GATEWAY

How can I make a FreeBSD box (with 2 NICs) become a gateway ? Do I need to use ipfw ?

Andrew
andrewyuAsked:
 
ahoffmannCommented:
route add -net IP-of-you-local-net
route add -net 0.0.0.0 IP-of-NIC-to-ISP
0
 
andrewyuAuthor Commented:
Thank you very much, but, does IP-of-you-local-net mean "192.168.1" ?

Do I need to setup a default gateway interface first ?

Andrew
0
 
ahoffmannCommented:
> .. but, does IP-of-you-local-net mean "192.168.1" ?
NO.
But probably 192.168.1.1
0
 
andrewyuAuthor Commented:
So, it is the ip address of the NIC to the LAN ?

Andrew
0
 
ahoffmannCommented:
Oops, didn't read carefully.

Yes 192.168.1 is fine according to a netmask 255.255.255.0
0
 
andrewyuAuthor Commented:
Thank you very much for your kind attention !

Andrew
0
 
andrewyuAuthor Commented:
Do I need to run these when I would use ipfw ?

Andrew
0
 
ahoffmannCommented:
yes.
Things may get more complicated if you use IP masquerading too.
0
 
andrewyuAuthor Commented:
Thank you very much !

But, how can I use static NAT ?

Or can you help at http://www.experts-exchange.com/jsp/qShow.jsp?ta=unixnet&qid=10230213  ?

Andrew
0
 
andrewyuAuthor Commented:
So, all inbound and outbound packets can pass through ?

Andrew
0
 
ahoffmannCommented:
if you set ipfw up to do so, yes
But is this really what you want to do?
0
 
andrewyuAuthor Commented:
If I only use the "route add", does it mean that everyone in the LAN can only send a packet through that gateway and the source address of the packet will become the address of the gateway ?

But, if an Internet user wants to send a packet to a machine in that LAN, must I set up ipfw and natd ?

By the way, can you help me at http://www.experts-exchange.com/jsp/qShow.jsp?ta=unixnet&qid=10230213  as well ?

Andrew
0
 
ahoffmannCommented:
> .. Q.10230213 ..
Even though I use FreeBSD, I have never done NAT with it, so I can't give useful suggestions

> .. everyone in the LAN ..
unless you want the local, LAN, traffic to go through the firewall, you should have a route for your local net, see my answer. Then the LAN address is not replaced by NAT (or whatever).

> .. set a ipfw and natd?
depends on your LAN address, if it uses internet IPs (not 10.x.x.x, 192.168.x.x, etc) then you need neither, otherwise either NAT or a proxy
0
 
andrewyuAuthor Commented:
So, I should set up a ipfw and natd if anyone in Internet can touch the machine in that LAN for best way ?

Otherwise, only LAN machines can send packets to the Internet through the gateway (using "route add") in simplest way ?

Anyway, do you mean that I can use the public IP inside the LAN (same network as the domain) ? BUT, how can I setup the two NICs and routing table ? By the way, can I use ipfw later in this case ?

Andrew
0
 
ahoffmannCommented:
Yes.

No. "route add" enables packets in both ways, ipfwadm is the tool to make filters for this behaviour (allow one direction, block the other).

> ..  I can use the public IP inside the LAN  ..
You can. But it's safer to have private RFC addresses instead.
> .. same network as the domain
Yes, as long as you use IPs within your netmask.
> .. how can I setup the two NICs and routing table ?
You mean when you use your public (domain) IPs within the LAN? Then you have to split the net into at least 2 parts with an appropriate netmask.
0
 
andrewyuAuthor Commented:
Which IPs do I use in both NICs when I use the same domain IP in LAN ? And how do I set up the gateway by "route add" then ?

Thank you very much indeed, but, where can I get reference for gateway setup, ipfw and natd ?

Andrew
0
 
ahoffmannCommented:
> Which IP's do I use ...
Assuming you have 195.1.1.0 as class C net from your ISP, you set up your gateway's NICs as

      eth0 195.1.1.1 mask 255.255.255.128
      eth1 195.1.1.129 mask 255.255.255.128

where eth0 is connected to your ISP, and eth1 to the LAN. Routing then is:

      route add -net 195.1.1.0 mask 255.255.255.128 gw 195.1.1.1
      route add -net 195.1.1.128 mask 255.255.255.128 gw 195.1.1.129
      route add -net 0.0.0.0 gw 195.1.1.1

(for exact syntax of route command please see man-pages)

Your LAN IPs then are 195.1.1.129 .. 195.1.1.254 and they use as gateway

      route add -net 0.0.0.0 gw 195.1.1.129
0
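Added example, not part of the thread or any poster's code: a Python sketch of the split described in the answer above, where a block is halved into an ISP-side and a LAN-side subnet and the gateway's NICs take the first usable address of each half. The function name `plan_split` and the 255.255.255.240 block built from the answer's sample prefix are assumptions; the check for RFC 1918 ranges reflects the thread's point that such LAN addresses need NAT or a proxy.

```python
import ipaddress

# RFC 1918 private ranges: not routed on the Internet, so a LAN numbered
# from them needs NAT or a proxy on the gateway.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def plan_split(block, lan_machines):
    """Split `block` into an ISP-side half and a LAN-side half.

    `block` may use prefix or netmask form, e.g. "195.1.1.0/255.255.255.0".
    The first usable address of each half goes to the gateway's NIC on
    that side; the rest of the LAN half is left for client machines.
    """
    net = ipaddress.ip_network(block, strict=True)
    if net.version != 4 or net.prefixlen > 29:
        raise ValueError("need an IPv4 block of at least 8 addresses")
    isp_side, lan_side = net.subnets(prefixlen_diff=1)
    # Network and broadcast addresses are unusable; one more usable
    # address on the LAN side is taken by the gateway itself.
    capacity = lan_side.num_addresses - 3
    return {
        "netmask": str(lan_side.netmask),
        "gateway_isp_nic": str(isp_side.network_address + 1),
        "gateway_lan_nic": str(lan_side.network_address + 1),
        "client_range": (str(lan_side.network_address + 2),
                         str(lan_side.broadcast_address - 1)),
        "client_capacity": capacity,
        "fits": lan_machines <= capacity,
        "needs_nat_or_proxy": any(net.subnet_of(r) for r in RFC1918),
    }

if __name__ == "__main__":
    # Constructed inputs: the answer's sample class C, the same prefix with
    # a 255.255.255.240 mask, and a private LAN range; 7 LAN machines each.
    for block in ("195.1.1.0/255.255.255.0",
                  "195.1.1.0/255.255.255.240",
                  "192.168.1.0/24"):
        print(block, plan_split(block, 7))
```

With a 255.255.255.240 block the LAN half has room for only five client machines, so seven machines do not fit a split of that size.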
 
andrewyuAuthor Commented:
What is the meaning of "route add -net 0.0.0.0 gw 195.1.1.1" ? Why do I need to use "route add -net 0.0.0.0 gw 195.1.1.129" again ?

What can I do if I have 7 machines in LAN and the 1 NIC of the gateway is connected to those machines through an 8-port hub, but, the netmask of this domain is 255.255.255.240 (16 IPs only and one of them is router's IP) ?

Andrew
0
 
ahoffmannCommented:
you need to make yourself used to routing !
That means what a netmask is, what a router is and what a gateway is (and don't get confused with M$'s term of gateways:)

Please read man route, then follow my suggestions, your last questions still have been answered
0
 
andrewyuAuthor Commented:
Thank you very much !

I think I should use the first method you teach me !

Anyway, is the following two lines enough for routing inbound and outbound ?
route add -net IP-of-you-local-net
route add -net 0.0.0.0 IP-of-NIC-to-ISP


Andrew
0
 
ahoffmannCommented:
on the 2-NICs machine, yes.
0
 
andrewyuAuthor Commented:
Anyway, which startup file do I put these two lines ?

Andrew
0
 
ahoffmannCommented:
/etc/rc.conf  (not sure if still true for FreeBSD > 3.x)
0
 
andrewyuAuthor Commented:
Where can I put these two lines in this file ?

Andrew
0
 
ahoffmannCommented:
don't know
you must read and understand the file, it's a sh script, then add the lines at the appropriate location (usually somewhere near the end shouldn't harm)
0
 
andrewyuAuthor Commented:
Ok, I will try to add this to the end of this script !!

Thank you very much !!

Andrew
0
 
andrewyuAuthor Commented:
Anyway, can I edit the "defaultrouter" for outbound and "static_routes" for inbound to achieve it ?

But, is "defaultrouter" the ip address of the router or NIC to router ?

Andrew
0
 
ahoffmannCommented:
you can edit.
If you like to use it as inbound or outbound, depends on you ;-)
0
 
andrewyuAuthor Commented:
Is there any hidden problem ?

Andrew
0
 
ahoffmannCommented:
AFAIK not
0
 
andrewyuAuthor Commented:
Thank you very much !

Andrew
0
 
andrewyuAuthor Commented:
How can I check the machine can perform as a gateway ?

Andrew
0
 
andrewyuAuthor Commented:
Do I need to start other daemon ?

Andrew
0
 
andrewyuAuthor Commented:
Do I need to create "/etc/gateways" ? If yes, what do I need to do ?

Andrew
0
 
ahoffmannCommented:
> How can I check the machine can perform as a gateway ?
any UNIX can act as gateway (but don't get confused with the terms router vs. gateway)

> Do I need to start other daemon?
not for a router if you use static routes (as described in my answer), things get complicated if it is a gateway in its traditional meaning

> .. /etc/gateways"
not sure about this file, my FreeBSD does not have it.

Please note that you must make yourself used to the terms router and gateway, which are used interchangeably (mainly 'cause M$ used the term gateway where they meant router)
0
 
andrewyuAuthor Commented:
Do I need to rebuild the kernel ?

After I setup the ip address and gateway to the FreeBSD box in all the Windows 9x clients in the LAN, the workstations still cannot connect to the Internet ? Actually, what do I need to configure after the installation of FreeBSD 3.3 in order to achieve this issue ?

If ip address of the one NIC is the subnet as Router and others is that of the LAN ip (192.168.1.1), is there any problem ?

ANYWAY, THANK YOU VERY MUCH INDEED !!!

Andrew
0
 
ahoffmannCommented:
> Do I need to rebuild the kernel
no.
assuming all W9x boxes in the 192.168.1.0 net, it should work if you have set the netmask to 255.255.255.0.
Of course you cannot connect to the internet with these IP's 'cause they will not be routed in the Internet anyhow. You need a proxy or NAT or IP-masquerading to achieve this
0
 
andrewyuAuthor Commented:
Actually, do you mean that the packet can route outside but ISP cannot route it back into the LAN ?

Andrew
0
 
ahoffmannCommented:
RFC IPs, like 192.168.x.x are rejected by any ISP
0
 
andrewyuAuthor Commented:
I understood !!!!!!

Thank you very much !!!!!!

Andrew
0