RE: subnets, not routing etc.
Or just ask the ISP to change their interface netmask to /28 and route
C.C.C.32/27 via C.C.C.34. In my experience the ISPs, at least most of the
Swedish ones, have no problems doing this (as soon as you've convinced
them you know IP routing, that is :).
Proxy arp is mostly an excuse for not doing things properly the first
time. Avoid unless you absolutely have to use it.
//Håkan
On Thu, 16 Nov 2000, Jenkins, Michael wrote:
> So the ISP gave you C.C.C.32/27 (32-63) and you further subnetted it
> to C.C.C.32/28 (32-47) and C.C.C.48/28 (48-63). Since the ISP router
> thinks the entire C.C.C.32/27 is on the lan, it is arping and getting
> no reply for the hosts (49-62) you put behind the fw. Put some proxy
> arp entries for the internal hosts with arp(8). Another alternative
> is to use a bridge(4) firewall.
>
> Mike
>
> > -----Original Message-----
> > From: josef.dyma@email.cz [mailto:josef.dyma@email.cz]
> > Sent: Wednesday, November 15, 2000 10:51 PM
> > To: misc@openbsd.org; tech@openbsd.org
> > Subject: subnets, not routing etc.
> >
> >
> > Hi everybody,
> >
> > trying to build an ipf on OpenBSD (2.7 on i386 with 2 fxp{0,1} eth cards,
> > from CD, patched, recompiled/minimized kernel), it seems to be extremely
> > secure right now, since it is not even routing... -:). Any ideas
> > appreciated:
> >
> >
> >
> > stuff included:
> >
> > .32 network (subnet), with .33 gateway from the ISP, .63 broadcast.
> >
> > I have divided it into two subnets (.33 -- .46: unprotected,
> > .49 -- .62: protected) in order to be able to put ipf in between them:
> >
> >
> > equipment etc.:
> >
> > SW1 (D-LINK)
> > SW2 (CISCO 3524)
> > FW (OpenBSD ipf with fxp0 (external at .34) and fxp1
> > (internal at .49))
> > my PC at .61
> >
> > The gateway for the FW is .33 (/etc/mygate)
> > The gateway for myPC is .49
> >
> > =========================================================
> > ISP .33---SW1---(fxp0---FW---fxp1)---SW2---myPC
> > =========================================================
> >
> > (BTW, ipf disabled (-D) for testing!, also
> > net.inet.ip.forwarding is 1)
> >
> >
> > For testing I had a temporary link between SW1 & SW2 and it seemed to
> > route fine. After unplugging it, it doesn't: this is what I
> > see (mostly
> > tcpdump on fxp0 & fxp1):
> >
> >
> >
> > 1) from myPC (.61) pinging out to 216.32.74.53:
> > on FW, fxp1: I see ".61 > 216.32.74.53: icmp: echo request"
> > on FW, fxp0: I see the same...
> >
> >
> > 2) from the FW: I can ping anything, get anywhere (including .61).
> >
> > 3) from outside, pinging myPC at .61, I cannot see anything... any
> > activity on either fxp0 or fxp1
> >
> >
> >
> > Any suggestions, ideas would be appreciated...
> >
> > Thanks,
> >
> > --JD
> >
> >
>
>
>
--
Håkan Olsson <ho@crt.se> (+46) 708 437 337 Carlstedt Research
Unix, Networking, Security (+46) 31 701 4264 & Technology AB