Two Networks on one System
Jon Radel
jon at radel.com
Tue Jun 21 13:10:12 UTC 2011
On 6/21/11 7:28 AM, Martin McCormick wrote:
> The problem I have, probably due to a misunderstanding
> of what I need to do, is easy to describe.
>
> The defaultrouter statement in rc.conf or
>
> route add default x.x.x.x
>
> from the command line sets an interface to know that packets
> whose destinations or sources that are outside the subnet go to
> that default gateway.
There is only one default gateway per FreeBSD machine.
>
> When I set up the secondary interface, I have not been
> able to come up with a statement or statements that tell fxp1
> that its default router is y.y.y.y so you can't ever reach it
> from outside the new subnet.
>
This, in and of itself, doesn't follow. In the absence of stateful
firewalls and anti-spoofing filtering (blocking packets that don't have
a source IP address on the "expected" list), or a complete disconnect
between your networks, any packet coming in fxp1 can have a reply go out
fxp0, to the default gateway, and get where it's going just fine. We
can quibble over the finer details of the evils of asymmetrical routing
some other day, but fundamentally an IP network doesn't care in the
SLIGHTEST which route a packet takes to get where it's going.
> I have tried both a second physical connection and an
> alias and have ended up with the same behavior each time. Since
> we have the second NIC active, I prefer to use it if I can ever
> get it to use its router just like the primary interface does.
As hinted at above, this is possibly not a FreeBSD issue at all.
Without knowledge of how your network actually works, there's not too
much more to be said, but one of the following should be true:

1) You don't have stateful firewalling and anti-spoofing filtering in
the way, and something on your network is broken, as the default FreeBSD
behavior should simply work if you've got a network that is simply
transitioning from one set of addresses to another.

2) If you really can't reply to the same default gateway for
everything, you'll need to do either policy-based routing or add more
specific routes, depending on whether outgoing traffic can be segregated
by source address, destination address, etc.

However, since it appears that you don't actually have 2 networks at
all, given your clarification that you've tried an interface alias, I'm
left with one key question:

Are your two gateways two different interfaces, or one interface with
two different IP addresses?

If the former, I'd try policy-based routing. If the latter, I'd check
my firewall rules really carefully.

Next step in any case should probably be to do some packet sniffing to
confirm that packets from the outside world to the new address actually
get to you in the first place. Or have you confirmed this from DNS logs
or something else?
--Jon Radel
jon at radel.com
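As an added illustration (not part of this thread), the following Python model shows the asymmetric-routing point above: with a single default route, a reply sourced from the fxp1 address leaves via fxp0 and the x.x.x.x gateway, which a strict upstream anti-spoofing filter on that link would drop, while a source-address policy (the kind of rule FreeBSD policy-based routing expresses) sends it out fxp1 via y.y.y.y. The addresses, interface names and gateways are constructed stand-ins for the thread's x.x.x.x and y.y.y.y.

```python
import ipaddress

# Constructed topology (hypothetical addresses standing in for the thread's):
#   fxp0 192.0.2.10/24     default gateway 192.0.2.1     (x.x.x.x)
#   fxp1 198.51.100.10/24  second gateway  198.51.100.1  (y.y.y.y)
IFACES = {
    "fxp0": ipaddress.ip_interface("192.0.2.10/24"),
    "fxp1": ipaddress.ip_interface("198.51.100.10/24"),
}
# One routing table with a single default route, as on a stock FreeBSD host.
FIB = [
    (ipaddress.ip_network("192.0.2.0/24"), None, "fxp0"),      # connected
    (ipaddress.ip_network("198.51.100.0/24"), None, "fxp1"),   # connected
    (ipaddress.ip_network("0.0.0.0/0"), "192.0.2.1", "fxp0"),  # only default
]
# Source-keyed policy table: "replies from the fxp1 address use fxp1's gateway".
POLICY = {"198.51.100.10": ("198.51.100.1", "fxp1")}

def lookup(dst):
    """Longest-prefix match in FIB; returns (next_hop, iface)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, ifn in FIB:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifn)
    return (best[1], best[2])

def reply_path(src, dst, policy_routing=False):
    """Egress (next_hop, iface) for a reply sourced from src towards dst."""
    next_hop, iface = lookup(dst)
    if next_hop is None:          # dst on a connected subnet: deliver directly
        return (None, iface)
    if policy_routing and src in POLICY:
        return POLICY[src]        # source-based override of the default route
    return (next_hop, iface)

def passes_antispoof(iface, src):
    """Upstream filter on a link: only sources inside that link's subnet pass."""
    return ipaddress.ip_address(src) in IFACES[iface].network

def deliverable(src, dst, policy_routing=False):
    """Does the reply survive a strict anti-spoofing filter on its egress link?"""
    _, iface = reply_path(src, dst, policy_routing)
    return passes_antispoof(iface, src)
```

Without the policy, `deliverable("198.51.100.10", "203.0.113.5")` is False because the reply exits fxp0 with an fxp1-subnet source; with `policy_routing=True` it is True.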