IP Aliases + Router

Hello
I have a gateway server with several public IP addresses in several subnets configured via aliases.

Now I want this server to act as a router for all servers in the private network, via one default router in one of those public subnets.

Those machines don't need to be accessible from the public Internet, but they need to be able to access public servers.

I have tried a default routed setup, but failed because I lack knowledge of basic network stuff.

Any help on adding static routes on my gateway machine appreciated.

Code:
--------------
- ISP Router -
--------------
      |
      | 88.123.12.3
      | alias 88.213.13.3
      | alias 88.213.14.3
      |
--------------
-  My Router -
-------------- 192.168.3.1
 |   |    | 
 |   |    |
--- ---  --- 
.10 .11  .12
 
Did the ISP give you a default gateway to use for each subnet?

You will at least need to set up NAT. By doing so, all the internal hosts aren't accessible from the Internet unless you specifically set that up.

All three firewalls on FreeBSD should be capable of that. Pick one, try one. If it doesn't work for you, try another.
 
Yes, I have gateways for each subnet. The gateway server also has an extra network card for the private LAN, so, leaving security aside for now, how would I tell my gateway to route requests made by the machines in the local network?

I have actually tried NAT..

Code:
~ # cat /etc/rc.conf | grep "gateway_enable"
gateway_enable="YES"

~ # cat /etc/ipnat.rules
map bge0 192.168.3.0/24 -> 0.0.0.0/32 portmap tcp/udp 40000:65000
map bge0 192.168.3.0/24 -> 0.0.0.0/32

~ # ipnat -f /etc/ipnat.rules
~ # /etc/rc.d/routed start

The result was a ton of messages like this (assume 88.123.13.142 is my ISP's router):
Code:
Dec 21 21:00:00 gateway-001 kernel: arplookup 88.123.13.142 failed: host is not on local network
Dec 21 21:00:00 gateway-001 kernel: arpresolve: can't allocate route for 88.123.13.142

I think this had something to do with the aliases in several subnets, but I had to disable all router-related config again and reboot the machine to be able to SSH into it from the WAN again.
 
First, don't use ipfilter. Use PF. IPF is pretty much dead on FreeBSD, replaced by PF.

Second, if you are using RFC1918 addresses on the private network (192.168.0.0/16, 172.16.0.0/20, 10.0.0.0/8, etc), then you cannot use routing. These are non-routable subnets by definition. You have to use NAT, to translate between the private addresses and a public/routable address.

Third, the simplest method to do so is via the binat keyword in PF. This will translate incoming and outgoing packets. If you just want to translate outgoing packets, use the nat keyword.

Fourth, you should read through the excellent PF handbook and FAQ. While it's written with OpenBSD in mind, most of it translates over to FreeBSD just fine.
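To make the nat/binat distinction from the reply above concrete, here is an added example (not from anyone in this thread) of a minimal PF setup for the diagram in the first post: the rc.conf lines that replace the ipnat configuration, followed by a pf.conf that NATs the private LAN out through one chosen public address, with a commented binat line showing the two-way alternative. The LAN interface name bge1, the netmasks, the ISP gateway 88.123.12.1 and the choice of 88.123.12.3 as the NAT address are assumptions; bge0 and the addresses come from the thread.

```pf
# --- /etc/rc.conf (additions) ---
# gateway_enable turns on IP forwarding; PF replaces ipnat/ipfilter.
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
# The default gateway must lie inside a subnet that is configured on bge0;
# otherwise the kernel logs "arplookup ... host is not on local network".
defaultrouter="88.123.12.1"      # assumed ISP gateway for the primary subnet
ifconfig_bge0="inet 88.123.12.3 netmask 255.255.255.0"          # mask assumed
ifconfig_bge0_alias0="inet 88.213.13.3 netmask 255.255.255.0"   # mask assumed
ifconfig_bge0_alias1="inet 88.213.14.3 netmask 255.255.255.0"   # mask assumed
ifconfig_bge1="inet 192.168.3.1 netmask 255.255.255.0"          # bge1 assumed

# --- /etc/pf.conf ---
ext_if = "bge0"
int_if = "bge1"
lan    = "192.168.3.0/24"

# Outbound-only translation (what the first post asks for): every LAN host
# leaves as 88.123.12.3. With several aliases on bge0, name the address
# explicitly instead of "($ext_if)", which would pick the primary address.
nat on $ext_if from $lan to any -> 88.123.12.3

# Two-way alternative: map one internal host 1:1 onto a spare alias so that
# inbound traffic to 88.213.13.3 also reaches it. Only needed if a LAN host
# must be reachable from the Internet, which the first post says it is not.
#binat on $ext_if from 192.168.3.10 to any -> 88.213.13.3

# Default-deny filter with stateful rules: the LAN may go out, nothing comes
# in unsolicited except SSH to the gateway's own public addresses.
block in all
pass out keep state
pass in on $int_if from $lan to any keep state
pass in on $ext_if proto tcp from any to ($ext_if) port 22 keep state
```

Load the ruleset with `pfctl -f /etc/pf.conf` and check the translations with `pfctl -s nat` before rebooting, so a mistake can be undone from the console rather than from a locked-out WAN session.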
 