[please stop top-posting]

John wrote:
Short version:
I am running an application that receives traffic on ranges of ports that
are already mapped from the current external interface to machines on my
network.

I was advised by the vendor that my options were to:
1) connect my workstation directly to the internet
or
2) See option #1
The vendor modifying the app is not an option.
That's unfortunate.  Can you change the port ranges of the _other_ programs
to free up the ports required by the non-configurable one?

So.. as I see it, if I had another external interface I could direct these
ports, coming in to the second external IP address (along with pretty much
all other network traffic destined for this workstation), to my workstation.
As I would like my workstation to access resources from other machines
within my lan, directly connecting it would cause some SERIOUS headaches..
especially considering this particular workstation is Windoze.  I won't
touch the "s" word on this one...
I still don't see the need for an additional NIC.  Just add an IP address to
it.  If you're the one that wanted to use DHCP to get two different addys,
then I don't have an _easy_ solution for you.  If you're running a server,
though, I should think that you could get a static IP.

Long version:
Convenience.  At least I'd hoped there would be an easy answer to the
question.  I would prefer to not have rules to direct traffic for specific
ranges of ports to multiple machines via NAT as this would require (most
likely) several dozen extra rules.
It would also be very nice to have an external interface directly mapped to
this workstation.
Sounds like you're getting into a fairly complex arrangement.  To think that
there's any easy way to make it work would be a little naive (if you ask me).
But it still seems to me like you can do that simply by adding an alias to
your NIC.

...
One way to accomplish what I'm trying to do, would be to configure another
dual homed machine.  The end result is more costly and time consuming than I
had hoped, but it would work.
Most folks I know would accomplish your goal by adding a second gateway/firewall
machine.  Not to be rude, but I think you're trying to do a $5000 project with
a $1000 budget.

Or I suppose I could reload linux on the current box (and of course learn
the goofy quirks of a particular distro).  This option would definitely be
time consuming.  Linux is only free if your time has no value.  Much lower
on the list of possible resolutions... but it is another method to make this
work.
True, but why not just use an alias?

But... In my fantasy world.. I guess I had hoped that rather than be asked
why I wanted to do something, I might hear from someone who has shared
similar experience in making something like this work.  I do appreciate your
feedback.  And I'm sure there is possibly a workaround, a hundred or so
IPNAT rules that could be written, a script or two, or some other hack for
it... but before taking that route, I ask again...
Any thoughts or suggestions as to how to get FreeBSD to simply allow for 2
interfaces on the same subnet???
Sorry.  This is beyond my expertise.  My recommendations are (in order)
1) Juggle port ranges until you free up the ports you need
2) add a second firewall/gateway
3) Use 1 NIC with an alias IP
4) Hack the FreeBSD kernel to allow what you want
5) Use Linux, if it does what you need

I know those aren't the answers that you want, and I wish I had better ones
to give you.

Good luck, I hope you find a solution that fits within everything you need.

Thanks,
John

----- Original Message -----
From: "Bill Moran" <[EMAIL PROTECTED]>
To: "John" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, January 13, 2003 6:21 PM
Subject: Re: Multiple network cards with IP addresses in the same network

John wrote:
I'm going to jump in here, because this question was my reason for having
joined the Freebsd-questions list in the first place.  Of all the time I've
been running FreeBSD, this is my first post to this list... :P
Welcome.

I have a similar situation.  Firewall/NAT machine with 3 nics.  Only rather
than using the two external interfaces for different services, I would like
to use two nic's on the external subnet (using the FreeBSD machine as a
NAT/Firewall) for the following purpose:
--I would like one interface to be used for external IPF/NAT connectivity
for my network computers, allowing my network connectivity to my ISP.
--I would like a second interface to acquire a SECOND ip address to be set
up as bimap in NAT, to allow a second machine (my workstation) to be the
only machine to utilize the second external IP.  Similar to being in a DMZ,
but it would still use an internal address, as well as be subject to the
firewall rules in IPF.
I don't understand:
a) Why you need 3 NICs to do this?
b) Why you need 3 IPs to do this?
Just put an internal and external IP (2 NICs) and if you have a specific
machine within the network that you want treated specially, write special
ipfw rules for it.  Why the need for 3 IPs/NICs?

Again, I have read that this is available on Linux.  My searches have shown
that there are ways to do this on RedHat w/ ipchains (etc.).. ... but I
digress...
That's fine.  I'm sure there are lots of systems that have spiffy (or maybe
not so spiffy) things that you can do that you can't in FreeBSD (or other
spiffy system).

The only question I have is why do you need it?  There are other ways to get
the end result.

I have tried putting two nics in and having dhclient obtain addresses for
both on the same subnet.  dhclient will get both addresses (shown in
dhclient.leases), but fails to assign an ip to the second interface, failing
with the error "file already exists".  I'm sure this is a different (but
related) issue.
Sounds very related.

In my situation, another solution might be to use an alias on a single
external interface.. only I'm not sure how to get dhclient to obtain the
second IP address and assign it to the alias, nor how to get IPF to
recognize the alias'd interface properly.
That sure seems to be beyond what the software was designed to do.  You
could probably write some fancy scripts or something, but I ask my original
question: What are you trying to accomplish in the end?  Because it sure
seems like you're trying to use a wrench to hammer nails.

Bridging also comes to mind, but I'm not certain that if I bridge the
interface to my workstation computer it would correctly handle having an
internal as well as external address (other software application
complications would arise as well, I'm sure).  That's not my intent anyway,
so I have not and likely will not pursue bridging as an option.
If you need NAT to get out, then bridging won't work.

Maybe I should have posted this on a diff. thread?  :P  But I believe the
resolution to this issue is the same as the originally posted issue.
Hopefully something will come out of it.
I could be wrong, but I suspect the "resolution" of your problem is to
determine what you want to accomplish, and then use FreeBSD in the manner it
was intended to achieve your goal.

Thanks,
John
Additional info:  I have a FreeBSD 4.7 Stable #2 (updated yesterday).


---Previous messages snipped---

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
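A concrete form of Bill's option 3 (one external NIC carrying an alias IP) combined with John's bimap idea, added here as an illustration and not part of the original thread. The interface names fxp0/fxp1, the 203.0.113.0/24 external range, the 192.168.1.0/24 LAN and the port range 5001-5099 are assumed placeholders, and the second external address is assumed to be static (Bill's suggestion), since the thread offers no way to have dhclient fill an alias. The "file already exists" error John hit is what ifconfig reports when a second address in the same subnet is added without a 255.255.255.255 netmask.

```conf
# /etc/rc.conf (FreeBSD 4.x)
# Primary external address still comes from the ISP via DHCP.
ifconfig_fxp0="DHCP"
# Second external address as an alias on the SAME NIC.  The /32 netmask
# is required for an alias inside the primary address's subnet; without
# it ifconfig fails with "File exists", the error seen in the thread.
ifconfig_fxp0_alias0="inet 203.0.113.20 netmask 255.255.255.255"
# Internal (LAN) interface.
ifconfig_fxp1="inet 192.168.1.1 netmask 255.255.255.0"

# /etc/ipnat.conf
# bimap: one-to-one, bidirectional translation between the workstation's
# internal address and the alias.  Listed first because ipnat uses the
# first matching rule, so the workstation never falls through to the
# shared map rules below.
bimap fxp0 192.168.1.10/32 -> 203.0.113.20/32
# Everyone else on the LAN shares the interface's primary address; 0/32
# means "whatever address fxp0 currently holds", which suits a DHCP lease.
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map fxp0 192.168.1.0/24 -> 0/32

# /etc/ipf.rules
# IPF matches on the interface name, and the alias lives on fxp0, so no
# special handling of the alias is needed.  Deny inbound traffic to the
# alias by default and pass only the application's range (bounds are
# exclusive with ><, so this admits 5001-5099).
block in on fxp0 from any to 203.0.113.20/32
pass in quick on fxp0 proto tcp from any to 203.0.113.20/32 port 5000 >< 5100 keep state
# The bimapped workstation still gets out through NAT like the rest of the LAN.
pass out quick on fxp0 proto tcp/udp from any to any keep state
```

Traffic to the primary address is untouched by the bimap, so the existing port maps for the other internal machines keep working alongside it.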