Internal and External Traffic separated in two different network cards

E

EffEPi

Here is what I have to configure:

  • 1 server with FreeBSD 9.0 and 2 network cards
  • 1 network card for internal IP addresses (em0: 192.168.1.231)
  • 1 network card for external IP addresses (em1: I can assign any IP to this, currently is 172.16.1.10)
  • the server is a DNS server, a Proxy Server, and a Samba server
  • one router Netgear SRX5308 (SNMP enabled)
  • A GB Cisco switch 48 ports (SNMP enabled)
  • I want the internal traffic (192.168.1.1/255.255.252.0) to be routed in one card and any other traffic on the other network card.

I was able to configure the server and the router to work as wanted all using em0 in this way:

Server
In /etc/rc.conf I have:

Code: 
defaultrouter="192.168.1.1"
ifconfig_em0="inet 192.168.1.231 netmask 255.255.252.0 broadcast 192.168.3.255"
gateway_enable="NO"
router_enable="NO"

Router
in Network Configuration > Lan Setup

Code: 
queenVLan   1   192.168.1.1/255.255.252.0   DHCP Enabled
Port 1: queenVLan
Port 2: queenVLan
Port 3: queenVLan
Port 4: queenVLan
in Security > Firewall > Lan Wan Rules > Inbound Services

Code: 
Filter          IP Address      WAN Users   Destination
Allow Always    192.168.1.231   ANY         174.141.36.53

Cables
  • Server em0 is connected to switch
  • Switch is connectiong to LAN1 on router

Tests
  • From the server I can ping 192.168.1.1
  • From the server I can ping 172.16.1.1
  • Everything works, I can access 174.141.36.53 and reach the server, from the server I can ping out and use it as a proxy and everything is dandy

At this point I wanted to start using the second network card and have the internal traffic 192.168.#.# be on one card and anything else on the second card.

Those are the changes that I made thinking it would work:

Server
In /etc/rc.conf I added/changed
Code: 
defaultrouter="172.16.1.1"
static_routes="office"
route_office="-net 192.0.0.0/8 192.168.1.1"
ifconfig_em1="inet 172.16.1.10 netmask 255.255.255.0 broadcast 172.16.1.255"

Router
in Network Configuration > Lan Setup

Code: 
queenVLan   1   192.168.1.1/255.255.252.0   DHCP Enabled
queenVLan10 10  172.16.1.1/255.255.255.0    DHCP Disabled
Port 1: queenVLan
Port 2: queenVLan
Port 3: queenVLan10
Port 4: queenVLan

in Security > Firewall > Lan Wan Rules > Inbound Services

Code: 
Filter          IP Address      WAN Users   Destination
Allow Always    172.16.1.10     ANY         174.141.36.54

Cables
  • Server em0 is connected to switch
  • Switch is connectiong to LAN1 on router
  • Server em1 is connected to LAN3 on router

Tests
  • From the server I can ping 192.168.1.1
  • From the server I cannot ping 172.16.1.1
  • Any attempt to reach outside the internal network fails.
  • Changing the default_router back to 192.168.1.1 allows me to be able to access the outside world, but I still cannot ping 172.16.1.1
  • Hardware has already been tested and all is working

I am not a network expert and I am kind of lost here. What am I doing wrong?
 
Can you post the output of netstat -rn? I've done something quite similar and might be able to assist. Also, just a heads up, the private address ranges are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. Based on a quick glance, your 192.0.0.0/8 route should be set to 192.168.0.0/16.
 
Each network card should be plugged into a seperate VLAN or physical network.

What is your physical network topology?

i.e., what plugs into what, do you have any VLANs configured, etc.?


From the sounds of it, to me you actually want to have the external IP of your FreeBSD machine visible on the internet, yes?

Specifically, what are you trying to achieve? This influence how to go about it.


I do this network stuff for a living...



edit:
Looks like the OP was updated...



Looks like the firewall on your router is not allowing traffic from your server's 172.16.1.10 IP to 172.16.1.1?
 
junovitch said:
Can you post the output of netstat -rn? I've done something quite similar and might be able to assist. Also, just a heads up, the private address ranges are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. Based on a quick glance, your 192.0.0.0/8 route should be set to 192.168.0.0/16.
Click to expand...

Thanks, I changed the route to 192.168.0.0/16.

This is the result of [cmd=]netstat -rn[/cmd]

Code: 
# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGS         0       87    em0
127.0.0.1          link#10            UH          0        0    lo0
172.16.1.0/24      link#2             U           0        0    em1
172.16.1.2         link#2             UHS         0        0    lo0
192.168.0.0/16     192.168.1.1        UGS         0      108    em0
192.168.1.0/24     link#1             U           1      108    em0
192.168.1.231      link#1             UHS         0       22    lo0
 
throAU said:
[cut]
Looks like the firewall on your router is not allowing traffic from your server's 172.16.1.10 IP to 172.16.1.1?
Click to expand...

I have tried to shut the firewall down and allow all the traffic but still nothing.

Every time I turn on the em1 to point to 172.16.1.10 (or 172.16.1.2) I lose the ability to ping 172.16.1.1
 
OK, my router just died and I replaced it with an old Linksys RV082 that has a limited VLAN support.
What I found is that the RV082 has a port based VLAN so the routing between each VLAN will need to be done elsewhere.

Everything works as the first configuration that I reported, except that I still cannot figure out how to create the routing between the 172.16.1.[2-10] and the router.
 
Forgot to mention that the new router has the following configuration:

  • Device IP: 192.168.1.1/255.255.255.0
  • Added Subnets:
    • 192.168.1.1/255.255.248.0
    • 172.16.1.1/255.255.255.0

Cables are:
  • em0 connected to VLAN1
  • em1 connected to VLAN2

Code: 
# ifconfig
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
        ether 00:25:90:4d:b4:74
        inet6 fe80::225:90ff:fe4d:b474%em0 prefixlen 64 scopeid 0x1 
        inet 192.168.1.231 netmask 0xffffff00 broadcast 192.168.1.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
        ether 00:25:90:4d:b4:75
        inet6 fe80::225:90ff:fe4d:b475%em1 prefixlen 64 scopeid 0x2 
        inet 172.16.1.2 netmask 0xffffff00 broadcast 172.16.1.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8149<UP,LOOPBACK,RUNNING,PROMISC,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 ::1 prefixlen 128 
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0xa 
        inet 127.0.0.1 netmask 0xff000000 
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGS         0   474860    em0
127.0.0.1          link#10            UH          0      179    lo0
172.16.1.0/24      link#2             U           0       32    em1
172.16.1.2         link#2             UHS         0        3    lo0
192.168.0.0/16     192.168.1.1        UGS         0   192223    em0
192.168.1.0/24     link#1             U           1   678503    em0
192.168.1.231      link#1             UHS         0   176557    lo0
 
Alright, I'm still confused as to what's happening. My setup is similar so here's an example of my netstat -rn. You can see that the default route uses 192.168.102.1 on em0 and my LAN route uses uses 10.100.102.1 and em1. You can see arp -an can see the gateway on both networks (although on this Netgear router is is the same MAC). My rc.conf is at the bottom.

I'm thinking whatever is going on has to deal with 172.16.1.0/24 pointing to "Link#2" rather than the gateway. Does your system kick up any error when it adds the routes upon a reboot?

Code: 
# netstat -rn
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.102.1      UGS         0   213094    em0
10.100.0.0/16      10.100.102.1       UGS         0   200096    em1
10.100.102.0/24    link#3             U           0  4099561    em1
10.100.102.2       link#3             UHS         0     4157    lo0
127.0.0.1          link#5             UH          0    22194    lo0
192.168.102.0/24   link#1             U           0    30043    em0
192.168.102.2      link#1             UHS         0        0    lo0

Code: 
# arp -an
? (10.100.102.1) at e0:91:f5:cc:2b:82 on em1 expires in 1145 seconds [ethernet]
? (10.100.102.2) at 00:25:90:26:3b:f4 on em1 permanent [ethernet]
? (192.168.102.2) at 00:25:90:26:3b:f5 on em0 permanent [ethernet]
? (192.168.102.1) at e0:91:f5:cc:2b:82 on em0 expires in 1145 seconds [ethernet]

Code: 
static_routes="lan"
route_lan="-net 10.100.0.0/16 10.100.102.1"
# DMZ/External Interface Configuration
ifconfig_em0="DHCP"
# LAN/Internal Interface Configuration
ifconfig_em1="inet 10.100.102.2 netmask 0xffffff00"
 
So, you want to route between interfaces, correct? Then, why do you have
Code: 
gateway_enable="NO"
in rc.conf?

Edit: Actually re-reading your post only makes me more puzzled. Are you just trying to have a multihomed server?
 
You must log in or register to reply here.
Back
Top