1.2.1           10.1.1.1           UH          0     2060   gif0
127.0.0.1          127.0.0.1          UH          1       48    lo0
192.168.1          link#2             UC         30             xl0
192.168.1.1        00:0c:41:7f:8a:6e  UHLW       42             xl0   1042
192.
Re: Routing problem in IPv4/IPSec VPN environment
- Original Message -
From: "James P. Howard, II" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 29, 2004 2:57 PM
Subject: Routing problem in IPv4/IPSec VPN environment

> As a personal favor, I am building a VPN for a small business. I
> have chosen FreeBSD for this due to my greater familiarity. The
> project will consist of linking four sites, each with a FreeBSD
> system providing DHCP, NAT, and VPN services. I have built DHCP and
> NAT servers before, but the IPSec and VPN is new to me.
>
> Right now, the first two systems are nearly complete. The two
> machines are named goldengate and waltwhitman. Here's the IP
> config, currently:
>
> goldengate: external 192.168.1.101 internal 10.1.1.1
> waltwhitman: external 192.168.1.102 internal 10.1.2.1
>
> The external interfaces are in the reserved space because testing is
> taking place behind a cable/DSL router providing NAT services. The
> output of "gifconfig -a; ifconfig -a; netstat -rn" for each will be
> provided at the end of this message.
>
> IPSec, with Racoon, is properly exchanging keys. From goldengate, I
> can ping 10.1.2.1 and from waltwhitman I can ping 10.1.1.1.
>
> If a Windows computer is connected behind either system, they
> receive an IP (10.1.x.254, where x is the network number).
>
> The problem is, if behind the 10.1.2.1 firewall, I cannot ping
> 10.1.1.1 and vice-versa. I assume, at this point, this is some type
> of routing issue and not a problem with IPSec. This seems to be
> confirmed by the fact tracerouting to the local internal interface
> goes through the *other* internal interface first:

Not to be disrespectful, but did you do what I've done in the past and forget to enable forwarding so the systems can route traffic?

[EMAIL PROTECTED]/>sysctl -a |grep forward
net.inet.ip.forwarding: 1

If not, make sure that gateway_enable="YES" in rc.conf and reboot, or sysctl net.inet.ip.forwarding=1 from the command line to enable it without a reboot.
--
Micheal Patterson
TSG Network Administration
405-917-0600

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Routing problem in IPv4/IPSec VPN environment
As a personal favor, I am building a VPN for a small business. I have chosen FreeBSD for this due to my greater familiarity. The project will consist of linking four sites, each with a FreeBSD system providing DHCP, NAT, and VPN services. I have built DHCP and NAT servers before, but the IPSec and VPN is new to me.

Right now, the first two systems are nearly complete. The two machines are named goldengate and waltwhitman. Here's the IP config, currently:

goldengate: external 192.168.1.101 internal 10.1.1.1
waltwhitman: external 192.168.1.102 internal 10.1.2.1

The external interfaces are in the reserved space because testing is taking place behind a cable/DSL router providing NAT services. The output of "gifconfig -a; ifconfig -a; netstat -rn" for each will be provided at the end of this message.

IPSec, with Racoon, is properly exchanging keys. From goldengate, I can ping 10.1.2.1 and from waltwhitman I can ping 10.1.1.1.

If a Windows computer is connected behind either system, they receive an IP (10.1.x.254, where x is the network number).

The problem is, if behind the 10.1.2.1 firewall, I cannot ping 10.1.1.1 and vice-versa. I assume, at this point, this is some type of routing issue and not a problem with IPSec. This seems to be confirmed by the fact tracerouting to the local internal interface goes through the *other* internal interface first:

waltwhitman$ ifconfig bge1; traceroute 10.1.2.1
bge1: flags=8843 mtu 1500 options=3
        inet 10.1.2.1 netmask 0xff00 broadcast 10.1.2.255
        inet6 fe80::209:5bff:fe60:e508%bge1 prefixlen 64 scopeid 0x2
        ether 00:09:5b:60:e5:08
        media: Ethernet autoselect (10baseT/UTP )
        status: active
traceroute to 10.1.2.1 (10.1.2.1), 64 hops max, 44 byte packets
 1  10.1.1.1 (10.1.1.1)  0.848 ms  0.736 ms  0.783 ms
 2  10.1.2.1 (10.1.2.1)  1.173 ms  1.262 ms  1.247 ms

The other machine behaves identically, except the numbers are reversed.

At this point, I have reached the limits of my knowledge. Any help would be appreciated.

Thank you,
James

Notes on the output: IPv6 info removed from netstat output. There is a third interface in WALTWHITMAN which may break off to a DMZ in the future. No decision has been made and won't be for some time. The interface was given the IP 172.16.1.1.

GOLDENGATE:

goldengate$ gifconfig -a; ifconfig -a; netstat -rn
gif0: flags=8051 mtu 1280
        inet 10.1.1.1 --> 10.1.2.1 netmask 0x
        inet6 fe80::209:5bff:fe62:714e%gif0 prefixlen 64
        physical address inet 192.168.1.101 --> 192.168.1.102
bge0: flags=8843 mtu 1500 options=3
        inet 10.1.1.1 netmask 0xff00 broadcast 10.1.1.255
        inet6 fe80::209:5bff:fe62:714e%bge0 prefixlen 64 scopeid 0x1
        ether 00:09:5b:62:71:4e
        media: Ethernet autoselect (100baseTX )
        status: active
xl0: flags=8843 mtu 1500 options=1
        inet6 fe80::2b0:d0ff:fe23:5b8d%xl0 prefixlen 64 scopeid 0x2
        inet 192.168.1.101 netmask 0xff00 broadcast 192.168.1.255
        ether 00:b0:d0:23:5b:8d
        media: Ethernet autoselect (100baseTX )
        status: active
lp0: flags=8810 mtu 1500
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff00
faith0: flags=8002 mtu 1500
gif0: flags=8051 mtu 1280
        tunnel inet 192.168.1.101 --> 192.168.1.102
        inet 10.1.1.1 --> 10.1.2.1 netmask 0x
        inet6 fe80::209:5bff:fe62:714e%gif0 prefixlen 64 scopeid 0x6

Routing tables

Internet:
Destination        Gateway            Flags    Refs Use   Netif Expire
default            192.168.1.1        UGSc     3 6082     xl0
10.1.1/24          link#1             UC       20         bge0
10.1.1.1           00:09:5b:62:71:4e  UHLW     0 306      lo0
10.1.1.254         link#1             UHLW     214933     bge0
10.1.2/24          10.1.2.0           UGSc     015578     xl0
10.1.2.1           10.1.1.1           UH       0 2060     gif0
127.0.0.1          127.0.0.1          UH       1 48       lo0
192.168.1          link#2             UC       30         xl0
192.168.1.1        00:0c:41:7f:8a:6e  UHLW     42         xl0    1042
192.168.1.100      00:30:65:2e:ae:f7  UHLW     00         xl0    1100
192.168.1.101      127.0.0.1          UGHS     00         lo0
192.168.1.102      00:b0:d0:a1:81:09  UHLW     313842     xl0    1054

WALTWHITMAN:

waltwhitman$ gifconfig -a; ifconfig -a; netstat -rn
gif0: flags=8051 mtu 1280
        inet 10.1.2.1 --> 10.1.1.1 netmask 0x
        inet6 fe80::209:5bff:fe62:1ab2%gif0 prefixlen 64
        physical address inet 192.168.1.102 --> 192.168.1.101
bge0: flags=8843 mtu 1500 options=3
        inet 172.16.1.1 netmask 0xff00 broadcast 172.16.1.255
        inet6 fe80::209:5bff:fe62:1ab2%bge0 prefixlen 64 scopeid 0x1
        ether 00:09:5b:62:1a:b2
        media: Ethernet autoselec
Routing problem 2 cable modems on 1 PC
Dear all

I have a cable modem hooked up as my default gateway and running natd for my clients on xl0. I have another modem which I want to put on the same box on a different NIC, sis0. The problem is the remote gateway is the same for both IP addresses, due to the fact it's the same ISP. I get messages saying that xxx is on sis0 but got reply from xl0, xxx on xl0, etc.

Any ideas?

Thanks
Re: mpd PPTP to Cisco 3000 VPN Concentrator routing problem
On Thu, 8 Jan 2004, Joe Marcus Clarke wrote:
>
> Good luck. I have tried to get this working, but have never been able
> to get mpd encryption to work with the Concentrator's encryption
> (neither has anyone else to my knowledge). If you disable encryption on
> the concentrator, the tunnel will come up, and you will be able to pass
> traffic across it. Any other combination does not work. I haven't
> tried 3.16 yet, but looking at the ChangeLog, I doubt it addresses this
> problem.

This is a known issue. I've been in touch with Archie; I sent him some tcpdump traces, logs and the same stuff from a Linux client which works OK. The bad news is Archie is horribly busy at this time and won't be able to look at it for some time.

Fer
Re: mpd PPTP to Cisco 3000 VPN Concentrator routing problem
Original message from Joe Marcus Clarke:
> I was able to get past the routing loop by readdressing the interface as
> soon as it came up. This is a good starter howto on that procedure:
>
> http://www.cs.rpi.edu/~flemej/fbsd-cisco-vpn/fbsd-cisco-vpn.pdf

Yeah I went through this, but my iface up-script doesn't seem to work, which was my original question. I didn't make it far enough to find out mppe is broken as well.

> You might also consider trying out security/vpnc if the concentrator
> also allows for IPSec clients using the Cisco VPN client.

I'll check it out, thanks. I didn't have any luck with isakmpd because it apparently doesn't support xauth and some other things I need.

--
Chris
Re: mpd PPTP to Cisco 3000 VPN Concentrator routing problem
On Thu, 2004-01-08 at 03:34, Chris Jones wrote: > Oh. :( I thought it negotiated the encryption ok because I see this: > > [ciscovpn] CCP: LayerUp > Compress using: MPPE, 128 bit, stateless > Decompress using: MPPE, 128 bit, stateless This is fine. I get this, too. However, when trying to send data, I get decryption errors (the concentrator reports invalid packets). > > And capturing on the interface, I see echo req's coming in from the > concentrator, but I encounter a routing loop when I try to send across > the tunnel. I was able to get past the routing loop by readdressing the interface as soon as it came up. This is a good starter howto on that procedure: http://www.cs.rpi.edu/~flemej/fbsd-cisco-vpn/fbsd-cisco-vpn.pdf > > Disabling encryption isn't an option, even for testing, I'm afraid. Then you're probably not going have any luck getting this to work. You might also consider trying out security/vpnc if the concentrator also allows for IPSec clients using the Cisco VPN client. Joe > > > Original message from Joe Marcus Clarke: > > > On Thu, 2004-01-08 at 02:49, Chris Jones wrote: > > > Hi. I've gone over list archives and seen this issue discussed before, > > > but the sugggested solutions aren't working for me. I am using > > > mpd-3.15_1 on FreeBSD 4.9-STABLE to connect to a Cisco 3000 Series VPN > > > Concentrator. I have negotiated CHAP and MPPE and the ng0 interface > > > comes up, but when I try to do anything I get this: > > > > > > $ ping 10.10.58.7 > > > PING 10.10.58.7 (10.10.58.7): 56 data bytes > > > ping: sendto: Resource deadlock avoided > > > ping: sendto: No buffer space available > > > > > > A little investigation showed that this is a known routing issue and > > > that it is possible to work around by re-addressing the ng0 interface > > > with the VPN concentrator's private IP and set a default route to it. I > > > did this, but I still have the same problem. :( > > > > > > Does anyone see what I am doing wrong here? 
Below are my routing table
> > > and ifconfig before running mpd, after running mpd, and after running
> > > the "fix". Below that is my mpd.conf and its output (verbose).
> > >
> > > I appreciate any help on this, I've been going crazy trying to figure
> > > out what I'm doing wrong. I can get it to work using the OSX PPTP
> > > client, but not mpd.
> >
> > Good luck. I have tried to get this working, but have never been able
> > to get mpd encryption to work with the Concentrator's encryption
> > (neither has anyone else to my knowledge). If you disable encryption on
> > the concentrator, the tunnel will come up, and you will be able to pass
> > traffic across it. Any other combination does not work. I haven't
> > tried 3.16 yet, but looking at the ChangeLog, I doubt it addresses this
> > problem.
> >
> > Joe
> >
> > --
> > PGP Key : http://www.marcuscom.com/pgp.asc

--
PGP Key : http://www.marcuscom.com/pgp.asc
Re: mpd PPTP to Cisco 3000 VPN Concentrator routing problem
Oh. :( I thought it negotiated the encryption ok because I see this: [ciscovpn] CCP: LayerUp Compress using: MPPE, 128 bit, stateless Decompress using: MPPE, 128 bit, stateless And capturing on the interface, I see echo req's coming in from the concentrator, but I encounter a routing loop when I try to send across the tunnel. Disabling encryption isn't an option, even for testing, I'm afraid. Original message from Joe Marcus Clarke: > On Thu, 2004-01-08 at 02:49, Chris Jones wrote: > > Hi. I've gone over list archives and seen this issue discussed before, > > but the sugggested solutions aren't working for me. I am using > > mpd-3.15_1 on FreeBSD 4.9-STABLE to connect to a Cisco 3000 Series VPN > > Concentrator. I have negotiated CHAP and MPPE and the ng0 interface > > comes up, but when I try to do anything I get this: > > > > $ ping 10.10.58.7 > > PING 10.10.58.7 (10.10.58.7): 56 data bytes > > ping: sendto: Resource deadlock avoided > > ping: sendto: No buffer space available > > > > A little investigation showed that this is a known routing issue and > > that it is possible to work around by re-addressing the ng0 interface > > with the VPN concentrator's private IP and set a default route to it. I > > did this, but I still have the same problem. :( > > > > Does anyone see what I am doing wrong here? Below are my routing table > > and ifconfig before running mpd, after running mpd, and after running > > the "fix". Below that is my mpd.conf and its output (verbose). > > > > I appreciate any help on this, I've been going crazy trying to figure > > out what I'm doing wrong. I can get it to work using the OSX PPTP > > client, but not mpd. > > Good luck. I have tried to get this working, but have never been able > to get mpd encryption to work with the Concentrator's encryption > (neither has anyone else to my knowledge). If you disable encryption on > the concentrator, the tunnel will come up, and you will be able to pass > traffic across it. 
Any other combination does not work. I haven't
> tried 3.16 yet, but looking at the ChangeLog, I doubt it addresses this
> problem.
>
> Joe
>
> --
> PGP Key : http://www.marcuscom.com/pgp.asc

--
Chris
Re: mpd PPTP to Cisco 3000 VPN Concentrator routing problem
On Thu, 2004-01-08 at 02:49, Chris Jones wrote:
> Hi. I've gone over list archives and seen this issue discussed before,
> but the suggested solutions aren't working for me. I am using
> mpd-3.15_1 on FreeBSD 4.9-STABLE to connect to a Cisco 3000 Series VPN
> Concentrator. I have negotiated CHAP and MPPE and the ng0 interface
> comes up, but when I try to do anything I get this:
>
> $ ping 10.10.58.7
> PING 10.10.58.7 (10.10.58.7): 56 data bytes
> ping: sendto: Resource deadlock avoided
> ping: sendto: No buffer space available
>
> A little investigation showed that this is a known routing issue and
> that it is possible to work around by re-addressing the ng0 interface
> with the VPN concentrator's private IP and set a default route to it. I
> did this, but I still have the same problem. :(
>
> Does anyone see what I am doing wrong here? Below are my routing table
> and ifconfig before running mpd, after running mpd, and after running
> the "fix". Below that is my mpd.conf and its output (verbose).
>
> I appreciate any help on this, I've been going crazy trying to figure
> out what I'm doing wrong. I can get it to work using the OSX PPTP
> client, but not mpd.

Good luck. I have tried to get this working, but have never been able to get mpd encryption to work with the Concentrator's encryption (neither has anyone else to my knowledge). If you disable encryption on the concentrator, the tunnel will come up, and you will be able to pass traffic across it. Any other combination does not work. I haven't tried 3.16 yet, but looking at the ChangeLog, I doubt it addresses this problem.

Joe

--
PGP Key : http://www.marcuscom.com/pgp.asc
mpd PPTP to Cisco 3000 VPN Concentrator routing problem
Hi. I've gone over list archives and seen this issue discussed before, but the suggested solutions aren't working for me. I am using mpd-3.15_1 on FreeBSD 4.9-STABLE to connect to a Cisco 3000 Series VPN Concentrator. I have negotiated CHAP and MPPE and the ng0 interface comes up, but when I try to do anything I get this:

$ ping 10.10.58.7
PING 10.10.58.7 (10.10.58.7): 56 data bytes
ping: sendto: Resource deadlock avoided
ping: sendto: No buffer space available

A little investigation showed that this is a known routing issue and that it is possible to work around by re-addressing the ng0 interface with the VPN concentrator's private IP and set a default route to it. I did this, but I still have the same problem. :(

Does anyone see what I am doing wrong here? Below are my routing table and ifconfig before running mpd, after running mpd, and after running the "fix". Below that is my mpd.conf and its output (verbose).

I appreciate any help on this, I've been going crazy trying to figure out what I'm doing wrong. I can get it to work using the OSX PPTP client, but not mpd.

- Chris

VPN External IP: C.O.R.P
VPN Internal IP: 10.10.58.7

*** before running mpd

Destination        Gateway            Flags    Refs  Use  Netif Expire
default            192.168.131.254    UGS         0    0  de0
127.0.0.1          127.0.0.1          UH          0    0  lo0
192.168.131        link#1             UC          0    0  de0
192.168.131.254    00:00:0f:00:00:00  UHLW        1    0  de0     36

*** after running mpd

ng0: flags=88d1 mtu 1494
        inet 10.10.58.156 --> C.O.R.P netmask 0x
        inet6 fe80::203::fe73:504c%ng0 prefixlen 64 scopeid 0x3

Destination        Gateway            Flags    Refs  Use  Netif Expire
default            192.168.131.254    UGS         0   30  de0
10.10.58.156       lo0                UHS         0    0  lo0
127.0.0.1          127.0.0.1          UH          0    0  lo0
192.168.131        link#1             UC          0    0  de0
192.168.131.254    00:00:0f:00:00:00  UHLW        1    0  de0      4
C.O.R.P            10.10.58.156       UH          0    0  ng0

*** run fix from iface up-script

ifconfig ng0 inet 10.10.58.156 10.10.58.7 netmask 0x
route delete default
route add default -interface ng0

*** after running fix

ng0: flags=88d1 mtu 1494
        inet6 fe80::203::fe73:504c%ng0 prefixlen 64 scopeid 0x3
        inet 10.10.58.156 --> 10.10.58.7 netmask 0x

Destination        Gateway            Flags    Refs  Use  Netif Expire
default            ng0                US          0    0  ng0
10.10.58.7         10.10.58.156       UH          0    0  ng0
10.10.58.156       lo0                UHS         0    0  lo0
127.0.0.1          127.0.0.1          UH          0    0  lo0
192.168.131        link#1             UC          0    0  de0
192.168.131.254    00:00:0f:00:00:00  UHLW        0    0  de0

ciscovpn:
        new -i ng0 ciscovpn work
        set bundle authname "user"
        set bundle password "password"
        set ipcp ranges 10.10.58.0/23 C.O.R.P/32
        set link max-redial -1
        set link keep-alive 0 0
        set link disable acfcomp protocomp
        set bundle no crypt-reqd
        set bundle enable compression encryption
        set ccp yes mppc
        set ccp yes mpp-e128
        set ccp no mpp-e40
        set ccp yes mpp-stateless
        set link disable pap chap
        set link no chap-md5
        set link no chap-msv2
        set link no pap
        set link accept chap-msv1
        set iface idle 0
        set ipcp disable vjcomp
        set ipcp enable req-pri-dns req-sec-dns
        set iface up-script /usr/local/etc/mpd/ciscovpn-iface-up.sh
        open

*** mpd.links

work:
        set link type pptp
        set pptp peer C.O.R.P
        set pptp enable originate outcall

*** mpd output

# mpd
Multi-link PPP for FreeBSD, by Archie L. Cobbs.
Based on iij-ppp, by Toshiharu OHNO.
mpd: pid 1033, version 3.15 ([EMAIL PROTECTED] 00:39 7-Jan-2004)
[ciscovpn] ppp node is "mpd1033-ciscovpn"
[ciscovpn] using interface ng0
[ciscovpn] IFACE: Open event
[ciscovpn] IPCP: Open event
[ciscovpn] IPCP: state change Initial --> Starting
[ciscovpn] IPCP: LayerStart
[ciscovpn:work] [ciscovpn] bundle: OPEN event in state CLOSED
[ciscovpn] opening link "work"...
[work] link: OPEN event
[work] LCP: Open event
[work] LCP: state change Initial --> Starting
[work] LCP: LayerStart
[work] device: OPEN event in state DOWN
pptp0: connecting to C.O.R.P:1723
[work] device is now in state OPENING
pptp0: connected to C.O.R.P:1723
pptp0: attached to connection with C.O.R.P:1723
pptp0-0: outgoing call connected at 1000 bps
[work] PPTP call successful
[work] device: UP event in state OPENING
[work] device is now in state UP
[work] link: UP event
[work] link: origination is local
[work] LCP: Up eve
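Both the IPv4/IPSec VPN thread above (James's goldengate routing table) and this mpd thread (Chris's three routing tables) come down to the same question: which row of the routing table does a given destination actually match, and does the path to a tunnel's outer endpoint lead back into the tunnel itself? The following is an added example, not code from any of the posters. It transcribes the IPv4 rows of the tables as they appear in the posts (the archive lost the column spacing, so the split of each row into destination, gateway, flags and interface is my reading of it; Refs/Use/Expire are dropped), expands netstat's destination shorthand, does a longest-prefix-match lookup, and then checks each tunnel for the loop condition. Since the concentrator's public address is redacted as C.O.R.P in the post, the RFC 5737 documentation address 198.51.100.7 stands in for it; that substitution is an assumption. What it shows: on goldengate, only the host route to 10.1.2.1 uses gif0, while any other 10.1.2.0/24 address matches the 10.1.2/24 row and leaves via xl0; on the mpd client, the concentrator's outer address resolves to ng0 both right after mpd comes up (via the C.O.R.P host route) and after the up-script "fix" (via the default route on ng0), which is exactly the routing loop the thread describes. None of this replaces Micheal's forwarding check (net.inet.ip.forwarding) in the IPSec thread; it only explains what the tables say.

```python
import ipaddress

# Route tables transcribed from the netstat -rn output in the posts
# (IPv4 rows only, as (destination, gateway, flags, netif)). The column
# spacing was lost in the archive, so this split is my reading of each row.
GOLDENGATE = [
    ("default",       "192.168.1.1",       "UGSc", "xl0"),
    ("10.1.1/24",     "link#1",            "UC",   "bge0"),
    ("10.1.1.1",      "00:09:5b:62:71:4e", "UHLW", "lo0"),
    ("10.1.1.254",    "link#1",            "UHLW", "bge0"),
    ("10.1.2/24",     "10.1.2.0",          "UGSc", "xl0"),
    ("10.1.2.1",      "10.1.1.1",          "UH",   "gif0"),
    ("127.0.0.1",     "127.0.0.1",         "UH",   "lo0"),
    ("192.168.1",     "link#2",            "UC",   "xl0"),
    ("192.168.1.102", "00:b0:d0:a1:81:09", "UHLW", "xl0"),
]

# The mpd post redacts the concentrator's public address as C.O.R.P; this
# RFC 5737 documentation address stands in for it (an assumption).
CORP = "198.51.100.7"

MPD_AFTER_MPD = [  # the "after running mpd" table
    ("default",         "192.168.131.254",   "UGS",  "de0"),
    ("10.10.58.156",    "lo0",               "UHS",  "lo0"),
    ("127.0.0.1",       "127.0.0.1",         "UH",   "lo0"),
    ("192.168.131",     "link#1",            "UC",   "de0"),
    ("192.168.131.254", "00:00:0f:00:00:00", "UHLW", "de0"),
    (CORP,              "10.10.58.156",      "UH",   "ng0"),
]

MPD_AFTER_FIX = [  # the "after running fix" table (default route on ng0)
    ("default",         "ng0",               "US",   "ng0"),
    ("10.10.58.7",      "10.10.58.156",      "UH",   "ng0"),
    ("10.10.58.156",    "lo0",               "UHS",  "lo0"),
    ("127.0.0.1",       "127.0.0.1",         "UH",   "lo0"),
    ("192.168.131",     "link#1",            "UC",   "de0"),
    ("192.168.131.254", "00:00:0f:00:00:00", "UHLW", "de0"),
]


def parse_dest(dest):
    """Expand netstat's destination shorthand into an IPv4 network:
    "default" -> 0.0.0.0/0, "10.1.2/24" -> 10.1.2.0/24, "192.168.1" ->
    192.168.1.0/24 (trailing zero octets dropped), "10.1.2.1" -> /32."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in dest:
        net, plen = dest.split("/")
    else:
        net, plen = dest, None
    octets = net.split(".")
    if plen is None:
        # No explicit length: a full 4-octet destination is a host route,
        # a shortened one covers the octets netstat printed.
        plen = 8 * len(octets)
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(octets)}/{plen}", strict=False)


def lookup(table, dst):
    """Longest-prefix match of dst against the table; returns the matching
    (destination, gateway, flags, netif) row, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for row in table:
        net = parse_dest(row[0])
        if addr in net and net.prefixlen > best_len:
            best, best_len = row, net.prefixlen
    return best


def tunnel_loops(table, tunnel_if, outer_endpoint):
    """True when packets to the tunnel's own outer endpoint would be routed
    into the tunnel: the encapsulated packet is looked up again, sent into
    the tunnel again, and so on (the "Resource deadlock avoided" case)."""
    row = lookup(table, outer_endpoint)
    return row is not None and row[3] == tunnel_if


if __name__ == "__main__":
    for dst in ("10.1.2.1", "10.1.2.254"):
        print("goldengate ->", dst, "matches", lookup(GOLDENGATE, dst))
    print("gif0 endpoint loops:", tunnel_loops(GOLDENGATE, "gif0", "192.168.1.102"))
    print("ng0 loops after mpd:", tunnel_loops(MPD_AFTER_MPD, "ng0", CORP))
    print("ng0 loops after fix:", tunnel_loops(MPD_AFTER_FIX, "ng0", CORP))
```

The same check applies to any tunnel (gif, gre, ng, tun): the outer endpoint must resolve to a route whose interface is the physical one, which usually means a host route for the endpoint via the real next hop installed before the default route is moved onto the tunnel.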
fun routing problem
Well, I got this fun routing problem again; so here it goes.

I have a router which gets native IPv6 on xl0 with block 2001:a6x:2:1x::/64, and she also has a LAN interface. My idea was to route 2001:a6x:2:1x:dead::/96 to the LAN interface, so I thought of doing as follows: added 2001:a6x:2:1x::3/64 to the LAN interface, then routed 2001:a6x:2:1x:dead::/96 to it.

Now the fun comes in: xl0 pings the net fine, the LAN interface pings xl0 fine, but the LAN interface won't ping the net. tcpdump says like this:

13:13:32.755545 2001:a6x:2:1x::1337 > 2001:a6x:2:1x::: icmp6: echo request
13:13:32.764543 2001:a6x:2:1x:220:48ff:fe5b:2d15 > ff02::1:ff00:1337: icmp6: neighbor sol: who has 2001:a6x:2:1x::1337

No answer. So the gw-router is like "hmm, who the fck has this address", then asks for it with multicast or a similar thing (ff02-thing) but won't get a reply? Why won't the LAN-if get that multicast-whateveritis request while it is on the same net but a different interface? All forwarding sysctls are 1. No firewalls harassing or anything.

Greets
Markus Kovero
Re: Routing problem
> From which interface? Try these:
>
> ping google.com (that will ping using the external interface)
> ping -S 10.0.0.1 google.com (that will ping using the internal interface)
>
> If one works, but not the other, post your firewall rules and natd command line.

Hello,

The FreeBSD machine is simply passing traffic for the time being, no ipfw, no NAT. I know the name, but not much more about the DSL modem I was given. It's an ARESCOM800, and the service is **wince** MSN DSL. The modem has a very simple html display that gives me the very basics; modem IP (192.168.1.1), netmask (255.255.255.252) and external IP.

rl0 is the modem-facing interface (external) on a FreeBSD 4.9 "gateway". de0 is the LAN-facing (internal) interface on the same machine.

/etc/rc.conf says:

ifconfig_rl0="DHCP"
ifconfig_de0="inet 10.0.0.1 netmask 255.255.255.0"
gateway_enable="YES"
defaultrouter="192.168.1.1"

I can reach the outside world from both interfaces on the gateway. rl0 is configured thusly (automatically via DHCP): inet 192.168.1.2 netmask 255.255.255.252, with a default gateway of 192.168.1.1.

Clients are configured as follows: inet 10.0.0.x netmask 255.255.255.0, defaultrouter 10.0.0.1

From a client machine on the 10.0.0.0 network, I can ping both de0 and rl0 on the gateway, but I cannot get any traffic past rl0 to the cable modem from the LAN client. That is where my minimal understanding of routing ends. I do not know why I cannot pass traffic to the modem and out. I hope this makes my problem clearer, thanks for the help.

After following up on the above reply, I find that I cannot ping out from the LAN interface (de0, 10.0.0.1). Hmmm, and again, no ipfw or NAT on the FreeBSD firewall.

Joshua
Re: Routing problem
You're right, I didn't explain thoroughly. The FreeBSD gateway can reach the internet. The cable modem and gateway addresses are assigned by the ISP. My rc.conf:

ifconfig_rl0=DHCP
ifconfig_de0="inet 10.0.0.1 netmask 255.255.255.0"
gateway_enable="YES"
...

Thank you.

--
Best Regards,
Joshua Lokken

From: Clayton F <[EMAIL PROTECTED]>
To: "joshua lokken" <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED]
Subject: Re: Routing problem
Date: Mon, 8 Dec 2003 12:52:47 -0800

This setup appears a little confusing. Does your ISP give you a static or dynamic IP address to the internet? It would also help to see the interface configuration info in your rc.conf file. Generally speaking, your external interface should have the IP address assigned by your ISP, not a private network address like you describe. You should also have a valid address to a DNS server, rather than being referred to your DSL modem's private IP address.

#my rc.conf (cable modem, with ip dynamically assigned - I'm using 192.168.1.0 as my private network range)
gateway_enable="YES"
defaultrouter="192.168.1.1"
network_interfaces="fxp0 dc0 lo0"
hostname="vesta.bitheaven.net"
ifconfig_fxp0="DHCP"
ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"

If this doesn't help, send more info

On Dec 8, 2003, at 12:22 PM, joshua lokken wrote:

Hello,

Running 4.9-stable. Here is a brief overview of the network I'm setting up.

***Internet***
|
DSL modem (192.168.1.1, netmask 255.255.255.252, assigned by ISP)
|
FreeBSD gateway external (192.168.1.2, netmask 255.255.255.252, assigned by ISP)
|
FreeBSD gateway internal (10.0.0.1, netmask 255.255.255.0)
|
LAN (clients, 10.0.0.x, netmask 255.255.255.0)

LAN clients can access both gateway interfaces by hostname and IP. Clients are set up to use 192.168.1.2 for DNS, and 192.168.1.2 uses 192.168.1.1 for DNS. I cannot get any traffic to reach (let alone pass) the DSL modem from the clients.

I have tried this with the FreeBSD gateway, a Win2k gateway, and a Linksys router. Under any setup, the result is the same. My ISP's support desk has been absolutely no help. Can anyone tell what the problem may be here? Thanks in advance for any help.

--
Best Regards,
Joshua Lokken
Re: Routing problem
This setup appears a little confusing. Does your ISP give you a static or dynamic IP address to the internet? It would also help to see the interface configuration info in your rc.conf file. Generally speaking, your external interface should have the IP address assigned by your ISP, not a private network address like you describe. You should also have a valid address to a DNS server, rather than being referred to your DSL modem's private IP address.

#my rc.conf (cable modem, with ip dynamically assigned - I'm using 192.168.1.0 as my private network range)
gateway_enable="YES"
defaultrouter="192.168.1.1"
network_interfaces="fxp0 dc0 lo0"
hostname="vesta.bitheaven.net"
ifconfig_fxp0="DHCP"
ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"

If this doesn't help, send more info

On Dec 8, 2003, at 12:22 PM, joshua lokken wrote:

Hello,

Running 4.9-stable. Here is a brief overview of the network I'm setting up.

***Internet***
|
DSL modem (192.168.1.1, netmask 255.255.255.252, assigned by ISP)
|
FreeBSD gateway external (192.168.1.2, netmask 255.255.255.252, assigned by ISP)
|
FreeBSD gateway internal (10.0.0.1, netmask 255.255.255.0)
|
LAN (clients, 10.0.0.x, netmask 255.255.255.0)

LAN clients can access both gateway interfaces by hostname and IP. Clients are set up to use 192.168.1.2 for DNS, and 192.168.1.2 uses 192.168.1.1 for DNS. I cannot get any traffic to reach (let alone pass) the DSL modem from the clients. I have tried this with the FreeBSD gateway, a Win2k gateway, and a Linksys router. Under any setup, the result is the same. My ISP's support desk has been absolutely no help. Can anyone tell what the problem may be here? Thanks in advance for any help.

--
Best Regards,
Joshua Lokken
Re: Routing problem
> LAN clients can access both gateway interfaces by hostname and IP. Clients
> are setup to use 192.168.1.2 for DNS, and 192.168.1.2 uses 192.168.1.1 for DNS.
> I cannot get any traffic to reach (let alone pass) the DSL modem from the
> clients.
>
> I have tried this with the FreeBSD gateway, a Win2k gateway, and Linksys
> router.
> Under any setup, the result is the same. My ISP's support desk has been
> absolutely no help. Can anyone tell what the problem may be here? Thanks
> in advance for any help.
>

If your ISP is anything like this one, your modem will have NAT translation
built in, meaning that is likely your default gateway. On your FBSD router,
you never implied that it could/couldn't see the Internet. I take it that if
you put a PC into the modem and set its default gateway to 1.1 (the modem
probably assigns this via DHCP anyway), then you can get online.

If this is the case, then the secondary router is no use unless used as a
firewall. In that case, you wouldn't need to route, and you could just set
it up as an IP-less bridge firewall.

Regards,

Steve

>
> --
> Best Regards,
>
> Joshua Lokken

--
Steve Bertrand
President/CTO, Northumberland Network Services
t: 905.352.2688
w: www.northnetworks.ca
Routing problem
Hello,

Running 4.9-stable. Here is a brief overview of the network I'm setting up.

***Internet***
      |
DSL modem (192.168.1.1, netmask 255.255.255.252, assigned by ISP)
      |
FreeBSD gateway external (192.168.1.2, netmask 255.255.255.252, assigned by ISP)
      |
FreeBSD gateway internal (10.0.0.1, netmask 255.255.255.0)
      |
LAN (clients, 10.0.0.x, netmask 255.255.255.0)

LAN clients can access both gateway interfaces by hostname and IP. Clients
are setup to use 192.168.1.2 for DNS, and 192.168.1.2 uses 192.168.1.1 for DNS.
I cannot get any traffic to reach (let alone pass) the DSL modem from the
clients.

I have tried this with the FreeBSD gateway, a Win2k gateway, and Linksys
router. Under any setup, the result is the same. My ISP's support desk has
been absolutely no help. Can anyone tell what the problem may be here?
Thanks in advance for any help.

--
Best Regards,

Joshua Lokken
Routing problem
Hello

My goals are:
- to use an Win2k server (terminal server) in a lan over the internet
  (FreeBSD box with pptpd)

My equipment:
- Win2k server, SP4 (test machine)
  - file server
  - telnet server
  IP: 192.168.1.50
- FreeBSD 4.8
  - firewall (all rules works very well, also ftp etc.)
  - VPN server (PopTop 1.1.4-b3). I have access from the Internet to this
    box over a VPN (=pptp) connection
  - ssh server
  - DynDNS client
  IP router side: 192.168.2.2
  IP LAN (Win2k server) side: 192.168.1.1
- Router
  ADSL Router ZyXel Prestige 642R-I
  IP: 192.168.2.3

Here is the schema:

 client in          FreeBSD            Win2k
 the Internet       Routerbox          server
                    xl1     xl0
 | |   --->   | |   --->   | |   -->   | |
 (for example: Win2k, Win9x)

If I start a pptp connect from the client in the internet (they receive an
ip from 192.168.1.200 to .210), I can ping 192.168.1.1 without problem.
Also I can ping from my FreeBSD box the remote client and the Win2k server.
From the Win2k server I can always ping the FreeBSD box but not the client
in the internet. I also set manually the arp resolution (MAC address with
ip address) on both side but also no luck.

I started also tcpdump on the FreeBSD box with the following result:

Pings from the client to Win2k server.
tcpdump start with options -n -i xl0 icmp:
23:18:20.217987 192.168.1.206 > 192.168.1.50: icmp: echo request
23:18:21.677929 192.168.1.206 > 192.168.1.50: icmp: echo request
23:18:22.693478 192.168.1.206 > 192.168.1.50: icmp: echo request
23:18:23.709587 192.168.1.206 > 192.168.1.50: icmp: echo request

here the same with options -n -i xl0 arp:
23:20:28.412407 arp who-has 192.168.1.206 tell 192.168.1.50
23:20:29.685452 arp who-has 192.168.1.206 tell 192.168.1.50
23:20:30.701281 arp who-has 192.168.1.206 tell 192.168.1.50
23:20:31.717197 arp who-has 192.168.1.206 tell 192.168.1.50

Pings from the Win2k server to the client.
tcpdump started like above (icmp):
... no output

here the same like above (arp)
23:23:24.855173 arp who-has 192.168.1.206 tell 192.168.1.50
23:23:25.923374 arp who-has 192.168.1.206 tell 192.168.1.50
23:23:26.924785 arp who-has 192.168.1.206 tell 192.168.1.50
23:23:27.926212 arp who-has 192.168.1.206 tell 192.168.1.50

I also deactivated the firewall but also no success.

What the hell is going wrong here?

--
Regards

Martin Schweizer <[EMAIL PROTECTED]>
PC-Service M. Schweizer; Gewerbehaus Schwarz; CH-8608 Bubikon
Tel. +41 55 243 30 00; Fax: +41 55 243 33 22; http://www.pc-service.ch;
public key : http://www.pc-service.ch/pgp/public_key.asc;
fingerprint: EC21 CA4D 5C78 BC2D 73B7 10F9 C1AE 1691 D30F D239;
Re: Routing problem.. cisco -->fbsd-->Lan Experts??
HI and thanks,

Cool! I am OK with the fbsd stuff ipfilter ipnat etc. I agree it is nice.
The small matter of the cisco thing...hmmm!

OK...so would it be ok to ask another question or 2 later if today is bad?

I need to know how to "bridge" the /29 on the cisco. does it mean I simply
install static routing on the cisco by doing something like...

ip classless (default)
ip route 203.44.288.0 255.255.255.248 ethernet0 10.0.0.2
no ip http server (default)

(NOTE: 10.0.0.2 is the ip of the fbsd box, 10.0.0.1 is the ethernet0 ip of
cisco router)

I have read the cisco docs but is slightly foreign language to me.

I would greatly appreciate it. My balls are now on the line here. I should
never volunteer to help!?

Am i close?

Keith

> [EMAIL PROTECTED] wrote:
>
>> I have a friend with a cisco 827 adsl router. It has config hassles but
>> when that is sorted, we need to setup a freebsd box inside the cisco
>> router to handle a /29 block of ips. 3 questions...
>>
> I'm running an identical setup here - a Cisco 827, a /29, and a FreeBSD
> machine (or two) performing NAT for my LAN.
>
>> a) Should I assume the cisco is not the worlds greatest firewall and
>> setup the freebsd machine as one (creating a dmz)
>>
> The Cisco will be "adequate," but I prefer the ease of use and added
> functions a FreeBSD machine running IP Filter/IPNAT, but that's just me.
>
>> b) The /29 block is routed by the ISP to the cisco device. I guess we
>> need to place a static route on the cisco gadget that directs any of
>> the incoming /29 block request onto the freebsd box...Correct?
>>
> I have my 827 set up as a very basic bridge. This means that instead of
> the /29 "terminating," so to speak, on the 827, each of my allocated IP
> addresses is available directly on an ethernet interface on one of two
> FreeBSD machines.
>
> As a partial answer to part C, if you bridge the /29 to the FreeBSD
> machine, you can easily configure IPF and IPNAT to port-forward to
> various internet servers as required. Personally, the machine I have
> performing NAT (with my /29 on one interface and a private /24 on the
> other) for my internal network also runs various services. It's not an
> ideal setup, but it is functional and easy to maintain.
>
> Sorry I can't answer the rest of your questions, my brain is still
> enjoying the aftereffects of a big Friday night :)
>
> --Steven
Re: Routing problem.. cisco -->fbsd-->Lan Experts??
[EMAIL PROTECTED] wrote:

> I have a friend with a cisco 827 adsl router. It has config hassles but
> when that is sorted, we need to setup a freebsd box inside the cisco
> router to handle a /29 block of ips. 3 questions...
>

I'm running an identical setup here - a Cisco 827, a /29, and a FreeBSD
machine (or two) performing NAT for my LAN.

> a) Should I assume the cisco is not the worlds greatest firewall and
> setup the freebsd machine as one (creating a dmz)
>

The Cisco will be "adequate," but I prefer the ease of use and added
functions a FreeBSD machine running IP Filter/IPNAT, but that's just me.

> b) The /29 block is routed by the ISP to the cisco device. I guess we
> need to place a static route on the cisco gadget that directs any of
> the incoming /29 block request onto the freebsd box...Correct?
>

I have my 827 set up as a very basic bridge. This means that instead of
the /29 "terminating," so to speak, on the 827, each of my allocated IP
addresses is available directly on an ethernet interface on one of two
FreeBSD machines.

As a partial answer to part C, if you bridge the /29 to the FreeBSD
machine, you can easily configure IPF and IPNAT to port-forward to
various internet servers as required. Personally, the machine I have
performing NAT (with my /29 on one interface and a private /24 on the
other) for my internal network also runs various services. It's not an
ideal setup, but it is functional and easy to maintain.

Sorry I can't answer the rest of your questions, my brain is still
enjoying the aftereffects of a big Friday night :)

--Steven
Routing problem.. cisco -->fbsd-->Lan Experts??
Hi all,

I have a friend with a cisco 827 adsl router. It has config hassles but
when that is sorted, we need to setup a freebsd box inside the cisco
router to handle a /29 block of ips. 3 questions...

a) Should I assume the cisco is not the worlds greatest firewall and
setup the freebsd machine as one (creating a dmz)

b) The /29 block is routed by the ISP to the cisco device. I guess we
need to place a static route on the cisco gadget that directs any of
the incoming /29 block request onto the freebsd box...Correct?

c) Should I use IPNAT on the fbsd box and place all the /29 ips on the NIC
facing the cisco and NAT to the internal private IPs of the servers inside
the fbsd Lan? I know I don't have to but if I do this would I have to
config the fbsd as a router (routed or such). I will make it the gateway
for the internal LAN. Is that enough? I think it should be?

Ideas please. Here is the scheme...Will this work is it best?

Thanks heaps
Keith

             ISP (165.228.233.1)
                    |
             [ADSL Internet]
                    |
             (165.228.233.190)
             +CISCO ROUTER+ static route
             (10.0.0.1)
                    |
                    |
  (10.0.0.2, 203.228.44.xxx, 203.228.44.zzz, 203.228.44.zzz..etc)
             +FREEBSD Gateway firewall+ NAT/PAT-
             (192.168.1.1)
                  /   \
                 /     \
                /       \
               /         \
     (192.168.1.2)     (192.168.1.3)   etc etc
      WWW server        OTHER server
RE: Dual homed host routing problem
On Thu, 27 Mar 2003, Philip Payne wrote:

> > I'm running FreeBSD 4.7-RELEASE and I have trouble routing between two
> > NIC's. On one side I have a 192.168.1.0/24 network and on the
> > other a 212.110.94.64/27
> > network on which I have mail and web servers, which the 192.168.1.0/24
> > hosts should be able to reach.
> >
> > Here are the ifconfig and netstat -r outputs:
> > wb0: flags=8843 mtu 1500
> >         inet 212.110.94.84 netmask 0xffe0 broadcast 212.110.94.95
> >         inet6 fe80::280:48ff:feb5:af3%wb0 prefixlen 64 scopeid 0x1
> >         ether 00:80:48:b5:0a:f3
> >         media: Ethernet autoselect (100baseTX )
> >         status: active
> > rl0: flags=8843 mtu 1500
> >         inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
> >         inet6 fe80::202:44ff:fe4f:958e%rl0 prefixlen 64 scopeid 0x2
> >         ether 00:02:44:4f:95:8e
> >         media: Ethernet autoselect (10baseT/UTP)
> >         status: active
> >
> > Routing tables
> > Internet:
> > Destination        Gateway            Flags    Refs    Use  Netif Expire
> > default            212.110.94.65      UGSc        4      0  wb0
> > localhost          localhost          UH          0      0  lo0
> > 192.168.1          link#2             UC          1      0  rl0
> > 192.168.1.255      ff:ff:ff:ff:ff:ff  UHLWb       1     45  rl0
> > 212.110.94.64/27   link#1             UC          8      0  wb0
> >
> > and I have net.inet.ip.forwarding set to 1
> >
> > How do I get my box to route packets between the two
> > interfaces 192.168.1.1
> > and 212.110.94.84?
>
> It may not be the actual dual-homed boxes issue. For this to work
> completely, the devices on the two networks you mention must also have the
> correct routing.
>
> So, devices on 192.168.1.0/24 must have a route for 212.110.94.64/27 via
> 192.168.1.1... most probably a default route as I assume the devices on
> 192.168.1.0/24 are reaching the net via this box.
>
> In addition, any device on 212.110.94.64/27 that is supposed to reach
> 192.168.1.0/24 devices must route 192.186.1.0/24 via 212.110.94.84.
>
>

I'm full down in networks, but you can try to use routed, with start up
option -s. I think it must be work
RE: Dual homed host routing problem
> I'm running FreeBSD 4.7-RELEASE and I have trouble routing between two
> NIC's. On one side I have a 192.168.1.0/24 network and on the
> other a 212.110.94.64/27
> network on which I have mail and web servers, which the 192.168.1.0/24
> hosts should be able to reach.
>
> Here are the ifconfig and netstat -r outputs:
> wb0: flags=8843 mtu 1500
>         inet 212.110.94.84 netmask 0xffe0 broadcast 212.110.94.95
>         inet6 fe80::280:48ff:feb5:af3%wb0 prefixlen 64 scopeid 0x1
>         ether 00:80:48:b5:0a:f3
>         media: Ethernet autoselect (100baseTX )
>         status: active
> rl0: flags=8843 mtu 1500
>         inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
>         inet6 fe80::202:44ff:fe4f:958e%rl0 prefixlen 64 scopeid 0x2
>         ether 00:02:44:4f:95:8e
>         media: Ethernet autoselect (10baseT/UTP)
>         status: active
>
> Routing tables
> Internet:
> Destination        Gateway            Flags    Refs    Use  Netif Expire
> default            212.110.94.65      UGSc        4      0  wb0
> localhost          localhost          UH          0      0  lo0
> 192.168.1          link#2             UC          1      0  rl0
> 192.168.1.255      ff:ff:ff:ff:ff:ff  UHLWb       1     45  rl0
> 212.110.94.64/27   link#1             UC          8      0  wb0
>
> and I have net.inet.ip.forwarding set to 1
>
> How do I get my box to route packets between the two
> interfaces 192.168.1.1
> and 212.110.94.84?

It may not be the actual dual-homed boxes issue. For this to work
completely, the devices on the two networks you mention must also have the
correct routing.

So, devices on 192.168.1.0/24 must have a route for 212.110.94.64/27 via
192.168.1.1... most probably a default route as I assume the devices on
192.168.1.0/24 are reaching the net via this box.

In addition, any device on 212.110.94.64/27 that is supposed to reach
192.168.1.0/24 devices must route 192.186.1.0/24 via 212.110.94.84.
RE: Dual homed host routing problem
> I'm running FreeBSD 4.7-RELEASE and I have trouble routing
> between two NIC's. On one side I have a 192.168.1.0/24
> network and on the other a 212.110.94.64/27 network on which
> I have mail and web servers, which the 192.168.1.0/24 hosts
> should be able to reach.
>
> Here are the ifconfig and netstat -r outputs:
> wb0: flags=8843 mtu 1500
>         inet 212.110.94.84 netmask 0xffe0 broadcast 212.110.94.95
>         inet6 fe80::280:48ff:feb5:af3%wb0 prefixlen 64 scopeid 0x1
>         ether 00:80:48:b5:0a:f3
>         media: Ethernet autoselect (100baseTX )
>         status: active
> rl0: flags=8843 mtu 1500
>         inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
>         inet6 fe80::202:44ff:fe4f:958e%rl0 prefixlen 64 scopeid 0x2
>         ether 00:02:44:4f:95:8e
>         media: Ethernet autoselect (10baseT/UTP)
>         status: active
>
> Routing tables
> Internet:
> Destination        Gateway            Flags    Refs    Use  Netif Expire
> default            212.110.94.65      UGSc        4      0  wb0
> localhost          localhost          UH          0      0  lo0
> 192.168.1          link#2             UC          1      0  rl0
> 192.168.1.255      ff:ff:ff:ff:ff:ff  UHLWb       1     45  rl0
> 212.110.94.64/27   link#1             UC          8      0  wb0
>
> and I have net.inet.ip.forwarding set to 1
>
> How do I get my box to route packets between the two
> interfaces 192.168.1.1 and 212.110.94.84?

Log into 212.110.94.65 and tell it that 192.168.1.0/24 is behind
212.110.94.84. If it's a BSD box you could do on .94.65;

route add -net 192.168.1.0/24 212.110.94.84

- Sten
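The return route that Philip's and Sten's replies describe, as an added shell example that is not from the thread: it checks a saved `netstat -rn` dump for an entry covering the inside prefix and, when none exists, prints the `route add` that Sten gives. The table it runs on is constructed from the thread's prefixes; the upstream router's own default gateway and interface names are assumptions, and the `net.inet.ip.forwarding` sysctl the poster already set is not re-checked here.

```sh
#!/bin/sh
# Added example, not from the thread: look for the return route on the
# upstream router and build the route(8) command that adds it. Works on a
# saved `netstat -rn` dump, so it runs offline.

# Constructed table, as a BSD box at 212.110.94.65 might print it before
# the fix. Prefixes come from the thread; gateway/interfaces are made up.
UPSTREAM_TABLE='Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            212.110.94.1       UGSc        3        0  fxp0
127.0.0.1          127.0.0.1          UH          0        0  lo0
212.110.94.64/27   link#2             UC          6        0  fxp1'

# FreeBSD's netstat prints a classful network with an all-zero host part
# in short form (the thread's table shows 192.168.1.0/24 as "192.168.1"),
# so accept that spelling as well as the CIDR one.
short_form() {
    printf '%s\n' "$1" | sed -e 's/\.0\/24$//' -e 's/\.0\.0\/16$//' -e 's/\.0\.0\.0\/8$//'
}

# has_route TABLE DEST: succeed if the table has an entry for DEST.
has_route() {
    _short=$(short_form "$2")
    printf '%s\n' "$1" | awk -v d="$2" -v s="$_short" \
        '$1 == d || $1 == s { found = 1 } END { exit !found }'
}

# gateway_for TABLE DEST: print the Gateway column of DEST's entry.
gateway_for() {
    _short=$(short_form "$2")
    printf '%s\n' "$1" | awk -v d="$2" -v s="$_short" \
        '$1 == d || $1 == s { print $2; exit }'
}

# return_route_fix TABLE PREFIX VIA: print the route(8) command this host
# needs for PREFIX via VIA, or nothing if a route is already present.
return_route_fix() {
    if has_route "$1" "$2"; then
        return 0
    fi
    printf 'route add -net %s %s\n' "$2" "$3"
}

# apply_fix TABLE PREFIX VIA: the table as it would look once the static
# route is in place (used to re-run the check against the fixed state).
apply_fix() {
    printf '%s\n%-18s %-18s %-8s %8s %8s  %s\n' "$1" "$2" "$3" UGS 0 0 fxp1
}

# Demonstration on the constructed table.
echo "Before: $(return_route_fix "$UPSTREAM_TABLE" 192.168.1.0/24 212.110.94.84)"
FIXED_TABLE=$(apply_fix "$UPSTREAM_TABLE" 192.168.1.0/24 212.110.94.84)
echo "After:  192.168.1.0/24 via $(gateway_for "$FIXED_TABLE" 192.168.1.0/24)"
```

To keep the route across reboots on a FreeBSD upstream, the same command goes into rc.conf as `static_routes="lan"` and `route_lan="-net 192.168.1.0/24 212.110.94.84"`.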
Dual homed host routing problem
Hi,

I'm running FreeBSD 4.7-RELEASE and I have trouble routing between two
NIC's. On one side I have a 192.168.1.0/24 network and on the other a
212.110.94.64/27 network on which I have mail and web servers, which the
192.168.1.0/24 hosts should be able to reach.

Here are the ifconfig and netstat -r outputs:
wb0: flags=8843 mtu 1500
        inet 212.110.94.84 netmask 0xffe0 broadcast 212.110.94.95
        inet6 fe80::280:48ff:feb5:af3%wb0 prefixlen 64 scopeid 0x1
        ether 00:80:48:b5:0a:f3
        media: Ethernet autoselect (100baseTX )
        status: active
rl0: flags=8843 mtu 1500
        inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
        inet6 fe80::202:44ff:fe4f:958e%rl0 prefixlen 64 scopeid 0x2
        ether 00:02:44:4f:95:8e
        media: Ethernet autoselect (10baseT/UTP)
        status: active

Routing tables
Internet:
Destination        Gateway            Flags    Refs    Use  Netif Expire
default            212.110.94.65      UGSc        4      0  wb0
localhost          localhost          UH          0      0  lo0
192.168.1          link#2             UC          1      0  rl0
192.168.1.255      ff:ff:ff:ff:ff:ff  UHLWb       1     45  rl0
212.110.94.64/27   link#1             UC          8      0  wb0

and I have net.inet.ip.forwarding set to 1

How do I get my box to route packets between the two interfaces 192.168.1.1
and 212.110.94.84?

-
Re: Re: Routing problem ?
* Hasse ([EMAIL PROTECTED]) wrote:
==> On Friday 21 March 2003 15.32, Steve Bertrand wrote:
==> SB > > Thx everybody.
==> SB > > Problem solved.
==> SB > > /Hasse.
==> SB >
==> SB > It would be nice for the people who followed your thread to know what
==> SB > actually resolved the issue. If you could post your fix, it would be
==> SB > appreciated.
==> SB >
==> SB > Tks.
==> SB >
==> SB > Steve
==> SB >
==> Sorry, will of course do.
==> I just removed the line and the problem was gone.
==>
==> Subject: Re: Re: Routing problem ?
==> Date: Thursday 20 March 2003 21.37
==> From: Joshua Lokken <[EMAIL PROTECTED]>
==> To: Hasse <[EMAIL PROTECTED]>
==>
==> * Hasse ([EMAIL PROTECTED]) wrote:
==> ==> blanktime="3000"
==> ==> gateway_enable="YES"
==> ==> defaultrouter="YES"
==>
==> I believe that you need to set defaultrouter to the IP
==> of your internal interface, ie
==>
==> defaultrouter="10.0.0.1"
==>
==> right now it's looking for YES as the default route, and
==> I'm pretty sure YES is not a viable route for your network.
==>
==> [snip - long list of rc.conf options]
==>
==> HTH,
==>
==> --
==> Joshua

I'm afraid that was my bad. I was having trouble sending mail to the
list until a day or so ago, so I replied to the sender only. Things
seem to work now. Apologies.

--
Joshua

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
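The rc.conf defect this thread tracked down, as an added shell example that is not from the thread: the broken fragment beside a corrected one, plus a check that rejects a `defaultrouter` value route(8) cannot use before the next boot prints "route: bad address: YES". The fragments are constructed from the lines Hasse posted; Hasse's own fix was to delete the line, which on an outside interface configured with DHCP is equivalent to the rc.conf(5) default `defaultrouter="NO"`, and the 10.0.0.1 in the test is Joshua's suggestion, not a verified address.

```sh
#!/bin/sh
# Added example, not from the thread: validate rc.conf's defaultrouter
# before rebooting. rc.conf(5) says the value is NO or the host name or
# address of the default gateway; "YES" is neither.

# Constructed fragment with the line the thread identified as the problem.
RC_BROKEN='gateway_enable="YES"
defaultrouter="YES"
ifconfig_xl0="DHCP"
ifconfig_fxp0="inet 192.168.1.200 netmask 255.255.255.0"'

# Corrected fragment. The outside interface is on DHCP, so dhclient(8)
# installs the default route from the lease and rc.conf must not add one.
RC_FIXED='gateway_enable="YES"
defaultrouter="NO"
ifconfig_xl0="DHCP"
ifconfig_fxp0="inet 192.168.1.200 netmask 255.255.255.0"'

# rc_value RCTEXT NAME: print NAME's value from rc.conf-style text with the
# surrounding quotes stripped; the last assignment wins, as it does in sh.
rc_value() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '
        $1 == k { v = substr($0, length(k) + 2); gsub(/^"|"$/, "", v); val = v }
        END { print val }'
}

# valid_ipv4 ADDR: four decimal octets, each 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        { ok = (NF == 4)
          for (i = 1; i <= NF && ok; i++)
              if ($i !~ /^[0-9]+$/ || $i + 0 > 255) ok = 0 }
        END { exit !ok }'
}

# check_defaultrouter RCTEXT: succeed when defaultrouter is unset, NO, or an
# IPv4 address; fail otherwise. rc.conf(5) also accepts a resolvable host
# name, but this check is deliberately stricter: a name that does not
# resolve at boot produces the same "bad address" failure as "YES".
check_defaultrouter() {
    _v=$(rc_value "$1" defaultrouter)
    case "$_v" in
        ""|NO|no) return 0 ;;
    esac
    if valid_ipv4 "$_v"; then
        return 0
    fi
    printf 'defaultrouter="%s" is not a gateway address; route(8) will report "bad address: %s"\n' "$_v" "$_v"
    return 1
}

# Demonstration on both fragments.
check_defaultrouter "$RC_BROKEN" || echo "broken fragment rejected, as expected"
check_defaultrouter "$RC_FIXED" && echo "corrected fragment accepted"
```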
Re: Routing problem ?
On Friday 21 March 2003 15.32, Steve Bertrand wrote:
SB > > Thx everybody.
SB > > Problem solved.
SB > > /Hasse.
SB >
SB > It would be nice for the people who followed your thread to know what
SB > actually resolved the issue. If you could post your fix, it would be
SB > appreciated.
SB >
SB > Tks.
SB >
SB > Steve
SB >
Sorry, will of course do.
I just removed the line and the problem was gone.

Subject: Re: Re: Routing problem ?
Date: Thursday 20 March 2003 21.37
From: Joshua Lokken <[EMAIL PROTECTED]>
To: Hasse <[EMAIL PROTECTED]>

* Hasse ([EMAIL PROTECTED]) wrote:
==> blanktime="3000"
==> gateway_enable="YES"
==> defaultrouter="YES"

I believe that you need to set defaultrouter to the IP
of your internal interface, ie

defaultrouter="10.0.0.1"

right now it's looking for YES as the default route, and
I'm pretty sure YES is not a viable route for your network.

[snip - long list of rc.conf options]

HTH,

--
Joshua
Re: Routing problem ?
> Thx everybody.
> Problem solved.
> /Hasse.

It would be nice for the people who followed your thread to know what
actually resolved the issue. If you could post your fix, it would be
appreciated.

Tks.

Steve
Re: Routing problem ?
Thx everybody.
Problem solved.
/Hasse.
Re: Routing problem ?
On Thursday 20 March 2003 17.54, Steve Bertrand wrote:
SB > > Hi everybody.
SB > > I have small network at home with two machines connected to the net
SB > > via ADSL. That means Dynamic IP, though not changing very often.
SB > > -
SB > > "odin.swedehost.com" running FreeBSD 4.8-RC #0 Sun Mar 16 2003
SB > > Two NICs. xl0 " DHCP " and "NAT-interface", acting as a gateway, doing NAT.
SB > > > ifconfig
SB > > fxp0: flags=8843 mtu 1500
SB > >         inet 192.168.1.200 netmask 0xff00 broadcast 192.168.1.255
SB > >         inet6 fe80::202:b3ff:fe8f:90fd%fxp0 prefixlen 64 scopeid 0x1
SB > >         ether 00:02:b3:8f:90:fd
SB > >         media: Ethernet autoselect (100baseTX )
SB > >         status: active
SB > > xl0: flags=8843 mtu 1500
SB > >         options=3
SB > >         inet6 fe80::201:2ff:fef7:7de8%xl0 prefixlen 64 scopeid 0x2
SB > >         inet 217.209.211.129 netmask 0xff00 broadcast 217.209.211.255
SB > >         ether 00:01:02:f7:7d:e8
SB > >         media: Ethernet autoselect (10baseT/UTP)
SB > >         status: active
SB > > lp0: flags=8810 mtu 1500
SB > > lo0: flags=8049 mtu 16384
SB > >         inet6 ::1 prefixlen 128
SB > >         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
SB > >         inet 127.0.0.1 netmask 0xff00
SB > > ppp0: flags=8010 mtu 1500
SB > > sl0: flags=c010 mtu 552
SB > > faith0: flags=8002 mtu 1500
SB > >
SB > > "thor.swedehost.com" running FreeBSD 4.8-RC #1: Fri Mar 7 23:23:21 CET 2003
SB > > Dualboot with W2k-Server.
SB > > Two NICs xl0 and fxp0 but only one of them configured.
SB > > thor# ifconfig
SB > > xl0: flags=8843 mtu 1500
SB > >         options=3
SB > >         inet 192.168.1.220 netmask 0xff00 broadcast 192.168.1.255
SB > >         inet6 fe80::204:76ff:fe19:3b1d%xl0 prefixlen 64 scopeid 0x1
SB > >         ether 00:04:76:19:3b:1d
SB > >         media: Ethernet autoselect (100baseTX )
SB > >         status: active
SB > > fxp0: flags=8843 mtu 1500
SB > >         inet6 fe80::202:b3ff:fe4c:13a4%fxp0 prefixlen 64 scopeid 0x2
SB > >         ether 00:02:b3:4c:13:a4
SB > >         media: Ethernet autoselect (none)
SB > >         status: no carrier
SB > > lp0: flags=8810 mtu 1500
SB > > lo0: flags=8049 mtu 16384
SB > >         inet6 ::1 prefixlen 128
SB > >         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
SB > >         inet 127.0.0.1 netmask 0xff00
SB > > ppp0: flags=8010 mtu 1500
SB > > sl0: flags=c010 mtu 552
SB > > faith0: flags=8002 mtu 1500
SB > > -
SB > > At bootup I get this message:
SB > >
SB > > Mar 20 16:50:26 natd[88]: Aliasing to 217.209.211.129, mtu 1500 bytes
SB > > route: bad address: YES
SB > >
SB > > Additional routing options: ignore ICMP redirect=YES log ICMP redirect=YES
SB > > IP gateway=YES TCP keepalive=YES.
SB > > Routing daemons:.
SB > >
SB > > -
SB > > What worries me is the " route: bad address: YES " part.
SB > >
SB > > Does it mean that I have a bad address in my routingtable ?
SB > > I have tried to do " route -n flush " several times and rebooting.
SB > > Everything is working the way it's supposed to, I think :-)
SB > > I mean routing, NAT, mailservices etc.
SB >
SB > I'm willing you have a mistyped entry in an rc file. Take a look in
SB > /etc/rc.conf and or any other places where you may have manually
SB > configured IP's and/or static routes.
SB >
SB > Steve
SB >
SB >
SB > >
SB > > Preciate some enlightenment on this subject.
SB > > TiA
SB > > Geir Svalland.
SB > >
SB > >
SB >
SB >

Hi again.
And thx for the quick response to my question.
As far as I know, I haven't configured any IP or routes any other places
than /etc/rc.conf and here they come :
First for odin ( gateway ) , then thor 2nd machine.
--
# This file now contains just the overrides from /etc/defaults/rc.conf.
blanktime="3000"
gateway_enable="YES"
defaultrouter="YES"
hostname="odin.swedehost.com"
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="OPEN"
firewall_logging="YES"
ipv6_firewall_enable="YES"
ipv6_firewall_type="OPEN"
ipv6_firewall_script="/etc/rc.firewall6"
ipv6_firewall_logging="YES"
ifconfig_xl0="DHCP"
ifconfig_fxp0="inet 192.168.1.200 netmask 255.255.255.0"
inetd_enable="YES"
ipv6_enable="YES"
named_enable="YES"
named_program="/usr/sbin/named"
named_flags="-u bind -g bind"
natd_enable="YES"
natd_interface="xl0"
natd_flags="-dynamic"
kern_securelevel_enable="NO"
keymap="swedish.iso"
keyrate="fast"
linux_enable="YES"
lpd_enable="YES"
moused_enable="YES"
moused_port="/dev/psm0"
ntpdate_enable="YES"
ntpdate_flags="ntp.lth.se"
portmap_enable="NO"
enable_quotas="YES"
check_quotas="NO"
saver="logo"
sendmail_enable="YES"
sendmail_flags="-bd -q30m"
sshd_enable="YES"
usbd_enable="YES"
syslogd_flags="-ss -m 0"
icmp
Re: Routing problem ?
> Hi everybody.
> I have small network at home with two machines connected to the net
> via ADSL. That means Dynamic IP, though not changing very often.
> -
> "odin.swedehost.com" running FreeBSD 4.8-RC #0 Sun Mar 16 2003
> Two NICs. xl0 " DHCP " and "NAT-interface", acting as a gateway, doing NAT.
> > ifconfig
> fxp0: flags=8843 mtu 1500
>         inet 192.168.1.200 netmask 0xff00 broadcast 192.168.1.255
>         inet6 fe80::202:b3ff:fe8f:90fd%fxp0 prefixlen 64 scopeid 0x1
>         ether 00:02:b3:8f:90:fd
>         media: Ethernet autoselect (100baseTX )
>         status: active
> xl0: flags=8843 mtu 1500
>         options=3
>         inet6 fe80::201:2ff:fef7:7de8%xl0 prefixlen 64 scopeid 0x2
>         inet 217.209.211.129 netmask 0xff00 broadcast 217.209.211.255
>         ether 00:01:02:f7:7d:e8
>         media: Ethernet autoselect (10baseT/UTP)
>         status: active
> lp0: flags=8810 mtu 1500
> lo0: flags=8049 mtu 16384
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
>         inet 127.0.0.1 netmask 0xff00
> ppp0: flags=8010 mtu 1500
> sl0: flags=c010 mtu 552
> faith0: flags=8002 mtu 1500
>
> "thor.swedehost.com" running FreeBSD 4.8-RC #1: Fri Mar 7 23:23:21 CET 2003
> Dualboot with W2k-Server.
> Two NICs xl0 and fxp0 but only one of them configured.
> thor# ifconfig
> xl0: flags=8843 mtu 1500
>         options=3
>         inet 192.168.1.220 netmask 0xff00 broadcast 192.168.1.255
>         inet6 fe80::204:76ff:fe19:3b1d%xl0 prefixlen 64 scopeid 0x1
>         ether 00:04:76:19:3b:1d
>         media: Ethernet autoselect (100baseTX )
>         status: active
> fxp0: flags=8843 mtu 1500
>         inet6 fe80::202:b3ff:fe4c:13a4%fxp0 prefixlen 64 scopeid 0x2
>         ether 00:02:b3:4c:13:a4
>         media: Ethernet autoselect (none)
>         status: no carrier
> lp0: flags=8810 mtu 1500
> lo0: flags=8049 mtu 16384
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
>         inet 127.0.0.1 netmask 0xff00
> ppp0: flags=8010 mtu 1500
> sl0: flags=c010 mtu 552
> faith0: flags=8002 mtu 1500
> -
> At bootup I get this message:
>
> Mar 20 16:50:26 natd[88]: Aliasing to 217.209.211.129, mtu 1500 bytes
> route: bad address: YES
>
> Additional routing options: ignore ICMP redirect=YES log ICMP redirect=YES
> IP gateway=YES TCP keepalive=YES.
> Routing daemons:.
>
> -
> What worries me is the " route: bad address: YES " part.
>
> Does it mean that I have a bad address in my routingtable ?
> I have tried to do " route -n flush " several times and rebooting.
> Everything is working the way it's supposed to, I think :-)
> I mean routing, NAT, mailservices etc.

I'm willing you have a mistyped entry in an rc file. Take a look in
/etc/rc.conf and or any other places where you may have manually
configured IP's and/or static routes.

Steve

>
> Preciate some enlightenment on this subject.
> TiA
> Geir Svalland.
Routing problem ?
Hi everybody.
I have small network at home with two machines connected to the net
via ADSL. That means Dynamic IP, though not changing very often.
-
"odin.swedehost.com" running FreeBSD 4.8-RC #0 Sun Mar 16 2003
Two NICs. xl0 " DHCP " and "NAT-interface", acting as a gateway, doing NAT.
> ifconfig
fxp0: flags=8843 mtu 1500
        inet 192.168.1.200 netmask 0xff00 broadcast 192.168.1.255
        inet6 fe80::202:b3ff:fe8f:90fd%fxp0 prefixlen 64 scopeid 0x1
        ether 00:02:b3:8f:90:fd
        media: Ethernet autoselect (100baseTX )
        status: active
xl0: flags=8843 mtu 1500
        options=3
        inet6 fe80::201:2ff:fef7:7de8%xl0 prefixlen 64 scopeid 0x2
        inet 217.209.211.129 netmask 0xff00 broadcast 217.209.211.255
        ether 00:01:02:f7:7d:e8
        media: Ethernet autoselect (10baseT/UTP)
        status: active
lp0: flags=8810 mtu 1500
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff00
ppp0: flags=8010 mtu 1500
sl0: flags=c010 mtu 552
faith0: flags=8002 mtu 1500

"thor.swedehost.com" running FreeBSD 4.8-RC #1: Fri Mar 7 23:23:21 CET 2003
Dualboot with W2k-Server.
Two NICs xl0 and fxp0 but only one of them configured.
thor# ifconfig
xl0: flags=8843 mtu 1500
        options=3
        inet 192.168.1.220 netmask 0xff00 broadcast 192.168.1.255
        inet6 fe80::204:76ff:fe19:3b1d%xl0 prefixlen 64 scopeid 0x1
        ether 00:04:76:19:3b:1d
        media: Ethernet autoselect (100baseTX )
        status: active
fxp0: flags=8843 mtu 1500
        inet6 fe80::202:b3ff:fe4c:13a4%fxp0 prefixlen 64 scopeid 0x2
        ether 00:02:b3:4c:13:a4
        media: Ethernet autoselect (none)
        status: no carrier
lp0: flags=8810 mtu 1500
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff00
ppp0: flags=8010 mtu 1500
sl0: flags=c010 mtu 552
faith0: flags=8002 mtu 1500
-
At bootup I get this message:

Mar 20 16:50:26 natd[88]: Aliasing to 217.209.211.129, mtu 1500 bytes
route: bad address: YES

Additional routing options: ignore ICMP redirect=YES log ICMP redirect=YES
IP gateway=YES TCP keepalive=YES.
Routing daemons:.

-
What worries me is the " route: bad address: YES " part.

Does it mean that I have a bad address in my routingtable ?
I have tried to do " route -n flush " several times and rebooting.
Everything is working the way it's supposed to, I think :-)
I mean routing, NAT, mailservices etc.

Preciate some enlightenment on this subject.
TiA
Geir Svalland.
Re: Routing problem
On Fri, Feb 21, 2003 at 09:24:44PM +0200, molotov wrote:
> I have a little problem with my home network. I had a Linux router
> before and now I have FreeBSD set up and running on the same box.
> The problem is, that I don't know what manual could speak about
> that kind of routing: there are three additional IP addresses
> routed to my gateway. I want an internal box to use the given
> external IP address or an internal address, while gateway
> configuration stays untouched. The external interface of
> the gateway is a wireless orinoco card and I do not have an
> ethernet-wireless converter, so the external interface should
> be published to inside network in a way, that any chosen
> machine from inside could use an external IP address as its IP
> and the external IP address of the router as its gateway.
> Please help me to solve this problem. I know, that the solution
> is trivial, but I admit, I still think in Linux... ;)

Hmmm... the keywords here are "Static NAT". Start with the natd(8) manual
page. That should give you a handle on the terminology used for the
different concepts.

There are basically three possibilities to do what you want:

    ipfw(8) + natd(8)
    ipf(8) + ipnat(8)
    ppp(8)

The ppp(8) option of course, only applies if you're using PPP in some form
for your internet connectivity. Otherwise, use whichever one of the other
two suits you best.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
Routing problem
Hello everyone,

I have a little problem with my home network. I had a Linux router
before and now I have FreeBSD set up and running on the same box.
The problem is, that I don't know what manual could speak about
that kind of routing: there are three additional IP addresses
routed to my gateway. I want an internal box to use the given
external IP address or an internal address, while gateway
configuration stays untouched. The external interface of
the gateway is a wireless orinoco card and I do not have an
ethernet-wireless converter, so the external interface should
be published to inside network in a way, that any chosen
machine from inside could use an external IP address as its IP
and the external IP address of the router as its gateway.
Please help me to solve this problem. I know, that the solution
is trivial, but I admit, I still think in Linux... ;)

-- 
regards,
S. Kareiva
Re: routing problem on 4.7 release
twig les wrote:
> Hey all, I have a 4.7 release box that needs to cvsup its ports. The
> problem is that this box never sees the outside world normally; it does
> IDS on an IP-less interface and of course has a backnet interface. So
> basically I added a temporary IP address to this box, edited my
> /etc/cvsupfile to use the IP address of the cvs server (to avoid dealing
> with DNS), added a few lines in IPFW and then used the route command to
> force packets out the correct interface. The problem is that packets
> destined for the legal gateway (I'll call it 1.1.1.1) are still going out
> the backnet interface. So if I ping 1.1.1.1, I can sit and watch
> access-list denies show up as the backnet interface tries to ping an IP
> that isn't even reachable. The fact that these pings are getting out tells
> me that IPFW isn't the problem and that the route table is screwed up.
>
> Please chime in if anyone has an answer, all I need to do is add a static
> route temporarily. My config looks like this below. As you may notice, I
> even tried adding a route to 1.1.1.1 out the specific interface
> "route -n add 1.1.1.1/26 -interface ti0".
>
> mas01# netstat -rn
> Routing tables
>
> Internet:
> Destination        Gateway            Flags    Refs    Use  Netif Expire
> default            10.20.0.1          UGSc        7     56   fxp0
> 10.20/25           link#1             UC          2      0   fxp0
> 10.20.0.1          00:00:0c:07:ac:60  UHLW        5      4   fxp0   1196
> 10.20.0.14         00:60:ab:03:7d:2f  UHLW        0      0   fxp0    938
> 1.1.1.1/32         00:00:00:00:00:00  ULSc        0     12    ti0
> 1.1.1.1/26         link#2             UC          0      0    ti0
> 127.0.0.1          127.0.0.1          UH          0    604    lo0
> 165.64.255/24      1.1.1.1            UGSc        0      0   fxp0
> 208.185.175.214/32 1.1.1.1            UGSc        1      0   fxp0

Ouch ... please configure your mailer so it doesn't wrap netstat -rn
output. I feel like I'm deciphering a secret code.

I'm a little confused by your explanation. I thought 1.1.1.1 was the IP of
the gateway you want to use?

My suggestion might be bogus, since I'm not 100% sure I understand, but try
this:

ifconfig ti0 inet 1.1.1.1 netmask 255.255.255.0
Set the IP address on the gateway to 1.1.1.2
route delete default
route add default 1.1.1.2

If you really want 10.20.0.1 to be your default route, add it back in after
the cvsup is done:

route delete default
route add default 10.20.0.1

Note that this might disrupt services not on the local network during the
cvsup, so it might not be the solution you really want. But if it works,
you'll be one step closer to a real solution.

Do you have additional machines off fxp0 that this machine needs to go
through a gateway to access?

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
routing problem on 4.7 release
Hey all, I have a 4.7 release box that needs to cvsup its ports. The
problem is that this box never sees the outside world normally; it does IDS
on an IP-less interface and of course has a backnet interface. So basically
I added a temporary IP address to this box, edited my /etc/cvsupfile to use
the IP address of the cvs server (to avoid dealing with DNS), added a few
lines in IPFW and then used the route command to force packets out the
correct interface. The problem is that packets destined for the legal
gateway (I'll call it 1.1.1.1) are still going out the backnet interface.
So if I ping 1.1.1.1, I can sit and watch access-list denies show up as the
backnet interface tries to ping an IP that isn't even reachable. The fact
that these pings are getting out tells me that IPFW isn't the problem and
that the route table is screwed up.

Please chime in if anyone has an answer, all I need to do is add a static
route temporarily. My config looks like this below. As you may notice, I
even tried adding a route to 1.1.1.1 out the specific interface
"route -n add 1.1.1.1/26 -interface ti0".

mas01# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs    Use  Netif Expire
default            10.20.0.1          UGSc        7     56   fxp0
10.20/25           link#1             UC          2      0   fxp0
10.20.0.1          00:00:0c:07:ac:60  UHLW        5      4   fxp0   1196
10.20.0.14         00:60:ab:03:7d:2f  UHLW        0      0   fxp0    938
1.1.1.1/32         00:00:00:00:00:00  ULSc        0     12    ti0
1.1.1.1/26         link#2             UC          0      0    ti0
127.0.0.1          127.0.0.1          UH          0    604    lo0
165.64.255/24      1.1.1.1            UGSc        0      0   fxp0
208.185.175.214/32 1.1.1.1            UGSc        1      0   fxp0

=
---
Know yourself and know your enemy and you will never fear defeat.
---
Re: routing problem
> today I tried to setup 4.7 gateway. It has two NICs (rl0 and rl1) on
> different subnets (rl0 = 192.168.0.66, rl1 = 192.168.1.2). The rl0 is
> connected to a cable-modem and gets another IP (213.209.66.214) after
> booting.
>
> After playing with routes, I can ping outside, can ping rl0 and rl1 and
> 192.168.1.18 (a windows-box). The 192.168.1.18 can ping the 192.168.1.2 and
> 213.209.66.214 (the other NIC in the server), but not any outside IP (which
> should be routed over 213.209.66.214 I think)
>
> gateway_enable="YES" in /etc/rc.config
> and for testing router_enable="YES"
> and natd_enable="YES"

Thomas,

The problem is to do with setting up natd. You don't need
router_enable="YES".

Firstly, natd listens on a divert socket for packets to 'translate' from
the internet to your LAN. Therefore, you need to make sure that the IP
packets going to and coming from your modem get sent to natd. The way to do
this is using ipfw, the kernel firewall. If you're not already using it
(which I would recommend doing anyhow), you'll need to recompile your
kernel with "options IPFIREWALL" and "options IPDIVERT" (check out man
ipfw). Then simply do:

ipfw add divert natd ip from any to any via rl0

Assuming rl0 is the interface that has your 213.209.66.214 address, this
will pass all ip packets through natd, which will rewrite them
transparently.

Secondly, you need to tell natd which interface (IP address actually) to
operate on. To do this just add 'natd_interface="rl0"' to your
/etc/rc.conf, if rl0 is your internet interface. If you have a dynamic IP
address, you may want to add 'natd_flags="-dynamic"' as well. See man natd
for details.

Then it should all work fine!

A couple of points to check for: make sure you add a default route for
your ISP's IP (the one the modem connects to) and be careful the connection
with the public IP address is indeed on rl0 (if you use PPPOE for example,
another interface is used...)

Hope this helps,

Jonathan
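A concrete form of the natd/ipfw setup Jonathan walks through, extended to the "Static NAT" that Matthew's reply only names, as an added example that is neither poster's own code: an sh script that emits a natd.conf (interface, dynamic, and one redirect_address line per internal host that should answer on one of the extra public addresses) plus the matching ipfw divert rule, refusing malformed addresses and a public IP claimed twice. The wi0 interface name and every address are constructed; the natd.conf option names are assumed from natd(8).

```shell
#!/bin/sh
# Emit a natd.conf for a FreeBSD 4.x gateway plus the ipfw rule that feeds it,
# with optional static (1:1) mappings for internal hosts that should answer on
# one of the extra public addresses. Added example, not from the thread.
# Assumed natd(8)/ipfw(8) syntax: "interface", "dynamic yes",
# "redirect_address localIP publicIP" and "ipfw add divert natd".
# The wi0 interface and all addresses below are constructed.

# is_ipv4 WORD -> 0 when WORD is a dotted quad with each octet in 0..255
is_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# gen_natd_conf IFACE [LOCAL:PUBLIC ...] -> natd.conf text on stdout.
# Fails on a malformed address or a public IP used by two internal hosts,
# since natd would otherwise load the file and answer for only one of them.
gen_natd_conf() {
    iface=$1; shift
    printf 'interface %s\ndynamic yes\n' "$iface"
    seen=" "
    for m in "$@"; do
        case $m in *:*) ;; *) echo "bad mapping (want LOCAL:PUBLIC): $m" >&2; return 1 ;; esac
        loc=${m%%:*}; pub=${m#*:}
        if ! is_ipv4 "$loc" || ! is_ipv4 "$pub"; then
            echo "bad address in mapping: $m" >&2; return 1
        fi
        case $seen in *" $pub "*) echo "public IP used twice: $pub" >&2; return 1 ;; esac
        seen="$seen$pub "
        printf 'redirect_address %s %s\n' "$loc" "$pub"
    done
}

# gen_divert_rule IFACE -> the ipfw rule handing all traffic on IFACE to natd
gen_divert_rule() {
    printf 'ipfw add divert natd ip from any to any via %s\n' "$1"
}

# Stand-alone demo: external wi0, two hosts pinned to two of the extra public
# IPs, everything else masqueraded behind the dynamic interface address.
gen_natd_conf wi0 192.168.1.10:203.0.113.11 192.168.1.11:203.0.113.12
gen_divert_rule wi0
```

Point natd at the generated file with `natd -f` and enable ipfw with IPFIREWALL and IPDIVERT in the kernel, as Jonathan describes.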
routing problem
Hi,

today I tried to setup 4.7 gateway. It has two NICs (rl0 and rl1) on
different subnets (rl0 = 192.168.0.66, rl1 = 192.168.1.2). The rl0 is
connected to a cable-modem and gets another IP (213.209.66.214) after
booting. The problem is, that boxes in 192.168.1.* cannot connect to the
outside world.

After playing with routes, I can ping outside, can ping rl0 and rl1 and
192.168.1.18 (a windows-box). The 192.168.1.18 can ping the 192.168.1.2 and
213.209.66.214 (the other NIC in the server), but not any outside IP (which
should be routed over 213.209.66.214 I think)

gateway_enable="YES" in /etc/rc.config
and for testing router_enable="YES"
and natd_enable="YES"

Thanks,
Thomas 'Neo' Weber
---
[EMAIL PROTECTED]
[EMAIL PROTECTED]
jail routing problem
Hi,

With the following setup I don't understand why ip from the jail 192.168.1.2
cannot reach hosts in 192.168.2.0/24. Can I use a fancy ipfw fwd rule to
make it work? Any routes that use the default gateway are fine.

Here is the setup:

= Host system =
default gateway 192.168.1.254
fxp0:
        inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
        inet 192.168.1.2 netmask 0x broadcast 192.168.1.255
        inet 192.168.1.3 netmask 0x broadcast 192.168.1.255
        inet 192.168.1.4 netmask 0x broadcast 192.168.1.255
fxp1:
        inet 192.168.2.1 netmask 0xff00 broadcast 192.168.2.255

= First Jail =
fxp0:
        inet 192.168.1.2 netmask 0x broadcast 192.168.1.2
fxp1:

cheers,
Derek.
Routing Problem- interface to alias
I'm trying to do something a little bizarre with routing, so I suppose it
bears some explanation.

I recently purchased one of those all-in-one firewall/NAT/ethernet
switch/802.11b access point boxes for my home use. 802.11b security being
what it is (useless), I'm planning on setting up IPSec for my WLAN for
authentication and encryption. However, I haven't gotten that far yet.

I've set up two subnets behind my firewall. One is 10.10.10.0/24 and is for
the wired LAN. The other is 10.0.0.0/24 and is for the wireless LAN. I've
got a FreeBSD box with a single NIC ethernetted to one of the ports on the
firewall's switch. I'm planning to use it as my 10.0.0.0/24 to 10.10.10.0/24
gateway. Two subnets on one segment. So I have:

ifconfig ed0 inet 10.10.10.1 netmask 0xff00
ifconfig ed0 inet 10.10.10.10 netmask 0x alias
ifconfig ed0 inet 10.0.0.1 netmask 0xff00 alias

The 10.10.10.10 is simply an alias I'm using since I'm running dnscache on
10.10.10.1 and tinydns on 10.10.10.10.

I have IP forwarding compiled into the kernel and enabled.

With my wireless laptop set to 10.0.0.50 using the 10.0.0.1 gateway as its
default route I am able to ping 10.0.0.1, 10.10.10.1, but no other hosts on
or off the LAN. traceroute from the laptop reveals a hop to 10.0.0.1 and
then the packets are simply lost.

10.10.10.1's routing table looks like this (with 10.0.0.50 not connected):

Destination        Gateway            Flags    Refs    Use  Netif Expire
default            10.10.10.254       UGSc       12     30    ed0
10/24              link#1             UC          0      0    ed0
10.10.10/24        link#1             UC          3      0    ed0
10.10.10.1         00:4f:49:0a:1e:85  UHLW        1    753    lo0
10.10.10.10        00:4f:49:0a:1e:85  UHLW        1     52    lo0 =>
10.10.10.10/32     link#1             UC          1      0    ed0
10.10.10.254       00:30:f1:18:84:3c  UHLW       13     25    ed0   1175
127.0.0.1          127.0.0.1          UH          0      0    lo0

Notice that the 10/24 subnet is listed, but not the 10.0.0.1 IP number. I'm
sure what I'm trying to do is possible; the FreeBSD handbook section on
routing even alludes to it. I just can't seem to get it to work. Any ideas?

-Jon