This is probably pretty easy, but I'm a complete newbie regarding network
configuration, so please bear with me :-)

I've just had a nice LMDS (radio) connection installed, and my provider has
assigned me 16 IP addresses (A.B.C.0/28). After weighing different options
(and consulting a few friends), I decided to install a FreeBSD firewall
using IPFilter; since I have more internal interfaces than public IPs, I'm
also using IPNat.

At first, I configured NAT to map all private IP addresses to the firewall's
external interface's IP address (A.B.C.2), and everything worked as
expected. However, I want certain internal machines to have their own
external IP address, so I added some extra bimap entries to my
/etc/ipnat.rules to make this work. Now, NAT works fine, but my firewall
refuses to route packets from these specific IP addresses out into the real

Clearly, having gateway_enabled="YES" in /etc/rc.conf isn't enough, so I
thought I could use a routing daemon. I configured routed (using "-s" as
recommended by sysinstall). Running netstat -rn reveals that the entire
A.B.C.0/28 subnet is routed to the router provided by my ISP (A.B.C.1):

Destination        Gateway            Flags    Refs      Use  Netif Expire
default            A.B.C.1            UGSc        2        0    if0
A.B.C/28           link#1             UC          2        0    if0
A.B.C.1            00:07:e3:50:e4:38  UHLW        1        0    if0   1234
                                      UH          0        0    lo0
192.168.0          link#2             UC          3        0    if1
                   00:cd:ef:01:23:45  UHLW        0        0    if1   1234
                   00:ef:01:23:45:67  UHLW        0        0    if1   1234

I figured there was no need to add any static routes, but it still doesn't

I looked around the web, and I found a page that recommended that I added
all of the public IPs as aliases on the external interface. It specifically
gave two options:

1. Use: ifconfig if0 inet A.B.C.x netmask p.q.r.s alias
        route add -host A.B.C.x 0

2. Use: ifconfig if0 inet A.B.C.x netmask alias

If I use option 1, I run into problems because I can't add more than one IP
with the same broadcast address (and I don't know what broadcast address I
should use for the other IPs, other than the same one I'm using for the real
IP of the interface). Option 2 works fine, but I don't quite understand why
it works and why I should have to use it. After adding the aliased IP that I
need, the output of netstat -rn looks like this:

Destination        Gateway            Flags    Refs      Use  Netif Expire
default            A.B.C.1            UGSc        2        0    if0
A.B.C/28           link#1             UC          2        0    if0
A.B.C.1            00:07:e3:50:e4:38  UHLW        1        0    if0   1234
A.B.C.13/32        link#1             UC          0        0    if0
A.B.C.14/32        link#1             UC          0        0    if0
                                      UH          0        0    lo0
192.168.0          link#2             UC          3        0    if1
                   00:b0:7d:9f:ba:40  UHLW        0        0    if1   1234
                   00:b0:7d:a0:9a:02  UHLW        0        0    if1   1234

So, what I don't understand is why it didn't work when it only had
A.B.C/28 -> link#1, but it works now that it explicitly has routes for
A.B.C.13 and A.B.C.14. Can anyone explain this?



PS. Just in case anyone is interested, this is my current ifconfig:

 inet A.B.C.2 netmask 0xfffffff0 broadcast A.B.C.15
 inet A.B.C.14 netmask 0xffffffff broadcast A.B.C.14
 inet A.B.C.13 netmask 0xffffffff broadcast A.B.C.13
 ether 00:b0:7d:de:52:a4
 media: Ethernet autoselect (10baseT/UTP)
 status: active
 inet netmask 0xffffff00 broadcast
 ether 00:b0:7d:de:52:b2
 media: Ethernet autoselect (100baseTX)
 status: active
lo0: flags=A49<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
 inet netmask 0xff000000
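As an added illustration of the two mechanisms the post is juggling (it is not code from the original post or from FreeBSD), the Python below models the longest-prefix-match lookup that `netstat -rn` describes and the netmask FreeBSD expects for a second address in an already-configured subnet. The route tables are constructed from the post's two listings, with the documentation prefix 203.0.113.0/28 standing in for A.B.C.0/28 and made-up MAC addresses; the function names are the example's own.

```python
"""Model of the routing-table and alias behaviour discussed in the post.

Added example, not from the original post. The netstat text below is
constructed to mirror the post's listings: 203.0.113.0/28 stands in for
A.B.C.0/28 and the MAC addresses are made up.
"""
import ipaddress

# Constructed from the post's first listing (before the aliases were added).
NETSTAT_BEFORE = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.1        UGSc        2        0    if0
203.0.113/28       link#1             UC          2        0    if0
203.0.113.1        00:07:e3:50:e4:38  UHLW        1        0    if0   1234
203.0.113.2        127.0.0.1          UH          0        0    lo0
192.168.0          link#2             UC          3        0    if1
"""

# Same table after "ifconfig if0 inet 203.0.113.13 netmask 0xffffffff alias"
# and the equivalent for .14 (constructed to mirror the post's second listing).
NETSTAT_AFTER = NETSTAT_BEFORE + """\
203.0.113.13/32    link#1             UC          0        0    if0
203.0.113.14/32    link#1             UC          0        0    if0
"""


def parse_destination(dest):
    """Expand netstat's abbreviated destination column into an IPv4Network.

    netstat drops trailing zero octets ("192.168.0" means 192.168.0.0/24),
    prints host routes without a prefix length, and writes 0.0.0.0/0 as
    "default".
    """
    if dest == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, _, prefix = dest.partition("/")
    octets = addr.split(".")
    if not prefix:
        # No explicit prefix: a full 4-octet address is a host route, an
        # abbreviated one covers exactly the octets that were printed.
        prefix = "32" if len(octets) == 4 else str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    return ipaddress.IPv4Network(".".join(octets) + "/" + prefix)


def parse_netstat(text):
    """Return (network, gateway, flags, netif) tuples from netstat -rn output."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        routes.append((parse_destination(fields[0]), fields[1], fields[2], fields[5]))
    return routes


def lookup(text, address):
    """Longest-prefix match as the kernel performs it: the most specific
    destination containing the address wins, so a /32 alias route beats the
    /28 subnet route, and both beat default."""
    address = ipaddress.IPv4Address(address)
    best = None
    for network, gateway, flags, netif in parse_netstat(text):
        if address in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway, flags, netif)
    if best is None:
        return None
    network, gateway, _, netif = best
    return {"destination": str(network), "gateway": gateway, "netif": netif}


def alias_netmask(configured, alias):
    """Netmask to pass to "ifconfig IF inet ALIAS netmask MASK alias".

    FreeBSD convention: the first address in a subnet carries that subnet's
    mask; any further alias inside a subnet already configured on the
    interface must use 0xffffffff, otherwise ifconfig tries to add a second
    route for the same subnet (the duplicate-broadcast failure in the post).
    An alias in a subnet not yet on the interface keeps its own subnet mask.
    `configured` holds the interface's current addresses as "addr/prefix".
    """
    alias = ipaddress.IPv4Interface(alias)
    for existing in configured:
        if alias.ip in ipaddress.IPv4Interface(existing).network:
            return "0xffffffff"
    return "0x%08x" % int(alias.network.netmask)


if __name__ == "__main__":
    print(lookup(NETSTAT_BEFORE, "203.0.113.13"))
    print(lookup(NETSTAT_AFTER, "203.0.113.13"))
    print(alias_netmask(["203.0.113.2/28"], "203.0.113.13/28"))
```

Run it as a script to see the same address resolve to the /28 subnet route in the first table and to its own /32 route in the second; `alias_netmask` reproduces the rule behind option 2 from the post (an alias inside the interface's existing /28 gets 0xffffffff, exactly what the ifconfig output at the end of the post shows for A.B.C.13 and A.B.C.14).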
