2nd nic won't setup properly, ?aliasing?

sidney6

New Member

Reaction score: 1
Messages: 19

Maybe hosts needs to be written differently.

etc/hosts
::1 localhost.dom.asdf localhost
127.0.0.1 localhost.dom.asdf localhost
192.168.0.2 fwBox.dom.asdf fwBox
192.168.0.3 fwBox.dom.asdf fwBox
192.168.0.4 browser.dom.asdf browser

if there is an obvious problem in having two nic cards represented this way in hosts then that's my problem, else read on (please).


given
box with 2 nics for fbsd firewall

this works
sysinstall / eth0 dev config / ipv6 config / dhcp config
can ping itself and the internet (through qwest dsl modem)

2nd nic fails to configure
sysinstall / eth1 dev config / ipv6 config / skip dhcp config
not sure what to put in for gateway
this card is hooked up to a switch to allow another pc to browse
select dsl modem as gateway and it screws up what used to work;
select card out to dsl modem (eth0) for gateway, and same;
select itself, again it messes up what's allready working;
select browser box as gateway, same result.
...actually it's a different problem that's created with each of the above attempts, but a problem just the same.

There are only two boxes and 4 network devices here. That's all the choices.

Each time I retry to get the 2nd card to configure I delete the lines from rc.conf added by sysinstall, rewrite the hosts file and run rc.d/netif restart, then setup the dhcp (that works), then whatever I put in for the 2nd card hoses up my hosts file. Maybe hosts needs to be written differently.

etc/hosts
::1 localhost.dom.asdf localhost
127.0.0.1 localhost.dom.asdf localhost
192.168.0.2 fwBox.dom.asdf fwBox
192.168.0.3 fwBox.dom.asdf fwBox
192.168.0.4 browser.dom.asdf browser

(deja vu dude)

I am guessing its the 2nd line for fwBox in hosts that is the problem, or maybe I need a line in the box for extra config information for ifconfig when configuring the 2nd nic.

Please tell me what to select for the gateway of the 2nd card in the fwBox and I will post the netstat -nr, etc/hosts, ifconfig

Thanks
sid
 

vivek

Aspiring Daemon

Reaction score: 195
Messages: 805

You need to add all networking configuration to /etc/rc.conf only. You need to configure NAT by adding following line to /etc/rc.conf along with network configuration:
Code:
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN" 
natd_enable="YES"
natd_interface="em1" 
natd_flags="
You also, need to create firewall rules using pf or other firewall provided by FreeBSD. Finally, turn on ip forwarding on box itself via /etc/sysctl.conf (add line net.inet.ip.forwarding=1 ).

See NAT : http://www.freebsd.org/doc/en/books/handbook/network-natd.html

Routing : http://www.freebsd.org/doc/en/books/handbook/network-routing.html

Also, if it is just going to be a router, you can try webbased config and special FreeBSD based system called pfsense http://www.pfsense.org/
 

MG

Active Member

Reaction score: 17
Messages: 191

Please tell me what to select for the gateway of the 2nd card in the fwBox and I will post the netstat -nr, etc/hosts, ifconfig
Why does your 2nd card need a gateway and hostname? If natd is enabled on this card all @-requests on your lan are translated by natd to the real gateways ip.
For local LAN-nodes the configured gateway should be the ip of your 2nd nic.
 
OP
OP
S

sidney6

New Member

Reaction score: 1
Messages: 19

Yes, my problem is nat. Qwest said the dsl device performed ip masquerading so I thought I would try networking without it. Whoops.

Thanks a lot Vivek and Mg.

sid
 
OP
OP
S

sidney6

New Member

Reaction score: 1
Messages: 19

I have setup ipf ipfw (ipfw with nat) and nat, and compiled a new kernel. The fwall/router box is responding differently to my attempts to get it running so I think natd is now running ok, hopefully.

sysinstall writes routing/networking stuff to rc.conf but doesn't seem able to add the static route lines to configure the lan. Are these the right lines for me to add to rc.conf:

static_routes="lan"
route_lan="192.168.0.4/24 192.168.0.3"

where 4 is the lan member and 3 is the interior nic on the router

or should it be
static_routes="lan"
route_lan="192.168.0.0/24 192.168.0.3"


or should it be
static_routes="lan"
route_lan="192.168.0./24 192.168.0.3"


or should it be
static_routes="lan"
route_lan="192.168.0/24 192.168.0.3"

and do I put these lines in rc.conf before doing sysinstall to add the nics, or between adding nic1 and nic2 or after adding both nics and then run rc.d/netif restart?

Naturally it doesn't work any of these ways. Tell me which way to do it and then I'll send the ifconfig netstat -nr output.

Thanks
sid
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 8,050
Messages: 31,626

Don't use sysinstall to configure your system, just edit /etc/rc.conf. It's not that hard. The defaults are in /etc/default/rc.conf. If you want to change any of the defaults just put the entry in /etc/rc.conf.

You don't need to add a static route for so-called 'directly connected networks', which is 192.168.0.0/24 in your case.
Use the netstat -rn command to have a look at your routing table.

You only have to add static routes if:

a) The network is not directly connected.
b) Not reachable via the default gateway.
 

phoenix

Administrator
Staff member
Administrator
Moderator

Reaction score: 1,262
Messages: 4,099

What are the two IPs you are trying to configure on the two NICs in the FW box?

Looking at what you originally posted, it looks like you are trying to use the same subnet on two separate NICs, which is a very big no-no. You should have two separate subnets, one for each physical NIC.

A little more info on your network topology/layout, and the subnets you are trying to use, would be helpful.
 
OP
OP
S

sidney6

New Member

Reaction score: 1
Messages: 19

big no-no?

yeah, now we're talking.

192.168.0.1 qwest says must use this adr for dsl
192.168.0.2 input to fwall/gw/router box from dsl
192.168.0.3 output to switch and lan from fwall/gw/router

so does 0.3 need to be 1.0 so as to utilize a different netmask?

Is that what you are saying?

I had shifted to thinking it was an irq conflict. Can't get two nics on old presario box to come up on different irqs so am using the built in lan port which shares with usb driver. Seems to work, but I am working on getting a bios update. And maybe I should get a non mii phy card like a 3com590 595 (vortex), tulip, or typhoon.

Yes I do not understand the implications of routing commands. I have read, but it's not yet clear to me.

sid
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 8,050
Messages: 31,626

sidney6 said:
192.168.0.2 input to fwall/gw/router box from dsl
192.168.0.3 output to switch and lan from fwall/gw/router
These 2 are on different interfaces and hence need to be on different subnets.

You seem to be lacking some basic tcp/ip (routing) knowledge.
 

phoenix

Administrator
Staff member
Administrator
Moderator

Reaction score: 1,262
Messages: 4,099

sidney6 said:
yeah, now we're talking.

192.168.0.1 qwest says must use this adr for dsl
192.168.0.2 input to fwall/gw/router box from dsl
192.168.0.3 output to switch and lan from fwall/gw/router

so does 0.3 need to be 1.0 so as to utilize a different netmask?

Is that what you are saying?
Correct. You have two physical networks, so you need two separate subnets. In this situation, I would use two completely different private subnets, to make the distinction more apparent:

192.168.0.0/24 for the NIC connected to the ADSL router, using 192.168.0.2 as the IP. Use 192.168.0.1 as the default gateway.

10.0.0.0/24 for the NIC connected to your local network, using 10.0.0.1 as the IP.

Then give all the computers on the local network IPs in the 10.0.0.2 to 10.0.0.254 range. Configure them to use 10.0.0.1 as the default gateway.

Configure the firewall to do NAT on the public interface (192.168.0.2).
 
OP
OP
S

sidney6

New Member

Reaction score: 1
Messages: 19

I have integrated all of the good advice from this thread and it still doesn't work. I think the dsl modem and associated handshaking with ppp and natd are the problem. To recap I am setting up a freebsd firewall/gateway to route packets to my lan of one pc (for now). I am told that this is called setting up a router.

The modem is an actiontek m1000, supplied by qwest, and the service is windows live and it comes preset to perform nat and dhcp. Either or both of these can be disabled, and alternatively it can be configured to work as a transparent bridge.

The m1000 router setup page says:
Your DSL Modem will automatically assign an IP Address to each device in your network. If you are using an additional Router to assign these IP Addresses, you will need to turn this function Off (sound applicable, but then how would my router get the dynamic ip?).

The m1000 nat setup page warns that it is a security hazzard to disable nat, and offers no advice as to when to disable nat.

Should I be running the m1000 in default configuration or disabling dhcp as they advice? Should I disable nat? Should I (alternatively) configure it to do rfc 1483 transparent bridging as advised by qwest and some guy with a blog? And should the nat line be the normal router nat line per the handbook of:

map publicNIC 10.0.0.0/24 -> 0/32

or should it be

map publicNIC 10.0.0.0/24 -> 192.168.0.1/0

When ppp sets up handshaking should I expect it to create a tun0 device that requires me to edit all my firewall rules replaceing the publicNIC driverID with tun0?

Hopefully once I understand for certain how to utilize the m1000 I can move on to posting some ifconfig netstat stuff if it doesn't work. I think there are too many setup permutations at this point to bother with that now.

sid
 
OP
OP
S

sidney6

New Member

Reaction score: 1
Messages: 19

I meant to say "service is windows live dynamic ip". I left out the dynamic part.

sid
 
OP
OP
S

sidney6

New Member

Reaction score: 1
Messages: 19

still can't ping the internet

messages
Code:
May 13 16:45:29 porter kernel: dc0: dc_setcfg: failed to force tx to idle state
May 13 16:45:29 porter kernel: dc0: dc_setcfg: failed to force tx to idle state
May 13 16:45:31 porter kernel: dc1: link state changed to UP
May 13 16:45:32 porter ppp[379]: tun0: Warning: deflink: PPoE: unknown host
May 13 16:45:32 porter ppp[379]: tun0: Warning: deflink: PPoE: unknown host
May 13 16:45:32 porter ppp[379]: tun0: Warning: deflink: Device (PPoE:dc1) must begin with a '/', a '!' or contain at least one ':'
May 13 16:46:02 porter ppp[379]: tun0: Warning: deflink: PPoE: unknown host
May 13 16:46:02 porter ppp[379]: tun0: Warning: deflink: PPoE: unknown host
May 13 16:46:02 porter ppp[379]: tun0: Warning: deflink: Device (PPoE:dc1) must begin with a '/', a '!' or contain at least one ':'
netstat -nr
Code:
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
10/24              link#1             UC          0        0    dc0
10.0.0.207         mac addr           UHLW        1       10    lo0
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.168.0          link#2             UC          0        0    dc1
192.168.0.1        link#2             UHLW        1       18    dc1
192.168.0.134      mac addr           UHLW        1        6    lo0
I disabled IPv6 by removing the kernel option

ifconfig
Code:
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 10.0.0.207 netmask 0xffffff00 broadcast 10.0.0.255
        ether "mac addr"
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
dc1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 192.168.0.134 netmask 0xffffff00 broadcast 192.168.0.255
        ether "mac addr"
        media: Ethernet autoselect (10baseT/UTP <full-duplex>)
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000 
tun0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
        Opened by PID 379
notes
dc0 is private nic, don't care now about it
need to get dc1 with ppp and tun0 ?tun0? nat'ing to dsl modem
test = ping http://www.google.com, fails


ppp.conf
Code:
default:
 set log Phase tun command
 set ifaddr 192.168.0.134/0 255.255.255.0 0.0.0.0

qwest:
  set device PPoE:dc1
  set authname XXXXXXXXXXX
  set authkey XXXXXXXXXXX
  set dial
  set login
  add default 192.168.0.1

note
dsl modem 192.168.0.1
public nic 192.168.0.134
private nic 10.0.0.207
From the router, I can ping the public and private nics, but the dsl modem and internet are unreachable.

ipnat.rules for lan
Code:
map tun0 10.0.0.0/24 -> 192.168.0.134/0

rc.conf:
Code:
# -- PPoE setup ---------------------------
ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="YES"
ppp_profile="qwest"
# ---------------------
# pppoed_enable="YES"
# pppoed_provider="qwest"
# pppoed_flags="-P /var/run/ppoed.pid"
# pppoed_interface="dc1"
# -----------------------------------------
# -- ipf & nat setup ----------------------
ipfilter_enable="YES"           # start ipf firewall
ipfilter_rules="/etc/ipf.rules" # loads rules
ipmon_enable="YES"              # starts ip monitoring log
ipmon_flags="-Ds"               # D = start as daemon
#                               # s = log to syslog
#                               # v = log tcp window, ack, seq
#                               # n = map IP & port to names
gateway_enable="YES"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
# -----------------------------------------
# -- ipfw & nat setup ---------------------
firewall_enable="YES"           # ipfw
firewall_script="/etc/ipfw.rules"
# firewall_type="OPEN"          # line above is better
# type: OPEN, CLIENT, SIMPLE, UNKNOWN, <flname>; from rc.firewall
firewall_logging="YES"
natd_enable="YES"
natd_interface="tun0"
natd_flags="-dynamic -m"        # 
# -----------------------------------------


# -- route & dev setup --------------------
ifconfig_dc1="inet 192.168.0.134  netmask 255.255.255.0"
# ifconfig_dc1="DHCP"
defaultrouter="192.168.0.1"
ifconfig_dc0="inet 10.0.0.207  netmask 255.255.255.0"
hostname="porter.domain.actdsltmp"
# -----------------------------------------
# -- security setup -----------------------
kern_securelevel_enable="YES"
kern_securelevel="1"
note
I changed the kern.securelevel to -1 in hopes that some ppp module would load but it didn't help. same error.

Questions
what does the ppp error message mean?
is the nat rule correct?
routing ok?

Thanks in advance
sid
 
Top