Re: multihome network
Girish Venkatachalam wrote:
On 00:18:42 Nov 16, alexus wrote:
Hello,

I have two NICs on my box, one (primary) connected to switch and have
private IP. that IP also have a static route on Cisco PIX for
accessing this box from outside. the other interface has public IP
that is connected to another switch, i configure both IPs through
/etc/rc.conf, but I can not for some reason access my box through that
public IP, no firewall rules would prevent me from doing so. here is
my output for netstat -rn


-- snip

Your default route is 192.168.1.1 and not 216.112.241.24

Yes, but if he changes that, then he won't be able to access the box via
the PIX (private) connection.

I will make these assumptions, then elaborate:

The box in question is at your office. You are at home trying to access
it. The connection works by connecting to the public IP of the PIX (that
gets port-forwarded back), but does not work when accessing the direct
Internet facing port.

I'm willing to bet that if you run a tcpdump on your machine at home while
you are attempting the connection to the 216.112.241.x IP, you will actually
find that the machine is getting back to you just fine. However, many
OSes will drop a 'spoofed' packet. Essentially what is likely happening
is this:

- you send from home a packet to 216.112.241.x.
- the office router/box accepts it
- the office router looks up in its routing table a path back to your
home IP
- it has no particular route, so it sends it out the default gateway
(192.168.1.1)
- your pc at home notices that the packet was sent to a destination IP,
but it came back from a different one (the outside IP of the PIX)
- the packet is dropped as the source address is spoofed

There are a couple of ways to fix this. The first and easiest, if you are
only trying to connect to this box's public IP from one location, is to add a
static route on the office box to that network that routes to its
public upstream.

The other way is to utilize policy-based routing. IPFW can do this, and
(from what I understand) so can PF. (In Cisco-land, you would use a
route-map).

Steve
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
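The asymmetric-routing failure Steve describes, and both of his fixes, can be reproduced without a second NIC. The following is an added example (not code from the thread): a small model of a dual-homed host's forwarding decision, with destination-based longest-prefix matching plus an optional source-based policy table. The 192.168.1.1 default gateway and the 216.112.241.x public address come from the thread; the /24 masks, the interface names em0/em1, the public upstream 216.112.241.1, the PIX outside address and the "home" client address are assumptions made up for the simulation.

```python
"""
Model why a dual-homed box with one default route answers on the wrong
interface, and how a static route or a source-based policy rule fixes it.
Added example for the freebsd-questions thread above; addresses marked
'assumed' are not from the thread.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import List, Optional, Tuple

PRIV_GW = ip_address("192.168.1.1")       # default gateway, from the thread
PUB_IP = ip_address("216.112.241.24")     # public NIC address, from the thread
PUB_GW = ip_address("216.112.241.1")      # assumed upstream of the public NIC
PIX_OUTSIDE = ip_address("198.51.100.2")  # assumed outside address of the PIX
HOME_IP = ip_address("203.0.113.7")       # assumed client address at home


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    gateway: Optional[IPv4Address]  # None means directly connected
    iface: str


@dataclass
class Host:
    routes: List[Route] = field(default_factory=list)
    # Policy rules (source address, next hop, interface). A kernel with
    # policy-based routing (PF/IPFW) consults these before the plain table.
    policy: List[Tuple[IPv4Address, IPv4Address, str]] = field(default_factory=list)

    def lookup(self, dst: IPv4Address) -> Optional[Route]:
        """Ordinary destination-based longest-prefix match."""
        best = None
        for r in self.routes:
            if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def egress(self, src: IPv4Address, dst: IPv4Address) -> Tuple[str, IPv4Address]:
        """Return (interface, next hop) chosen for a packet src -> dst."""
        for rule_src, gw, iface in self.policy:
            if src == rule_src:
                return iface, gw
        r = self.lookup(dst)
        if r is None:
            raise LookupError("no route to host")
        return r.iface, (r.gateway if r.gateway is not None else dst)


def base_host() -> Host:
    """The box as described: one default route via the PIX-side LAN."""
    h = Host()
    h.routes.append(Route(ip_network("0.0.0.0/0"), PRIV_GW, "em0"))        # default
    h.routes.append(Route(ip_network("192.168.1.0/24"), None, "em0"))      # private LAN
    h.routes.append(Route(ip_network("216.112.241.0/24"), None, "em1"))    # public LAN
    return h


def static_route_fix() -> Host:
    """Fix 1: pin the client's network to the public upstream."""
    h = base_host()
    h.routes.append(Route(ip_network("203.0.113.0/24"), PUB_GW, "em1"))
    return h


def policy_fix() -> Host:
    """Fix 2: anything sourced from the public IP leaves via the public NIC."""
    h = base_host()
    h.policy.append((PUB_IP, PUB_GW, "em1"))
    return h


def reply_path(host: Host) -> Tuple[str, IPv4Address]:
    """The client at HOME_IP sends a SYN to PUB_IP; where does the SYN-ACK go?"""
    return host.egress(src=PUB_IP, dst=HOME_IP)


def as_seen_by_client(host: Host) -> Tuple[IPv4Address, bool]:
    """Source address the client sees on the reply, and whether it matches
    the address it connected to. A reply leaving via em0 is NATed by the
    PIX to its outside address, so the client's socket never matches it."""
    iface, _ = reply_path(host)
    src_seen = PIX_OUTSIDE if iface == "em0" else PUB_IP
    return src_seen, src_seen == PUB_IP


if __name__ == "__main__":
    for name, h in (("default route only", base_host()),
                    ("static route", static_route_fix()),
                    ("policy routing", policy_fix())):
        print(f"{name:20s} reply via {reply_path(h)}  client sees {as_seen_by_client(h)}")
```

With only the default route the reply leaves em0 toward 192.168.1.1 and reaches the client with the PIX's address as its source, which is exactly the mismatch tcpdump would show. Either fix makes the reply leave em1. On FreeBSD the first fix is a `route add -net` for the client's network via the public NIC's gateway (add it to rc.conf so it survives a reboot); the second is PF's `reply-to` keyword on the rule that passes traffic in on the public interface, which records the inbound interface and gateway in the state entry and sends replies back the same way.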