Re: multihome network

2007-11-21 Thread Todor Dragnev


On 19.11.2007, at 06:03, alexus wrote:


How can I accomplish this with ipf? I have ipf on that box.



Write this in ipf.rules:

  pass out quick on fxp0 to fxp1:$fxp1_gw from $fxp1_ip to any keep state

Don't forget to replace $fxp1_*.

This solution can also be accomplished with IPFW (kernel option
IPFIREWALL_FORWARD).


On Nov 16, 2007 4:45 PM, Todor Dragnev [EMAIL PROTECTED] wrote:

Hi,

You must use advanced routing. This is very easy on Linux with iproute2,
but FreeBSD is far away for now (maybe forever), and you must use pf or ipf
for this situation.

So, enable pf in rc.conf:
  pf_enable="YES"

Add this line to the end of pf.conf:
  pass out quick route-to (fxp1 $fxp1_gw) inet from $fxp1_ip to ! $fxp1_ip keep state

Where $fxp1_gw must be your gateway on the fxp1 interface and $fxp1_ip is
your IP address on fxp1.
Keep your default gateway via 192.168.1.1. With these settings you can
access both 192.168.1.1 and $fxp1_ip from outside.

Regards,
Todor Dragnev


On 16.11.2007, at 07:18, alexus wrote:


Hello,

I have two NICs on my box. One (primary) is connected to a switch and has a
private IP; that IP also has a static route on a Cisco PIX for accessing
this box from outside. The other interface has a public IP and is connected
to another switch. I configured both IPs through /etc/rc.conf, but for some
reason I cannot access my box through that public IP; no firewall rules
would prevent me from doing so. Here is my output for netstat -rn:

alexus# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGS         0      250   fxp0
127.0.0.1          127.0.0.1          UH          0        2    lo0
192.168.1          link#1             UC          0        0   fxp0
192.168.1.1        00:0d:29:09:90:61  UHLW        2        2   fxp0   1171
192.168.1.250      00:16:cb:94:10:e9  UHLW        1       12   fxp0   1169
216.112.241.24/29  link#2             UC          0        0   fxp1

Internet6:
Destination        Gateway            Flags    Netif Expire
::1                ::1                UHL      lo0
fe80::%lo0/64      fe80::1%lo0        U        lo0
fe80::1%lo0        link#4             UHL      lo0
ff01:4::/32        fe80::1%lo0        UC       lo0
ff02::%lo0/32      fe80::1%lo0        UC       lo0
alexus#

What am I missing?

--
http://alexus.org/



___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-
[EMAIL PROTECTED]







--
http://alexus.org/




Re: multihome network

2007-11-18 Thread alexus
How can I accomplish this with ipf? I have ipf on that box.

On Nov 16, 2007 4:45 PM, Todor Dragnev [EMAIL PROTECTED] wrote:
 Hi,

 You must use advanced routing. This is very easy on Linux with iproute2,
 but FreeBSD is far away for now (maybe forever), and you must use pf or ipf
 for this situation.

 So, enable pf in rc.conf:
   pf_enable="YES"

 Add this line to the end of pf.conf:
   pass out quick route-to (fxp1 $fxp1_gw) inet from $fxp1_ip to ! $fxp1_ip keep state

 Where $fxp1_gw must be your gateway on the fxp1 interface and $fxp1_ip is
 your IP address on fxp1.
 Keep your default gateway via 192.168.1.1. With these settings you can
 access both 192.168.1.1 and $fxp1_ip from outside.

 Regards,
 Todor Dragnev


 On 16.11.2007, at 07:18, alexus wrote:

  Hello,

  I have two NICs on my box. One (primary) is connected to a switch and has a
  private IP; that IP also has a static route on a Cisco PIX for accessing
  this box from outside. The other interface has a public IP and is connected
  to another switch. I configured both IPs through /etc/rc.conf, but for some
  reason I cannot access my box through that public IP; no firewall rules
  would prevent me from doing so. Here is my output for netstat -rn:

  alexus# netstat -rn
  Routing tables

  Internet:
  Destination        Gateway            Flags    Refs      Use  Netif Expire
  default            192.168.1.1        UGS         0      250   fxp0
  127.0.0.1          127.0.0.1          UH          0        2    lo0
  192.168.1          link#1             UC          0        0   fxp0
  192.168.1.1        00:0d:29:09:90:61  UHLW        2        2   fxp0   1171
  192.168.1.250      00:16:cb:94:10:e9  UHLW        1       12   fxp0   1169
  216.112.241.24/29  link#2             UC          0        0   fxp1

  Internet6:
  Destination        Gateway            Flags    Netif Expire
  ::1                ::1                UHL      lo0
  fe80::%lo0/64      fe80::1%lo0        U        lo0
  fe80::1%lo0        link#4             UHL      lo0
  ff01:4::/32        fe80::1%lo0        UC       lo0
  ff02::%lo0/32      fe80::1%lo0        UC       lo0
  alexus#

  What am I missing?
 
  --
  http://alexus.org/






-- 
http://alexus.org/


Re: multihome network

2007-11-16 Thread Steve Bertrand
Girish Venkatachalam wrote:
 On 00:18:42 Nov 16, alexus wrote:
 Hello,

 I have two NICs on my box. One (primary) is connected to a switch and has a
 private IP; that IP also has a static route on a Cisco PIX for accessing
 this box from outside. The other interface has a public IP and is connected
 to another switch. I configured both IPs through /etc/rc.conf, but for some
 reason I cannot access my box through that public IP; no firewall rules
 would prevent me from doing so. Here is my output for netstat -rn:


-- snip

 Your default route is 192.168.1.1 and not 216.112.241.24

Yes, but if he changes that, then he won't be able to access the box via
the PIX (private) connection.

I will make these assumptions, then elaborate:

The box in question is at your office. You are at home trying to access
it. The connection works by connecting to the public IP of the PIX (that
gets port-forwarded back), but does not work when accessing the direct
Internet-facing port.

I'm willing to bet that if you run a tcpdump on your machine at home while
you are attempting the connection to the 216.112.241.x IP, you will actually
find that the machine is getting back to you just fine. However, many
OSes will drop a 'spoofed' packet. Essentially what is likely happening
is this:

- you send from home a packet to 216.112.241.x.
- the office router/box accepts it
- the office router looks up in its routing table a path back to your
home IP
- it has no particular route, so it sends it out the default gateway
(192.168.1.1)
- your PC at home notices that the packet was sent to a destination IP,
but it came back from a different one (the outside IP of the PIX)
- the packet is dropped as the source address is spoofed

There are a couple of ways to fix this. The first and easiest, if you are
only trying to connect to this box's public IP from one location, is to add
a static route on the office box to that network that routes to its
public upstream.

The other way is to utilize policy-based routing. IPFW can do this, and
(from what I understand) so can PF. (In Cisco-land, you would use a
route-map.)

Steve


Re: multihome network

2007-11-16 Thread alexus
Yes, I know that, and I want my default route to stay 192.168.1.1. What
I also want is to be able to access it through 216.112.241.30 (fxp1).

On Nov 16, 2007 1:38 AM, Girish Venkatachalam [EMAIL PROTECTED] wrote:
 On 00:18:42 Nov 16, alexus wrote:
  Hello,

  I have two NICs on my box. One (primary) is connected to a switch and has a
  private IP; that IP also has a static route on a Cisco PIX for accessing
  this box from outside. The other interface has a public IP and is connected
  to another switch. I configured both IPs through /etc/rc.conf, but for some
  reason I cannot access my box through that public IP; no firewall rules
  would prevent me from doing so. Here is my output for netstat -rn:

  alexus# netstat -rn
  Routing tables

  Internet:
  Destination        Gateway            Flags    Refs      Use  Netif Expire
  default            192.168.1.1        UGS         0      250   fxp0
  127.0.0.1          127.0.0.1          UH          0        2    lo0
  192.168.1          link#1             UC          0        0   fxp0
  192.168.1.1        00:0d:29:09:90:61  UHLW        2        2   fxp0   1171
  192.168.1.250      00:16:cb:94:10:e9  UHLW        1       12   fxp0   1169
  216.112.241.24/29  link#2             UC          0        0   fxp1

 Your default route is 192.168.1.1 and not 216.112.241.24

 regards,
 Girish




-- 
http://alexus.org/


Re: multihome network

2007-11-16 Thread alexus
I'm pretty sure you can do it on FreeBSD, especially if it's possible
on Linux; routing works the same way as on Linux.

On Nov 16, 2007 4:51 PM, Bram Van Steenlandt [EMAIL PROTECTED] wrote:

 alexus wrote:
  I don't see any difference, as at the end I still get this

  216.112.241.24/29  216.112.241.25     UGS         0        0   fxp1

  in my netstat -rn, and no, it still doesn't work...
 
 
 
  On Nov 16, 2007 12:07 PM, Steve Bertrand [EMAIL PROTECTED] wrote:
 
  alexus wrote:
 
  My private IP, which eventually resolves to a public IP through the PIX, is
  different from my other public IP, which is assigned on my fxp1 and
  comes from another ISP; the fxp1 IP is already configured this way
  so it passes everything to my box.

  What I've tried is adding a route on my box:

  route add 216.112.241.24 216.112.241.25 255.255.255.248
 
  Wait a minute... this doesn't look right...

  Try this:

  # route add $homeIP/$netmask $gateway

  Where:

  - if you have a static IP at 'home', $netmask should be /32; otherwise,
  you'll need to shorten the prefix (such as /24). This will depend on
  your 'home' Internet provider setup.

  - $gateway is the next hop upstream on the interface that has the
  216.112.241.x address on it.

  Steve
 
 
 
 
 
 
 I'm kind of new to FreeBSD, so forgive me if I'm wrong, but I thought this
 was not possible with FreeBSD in a simple way.
 On Linux you can create a default route for each interface, thus packets
 get routed properly; on FreeBSD you can only have one default route (I
 think), so this is not really possible.






-- 
http://alexus.org/


Re: multihome network

2007-11-16 Thread alexus
My private IP, which eventually resolves to a public IP through the PIX, is
different from my other public IP, which is assigned on my fxp1 and
comes from another ISP; the fxp1 IP is already configured this way
so it passes everything to my box.

What I've tried is adding a route on my box:

route add 216.112.241.24 216.112.241.25 255.255.255.248

Still no go :(


On Nov 16, 2007 8:54 AM, Steve Bertrand [EMAIL PROTECTED] wrote:
 Girish Venkatachalam wrote:
  On 00:18:42 Nov 16, alexus wrote:
  Hello,

  I have two NICs on my box. One (primary) is connected to a switch and has a
  private IP; that IP also has a static route on a Cisco PIX for accessing
  this box from outside. The other interface has a public IP and is connected
  to another switch. I configured both IPs through /etc/rc.conf, but for some
  reason I cannot access my box through that public IP; no firewall rules
  would prevent me from doing so. Here is my output for netstat -rn:
 

 -- snip

  Your default route is 192.168.1.1 and not 216.112.241.24

 Yes, but if he changes that, then he won't be able to access the box via
 the PIX (private) connection.

 I will make these assumptions, then elaborate:

 The box in question is at your office. You are at home trying to access
 it. The connection works by connecting to the public IP of the PIX (that
 gets port-forwarded back), but does not work when accessing the direct
 Internet-facing port.

 I'm willing to bet that if you run a tcpdump on your machine at home while
 you are attempting the connection to the 216.112.241.x IP, you will actually
 find that the machine is getting back to you just fine. However, many
 OSes will drop a 'spoofed' packet. Essentially what is likely happening
 is this:

 - you send from home a packet to 216.112.241.x.
 - the office router/box accepts it
 - the office router looks up in its routing table a path back to your
 home IP
 - it has no particular route, so it sends it out the default gateway
 (192.168.1.1)
 - your PC at home notices that the packet was sent to a destination IP,
 but it came back from a different one (the outside IP of the PIX)
 - the packet is dropped as the source address is spoofed

 There are a couple of ways to fix this. The first and easiest, if you are
 only trying to connect to this box's public IP from one location, is to add
 a static route on the office box to that network that routes to its
 public upstream.

 The other way is to utilize policy-based routing. IPFW can do this, and
 (from what I understand) so can PF. (In Cisco-land, you would use a
 route-map.)

 Steve





-- 
http://alexus.org/


Re: multihome network

2007-11-16 Thread Steve Bertrand
alexus wrote:
 My private IP, which eventually resolves to a public IP through the PIX, is
 different from my other public IP, which is assigned on my fxp1 and
 comes from another ISP; the fxp1 IP is already configured this way
 so it passes everything to my box.

 What I've tried is adding a route on my box:

 route add 216.112.241.24 216.112.241.25 255.255.255.248

Wait a minute... this doesn't look right...

Try this:

# route add $homeIP/$netmask $gateway

Where:

- if you have a static IP at 'home', $netmask should be /32; otherwise,
you'll need to shorten the prefix (such as /24). This will depend on
your 'home' Internet provider setup.

- $gateway is the next hop upstream on the interface that has the
216.112.241.x address on it.

Steve


Re: multihome network

2007-11-16 Thread alexus
I don't see any difference, as at the end I still get this

216.112.241.24/29  216.112.241.25     UGS         0        0   fxp1

in my netstat -rn, and no, it still doesn't work...



On Nov 16, 2007 12:07 PM, Steve Bertrand [EMAIL PROTECTED] wrote:
 alexus wrote:
  My private IP, which eventually resolves to a public IP through the PIX, is
  different from my other public IP, which is assigned on my fxp1 and
  comes from another ISP; the fxp1 IP is already configured this way
  so it passes everything to my box.

  What I've tried is adding a route on my box:

  route add 216.112.241.24 216.112.241.25 255.255.255.248

 Wait a minute... this doesn't look right...

 Try this:

 # route add $homeIP/$netmask $gateway

 Where:

 - if you have a static IP at 'home', $netmask should be /32; otherwise,
 you'll need to shorten the prefix (such as /24). This will depend on
 your 'home' Internet provider setup.

 - $gateway is the next hop upstream on the interface that has the
 216.112.241.x address on it.

 Steve




-- 
http://alexus.org/


Re: multihome network

2007-11-16 Thread Steve Bertrand
alexus wrote:
 I don't see any difference, as at the end I still get this

 216.112.241.24/29  216.112.241.25     UGS         0        0   fxp1

 in my netstat -rn, and no, it still doesn't work...

This is not the point.

You need a route via the gateway that 216 is connected to for the REMOTE
IP/network. Say, for instance, your 'home' connection is
64.39.177.22; then you need a route like this:

route add 64.39.177.22/32 $isp_gateway

What you have:

216.112.241.24/29  216.112.241.25     UGS         0        0   fxp1

...says '216.112.241.24/29 should be routed to 216.112.241.25'. That is
ALL it will route via that path.

Steve


Re: multihome network

2007-11-16 Thread alexus
But then I'm going to say route _ALL_ traffic for that, and I need to be
able to get in through both interfaces, so that if one ISP is down, I can
access it through the other... that's the whole point of this thing.

On Nov 16, 2007 4:04 PM, Steve Bertrand [EMAIL PROTECTED] wrote:
 alexus wrote:
  I don't see any difference, as at the end I still get this

  216.112.241.24/29  216.112.241.25     UGS         0        0   fxp1

  in my netstat -rn, and no, it still doesn't work...

 This is not the point.

 You need a route via the gateway that 216 is connected to for the REMOTE
 IP/network. Say, for instance, your 'home' connection is
 64.39.177.22; then you need a route like this:

 route add 64.39.177.22/32 $isp_gateway

 What you have:

 216.112.241.24/29  216.112.241.25     UGS         0        0   fxp1

 ...says '216.112.241.24/29 should be routed to 216.112.241.25'. That is
 ALL it will route via that path.

 Steve




-- 
http://alexus.org/


Re: multihome network

2007-11-16 Thread Todor Dragnev

Hi,

You must use advanced routing. This is very easy on Linux with iproute2,
but FreeBSD is far away for now (maybe forever), and you must use pf or ipf
for this situation.

So, enable pf in rc.conf:
  pf_enable="YES"

Add this line to the end of pf.conf:
  pass out quick route-to (fxp1 $fxp1_gw) inet from $fxp1_ip to ! $fxp1_ip keep state

Where $fxp1_gw must be your gateway on the fxp1 interface and $fxp1_ip is
your IP address on fxp1.
Keep your default gateway via 192.168.1.1. With these settings you can
access both 192.168.1.1 and $fxp1_ip from outside.


Regards,
Todor Dragnev

On 16.11.2007, at 07:18, alexus wrote:


Hello,

I have two NICs on my box. One (primary) is connected to a switch and has a
private IP; that IP also has a static route on a Cisco PIX for accessing
this box from outside. The other interface has a public IP and is connected
to another switch. I configured both IPs through /etc/rc.conf, but for some
reason I cannot access my box through that public IP; no firewall rules
would prevent me from doing so. Here is my output for netstat -rn:

alexus# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGS         0      250   fxp0
127.0.0.1          127.0.0.1          UH          0        2    lo0
192.168.1          link#1             UC          0        0   fxp0
192.168.1.1        00:0d:29:09:90:61  UHLW        2        2   fxp0   1171
192.168.1.250      00:16:cb:94:10:e9  UHLW        1       12   fxp0   1169
216.112.241.24/29  link#2             UC          0        0   fxp1

Internet6:
Destination        Gateway            Flags    Netif Expire
::1                ::1                UHL      lo0
fe80::%lo0/64      fe80::1%lo0        U        lo0
fe80::1%lo0        link#4             UHL      lo0
ff01:4::/32        fe80::1%lo0        UC       lo0
ff02::%lo0/32      fe80::1%lo0        UC       lo0
alexus#

What am I missing?

--
http://alexus.org/


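The policy-routing fix that Steve Bertrand's analysis calls for (replies to a connection that arrived on fxp1 must leave via fxp1, not via the default route through the PIX) and the pf route-to rule Todor Dragnev gives above, written out as one complete ruleset. This is an added editor's example, not a configuration anyone posted in the thread. It uses the interface names and the 192.168.1.1 and 216.112.241.24/29 (.30 on fxp1) addresses from alexus's messages; it assumes 216.112.241.25 as the upstream gateway on fxp1 (the next hop alexus used in his route command) and ssh and https as the services exposed. It differs from Todor's single rule in one point: pf consults the state table before it evaluates rules, so once an inbound `pass in ... keep state` rule has created state for a connection, a later `pass out ... route-to` rule is never seen by that connection's replies. Putting reply-to on the inbound rule records the exit interface and gateway in the state itself, which works whatever other rules the file contains.

```pf
# /etc/pf.conf for a host with a private uplink (fxp0, default route via the
# PIX) and a second public uplink (fxp1).  Added example; the gateway
# 216.112.241.25 and the exposed ports are assumptions, not from the thread.

int_if = "fxp0"
ext_if = "fxp1"
int_gw = "192.168.1.1"
ext_gw = "216.112.241.25"       # ASSUMED: upstream router on the /29
ext_ip = "216.112.241.30"

set skip on lo0

# With two uplinks the host must not accept a packet on one interface whose
# source address belongs to the network of the other.  This is the spoofing
# case that an upstream uRPF filter would otherwise be catching for you.
antispoof log quick for { $int_if $ext_if } inet

block in log all

# Inbound on the public ISP: bind the state to fxp1/$ext_gw so every reply
# of this connection leaves on fxp1 regardless of the default route.
pass in quick on $ext_if reply-to ($ext_if $ext_gw) inet proto tcp \
    from any to $ext_ip port { ssh, https } flags S/SA keep state

# Inbound via the PIX static route on the private side: replies follow the
# default route to $int_gw, so an ordinary stateful rule is enough.
pass in quick on $int_if inet proto tcp \
    from any to $int_if port { ssh, https } flags S/SA keep state

# Traffic the host itself originates with the public address as source must
# also leave on fxp1; without this it exits fxp0 carrying a 216.x source.
pass out quick route-to ($ext_if $ext_gw) inet from $ext_ip to ! $ext_ip keep state
pass out quick inet keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and enable pf (`pfctl -e`, or `pf_enable="YES"` in rc.conf as Todor says). To confirm the fix, run `tcpdump -ni fxp1 host <your home IP>` on the box while connecting to 216.112.241.30 from outside: both the incoming SYN and the outgoing SYN/ACK must now show up on fxp1, whereas in the broken setup the SYN/ACK left on fxp0 and was dropped at the far end as spoofed. Steve's plain `route add <home IP>/32 $isp_gateway` remains the no-firewall alternative, but, as alexus notes, it sends all traffic for that one remote address over fxp1 rather than answering on whichever link the request came in on. FreeBSD 7.1 and later also offer multiple routing tables (setfib(1), kernel option ROUTETABLES), a routing-layer alternative that did not exist when this thread was written.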


Re: multihome network

2007-11-16 Thread Bram Van Steenlandt

alexus wrote:

I don't see any difference, as at the end I still get this

216.112.241.24/29  216.112.241.25     UGS         0        0   fxp1

in my netstat -rn, and no, it still doesn't work...



On Nov 16, 2007 12:07 PM, Steve Bertrand [EMAIL PROTECTED] wrote:
  

alexus wrote:


My private IP, which eventually resolves to a public IP through the PIX, is
different from my other public IP, which is assigned on my fxp1 and
comes from another ISP; the fxp1 IP is already configured this way
so it passes everything to my box.

What I've tried is adding a route on my box:

route add 216.112.241.24 216.112.241.25 255.255.255.248
  

Wait a minute... this doesn't look right...

Try this:

# route add $homeIP/$netmask $gateway

Where:

- if you have a static IP at 'home', $netmask should be /32; otherwise,
you'll need to shorten the prefix (such as /24). This will depend on
your 'home' Internet provider setup.

- $gateway is the next hop upstream on the interface that has the
216.112.241.x address on it.

Steve






  
I'm kind of new to FreeBSD, so forgive me if I'm wrong, but I thought this
was not possible with FreeBSD in a simple way.
On Linux you can create a default route for each interface, thus packets
get routed properly; on FreeBSD you can only have one default route (I
think), so this is not really possible.





multihome network

2007-11-15 Thread alexus
Hello,

I have two NICs on my box. One (primary) is connected to a switch and has a
private IP; that IP also has a static route on a Cisco PIX for accessing
this box from outside. The other interface has a public IP and is connected
to another switch. I configured both IPs through /etc/rc.conf, but for some
reason I cannot access my box through that public IP; no firewall rules
would prevent me from doing so. Here is my output for netstat -rn:

alexus# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGS         0      250   fxp0
127.0.0.1          127.0.0.1          UH          0        2    lo0
192.168.1          link#1             UC          0        0   fxp0
192.168.1.1        00:0d:29:09:90:61  UHLW        2        2   fxp0   1171
192.168.1.250      00:16:cb:94:10:e9  UHLW        1       12   fxp0   1169
216.112.241.24/29  link#2             UC          0        0   fxp1

Internet6:
Destination        Gateway            Flags    Netif Expire
::1                ::1                UHL      lo0
fe80::%lo0/64      fe80::1%lo0        U        lo0
fe80::1%lo0        link#4             UHL      lo0
ff01:4::/32        fe80::1%lo0        UC       lo0
ff02::%lo0/32      fe80::1%lo0        UC       lo0
alexus#

what am I missing?

-- 
http://alexus.org/


Re: multihome network

2007-11-15 Thread Girish Venkatachalam
On 00:18:42 Nov 16, alexus wrote:
 Hello,

 I have two NICs on my box. One (primary) is connected to a switch and has a
 private IP; that IP also has a static route on a Cisco PIX for accessing
 this box from outside. The other interface has a public IP and is connected
 to another switch. I configured both IPs through /etc/rc.conf, but for some
 reason I cannot access my box through that public IP; no firewall rules
 would prevent me from doing so. Here is my output for netstat -rn:

 alexus# netstat -rn
 Routing tables

 Internet:
 Destination        Gateway            Flags    Refs      Use  Netif Expire
 default            192.168.1.1        UGS         0      250   fxp0
 127.0.0.1          127.0.0.1          UH          0        2    lo0
 192.168.1          link#1             UC          0        0   fxp0
 192.168.1.1        00:0d:29:09:90:61  UHLW        2        2   fxp0   1171
 192.168.1.250      00:16:cb:94:10:e9  UHLW        1       12   fxp0   1169
 216.112.241.24/29  link#2             UC          0        0   fxp1

Your default route is 192.168.1.1 and not 216.112.241.24

regards,
Girish