есть офис, в нём 1 фряха и 2 подсети, раньше было всё на алиасе от сетевушки, которая смотрит в сеть, теперь я поставил 3-ю сетевушку специально под сеть 192.168.2.0/24, в конфигах фаэра дописал, что теперь такая есть, везде заменил алиасы от sk0_alias на новую мою fxp0
но вот такой косяк появился, я совсем и не подумал о маршрутизации; вот что мне говорят логи
messages
Apr 7 15:05:06 office kernel: arp: 192.168.2.22 is on fxp0 but got reply from 00:04:61:75:eb:7f on sk1
Apr 7 15:05:24 office kernel: arp: 192.168.2.1 is on lo0 but got reply from 00:90:27:a6:a4:6b on sk0
Apr 7 15:05:27 office kernel: arp: 192.168.2.1 is on lo0 but got reply from 00:90:27:a6:a4:6b on sk0
Apr 7 15:05:27 office kernel: arp: 192.168.2.22 is on fxp0 but got reply from 00:04:61:75:eb:7f on sk1
Apr 7 15:05:33 office kernel: arp: 192.168.2.1 is on lo0 but got reply from 00:90:27:a6:a4:6b on sk0
Apr 7 15:05:33 office kernel: arp: 192.168.2.22 is on fxp0 but got reply from 00:04:61:75:eb:7f on sk1
Apr 7 15:07:26 office kernel: arp: 192.168.2.1 is on lo0 but got reply from 00:90:27:a6:a4:6b on sk0
Apr 7 15:07:29 office kernel: arp: 192.168.2.6 is on fxp0 but got reply from 00:0e:a6:1c:22:b5 on sk1
Apr 7 15:07:29 office kernel: arp: 192.168.2.1 is on lo0 but got reply from 00:90:27:a6:a4:6b on sk0
Apr 7 15:08:12 office kernel: arp: 62.117.120.185 is on sk0 but got reply from 00:03:fa:70:1f:c0 on fxp0
Apr 7 15:10:59 office kernel: arp: 192.168.2.1 is on lo0 but got reply from 00:90:27:a6:a4:6b on sk0
Apr 7 15:12:05 office kernel: arp: 62.117.120.185 is on sk0 but got reply from 00:03:fa:70:1f:c0 on fxp0
Apr 7 15:13:22 office kernel: arp: 192.168.2.1 is on lo0 but got reply from 00:90:27:a6:a4:6b on sk0
Apr 7 15:13:25 office kernel: arp: 192.168.2.1 is on lo0 but got reply from 00:90:27:a6:a4:6b on sk0
Apr 7 15:13:26 office kernel: arp: 192.168.2.6 is on fxp0 but got reply from 00:0e:a6:1c:22:b5 on sk1
Apr 7 15:13:28 office kernel: arp: 192.168.2.1 is on lo0 but got reply from 00:90:27:a6:a4:6b on sk0
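#!/bin/sh
#
# ipfw rule set for the office gateway: one external NIC (sk0), two internal
# NICs (sk1 = 192.168.9.0/24, fxp0 = 192.168.2.0/24), two VPN tunnels (tun0,
# tun1), NAT via natd, traffic accounting via divert port 199 and a
# transparent proxy on 127.0.0.1:3128.
#
# The running rule set is flushed and rebuilt from scratch on every run, so a
# run that stops half-way leaves the box with only the rules added so far plus
# the kernel's default rule.
#
# NOTE(review): the kernel "arp: ... is on fxp0 but got reply from ... on sk1"
# messages that accompany this script are a layer-2 question (which segment
# each NIC is plugged into), not something ipfw rules can change; confirm the
# cabling and `ifconfig` output before changing rules for the 192.168.2.0/24
# side.

fw="/sbin/ipfw"       # firewall control binary
lw="sk0"              # external (WAN) NIC
ll="sk1"              # internal NIC, 192.168.9.0/24
ll2="fxp0"            # internal NIC, 192.168.2.0/24 (replaces the old sk0 alias)
ipw="xx.xx.xx.xx"     # external IP (placeholder as posted)
ipl="192.168.9.1"     # internal IP on ${ll}; not referenced by any rule below
ipl2="192.168.2.1"    # internal IP on ${ll2}; not referenced by any rule below
nmask="24"            # prefix length shared by both LAN subnets
netin="192.168.9.0"   # network address (not the mask) of the first LAN
netin2="192.168.2.0"  # network address of the second LAN

# Address and port lists. They are written as "a, b, c" and expanded UNQUOTED
# on purpose: ipfw accepts the comma-separated pieces as separate arguments,
# whereas quoting would hand it a single argument containing spaces.
myip="192.168.9.1, 192.168.2.1, 192.168.9.91, 192.168.9.92, 192.168.2.5, 192.168.2.6, 192.168.2.7, 192.168.2.8, 192.168.2.9, 192.168.2.10, 192.168.2.11, 192.168.2.12, 192.168.2.13, 192.168.2.17, 192.168.2.22"
otherip="192.168.9.0/24"   # not referenced by any rule below
myip2="192.168.9.200, 192.168.9.201, 192.168.9.202, 192.168.9.203, 192.168.9.204, 192.168.9.205, 192.168.9.206, 192.168.9.207, 192.168.9.208, 192.168.9.209, 192.168.9.210"
tcp="21, 20, 1024, 80, 22, 3306, 20001, 3388, 3389, 666, 999, 631, 49152-65534, 5060-5066"
udp="5060-5066"
ip="6900, 5121, 6121, 40000"

# Refuse to run at all if the binary is missing: otherwise every line below
# fails with "not found" one after another and nothing is configured.
if [ ! -x "${fw}" ]; then
  printf '%s\n' "${fw}: not found or not executable" >&2
  exit 1
fi

### Flush ALL!
${fw} -f flush
${fw} -f pipe flush
${fw} -f queue flush

# No rule in this script uses keep-state, so check-state matches nothing as
# written; it only becomes meaningful if stateful rules are added later.
${fw} 100 add check-state

### VPN 1
${fw} 101 add allow ip from any to any via tun0
${fw} 102 add allow tcp from 80.84.121.138 to ${ipw} 5000
${fw} 103 add allow ip from 192.168.0.1 to 192.168.2.1 via ${ll2}
${fw} 104 add allow ip from 192.168.2.1 to 192.168.0.1 via ${ll2}

### VPN 2
${fw} 105 add allow ip from any to any via tun1
${fw} 106 add allow tcp from 213.147.37.99 to ${ipw} 5000
${fw} 107 add allow ip from 192.168.1.1 to 192.168.2.1 via ${ll2}
${fw} 108 add allow ip from 192.168.2.1 to 192.168.1.1 via ${ll2}

### NEW LAN — the two LANs may talk to each other without any pipe
${fw} 109 add allow ip from 192.168.2.0/24 to 192.168.9.0/24
${fw} 110 add allow ip from 192.168.9.0/24 to 192.168.2.0/24

### PIPE (bandwidth limits for traffic coming from outside the first LAN)
${fw} pipe 1 config bw 1000Kbit/s
${fw} pipe 2 config bw 5000Kbit/s
${fw} pipe 3 config bw 200000Kbit/s
# The six rules below carry no rule number, so ipfw numbers them itself
# relative to the highest rule present at that moment (not in script order),
# which interleaves them with the explicitly numbered NAT rules added later.
# Check `ipfw show` to see where they actually land before relying on order.
# shellcheck disable=SC2086
${fw} add pipe 3 ip from not ${netin}/${nmask} to ${myip}
# shellcheck disable=SC2086
${fw} add allow ip from not ${netin}/${nmask} to ${myip}
# shellcheck disable=SC2086
${fw} add pipe 2 ip from not ${netin}/${nmask} to ${myip2}
# shellcheck disable=SC2086
${fw} add allow ip from not ${netin}/${nmask} to ${myip2}
${fw} add pipe 1 ip from not ${netin}/${nmask} to ${netin}/${nmask}
${fw} add allow ip from not ${netin}/${nmask} to ${netin}/${nmask}

### Lan Settings — loopback allowed, loopback addresses never on the wire
${fw} 170 add allow ip from any to any via lo0
${fw} 180 add deny ip from any to 127.0.0.0/8
${fw} 190 add deny ip from 127.0.0.0/8 to any

### NetAMS-NAT-NetAMS-OUT
# Outbound LAN traffic: accounting (divert 199), then transparent proxy for
# web ports, then NAT through natd.
${fw} 400 add divert 199 ip from ${netin}/${nmask} to any out via ${lw}
${fw} 410 add divert 199 ip from ${netin2}/${nmask} to any out via ${lw}
${fw} 430 add fwd 127.0.0.1,3128 tcp from ${netin}/${nmask} to any 80,8080,8101 via ${lw}
${fw} 440 add fwd 127.0.0.1,3128 tcp from ${netin2}/${nmask} to any 80,8080,8101 via ${lw}
${fw} 450 add divert natd ip from ${netin}/${nmask} to any out via ${lw}
${fw} 460 add divert natd ip from ${netin2}/${nmask} to any out via ${lw}

### NetAMS-NAT-NetAMS-IN
${fw} 470 add divert natd ip from any to ${ipw} in via ${lw}
${fw} 480 add divert 199 ip from any to ${netin}/${nmask} in via ${lw}
${fw} 490 add divert 199 ip from any to ${netin2}/${nmask} in via ${lw}

### ICMP Allow Ping\Trac
# "established" is stateless: it matches any TCP segment with ACK or RST set,
# on any interface and in either direction. Because it sits before the
# per-port rules, the port lists in 2020 effectively restrict only SYNs.
${fw} 700 add allow tcp from any to any established
${fw} 710 add allow ip from ${ipw} to any out xmit ${lw}
${fw} 900 add allow icmp from any to any icmptypes 0,8,11

### Allow Ports (on the external interface only)
${fw} 2000 add allow udp from any 53 to any via ${lw}
# shellcheck disable=SC2086
${fw} 2010 add allow ip from any to any ${ip} via ${lw}
# shellcheck disable=SC2086
${fw} 2020 add allow tcp from any to any ${tcp} via ${lw}
# shellcheck disable=SC2086
${fw} 2030 add allow udp from any to any ${udp} via ${lw}

### COUNTER-STRIKE (well, yes :))
# Unnumbered as well — see the note above the PIPE rules.
${fw} add allow ip from any 6003, 1200, 2048, 16000-16005, 27000-27050, 22015-22050, 11360 to ${netin2}/${nmask} in via ${lw}
${fw} add allow ip from any 6003, 1200, 2048, 16000-16005, 27000-27050, 22015-22050, 11360 to ${netin2}/${nmask} out via ${ll2}
${fw} add allow ip from ${netin2}/${nmask} to any 6003, 1200, 2048, 16000-16005, 27000-27050, 22015-22050, 11360 in via ${ll2}
${fw} add allow ip from ${ipw} to any 6003, 1200, 2048, 16000-16005, 27000-27050, 22015-22050, 11360 out via ${lw}

### Internal interfaces: everything is allowed on sk1 and fxp0, i.e. the two
### LANs are not filtered at all; only the external side is.
${fw} 60000 add allow tcp from any to any via ${ll}
${fw} 60010 add allow udp from any to any via ${ll}
${fw} 60020 add allow icmp from any to any via ${ll}
${fw} 60030 add allow tcp from any to any via ${ll2}
${fw} 60040 add allow udp from any to any via ${ll2}
${fw} 60050 add allow icmp from any to any via ${ll2}

### Final explicit default deny
${fw} 65000 add deny ip from any to any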
arp -a
? (62.117.120.185) at 00:03:fa:70:1f:c0 on sk0 [ethernet]
192.168.2.1 (192.168.2.1) at 00:90:27:a6:a4:6b on fxp0 permanent [ethernet]
? (192.168.2.255) at ff:ff:ff:ff:ff:ff on fxp0 permanent [ethernet]
philka.sg.local (192.168.9.13) at 00:e0:4c:c0:16:2e on sk1 [ethernet]
marina.sg.local (192.168.9.16) at 00:15:f2:02:49:14 on sk1 [ethernet]
masik (192.168.9.24) at 00:0e:a6:59:6e:cc on sk1 [ethernet]
nata.sg.local (192.168.9.25) at 00:15:f2:f5:b7:a8 on sk1 [ethernet]
janna.sg.local (192.168.9.40) at 00:13:d4:f5:c1:61 on sk1 [ethernet]
yaropuda.sg.local (192.168.9.45) at 00:15:f2:f5:b7:ae on sk1 [ethernet]
alex.sg.local (192.168.9.56) at 00:11:6b:24:53:25 on sk1 [ethernet]
buhprodix (192.168.9.68) at 00:01:6c:d2:1d:5e on sk1 [ethernet]
server01.sg.local (192.168.9.91) at 00:0e:0c:4f:31:c8 on sk1 [ethernet]
server02.sg.local (192.168.9.92) at 00:30:48:5b:d8:9e on sk1 [ethernet]
smeta.sg.local (192.168.9.120) at 00:21:5a:20:8a:dc on sk1 [ethernet]
sgsupport.sg.local (192.168.9.130) at 00:23:7d:49:84:b6 on sk1 [ethernet]
sgbuh.sg.local (192.168.9.206) at 00:1f:29:d9:0e:6c on sk1 [ethernet]
glavbuh.sg.local (192.168.9.207) at 00:15:f2:02:48:c9 on sk1 [ethernet]
oksana-b.sg.local (192.168.9.208) at 00:17:31:b8:72:31 on sk1 [ethernet]
buh-natasha.sg.local (192.168.9.209) at 00:14:2a:54:63:91 on sk1 [ethernet]
::1 localhost.office localhost
127.0.0.1 localhost.office localhost
192.168.9.1 192.168.9.1 office
192.168.2.1 192.168.2.1 prodix
192.168.9.91 server01.sg.local server01
192.168.9.92 server02.sg.local server02
192.168.2.6 masik masik
Мне бы сеть поднять, ту, что 192.168.2.0/24, а то положил я всё нафиг
