routing problem
Ian Smith
smithi at nimnet.asn.au
Fri Nov 23 20:12:13 PST 2007
On Fri, 23 Nov 2007 12:33:26 -0200
"Alaor Barroso de Carvalho Neto" <alaorneto at gmail.com> wrote:
> 2007/11/23, Bill Moran <wmoran at potentialtech.com>:
> >
> > "Alaor Barroso de Carvalho Neto" <alaorneto at gmail.com> wrote:
[..]
> > > > > em0 external world XXX.XXX.XXX.XXX
> > > > > rl0 adm 192.168.1.80
> > > > > rl1 acad 192.168.2.90
> > > > > rl3 database 10.10.0.50
> > > > >
> > > > > They are all separated networks. What I want: 192.168.2 should only access
> > > > > the internet, shouldn't have access to 192.168.1 or 10.10/16.
> > > > > 192.168.1 should access the internet and
> > > > > 10.10/16, but shouldn't access the academic network. 10.10/16 should access
> > > > > only the 192.168.1 network, but it's not a problem if they had access to
> > > > > internet too.
> > > > >
> > > > > How I would set up my rc.conf with my static routes?
> > > >
> > > > This is beyond the scope of routing. You'll need to install a packet
> > > > filter. The best at this time is probably pf:
ipfw works fine too for these sorts of network policy separation :)
> > > Yes, I have IPFilter installed, but if I wanted everybody to ping
> > > everybody and then block the things in the firewall, isn't it about routes?
> > > Because none of my networks is pinging any other right now. By ping
> > > I mean have access. I thought it would have something to do with setting
> > > routes. BTW, my ipfilter now just passes everything because I'm building the
> > > server, but I already have a config file with the blocks that I would apply.
> >
> > That's a completely different scenario than the one you described in
> > your previous message.
> >
> > Do you have gateway_enable="YES" in /etc/rc.conf?
> >
> > --
> > Bill Moran
> > http://www.potentialtech.com
Just to add a couple of points to what Bill's pursuing here:
> Yeah, I know, I was trying to make it work with only adm and external, but
> the real scenario I have is this. Yes, I have this line; my rc.conf is like
> this:
> [...]
> gateway_enable="yes"
> defaultrouter="XXX.XXX.XXX.158" (the external ip)
> ifconfig_em0="inet XXX.XXX.XXX.130 netmask 255.255.255.227"
If that wasn't a typo, this is a non-contiguous netmask. I suspect you
want 255.255.255.224, assuming the default router is in the same subnet?
Specifying CIDR notation with route and ifconfig can make netmask
fat-fingering a bit less likely (e.g. here XXX.XXX.XXX.130/27).
I'm not saying this odd netmask explains your problem, nor that I fully
understand the effect of non-contiguous netmasks, but it's worth fixing.
> ifconfig_rl0="inet 192.168.1.80 netmask 255.255.255.0"
> ifconfig_rl1="inet 192.168.2.90 netmask 255.255.255.0"
> ifconfig_rl2="inet 10.10.0.50 netmask 255.255.0.0"
> [...]
On which machine/s is NAT translation taking place? Eg if 10.10/16 were
allowed access to the internet via here, where would they get NAT'd to
the external IP?
Cheers, Ian
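As an added example (not from the thread, and not FreeBSD's own tooling), here is a POSIX sh script that performs the two checks raised above: whether a dotted-quad netmask is contiguous and what /N prefix length it corresponds to, and whether the default router actually falls inside the external interface's subnet. The external prefix is masked as XXX.XXX.XXX in the post, so 203.0.113 (RFC 5737 documentation range) is assumed as a stand-in; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original thread: sanity checks for the
# netmask and defaultrouter values quoted from rc.conf above.
# The external prefix is masked (XXX.XXX.XXX) in the post; 203.0.113
# (RFC 5737 documentation range) is assumed as a stand-in.

# dotted-quad -> 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# 32-bit integer -> dotted binary, to show where a mask's ones and zeroes fall
int2bin() {
    s=""
    for shift in 24 16 8 0; do
        b=$(( ($1 >> shift) & 255 ))
        o=""
        i=7
        while [ "$i" -ge 0 ]; do o="$o$(( (b >> i) & 1 ))"; i=$(( i - 1 )); done
        s="${s:+$s.}$o"
    done
    echo "$s"
}

# A usable netmask is a run of 1-bits followed by a run of 0-bits.
# Adding a mask's lowest set bit to the mask then carries straight out
# of bit 31, leaving 0 in the low 32 bits; a hole in the ones stops the
# carry early.  Exit status 0 means contiguous.
mask_is_contiguous() {
    m=$(ip2int "$1")
    [ $(( (m + (m & -m)) & 4294967295 )) -eq 0 ]
}

# Prefix length (the /N of CIDR notation) of a contiguous netmask.
# Prints nothing and returns 1 for a non-contiguous one.
mask_prefixlen() {
    mask_is_contiguous "$1" || return 1
    m=$(ip2int "$1")
    n=0
    while [ "$m" -ne 0 ]; do
        n=$(( n + 1 ))
        m=$(( (m << 1) & 4294967295 ))
    done
    echo "$n"
}

# Network address of $1 under netmask $2
network_of() {
    int2ip $(( $(ip2int "$1") & $(ip2int "$2") ))
}

# Is $2 on-link from $1 under netmask $3?  A defaultrouter outside the
# interface's own subnet is unusable without an extra interface route.
same_subnet() {
    [ "$(network_of "$1" "$3")" = "$(network_of "$2" "$3")" ]
}

# Values from the quoted rc.conf, with the stand-in external prefix.
EXT_IP=203.0.113.130
DEFAULT_ROUTER=203.0.113.158
for mask in 255.255.255.227 255.255.255.224; do
    if mask_is_contiguous "$mask"; then
        echo "$mask is contiguous: $EXT_IP/$(mask_prefixlen "$mask"), network $(network_of "$EXT_IP" "$mask")"
        if same_subnet "$EXT_IP" "$DEFAULT_ROUTER" "$mask"; then
            echo "  defaultrouter $DEFAULT_ROUTER is on-link: OK"
        else
            echo "  defaultrouter $DEFAULT_ROUTER is NOT in that subnet"
        fi
    else
        echo "$mask is NOT contiguous: $(int2bin "$(ip2int "$mask")")"
    fi
done
```

Run it with sh; on the box itself the live values to feed in come from `ifconfig em0` and `netstat -rn` rather than from the rc.conf text. With the values above it reports 255.255.255.227 as non-contiguous (the last octet is 11100011) and 255.255.255.224 as /27 with network .128, which does contain the .158 default router.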