port-i386: Two Network Cards/ipf

Subject: Two Network Cards/ipf
To: None <port-i386@netbsd.org>
From: Ray Phillips <r.phillips@jkmrc.uq.edu.au>
List: port-i386
Date: 09/04/2002 18:32:25
I've put two network cards into a PC running NetBSD/i386 1.5, 
intending to run ipf on it and use it as a firewall, but I don't seem 
to know enough to get it working.

The info from dmesg for those cards is:

ne2 at pci0 dev 9 function 0: RealTek 8029 Ethernet
ne2: 10base2, 10baseT, 10baseT-FDX, auto, default [0x00 0x30] auto
ne2: Ethernet address 00:40:05:6b:f9:f3
ne2: interrupting at irq 5
ne3 at pci0 dev 10 function 0: RealTek 8029 Ethernet
ne3: 10base2, 10baseT, 10baseT-FDX, auto, default [0x00 0x30] auto
ne3: Ethernet address 00:40:05:e1:f6:fa
ne3: interrupting at irq 9

I thought I'd start with a simple test... In /etc/rc.conf I set 
ipfilter to YES, left auto_ifconfig set to YES, then created 
/etc/ifconfig.ne2 and /etc/ifconfig.ne3:

# cat /etc/ifconfig.ne2
inet 130.102.18.111 netmask 255.255.255.192
# cat /etc/ifconfig.ne3
inet 130.102.18.112 netmask 255.255.255.192

I added one line to /etc/sysctl.conf (its only uncommented line):

net.inet.ip.forwarding=1

and created /etc/ipf.conf:

# cat /etc/ipf.conf
pass in from any to any
pass out from any to any

# ifconfig ne2
ne2: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         media: Ethernet autoselect (10baseT)
         inet 130.102.18.111 netmask 0xffffffc0 broadcast 130.102.18.127
         inet6 fe80::240:5ff:fe6b:f9f3%ne2 prefixlen 64 scopeid 0x1
# ifconfig ne3
ne3: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         media: Ethernet autoselect (10baseT)
         inet 130.102.18.112 netmask 0xffffffc0 broadcast 130.102.18.127
         inet6 fe80::240:5ff:fee1:f6fa%ne3 prefixlen 64 scopeid 0x2

I connecting ne2 to my LAN and a machine with an IP in the 
130.102.20.0/24 subnet (which I can communicate with when it's 
connected to my LAN) to ne3 using a transposed twisted-pair cable.  I 
was unable to ping the machine on ne3 either from the firewall or 
another machine on 130.102.20.0/24.

When I couldn't solve that problem I reset ipfilter in /etc/rc.conf 
to NO, commented out the line I'd added to /etc/sysctl.conf, removed 
the cable from ne3 and rebooted.  I was able to ping machines on my 
LAN with a cable connected to ne2 but not when I moved that cable to 
ne3.  However, when I configured only ne3 I could ping through it.

Could someone point out my crucial error(s) please?


Ray