I had to do one more thing: I needed to bind the IP the box got to the other adapter too. So now the IP is bound twice, but once with a netmask of 255.255.255.255. It was needed to let the clients ping the bridge by its external IP.
--
Regards,
Terrence Koeman

MediaMonks B.V. (www.mediamonks.com)
Please quote all replies in correspondence.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Terrence Koeman
> Sent: Sunday, July 11, 2004 17:38
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: Network configuration
>
> Hi,
>
> Thank you all for the help and time. I finally got it all working with bits from most emails.
>
> I'll include my configuration here for others in the same situation (any comments are welcome):
>
> It's now:
>
>                        --------------
>                        | SDSL Modem |
>                        |  Bridged   |
>                        --------------
>                              |
>                  --------------------------
>                  | xl1: 217.1.1.155, DHCP |
>                  |       Freebsd Box      |
>                  |     xl0: UP, no ip     |
>                  --------------------------
>                              |
>                          ----------
>          |---------------| SWITCH |----------------|
>          |               ----------                |
>          |                    |                    |
> -------------------  -------------------  -------------------
> | C1: 217.1.1.156 |  | C2: 217.1.1.157 |  | C3: 217.1.1.158 |
> -------------------  -------------------  -------------------
>
> (Notice the switch of xl1 and xl0, this made it work).
>
> xl1 and xl0 are bridged so that all clients have full internet connectivity.
> Additionally the clients share the available bandwidth fairly, with ssh, telnet, dns and http having a higher priority than other traffic.
>
> Using a private IP on xl0 and adding natd is still possible for use in the future.
>
>
> FreeBSD samsara.mediamonks.net 5.2-CURRENT FreeBSD 5.2-CURRENT #5: Sat Jul 10 22:13:16 CEST 2004 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/SAMSARA i386
>
> ************************************
> /sys/i386/conf/SAMSARA:
> machine         i386
> cpu             I686_CPU
> ident           SAMSARA
>
> options         SCHED_ULE               # ULE scheduler
> options         INET                    # InterNETworking
> options         FFS                     # Berkeley Fast Filesystem
> options         SOFTUPDATES             # Enable FFS soft updates support
> options         UFS_DIRHASH             # Improve performance on big directories
> options         CD9660                  # ISO 9660 Filesystem
> options         PROCFS                  # Process filesystem (requires PSEUDOFS)
> options         PSEUDOFS                # Pseudo-filesystem framework
> options         COMPAT_43               # Compatible with BSD 4.3 [KEEP THIS!]
> options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
>
> options         HZ=5000
> options         ATA_STATIC_ID           # Static device numbering
>
> options         IPFIREWALL
> options         IPFIREWALL_DEFAULT_TO_ACCEPT
> options         IPFIREWALL_VERBOSE
> options         IPFIREWALL_VERBOSE_LIMIT=100
> options         DUMMYNET
> options         BRIDGE
>
> device          isa
> device          pci
>
> device          fdc
> device          ata
> device          atadisk                 # ATA disk drives
> device          atapicd                 # ATAPI CDROM drives
> device          atkbdc                  # AT keyboard controller
> device          atkbd                   # AT keyboard
> device          vga                     # VGA video card driver
> device          sc
> device          npx
>
> device          miibus                  # MII bus support
> device          xl                      # 3Com 3c90x (``Boomerang'', ``Cyclone'')
>
> device          random                  # Entropy device
> device          loop                    # Network loopback
> device          ether                   # Ethernet support
> device          pty                     # Pseudo-ttys (telnet etc)
>
> device          bpf                     # Berkeley packet filter
>
> ************************************
> /etc/rc.conf:
> hostname="samsara.mediamonks.net"
>
> ifconfig_xl1="DHCP"
> ifconfig_xl0="UP"
>
> jail_enable="NO"
> kldxref_enable="NO"
>
> kern_securelevel="3"
> kern_securelevel_enable="YES"
>
> firewall_enable="YES"
> firewall_script="/etc/rc.firewall"
> firewall_type="/etc/ipfw.rules"
> firewall_quiet="NO"
> firewall_logging="YES"
> firewall_flags=""
>
> nfs_server_enable="NO"
> gateway_enable="NO"
>
> syslogd_flags="-ss"
>
> sendmail_enable="NO"
> sshd_enable="YES"
> usbd_enable="NO"
> sshd_enable="YES"
> squid_enable="NO"
> apache2_enable="YES"
> oidentd_enable="YES"
> snmpd_enable="YES"
> snmpd_flags="-a -Lsd -p /var/run/snmpd.pid 127.0.0.1:161"
>
> ************************************
> /etc/sysctl.conf:
> security.bsd.see_other_uids=0
> security.bsd.see_other_gids=0
> kern.ipc.nmbclusters=65535
> net.inet.ip.fw.enable=0
> net.link.ether.bridge.enable=1
> net.link.ether.bridge_cfg=xl0,xl1
> net.link.ether.bridge_ipfw=1
>
> ************************************
> /etc/ipfw.rules:
> enable one_pass
>
> #incoming bandwidth
> pipe 1 config bw 4500kbits/s queue 10Kbytes
> #outgoing bandwidth
> pipe 2 config bw 4500kbits/s queue 10Kbytes
>
> #incoming queues, group on dst-host
> queue 10 config pipe 1 weight 50 mask dst-ip 0xffffffff #icmp
> queue 11 config pipe 1 weight 99 mask dst-ip 0xffffffff #ssh, telnet, dns, http
> queue 12 config pipe 1 weight 40 mask dst-ip 0xffffffff #all other ip
>
> #outgoing queues, group on src-host
> queue 20 config pipe 2 weight 50 mask src-ip 0xffffffff #icmp
> queue 21 config pipe 2 weight 99 mask src-ip 0xffffffff #ssh, telnet, dns, http
> queue 22 config pipe 2 weight 40 mask src-ip 0xffffffff #all other ip
>
> #queues for local system
> queue 30 config pipe 1 weight 50 mask dst-ip 0xffffffff
> queue 31 config pipe 2 weight 50 mask src-ip 0xffffffff
>
> #allow traffic on loopback interface
> add 00100 allow ip from any to any via lo0
>
> #deny lost/hostile packets to the loopback addresses, return host unreach
> add 00110 unreach host log logamount 20 ip from any to 127.0.0.0/8 via any
>
> #deny any private address, return host unreach
> add 00301 unreach host log logamount 20 ip from 10.0.0.0/8 to any in via any
> add 00302 unreach host log logamount 20 ip from 172.16.0.0/12 to any in via any
> add 00303 unreach host log logamount 20 ip from 192.168.0.0/16 to any in via any
>
> #deny windows networking, return RST
> add 00500 reset log logamount 20 ip from any to any 135,137-139 via any
>
> #for bridged traffic, skip
> add skipto 20000 ip from any to any via any bridged
>
> #** natd divert is possible here, if xl0 gets a private IP. **
>
> #deny packets with a source address known on a different interface, return host unreach
> add 00800 unreach host log logamount 20 ip from any to any not verrevpath in
>
> # for non-bridged traffic, skip
> add skipto 30000 ip from any to any via any
>
> #push bridged traffic in appropriate queues
> add 20000 queue 10 icmp from any to any in recv xl1
> add 20100 queue 11 ip from any 22,23,53,80 to any in recv xl1
> add 20200 queue 11 ip from any to any 22,23,53,80 in recv xl1
> add 20300 queue 12 ip from any to any in recv xl1
>
> add 21000 queue 20 icmp from any to any in recv xl0
> add 21100 queue 21 ip from any to any 22,23,53,80 in recv xl0
> add 21200 queue 21 ip from any 22,23,53,80 to any in recv xl0
> add 21300 queue 22 ip from any to any in recv xl0
>
> add skipto 50000 log logamount 20 ip from any to any via any
>
> #push non-bridged (local) traffic in appropriate queues
> add 30000 queue 30 icmp from any to any in recv xl1
> add 30100 queue 30 ip from any to any in recv xl1
>
> add 31000 queue 31 icmp from any to any out xmit xl1
> add 31100 queue 31 ip from any to any out xmit xl1
>
> add 50000 pass all from any to any
>
>
> I hope this helps someone in the future :)
>
> --
> Regards,
> Terrence Koeman
>
> MediaMonks B.V. (www.mediamonks.com)
> Please quote all replies in correspondence.
>
> > -----Original Message-----
> > From: Randy Grafton [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, July 08, 2004 21:04
> > To: [EMAIL PROTECTED]
> > Subject: RE: Network configuration
> >
> > I set up a little home network using my FreeBSD box as the 'router'. There are two boxes on my internal LAN that I wanted to have access to from the internet as well as provide full internet access to all internal clients/servers.
> >
> > Like I said, I recompiled my kernel with the nat options. I'll list the steps here, if you've already performed them then at least I got in some typing practice.
> >
> > Install the kernel sources. Insert your install disk and from the command line run /stand/sysinstall.
> > Select the Configure option then the Distributions option then src and finally sys.
> > Once the sources are installed you will go to /usr/src/sys/i386/conf. Within this directory are two files, GENERIC and LINT. Make a copy of GENERIC with a name of your choosing. Edit the GENERIC copy and add the following lines:
> > options IPFIREWALL
> > options IPFIREWALL_VERBOSE
> > options IPFIREWALL_VERBOSE_LIMIT=10
> > options IPDIVERT
> >
> > Save the modified file and compile your kernel. This is done by doing:
> > config <GENERIC COPY NAME>
> > cd ../../<GENERIC COPY NAME>
> > make
> > make install
> > reboot
> >
> > Now you'll edit your /etc/rc.conf file. Add these lines to it:
> > gateway_enable="YES"
> > ifconfig_xl0="inet 217.1.1.155 netmask <your netmask>"
> > ifconfig_xl0_alias0="inet 217.1.1.155 netmask <your netmask>"
> > ifconfig_xl0_alias1="inet 217.1.1.156 netmask <your netmask>"
> > ifconfig_xl0_alias2="inet 217.1.1.157 netmask <your netmask>"
> > ifconfig_xl0_alias3="inet 217.1.1.158 netmask <your netmask>"
> > ifconfig_xl1="inet 192.168.1.1 netmask 255.255.255.0"
> > firewall_type="OPEN"
> > firewall_quiet="YES"
> > firewall_logging="YES"
> > natd_enable="YES"
> > natd_interface="xl0"
> > natd_flags="-f /etc/natd.conf" (explained below)
> >
> > Now create the /etc/natd.conf file with these lines:
> > same ports yes
> > dynamic yes
> > redirect_port tcp 192.168.1.2 217.1.1.156
> > redirect_port udp 192.168.1.2 217.1.1.156
> > redirect_port tcp 192.168.1.3 217.1.1.157
> > redirect_port udp 192.168.1.3 217.1.1.157
> > redirect_port tcp 192.168.1.4 217.1.1.158
> > redirect_port udp 192.168.1.5 217.1.1.158
> >
> > The redirect_port has this syntax:
> > redirect_port tcp <dest_internal_address> <src_external_address>
> > redirect_port udp <dest_internal_address> <src_external_address>
> >
> >                        --------------
> >                        | SDSL Modem |
> >                        |  Bridged   |
> >                        --------------
> >                              |
> >                  --------------------------
> >                  | xl0: 217.1.1.155       |
> >                  | xl0: 217.1.1.156       |
> >                  | xl0: 217.1.1.157       |
> >                  | xl0: 217.1.1.158       |
> >                  |                        |
> >                  |       Freebsd Box      |
> >                  |                        |
> >                  | xl1: 192.168.1.1       |
> >                  --------------------------
> >                              |
> >                          ----------
> >          |---------------| SWITCH |----------------|
> >          |               ----------                |
> >          |                    |                    |
> > -------------------  -------------------  -------------------
> > | C1: 192.168.1.2 |  | C2: 192.168.1.3 |  | C3: 192.168.1.4 |
> > -------------------  -------------------  -------------------
> >
> > Once these changes are made you can run /etc/netstart. This little script is great, anytime that you make network config changes you can run this instead of having to restart the whole system.
> >
> > All of your internal clients will now need to have 192.168.1.1 listed as their default router/gateway.
> >
> > Whew! Did that help?
> >
> > -Randy
> >
> >
> >
> > -----Original Message-----
> > From: Terrence Koeman [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, July 08, 2004 11:12 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: Network configuration
> >
> > Well, I can do the firewall part. It's just the gateway thing I can't figure out.
> >
> > The three 'clients' have to have a public IP address because they are actually servers.
> >
> > I need;
> > -the three servers to have full internet connectivity, in and out
> > -the possibility to manipulate/block/prioritize the packets to and from them
> > -the freebsd box needs to have an external IP address for access
> >
> > Currently I have no idea what to bind to xl1, what method to use to get the packets out (routing, bridging?), and what gateway to use on the 'clients'...
> >
> > Any help would be really appreciated.
> >
> > --
> > Regards,
> > Terrence Koeman
> >
> > MediaMonks B.V. (www.mediamonks.com)
> > Please quote all replies in correspondence.
> >
> > > -----Original Message-----
> > > From: Randy Grafton [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, July 08, 2004 19:32
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: Network configuration
> > >
> > > I would recommend that you start out open and then start closing things up.
> > >
> > > I'm not an ipfw expert but I can get you going with the gateway thing. Since you said that you have nat running, I assume that you recompiled your kernel?
> > > If not then email me back and I'll provide a quick how to.
> > >
> > > Why are you looking to make the clients available from the internet?
> > > Your answer to this question could open some other possibilities for configuration.
> > >
> > > -Randy
> > >
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Terrence Koeman
> > > Sent: Thursday, July 08, 2004 10:03 AM
> > > To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > > Subject: RE: Network configuration
> > >
> > > I haven't got any real config right now as I'm not sure about how to start with this.
> > >
> > > --
> > > Regards,
> > > Terrence Koeman
> > >
> > > MediaMonks B.V. (www.mediamonks.com)
> > > Please quote all replies in correspondence.
> > >
> > > > -----Original Message-----
> > > > From: JJB [mailto:[EMAIL PROTECTED]
> > > > Sent: Thursday, July 08, 2004 17:58
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: Network configuration
> > > >
> > > > Post the full content of your rc.conf file and your ipfw rule set.
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Terrence Koeman
> > > > Sent: Thursday, July 08, 2004 11:10 AM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Network configuration
> > > >
> > > > Hi,
> > > >
> > > > I have been busy setting up a network the last 3 days, but I cannot get it working.
> > > >
> > > > Basically I have no clue what has to be set up etc. and if I need bridging or not.
> > > >
> > > > The situation is as follows:
> > > >
> > > >                        --------------
> > > >                        | SDSL Modem |
> > > >                        |  Bridged   |
> > > >                        --------------
> > > >                              |
> > > >                  --------------------------
> > > >                  | xl0: 217.1.1.155       |
> > > >                  |                        |
> > > >                  |       Freebsd Box      |
> > > >                  |                        |
> > > >                  | xl1                    |
> > > >                  --------------------------
> > > >                              |
> > > >                          ----------
> > > >          |---------------| SWITCH |----------------|
> > > >          |               ----------                |
> > > >          |                    |                    |
> > > > -------------------  -------------------  -------------------
> > > > | C1: 217.1.1.156 |  | C2: 217.1.1.157 |  | C3: 217.1.1.158 |
> > > > -------------------  -------------------  -------------------
> > > >
> > > >
> > > > The FreeBSD box has full internet connectivity and I can also get NAT working, but the thing is that I need those non-private IP's bound to the clients and I need ipfw between the clients and the modem. Also I need the FreeBSD machine to have a non-private IP address. I have no clue as to getting the packets from those clients to the internet. I tried bridging xl0 and xl1 and using 217.1.1.155 as gateway, but that didn't work.
> > > >
> > > > Maybe someone that knows how to do something like this can shed some light on it for me?
> > > >
> > > > Thanks in advance.
> > > >
> > > > --
> > > > Regards,
> > > > Terrence Koeman
> > > >
> > > > MediaMonks B.V. (www.mediamonks.com)
> > > > Please quote all replies in correspondence.
> _______________________________________________
> [EMAIL PROTECTED] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"
>
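A miniature rule walker for the /etc/ipfw.rules file posted in the thread, added here as an example and not taken from any of the messages: it parses a cut-down copy of that ruleset (log keywords dropped; the two unnumbered skipto rules written with the numbers 600 and 900 that ipfw assigns in steps of 100) and replays constructed packets through the skipto/queue layout, which is the dry run worth doing before loading such a file. The packet fields, the RULES subset and the pkt() helper are assumptions of this example; what it makes visible is that the private-address and Windows-networking rules also cover bridged traffic because they precede the bridged skipto, while the verrevpath check at rule 800 is only ever reached by non-bridged traffic.

```python
import ipaddress, re

# Added example, not code from the thread: a miniature ipfw rule walker for the shape of the
# posted /etc/ipfw.rules (log keywords dropped; "enable one_pass" makes a queued packet accepted).
RULES = """add 00301 unreach host ip from 10.0.0.0/8 to any in via any
add 00500 reset ip from any to any 135,137-139 via any
add 00600 skipto 20000 ip from any to any via any bridged
add 00800 unreach host ip from any to any not verrevpath in
add 00900 skipto 30000 ip from any to any via any
add 20200 queue 11 ip from any to any 22,23,53,80 in recv xl1
add 20300 queue 12 ip from any to any in recv xl1
add 21300 queue 22 ip from any to any in recv xl0
add 50000 pass all from any to any"""
RULE = re.compile(r"add (\d+) (\w+)(?: (\d+|host))? (\w+) from (\S+)(?: ([\d,-]+))? to (\S+)(?: ([\d,-]+))?(.*)")

def parse(text):  # one tuple per line: (num, action, arg, proto, src, sports, dst, dports, mods)
    rows = [RULE.match(line).groups() for line in text.splitlines()]
    return [(int(n), a, g, pr, s, sp, d, dp, m.split()) for n, a, g, pr, s, sp, d, dp, m in rows]
def addr_ok(spec, a):
    return spec == "any" or ipaddress.ip_address(a) in ipaddress.ip_network(spec)
def port_ok(spec, port, proto):  # a port list implies tcp/udp, as in ipfw
    return spec is None or (proto in ("tcp", "udp") and any(
        int(lo) <= port <= int(hi or lo) for lo, _, hi in (x.partition("-") for x in spec.split(","))))

def mods_ok(mods, p):  # via/in/out/recv/xmit/bridged options and the "not verrevpath" test
    neg, it = False, iter(mods)
    for m in it:
        if m in ("via", "recv", "xmit"):
            x = next(it)
            ok = x == "any" or x in ((p["recv"], p["xmit"]) if m == "via" else (p[m],))
        else:  # in/out test the direction; bridged/verrevpath are flags of the packet
            ok = m != "not" and (p["dir"] == m if m in ("in", "out") else bool(p[m]))
        if m != "not" and ok == neg:
            return False
        neg = m == "not"
    return True

def verdict(rules, p, i=0):  # walk the rules as ipfw would: (action, arg, matching rule number)
    for num, action, arg, proto, src, sp, dst, dp, mods in rules[i:]:
        if ((proto in ("ip", "all") or proto == p["proto"]) and addr_ok(src, p["src"])
                and addr_ok(dst, p["dst"]) and port_ok(sp, p["sport"], p["proto"])
                and port_ok(dp, p["dport"], p["proto"]) and mods_ok(mods, p)):
            if action != "skipto":
                return action, arg, num
            return verdict(rules, p, next((j for j, r in enumerate(rules) if r[0] >= int(arg)), len(rules)))
    return "allow", None, 65535  # IPFIREWALL_DEFAULT_TO_ACCEPT

def pkt(src, dst, **f):  # constructed packet; fields not given take these defaults
    base = dict(proto="tcp", sport=0, dport=0, dir="in", recv=None, xmit=None, bridged=False, verrevpath=True)
    return {**base, "src": src, "dst": dst, **f}
```

Run verdict(parse(RULES), pkt(...)) for the traffic classes that matter (bridged client traffic in both directions, a private source, a spoofed local source) and compare the returned rule numbers with what the file is meant to do.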