Subject: Re: Networking problem.
To: Richard Rauch <rauch@rice.edu>
From: Rasputin <rasputin@idoru.mine.nu>
List: netbsd-help
Date: 11/28/2002 22:19:51
* Richard Rauch <rauch@rice.edu> [1123 16:23]:

<Yeah, I know - me again. But bear with me; if you're confused still,
this sorts it out, I think :) >

> > > > > One machine in my LAN:
> > > > >       ethernet card 1: tlp0
> > > > >        network name 1: hermes      (66.136.7.251)
> > > > >
> > > > > My DSL router/gateway:
> > > > >        ethernet card 1: rtk0
> > > > >         network name 1: gate       (66.136.7.249)
> > > > >
> > > > >        ethernet card 2: tlp0
> > > > >         network name 2: prometheus (66.136.7.250)

> > > > How many static IP addresses are you getting from your ISP, and
> > > > how many machines do you have on your home network?

> > Right, these addresses are all on the same /29 network
> > (i.e. 255.255.255.248 subnet mask) - so they're only valid there.
> 
> I do not understand what you mean by "they're only valid there".  They are
> globally valid addresses.  (Or should be.)

I meant if these are all on the same subnet, the DSL router (i.e. BSD gateway machine) 
should only have 1 interface on this network - but see below.

> > The 6 valid addresses are from 66.136.7.249 ->  66.136.7.254
> 
> Of which .254 is taken up by a gateway on the other end of the DSL modem.

I think I've sussed it.
If you're saying that the ISP end of the link has one of these IPs, then
the ISP end of the link and hermes (say) are both on the same network, and
prometheus shouldn't be routing at all. hermes is directly connected to the net just
as prometheus is.

Plug all your machines and the modem into a hub and point them all at .254 as a gateway. 
This'll work:


 router at  ISP  ----  < 66.136.7.248 network > -- prometheus 
                                                -- hermes
                                                -- others

All you need NetBSD-wise on your machines then is:

$ ifconfig interfacename 66.136.7.24X/29 up
$ route add default 66.136.7.249

and 
echo 66.136.7.249 > /etc/mygate
echo 66.136.7.24X/29 > /etc/ifconfig.interfacename
echo 'auto_ifconfig=YES' >> /etc/rc.conf

to make it stick. (interfacename = rtk0 or whatever is pointing to the net, X a free IP).
Slap in /etc/resolv.conf and you're off.

At the moment prometheus is trying to route between two interfaces which are
both on the same LAN, like this:

   ISP  ----  < 66.136.7.248/29 network > -- prometheus --- <66.136.7.248/29> --- hermes

which makes no sense - that's why my last post was gibberish :).

If you want to firewall away some of the machines, then put the frontend interface (rtk0)
on your globally-accessible 66.136.7.248/29 network and create a private network block
on tlp0 (10.10.10.0/24 - reserved for intranet use), then hermes and co
can have addresses on that network, and be protected.

Like this:

   ISP  ----  < 66.136.7.248 network > -- prometheus --- <10.10.10.0/24> --- hermes

prometheus would then NAT between the two different networks. That's what mere mortals
like me do with our poxy single public (dynamic) IP; you don't need to do that because
you have public address space, but I can see why you might want to for security.

It's straightforward - see /Documentation/ on the netbsd website, it covers nat and
ipf pretty well - just seems like a bit of a waste of address space :) 

[ This also explains why your DHCP requests fail: there isn't a DHCP server on
the 66.137...  network. ]

-- 
Rasputin :: Jack of All Trades - Master of Nuns
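
Added example (not part of the original message): a small Python check of the addressing plans discussed in the post above, flagging a router whose interfaces share one subnet and confirming that a host's default gateway is on-link. The interface-to-address pairing follows the thread; the 10.10.10.x host numbers and all function names are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

def usable_hosts(cidr):
    """Return the assignable host addresses of a network as strings."""
    return [str(h) for h in ipaddress.ip_network(cidr).hosts()]

def overlapping_interfaces(interfaces):
    """Return pairs of interface names on one router whose subnets overlap.

    A router cannot forward between two interfaces on the same subnet:
    every destination looks directly connected on both of them.
    """
    nets = {name: ipaddress.ip_interface(addr).network
            for name, addr in interfaces.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]

def gateway_on_link(host_addr, gateway):
    """True if the gateway is a usable host address on the host's own subnet."""
    net = ipaddress.ip_interface(host_addr).network
    gw = ipaddress.ip_address(gateway)
    return gw in net and gw not in (net.network_address, net.broadcast_address)

def needs_nat(interfaces, inside):
    """True if the inside interface uses private space, so the router must NAT."""
    return ipaddress.ip_interface(interfaces[inside]).ip.is_private

# Router layouts from the thread; the 10.10.10.1 host number is constructed.
BROKEN = {"rtk0": "66.136.7.249/29", "tlp0": "66.136.7.250/29"}
NATTED = {"rtk0": "66.136.7.249/29", "tlp0": "10.10.10.1/24"}

if __name__ == "__main__":
    print("hosts in /29:", usable_hosts("66.136.7.248/29"))
    for label, layout in (("broken", BROKEN), ("natted", NATTED)):
        print(label, "overlaps:", overlapping_interfaces(layout),
              "needs NAT:", needs_nat(layout, "tlp0"))
    # hermes on the public /29 reaches the ISP router directly
    print("hermes -> .254 on-link:",
          gateway_on_link("66.136.7.251/29", "66.136.7.254"))
    # a host on the private block cannot use the ISP router as its gateway
    print("10.10.10.2 -> .254 on-link:",
          gateway_on_link("10.10.10.2/24", "66.136.7.254"))
```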