you wrote:
> On Wed, 29 Jan 2003, Dave Cornejo wrote:
> 
> > local network is 192.168.1.0/24
> >
> >              192.168.1.4
> >                   |
> >                   |
> > 192.168.1.1 -- ethernet -- 192.168.1.2 / global IP addr -- internet
> >                   |
> >                   |
> >              192.168.1.3
> >
> > now, the rules:
> >
> > 1) .1 may directly exchange packets with .4 and .2 only, it may not
> >    exchange packets with .3 directly.
> >
> > 2) .2 may directly exchange packets with any host
> >
> > 3) .2 acts as the gateway to the internet
> >
> > the problem is that I need to be able to set up the routing tables so
> > that if .1 needs to connect to .3 that it goes through .2.
> 
> The "cleanest" way to do this would be by subnetting.  You could have .2
> on two subnets, with one of the subnets having only the .1 host, while the
> other subnet has the rest of the hosts.

I over-simplified the problem - I'm not talking about 4 hosts on pure
Ethernet here, I'm really talking about hundreds to thousands with
some portions running over radio.  The rules change dynamically and
pretty frequently (like potentially on the order of seconds) - I have
a routing daemon that knows how the rules are changing and I need to
get this into a routing table. 

Subnetting on this scale won't work, and since some hosts will need to
participate in multiple subnets, you run into the problem of
dynamically managing subnets and aliasing the interface (easy enough
at small scale)

We have this running on Linux, but it's my belief that we're actually
exploiting a bug or flaw in the Linux routing.  The closest I've
gotten is to set add a route like this on .1:

.1 has a netmask of 0xffffffff

route add 192.168.1.2 -interface fxp0

(hope I'm remembering this right) which yields the packets getting
transmitted with but with the MAC address of .1, so .2 never
recognizes the packet.

> However, you would want to tell .1 to route packets for .3 to .2.  This
> can be done with a simple entry in the routing table on .1.  If you don't
> "trust" .1 or can't modify it's routing table, then you would need to
> setup a transparent firewall.  Then you need to tell .2 to redirect
> packets from .1 to .3.  If you want packets from .3 to .1 to go through .2
> as well, you would do the same thing, but the other way around
> (change/reverse the addresses).  As for _how_ to do this with FreeBSD, you
> could use ipfw to redirect the packets.  This would be done with the "fwd"
> keyboard.  Check the manpage ipfw(8) for more details.

ipfw is an interesting suggestion, I'll have to look at that.

> You could also do some kind of layer 2 filtering/rewriting between .3 and
> the rest of the Ethernet.
> 
> However, if your goal is to have .2 see all of the packets from .3 to .1,
> then there's a better way of doing it.  If you are using an Ethernet hub,
> then every host on the LAN will already see every packet that is sent by
> every host. If you are using an Ethernet switch, you might be able to
> tell the switch that one of the ports should see every packet sent to the
> LAN.  In the world of cisco, this is known as 'port monitoring'.  I'm not
> sure about other vendors however.

Can't rely on that because as I noted above we're using some wireless
links in here and (having worked on the IOS code) port monitoring is
often busted anyway.

> > If it
> > needs to connect to .4 or .2 it can do that directly.  To make things
> > even more fun, any number of hosts may join or leave the network at
> > any point and the lists of which hosts have direct connectivity is
> > dynamic.  But I think that if I can solve the above problem that I'll
> > have what I need to solve the rest of it.
> 
> To be quite honest, I think you need to read up a bit more on how TCP/IP
> and Ethernet work.  In general (and this is not 100% true, since there
> are other rules), all hosts on a LAN (well, subnet) will have "direct
> connectivity" to each other.  There is no process for hosts to "join" an
> IP/Ethernet network, they simply just start sending and receiving
> > packets.

In a pure Etherenet environment yes, but the problem I'm trying to
solve is that I can't rely on the network connection being reliable or
static.  I've gotten the problem down to dealing with the FreeBSD
routing and interface driver code, but I don't quite have my brain
around the whole concept of BSD routing - I'm going through the 4.4BSD
internals book, but time is short and I'm being lazy here...

> > I have a solution that uses Linux, but I'm reasonably certain that it
> > really uses a flaw in the Linux kernel to work as it's dicey to set
> > up, requires a specific order of steps and requires a reboot when
> > things like the hosts IP address changes.
> >
> 
> Do you know what this is called?  Or can you atleast describe this method
> in more detail?  I might even have the completely wrong idea about what
> you're trying to accomplish.

Unfortunately, I've only witnessed it and it requires some voodoo -
you set the interface netmask to 0xffffffff and then there's something
with an entry to the subnet I think it may have been setting the
default route to the subnet (i.e. 192.168.1.0) but that doesn't sound
right.  Then add the route to the device with something like "route add
192.168.1.2 -dev eth0"  But this is flakey

> Hope this helps, and I hope I didn't confuse you. :)

No, the ipfw is an interesting idea - thanks for your reply...

dave c

-- 
Dave Cornejo @ Dogwood Media, Fremont, California (also [EMAIL PROTECTED])
  "There aren't any monkeys chasing us..." - Xochi

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message

Reply via email to