<?xml version="1.0" encoding="UTF-8"?>

<rss version="2.0" xmlns:blogChannel="http://backend.userland.com/blogChannelModule">

<channel>
<title>[help] OOL Static IP in OptimumOnline</title>
<link>http://www.dslreports.com/forum/r21131761</link>
<description></description>
<language>en</language>
<pubDate>Wed, 11 Nov 2009 13:29:21 EDT</pubDate>
<lastBuildDate>Wed, 11 Nov 2009 13:29:21 EDT</lastBuildDate>

<item>
<title>Re: [help] OOL Static IP</title>
<link>http://www.dslreports.com/forum/remark,21137585</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : <div class="bquote"><small>said by  petec <A HREF="/useremail/u/1582549"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>{snip} .. so you should have control of all the IPs except the one assigned to the Cisco box, the Default Gateway for your sub-net. .. {snip}<br><br>I have a feeling this is the problem . . <br><br>was trying to follow the examples given at the website for pf (newbie/amateur sysadmin) to configure my gateway for a dmz and internal network .. but I guess I don't get control of the gateway .. <br><br>so it seems that the standard way to do things won't work<br><br>can I use a different IP for my gateway, giving me one less for use in my dmz? <br><br>Pete C<br> </div>Newbie/Amateur is the word.<br><br>No matter which service provider you choose for routed static-IP, there'll always be an edge device that will route the relevant subnet (/29 for static-IP), and take 1 of the 8 IPs as its own ethernet gateway address. It is irrelevant that OOL chooses to deliver that service to your premises with 2 edge devices (cable modem and Cisco 851) - the result is the same: routed network on local ethernet out of the edge device.<br><br>As you want traffic for the ENTIRE subnet to traverse your FW, you will have to do what EVERY FW worth its bits can do: layer-2 bridging.<br><br>Available in FBSD since what - 5.2?<br><br>/etc/sysctl.conf :<br>net.link.ether.bridge_ipfw=1<br>net.link.ether.bridge.config=fxp0,fxp1<br>net.link.ether.bridge.enable=1<br><br>Google from there.<br><br>If you had your heart set on PF instead of ipfw2, you will want to ask yourself why - I have no idea if the current 6.x kernel versions support bridge operation for PF.<br><br>The FW box should not have a configured IP for the external interface, but MAY bind with 1 or more IPs to the internal (protected) interface to which you connect your other machines. 
That way all ipfw rules apply to service directed at the FW itself as well.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,21137585</guid>
<pubDate>Fri, 19 Sep 2008 15:01:01 EDT</pubDate>
</item>

<item>
<title>Re: [help] OOL Static IP</title>
<link>http://www.dslreports.com/forum/remark,21134312</link>
<description><![CDATA[<A HREF="/useremail/u/653770"><b>TheWiseGuy</b></A> : I'm far from an expert on this type of firewall, you might try the security or the Unix forum. Still I don't see anything there that would prevent you from setting up connected to the OOL router. <br><br>One thing you probably do need to change is your static network is not /24 but /29. Also I do not know your public IP addresses, if they do not end in 1-5 (x.x.x.1 - x.x.x.5), you would need to change the zero to the first IP-1 <br><br>As an example if your first IP were 167.206.251.9 the network would be 167.206.251.8/29<br><br>This is the main line that would need to be changed for the subnet and IPs <br># Configured Networks<br>EXT= "x.x.x.0/29" <br><br>Also this seems to be using one to one NAT. This means the servers will be set up with Private IPs Mapped one to one to the Public IPs, and again, unless the Public IPs end in 1-5 you would need to change the server IPs in the Firewall code to reflect the correct last octet.<br><br>I don't know much about one-one NAT on the freebsd machine but in the BI-NAT section it mentions using Proxy ARP or ifconfig aliases for the Binat to be useful.<br><br>Lastly the OOL cable modems are in the 10.xxx.xxx.xxx range, while I do not think that the use of the 10.10.xxx.xxx range and the Reserving of the whole 10.xxx.xxx.xxx range in the example is a problem, if all else fails you might change to a different private IP range. Since you have static IPs it should not matter that DHCP is done from the CMTS private 10.xxx.xxx.xxx address.<br><br>Good Luck<br><small>--<br>Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,21134312</guid>
<pubDate>Thu, 18 Sep 2008 22:52:28 EDT</pubDate>
</item>

<item>
<title>Re: [help] OOL Static IP</title>
<link>http://www.dslreports.com/forum/remark,21134013</link>
<description><![CDATA[<A HREF="/useremail/u/1582549"><b>petec</b></A> : I'm trying to implement something similar to this (see 3rd post) &raquo;<A HREF="http://64.233.169.104/search?q=cache:99iWMHBvUqMJ:www.bsdforums.org/forums/archive/index.php/t-13302.html+pf+dmz+rules&hl=en&ct=clnk&cd=12&gl=us" >64.233.169.104/search?q=cache:99&middot;&middot;&middot;12&gl=us</A><br><br>(link is to a google cached page, bsdforums.com seems to be down)<br><br>I made the necessary changes to the example for my network, but when I load the rules I lose connectivity.<br><br>I want to have pf do nat on the public IPs to reserved IPs on the dmz box.<br><br>appreciate any help you can offer<br><br>Pete C]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,21134013</guid>
<pubDate>Thu, 18 Sep 2008 21:46:09 EDT</pubDate>
</item>

<item>
<title>Re: [help] OOL Static IP</title>
<link>http://www.dslreports.com/forum/remark,21133582</link>
<description><![CDATA[<A HREF="/useremail/u/653770"><b>TheWiseGuy</b></A> : Can you give me a link to the pages, I'll take a quick look and see if I can figure out what you are trying to do.<br><br>Also, can you explain a little more what you are trying to do, are you trying to use the Public IPs on servers in the DMZ, are you trying to use NAT to the servers in the DMZ. You have full control over the 5 static IPs. The Gateway IP is a sixth IP in your subnet and is the IP of the CV router, but if you connected the FreeBSD box directly to the Modem then the Gateway IP would be the IP of the CMTS which you would not have control over. <br><small>--<br>Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,21133582</guid>
<pubDate>Thu, 18 Sep 2008 20:20:09 EDT</pubDate>
</item>

<item>
<title>Re: [help] OOL Static IP</title>
<link>http://www.dslreports.com/forum/remark,21133455</link>
<description><![CDATA[<A HREF="/useremail/u/1404694"><b>majortom1029</b></A> : We have BOOL with Boost and we are using a ZyXEL ZyWALL 70 behind their Cisco 851. What is the problem that you are having? <br><br>Your router would be given one of the static IPs assigned to you.<br><br>Cablevision's Cisco router does not affect anything.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,21133455</guid>
<pubDate>Thu, 18 Sep 2008 19:58:29 EDT</pubDate>
</item>

<item>
<title>Re: [help] OOL Static IP</title>
<link>http://www.dslreports.com/forum/remark,21133418</link>
<description><![CDATA[<A HREF="/useremail/u/1582549"><b>petec</b></A> : {snip} .. so you should have control of all the IPs except the one assigned to the Cisco box, the Default Gateway for your sub-net. .. {snip}<br><br>I have a feeling this is the problem . . <br><br>was trying to follow the examples given at the website for pf (newbie/amateur sysadmin) to configure my gateway for a dmz and internal network .. but I guess I don't get control of the gateway .. <br><br>so it seems that the standard way to do things won't work<br><br>can I use a different IP for my gateway, giving me one less for use in my dmz? <br><br>Pete C]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,21133418</guid>
<pubDate>Thu, 18 Sep 2008 19:51:46 EDT</pubDate>
</item>

<item>
<title>Re: [help] OOL Static IP</title>
<link>http://www.dslreports.com/forum/remark,21133120</link>
<description><![CDATA[<A HREF="/useremail/u/653770"><b>TheWiseGuy</b></A> : Sorry I don't understand what you mean by you have to kludge the rules. How does the CV router differ from the CMTS or any Internet router that passes packets? What do you mean when you say that you need to have control of the IPs, the Cisco box simply forwards packets with the static IPs, so you should have control of all the IPs except the one assigned to the Cisco box, the Default Gateway for your sub-net. <br><br>I have quite a bit of understanding of how firewall rules work, I don't have any experience with FreeBSD or the pf firewall, but I do understand rule making. I'm not sure what you are having a problem doing, maybe you can explain it a little better? I'm not sure why you would need to kludge a firewall's rules in any way. I would be interested if you could explain a little better what you need to kludge.<br><small>--<br>Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,21133120</guid>
<pubDate>Thu, 18 Sep 2008 18:54:10 EDT</pubDate>
</item>

<item>
<title>Re: [help] OOL Static IP</title>
<link>http://www.dslreports.com/forum/remark,21132691</link>
<description><![CDATA[<A HREF="/useremail/u/1582549"><b>petec</b></A> : To do things correctly (follow industry standard practices,) I need to have control of the IPs assigned to the Cisco box, with it in the loop I have to kludge up my rules to deal with it. One workaround then leads to another . . so starting off with a non-standard connection out is not the way I want to go.<br><br>Pete C]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,21132691</guid>
<pubDate>Thu, 18 Sep 2008 17:35:19 EDT</pubDate>
</item>

<item>
<title>Re: [help] OOL Static IP</title>
<link>http://www.dslreports.com/forum/remark,21132219</link>
<description><![CDATA[<A HREF="/useremail/u/653770"><b>TheWiseGuy</b></A> : Their router is basically passing packets. I do not believe there is any way it could affect your box's ability to firewall. If the packets are getting to the box, and you can run a sniffer (Wireshark runs on FreeBSD) and see if they are getting to your box, then your box can have rules that allow/disallow those packets.<br><br>&raquo;<A HREF="http://www.wireshark.org/download.html" >www.wireshark.org/download.html</A> <br><small>--<br>Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,21132219</guid>
<pubDate>Thu, 18 Sep 2008 16:19:46 EDT</pubDate>
</item>

<item>
<title>Re: [help] OOL Static IP</title>
<link>http://www.dslreports.com/forum/remark,21131905</link>
<description><![CDATA[<A HREF="/useremail/u/1582549"><b>petec</b></A> : I want to run my own router/NAT/firewall (so I can set up a dmz with my own DNS, WWW and mail servers). Trying to get my firewall (pf) running, but can't. Was suggested at FreeBSD-questions mail list that the router and my FreeBSD box are conflicting w/ each other, causing my pf rules to not work as they should.<br><br>Pete C]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,21131905</guid>
<pubDate>Thu, 18 Sep 2008 15:32:55 EDT</pubDate>
</item>

<item>
<title>Re: [help] OOL Static IP</title>
<link>http://www.dslreports.com/forum/remark,21131808</link>
<description><![CDATA[<A HREF="/useremail/u/653770"><b>TheWiseGuy</b></A> : What is the problem you are having?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,21131808</guid>
<pubDate>Thu, 18 Sep 2008 15:17:44 EDT</pubDate>
</item>

<item>
<title>Re: [help] OOL Static IP</title>
<link>http://www.dslreports.com/forum/remark,21131792</link>
<description><![CDATA[<A HREF="/useremail/u/177643"><b>Irish Shark</b></A> : <div class="bquote"><small>said by  petec <A HREF="/useremail/u/1582549"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br> Is there any way to take the Cisco out of the equation? </div>No<br><small>--<br>"You can observe a lot by watching". Yogi Berra</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,21131792</guid>
<pubDate>Thu, 18 Sep 2008 15:14:38 EDT</pubDate>
</item>

<item>
<title>[help] OOL Static IP</title>
<link>http://www.dslreports.com/forum/remark,21131761</link>
<description><![CDATA[<A HREF="/useremail/u/1582549"><b>petec</b></A> : recently upgraded to BOOL w/ static IPs and I'm having trouble getting <i>my</i> router working. The tech installed a Cisco 851 but I want to use a FreeBSD box running pf for NAT/firewall. Is there any way to take the Cisco out of the equation?<br><br>TIA<br><br>Pete C]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,21131761</guid>
<pubDate>Thu, 18 Sep 2008 15:09:57 EDT</pubDate>
</item>

</channel>
</rss>
