
This might sound like a noob question, but here is what I have to configure:

  • FreeBSD
  • 1 server with 2 network cards
  • 1 network card for internal IP addresses (5 of them)
  • 1 network card for external IP addresses (3 of them)
  • the server is the DNS server as well as the Proxy Server and Samba server
  • one router Netgear SRX5308 (SNMP enabled)
  • A GB Cisco switch 48 ports (SNMP enabled)

I want the internal traffic (192.168.x.x) to be routed through one card and the "external" traffic through the other network card.

My rc.conf looks something like this:

defaultrouter="174.###.49"
static_routes="office"
route_office="-net 192.0.0.0/8 192.168.1.1"
ifconfig_em0="inet 192.168.1.9 netmask 255.255.0.0 broadcast 192.168.1.255"
ifconfig_em0_alias0="inet 192.168.1.10 netmask 255.255.255.255 broadcast 192.168.1.10"
ifconfig_em0_alias1="inet 192.168.1.11 netmask 255.255.255.255 broadcast 192.168.1.11"
ifconfig_em0_alias2="inet 192.168.1.12 netmask 255.255.255.255 broadcast 192.168.1.12"
ifconfig_em0_alias3="inet 192.168.1.231 netmask 255.255.255.255 broadcast 192.168.1.231"
ifconfig_em1="inet 174.###.51 netmask 255.255.255.248 broadcast 174.###.55"
ifconfig_em1_alias0="inet 174.###.52 netmask 255.255.255.255 broadcast 174.###.52"
ifconfig_em1_alias1="inet 174.###.53 netmask 255.255.255.255 broadcast 174.###.53"

Currently everything works, but I have em0 (internal) connected to the switch and em1 (external) directly connected to the external line.

What I would like to do is to connect the external line to the same switch or the netgear router so I can monitor the traffic better.

I have tried to configure the router with a DMZ (174.###.51/255.255.255.252) but it didn't work. I have also tried to set the default router to 192.168.1.1 and connect both to the switch. This worked and I was able to connect with the outside world, but the servers were not reachable from outside.

I know some routers have a "reroute" feature for the IP address: you hit "174.###.##" and it reroutes to 192.168.1.9, but I can't find it on this router.

I know I could purchase a small smart switch with SNMP and it would be solved, but I believe that what I want to achieve is already possible with what I have, I just don't know how to configure it right.

Keep in mind that I am converting an old network with 3 servers into one server and I cannot drop nor change the IP addresses for now. The server is also a monitoring system for other servers as well as a backup, and it has a small HTML page that needs to be accessible from everywhere.

Thank you

EDIT:

What I am trying to achieve is:

current configuration: ISP -> SERVER && INTERNAL -> SWITCH -> SERVER -> ISP

what I want is: ISP -> ROUTER -> SERVER && INTERNAL -> SWITCH -> SERVER

I would also like to keep em0 for only 192 traffic and em1 for only 174 incoming traffic and all the outgoing traffic (this is also a proxy server).

EDIT 2: Let's see if I can explain myself better. Sorry, English is not my first language.

I want:

  • Outgoing traffic: em0: USER -> SWITCH -> SERVER -> ROUTER -> THE NET -> ROUTER -> SERVER -> SWITCH -> USER
  • Incoming traffic: em1 THE NET -> ROUTER -> SERVER

Currently I have:

  • outgoing: em0 USER -> SWITCH -> SERVER -> THE NET -> SERVER -> SWITCH -> USER
  • incoming: em1 THE NET -> SERVER

Incoming is used for backups, some HTTP traffic, various rsync jobs, and push monitoring (something I wrote, monitoring both ways: checking the outside server and waiting for information from the outside server, not at the same time that the "send" is done).

Fabrizio
  • Can you perhaps draw a diagram of what your current situation is and clarify your description of what you're trying to accomplish? I *think* what you want is traffic graphing for your server, and if that's the case you're probably making things way more complicated than they need to be... – voretaq7 Jul 30 '12 at 19:26

2 Answers


If your Netgear is not a firewall, your default needs to point to the ISP address on your em1 interface. Your em1 can connect to the ISP through the Netgear switch as long as the ISP connection is bridged by that switch.

If that Netgear is actually a firewall, you need to remove the 174 address from your FreeBSD machine, move that address to the Netgear, and rely on the Netgear to do NAT. At this point, your FreeBSD default should point to the Netgear and the Netgear should default to the ISP.

As for "rerouting" to 192.168.1.9, that's called NAT; it's a common feature on firewalls, and it also happens to be in the BSD kernel. I'm not sure why you're configuring so many 192.168.x.x addresses on em0, but it looks a little strange. Other than these points, it's not entirely clear what else you want to do; perhaps this is a good start.

EDIT:

Since you have a real Netgear SRX5308 firewall, you need to simplify your topology.

  • Connect freebsd's em0 to one LAN port on the netgear
  • Add a default on your freebsd machine to point to the netgear's 172.16.x.x address
  • Connect your ISP1 uplink to the "WAN 1" port on the netgear (it has 4 WAN ports)
  • Connect your ISP2 uplink to the "WAN 2" port on the netgear
  • Assign your 174.x.x.x address to Netgear's WAN 1
  • Assign your 70.x.x.x address to Netgear's WAN 2
  • Set a default route on the netgear to point to your ISP1's router (this will need to be dynamically scripted to change in the event of a failover to the new ISP)
  • Set up a script to perform failover detection and reconfiguration to go to ISP2's router (or maybe use a real Cisco with EEM static routing at this point???)
  • Perform NAT on WAN 1 for your 172.16.1.10 addresses and services
  • Perform NAT on WAN 2 for your 172.16.1.10 addresses and services
  • Configure all clients to default through the freebsd machine, which is also acting as a router / http proxy.
  • Map your services to the various ISP NATs with Dynamic DNS

I am including a link to the Netgear SRX5308 documentation, which I hope helps; I'm a bit concerned that you're getting in over your head, but assuming you've tried to read the docs yourself I will answer whatever questions I can.

(diagram: bsd_topology_02)

Mike Pennington
  • In other words I do not want the ISP cable connected to the server, but I want it connected to the router and then have the router decide where to send the traffic (192 = internal, 171.###.51-54 that specific card, everything else load balance) – Fabrizio Jul 30 '12 at 19:30
  • If you have a netgear firewall, then yes connect the ISP cable to the firewall (and you can completely remove `em1` from the picture). May I request that you draw a diagram of what you're trying to do, the various 192.168 / 174.x.x.x addresses involved, and also make a list of features (such as load-balancing, NAT, etc...) that you need? It's perfectly acceptable to obscure the real 174 addresses by changing an octet or two, but we need a better description of what you're trying to do – Mike Pennington Jul 30 '12 at 19:31
  • The 192 IP addresses will SOON be removed, I am consolidating 3 different servers and until everything works I do not want to go around and change the DNS/Proxy/etc.. sadly the previous person didn't use an internal DNS and everything was configured as IP address – Fabrizio Jul 30 '12 at 19:33
  • Not sure I can design one here, but it is simple (I think). Current: `ISP -> SERVER && INTERNAL -> SWITCH -> SERVER -> ISP`; what I want is `ISP -> ROUTER -> SERVER && INTERNAL -> SWITCH -> SERVER`. I cannot find the NAT functionality on this router and the WAN mode is set to NAT – Fabrizio Jul 30 '12 at 19:38
  • NETGEAR ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 – Fabrizio Jul 30 '12 at 19:41
  • OK, everything is done, but point 6 is what I am not able to do on this router. And what will I do with `em1`? As I am using this machine as a proxy, I was hoping to make use of both network cards, one ONLY for internal traffic and one only for external, so I can perform backups without clogging the network too much (as I am doing right now) – Fabrizio Jul 30 '12 at 19:56
  • When you give us a diagram of what you need I can elaborate further. What protocols are you proxying for with the freebsd box? – Mike Pennington Jul 30 '12 at 20:01
  • HTTP and HTTPS only. Everything else currently goes on a different line (WAN1 on the Netgear). I would like everything else to be transferred with a failback configuration; in other words, use 174.###.## only for incoming traffic, else let the router decide which WAN to use to fetch the data. I am going to update my question further – Fabrizio Jul 30 '12 at 20:07
  • What did you use to create the graph? I will create one right away. Yes, I am well over my head with this, but I have to figure it out. Your diagram is perfect except it needs to add a WAN 70.X.X.X that goes to a different ISP (it is a failover line currently used for SSH etc.). I'll read the manual again and see if I can replicate your configuration. Thank you very much – Fabrizio Jul 30 '12 at 20:41
  • I used [inkscape](http://inkscape.org/) with [Cisco's icons converted to SVG](http://bucksnort.pennington.net/blog/post/svg-from-eps/) – Mike Pennington Jul 30 '12 at 20:43
  • OK, so if I understand this right, using the names that I already have configured: connect the switch to Lan1, using qVLan; connect em0 to Lan2, using qVLan; connect em1 to Lan3 using qVLan10 (NO IP change, you wrote another internal network IP 172.x.x.x); and then configure the clients to use 192.168.1.9 (server IP) as router. – Fabrizio Jul 30 '12 at 20:48
  • You need to change the address on `em1` so you can use the 174.x.x.x and 70.x.x.x addresses on the netgear. Since you're using `em1` as the egress LAN interface, you need to assign your NAT configuration to use this address on the netgear... Most of what you said otherwise looks ok, but you have a rather complex topology for someone who is starting out with networking... – Mike Pennington Jul 30 '12 at 20:57
  • Great. I believe I understand also the reasons why and how to do it. Thank you very much. Yes it is complex but a man gotta do what a man gotta do :-) – Fabrizio Jul 30 '12 at 21:00
  • you're most welcome... best of luck with your endeavors... if you run into a snag, you can always ask another question that is specific to your (new) problem – Mike Pennington Jul 30 '12 at 21:01
  • let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/4333/discussion-between-fabrizio-and-mike-pennington) – Fabrizio Jul 31 '12 at 15:19
  • Thank you. Do you think that there is a way for the NetGear to send the correct gateway? Right now it sends 192.168.1.1, where per your suggestion we want it to send 192.168.1.9 (my server IP) – Fabrizio Jul 31 '12 at 15:21
  • I'm waiting for you in [chat](http://chat.stackexchange.com/rooms/4333/discussion-between-fabrizio-and-mike-pennington)... – Mike Pennington Jul 31 '12 at 15:38
  1. All those broadcast lines shouldn't be in there unless you have a spectacular reason for them.
  2. It's much easier to specify the netmasks in CIDR notation, but not necessary.
  3. Most ISPs will only enable the modem to talk to 1 MAC address. So you can't have both the Server and the Netgear router on the same external line. I'm really not sure what you'd expect to get out of that anyway.
  4. Why do you think you need SNMP?

What you've specified in the question should mostly be possible. I'm just not clear on everything you're trying to accomplish.

Chris S
  • How would you rewrite the lines? Not sure what you mean with point ??? Their modem is connected to our router. I use SNMP to monitor the in/out traffic with MRTG – Fabrizio Jul 30 '12 at 19:26
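As an added example (not code from the question or either answer), the following POSIX sh helper rewrites rc.conf ifconfig lines into the CIDR form Chris S recommends in points 1 and 2, rejects non-contiguous netmasks, and computes the broadcast address a netmask actually implies, which is how a mismatch like the question's em0 line (netmask 255.255.0.0 paired with broadcast 192.168.1.255) can be caught before it goes into rc.conf. The 203.0.113.0/29 block is a constructed stand-in for the question's obscured 174.###.x addresses.

```shell
# Added example, not code from the question or the answers; 203.0.113.0/29 is
# a constructed stand-in for the question's obscured 174.###.x block.
# ip2int DOTTED -> unsigned 32-bit value; returns 1 on a malformed address
ip2int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  n=0
  for o in "$1" "$2" "$3" "$4"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
    n=$(( (n << 8) | o ))
  done
  echo "$n"
}
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
# mask2prefix MASK -> prefix length; returns 1 unless the mask is a contiguous
# run of 1-bits, so a typo such as 255.0.255.0 is rejected rather than accepted
mask2prefix() {
  n=$(ip2int "$1") || return 1
  prefix=0; bit=$(( 1 << 31 ))
  while [ $(( n & bit )) -ne 0 ]; do
    prefix=$(( prefix + 1 )); bit=$(( bit >> 1 ))
  done
  [ $(( n & (4294967295 >> prefix) )) -eq 0 ] || return 1
  echo "$prefix"
}
# broadcast_of ADDR MASK -> broadcast the mask implies; compare it with any
# hand-typed broadcast= value before trusting that value
broadcast_of() {
  a=$(ip2int "$1") && m=$(ip2int "$2") && mask2prefix "$2" > /dev/null || return 1
  int2ip $(( a | (4294967295 ^ m) ))
}
# rc_line IFNAME ADDR MASK [ALIAS_INDEX] -> the same rc.conf line in CIDR
# notation with no broadcast= clause (a same-subnet alias keeps its /32)
rc_line() {
  p=$(mask2prefix "$3") || return 1
  if [ -n "$4" ]; then
    echo "ifconfig_${1}_alias$4=\"inet $2/$p\""
  else
    echo "ifconfig_$1=\"inet $2/$p\""
  fi
}
# The question's em1 block, rewritten with the stand-in addresses
rc_line em1 203.0.113.51 255.255.255.248
rc_line em1 203.0.113.52 255.255.255.255 0
rc_line em1 203.0.113.53 255.255.255.255 1
# The question's em0 line pairs netmask 255.255.0.0 with broadcast 192.168.1.255
echo "broadcast for 192.168.1.9/16 is really $(broadcast_of 192.168.1.9 255.255.0.0)"
```

Running it prints the three em1 lines as `inet 203.0.113.51/29`, `/32`, `/32` and reports 192.168.255.255 as the broadcast that a /16 on 192.168.1.9 implies.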