V.0.3
If there are any questions or comments, please direct them to
walt@erudition.net. The newest copy of this How-To can always be retrieved
from www.erudition.net/freebsd/. All rights for the reproduction of this
document are reserved.
1. Background.
1.1. What is Network Routing?
1.2. A Simple Example
1.2.1. Introduction to Routers and Gateways
1.2.2 Introduction to Routing Tables
1.2.3 Introduction to IP
1.2.4 MAC (Medium Access Control) Addresses
1.2.4.1 What is a MAC Address?
1.2.4.2 MAC Address Resolution
1.2.5 Point to Point Protocols
1.2.6 Multihoming
1.2.7 Router Information Protocol
1.3 IP Addressing
1.3.1 IP Assignment, TCP, and UDP
1.3.2 Networks, Subnets, and Hosts
1.3.3 Netmasks
1.3.4 Subnets and Network & Broadcast Addresses
2. Application
2.1. NETSTAT(1) and the Routing Table
2.2. IFCONFIG(8), Network Devices, and Assigning IP
Addresses
2.3. IFCONFIG(8) in more Detail
2.4 ARP, IFCONFIG(8) and Network Devices
2.5. ARP(8) and Routing
2.6. ROUTE(8) instead of ARP(8)
2.6.1. Adding routes with ROUTE(8)
2.6.2. ROUTE(8) Flags
2.6.3. ROUTE(8) and the Default Route
2.6.4 Network Routes & Host Routes
2.6.5 Changing Routes with ROUTE(8)
3. PING(8)
4. Basic Host and Network Naming
-----------------------------------------------------------------------------------
1. Background.
1.1. What is Network Routing?
The basic goal behind routing is to find a path from one node to
another by which information can travel, ideally the shortest/most
efficient path. On the Internet and many LANs, this is often accomplished
through the use of RIP (Routing Information Protocol), Router Discovery
Protocol, ARP (Address Resolution Protocol) and RARP (Reverse Resolution
Address Protocol). RIP and Router Discovery Protocol is the domain of the
routed(8) daemon. ARP can be manipulated through the arp(8) program. This
HowTo deals specifically with IPv4.
1.2. A Simple Example
Let us take the example of a very basic network and see how basic
routing concepts can apply to it:
F
|
A --- B --- D --- G
| |
C --- E
Each letter corresponds to a node on the network, which can be a
computer, CISCO router, or any physical medium that can forward data
packets from one point to another, or accept them. If A is a computer
trying to communicate with G, which is also a computer, it must get its
data packets there somehow. Because it is directly connected to only one
other node, B, it can only send its data packets in that direction. Once
these data packets reach B, they have two directions in which they might
be able to go.
1.2.1. Introduction to Routers and Gateways
Let us assume that node B is a router designed to pass on data
packets. Router B knows that it is directly connected to two other places,
but that is all. As B receives data packets from Computer A it looks at
the address to which the data packets are trying to go and realizes that
the packets wish to reach E, to which it is not directly connected.
Because router B does not know anything else about the network other than
the nodes to which it is directly connected, it has a default direction
that it sends data packets which it can not send directly to their
destination. In this network, it was designed by the administrators that
any data packets that router B can not directly send to their destination
it will send to node D, which is gateway. The gateway, like the router, is
designed to forward packets from one place to another, depending on where
the packets want to go, the only difference being that the gateway is more
intelligent, often times a computer.
Gateway D in this example is connected to four different nodes: B,
E, F, G. When it receives data packets from router B it must next decide
in which direction to send them such that they might (eventually) arrive
at their destination. Gateway D realizes that the data packets are trying
to get to node E, to which it is directly connected. As such, it forwards
the packets to node E (which is a computer, but the gateway doesn't know
this) and they are then processed and used in whatever way computer E was
programmed to.
1.2.2 Introduction to Routing Tables
Nodes B and D each knew what nodes they were directly connected
to, and treated one of those nodes as a default direction in which to send
data packets that were not intended for any of the other nodes. This table
of directly connected nodes is called a "Routing Table". Each direction in
which B and D were able to send data packets is called a "Route", one of
which is treated as the "Default Route." For router B, the Default Route
was gateway D.
1.2.3 Introduction to IP
On the Internet, data packets are routed according to a special
addressing scheme which part of the TCP/IP Protocol Suite: IPv4. It uses a
32 bit addressing scheme broken into 4 8-bit parts separated by a period.
An example of an IP address would be: 192.168.100.5 . This is a logical
address assigned to every computer node connected on the Internel and in
most LANs and WANs. Multiple addresses can be assigned to each
computer/router. Let us redraw our simple network to now reflect some of
these new concepts:
(192.168.200.10)
PC #3
|
|
(192.168.100.2) (192.168.200.65)
(192.168.100.5) (192.168.200.1) (192.168.0.1) (192.168.0.7)
PC #1 --------- R #1 ----------- G ------------ PC #2
1.2.4 MAC (Medium Access Control) Addresses
1.2.4.1 What is a MAC Address?
Each "PC" is a Personal Computer. Each "R" is a router, and "G" is
the gateway. Above each PC, router, and gateway we see an IP address(es). IP
addresses are logical addresses because they can be changed on a computer.
This allows for a powerful means of addressing a large network of
computers, however, because it exists on the network layer of the TCP/IP
Protocol, IP addressing is not understood by actual network interfaces,
such as Ethernet cards. In other words, another addressing scheme is also
used to identify individual computers on the "physical" network. Here we
are referring to the MAC (Medium Access Control) address. Each Network
Adapter, such as an Ethernet or Token Ring I/O card has a unique MAC
address. MAC addresses are 48 bit addresses are written in 6 8-bit parts
separated by colons; for instance: 00:0b:27:5c:d3:89 . By convention, each
of the 6 8-bit MAC address parts is written in hexadecimal whereas each of
the 4 8-bit IP address parts is written in decimal.
1.2.4.2 MAC Address Resolution
When data packets are sent from PC #1 in hopes of reaching PC #2,
they first come to Router #1. Router #1 has a routing table based on both
IP and MAC addresses. It checks to see if any entry in its routing table
has the IP address for which the packets are destined: 192.168.0.7. It
realizes that there is no entry in its routing table that has this
particular IP address, so it forwards the packet to via default route,
which is gateway G. Gateway G checks its own routing table to see if it
has an entry with the IP address that the data packets are destined for.
It does, so it next looks up the MAC address associated with that IP
address. If it successfully acquires the MAC address, it forwards the data
packets to the Network Interface that has that MAC address. In this case,
it is an Ethernet Card in PC #2's chasis. MAC address resolution (mapping
IP address -> MAC addresses is handled by the ARP Protocol which was
mentioned in the beginning).
1.2.5 Point to Point Protocols
MAC addresses are used to uniquely identify a multitude of Network
Interfaces on a network, however, in some cases, a much simpler network
connexion is had where a particular computer will not need to worry about
directly talking to many computers (such as gateway G does) so it will not
need to worry about uniquely identify many computers (such as gateway G
does through maintaing a routing table with the IPs and their
corresponding MAC addresses of various nodes). In such cases, where the
computer at hand will be talking directly ("directly" is the key word,
because it may still be able to talk to other computers "through" the one
it is "directly" connecting to) to only one other computer, a simpler
Protocol than ARP can be used. Such one-to-one protocols are called
point-to-point protocols. A popular one is very appropriately called PPP
(Point to Point Protocol); another is SLIP (Serial Line Internet
Protocol), which is relatively outdated.
PPP connexions are most often seen in Internet dialup accounts.
When a user dials up their ISP, they connect directly to only one other
node, a gateway, using PPP. The gateway recognizes the connected PC
directly as ppp0, ppp1, or ppp2, etc, and not by a MAC address, such as
00:0b:27:5c:d3:89 . Let us once again redraw our example network making
use of these new concepts:
(192.168.100.5) (192.168.200.10)
ppp0 sl0
PC #1 PC #3
| |
| |
| |
| |
(192.168.100.6) (192.168.200.2)
(00:0b:28:6c:d4:99) (00:0c:ax:6a:c1:10)
(192.168.200.1) (192.168.0.1) (192.168.0.7)
(00:0b:27:5c:d3:89) (00:0c:ac:7d:c2:98) (10:0c:27:7c:c2:45)
R #1 ------------------ G ------------------- PC #2
|
|
|
(192.168.100.2)
(00:0a:11:45:14:70)
PC #4
1.2.6 Multihoming
As you will notice, some nodes on this network have multiple
network interfaces. An example of such a node is gateway G. Nodes on a
network that have more than more network interface to a particular network
are termed "multihomed."
1.2.7 Router Information Protocol
In large networks (of which our example is clearly NOT) there may
be many possible paths to a particular node from another node. In such
cases, making sure that a particular route is usable and/or efficient as
compared to another can become an arduous for a network administrator. As
such, a network daemon called routed(8)(or 'gated') can be run. routed(8)
maintains a gateway's routing table to keep it clean of dead routes, keeps
routers/gateways directly connected to it informed of any changes to the
routing table (through RIP), locates routers/gateways (through Internet
Router Discovery Protocol) and responds to requests to the gateway's (on
which it is running) routing table. Because routed(8) and 'gated' are
beyond the scope of "basic network routing" they will not be discussed at
any greater length.
1.3 IP Addressing
1.3.1 IP Assignment, TCP, and UDP
When IP addresses are assigned a network, they are conventionally
done so in ranges, and not random patterns. A network in a particular
university department may, for instance, be assigned all of the IP
addresses between 192.168.200.0 and 192.168.200.255 . This does not mean
that each of these addresses must be given a computer, but that when data
packets are set with a destination of any address within that range, they
will enter that particular dept. network. Depending on the protocol by
which these data packets are transmitted, whether a computer with the
actual destination address exists may or may not preclude the sending of
the data packets in the first place. For example, if PC #1 attemps to make
a TCP (Transmission Control Protocol) connexion with a PC #5 which does
not exist on our network, the connexion will fail, and no data packets
will be sent. This is because the TCP protocol is a connexion oriented
protocol and attempts to determine and set a path to the destination
(create a connexion) before sending any data, while on the other hand, if
the data packets were sent using UDP (User Datagram Protocol) packets,
which are connexionless in nature, the data packets would be sent out
blindly and from the sender's perspective would fall into oblivion.
1.3.2 Networks, Subnets, and Hosts
The important point here is the distinction between "network,"
"subnet" and "host." In general, a network is an arbitrary designaion
given to some 2 or more nodes (of something) which communicate. The
individual nodes are called hosts, and groups of hosts within the network
can be logically lumped together and called subnets. Traditionally, in the
Internet, networks were assigned in multiples of 255 hosts. In the
previous example of the departmental network the range 192.168.200.0 to
192.168.200.255 would be such an Internet network. Such Internet networks
that are comprised of 256 addresses are termed class C networks; those
comprised of 256^2 addresses are termed class B networks, and those
comprised of 256^3 addresses are termed class A networks. However, because
LANs often do not require use of this many addresses, Internet networks
are traditionally broken down further by ISPs and/or local network
administrators into subnets, which are smaller yet address ranges.
1.3.3 Netmasks
Returning back to our network example, if we examine the IP
addresses of gateway G and PC #4 we notice that they both share the class
C network of 192.168.0.0 -> 192.168.100.255 while all of the other PCs are
on the class C 192.168.100.0 -> 192.168.100.255 . They can, therefore, be
logically lumped as distinct subnets within the entire network. Ranges
such as this can be denoted by a simpler notation: 192.168.100.0/24 where
the "24" following the forward slash denotes how many bits in the address
should remain the same; everything else can change and, therefore, is part
of the subnet. Here, the first three 8-bit parts (192.168.100) of the
address can not change while the remaining can. All changable addresses
are considered part of this net. If an IP address falls outside the range
of changable addresses, it is considered to be in another subnet and the
data packets are forwarded accordingly. The "24" is called the "netmask"
and is often written in dot notation just as IP addresses are; for
instance, the netmask for the above class C would be 255.255.255.0. This
may seem peculiar at first, but on closer examination we see that
"255.255.255.0" means exactly the same thing as "24" bits. In
255.255.255.0, 24 of the bits are set high (each 8-bit section in the
first three sections being set high and therefore "255" as 2^8 = 255), and
the remaining octet set low, which results in a "0".
1.3.4 Subnets and Network & Broadcast Addresses
Each subnet must reserve two addresses, one for the network
address and one for the broadcast address, with the exception of subnets
of size 1, where the host address is also the network and broadcast
address, which makes sense if there is only one node in the subnet. The
network and broadcast addresses are the first and last addresses within
the range, respectively, which clearly lessens the amount of addresses
addressable to hosts within a subnet by 2. So, in the above example,
192.168.100.0 would be the network address and 192.168.100.255 would be
the broadcast address, both of which will be described later. The
following table illustrates the subnet sizes as relative to the assigned
netmasks:
Netmask # Bits Set High Size of Subnet
--------------------------------------------------------------
255.255.255.255 32 1
255.255.255.254 31 ???
255.255.255.252 30 2
255.255.255.248 29 6
255.255.255.240 28 14
255.255.255.224 27 30
255.255.255.192 26 62
255.255.255.128 25 126
255.255.255.0 24 254
With the existence of distinct subnets within a larger network, we
now have the option of not only routing data packets based on whether they
match a directly connected host or not (in which case they are sent via
the default route) but also based on what subnet they fall in. This
concept becomes especially powerful where gateways connect several large
subnets or networks.
As we saw above each subnet sets aside two addresses for a
"network address" and "broadcast address" which can not be assigned to
hosts within the subnet. The network address plays the important role of
identidying the subnet itself, so essentially, the subnet has an address
too. In our dept. network that we mentioned earlier, where the address
range was 192.168.0.0/24 the network address would be 192.168.0.0 which
could be written as 192.169 for short notation. This identifies the subnet
itself. The broadcast address allows any host on the subnet to send (or
"broadcast") a message to all other hosts on the subnet at the same time
and not simply to a single other host one at a time. Pinging the broadcast
address on a network will, likewise, result in a responce from all of the
hosts thereon (unless they're behind a proxy server or firewalled), and
allow an effective way to help map out the network topology of a network
you're not completely familiar.
In large distributed networks, such as television or radio
networks this concept of simultaneously broadcasting signals to multiple
nodes in the network is of vital importance. When data packets are
simultaneously sent to a select number of multiple nodes and not simply to
every node across a network, we come to the idea of "multicasting."
Muticasting is handled by the 'mrouted' daemon. Because multicasting is
beyond the scope of basic network routing, it will not be mentioned in any
further detail.
2. Application
Firstly, it must be made clear that routing tables can not be
changed by anyone but root. Also, for a box acting as a router/gateway (as
in the case of gateway G in our example nework) to be able to forward
packets to another box it has to have packet forwarding enabled. To
immediately effect this, setting the following sysctl variable thusly is
sufficient:
sysctl -w net.inet.ip.forwarding=1
Then, to have packet forwarding enabled automatically during every
reboot, setting the following option in /etc/rc.conf will be sufficient:
gateway_enable=YES
2.1. NETSTAT(1) and the Routing Table
FreeBSD, being a powerful network-ready OS, is capable of any
routing operation that may be needed. Routing tables being the core
decision making points in a network, we should be able to view the routing
table of any FreeBSD box. This is accomplished by 'netstat -r'
(root@box)~># netstat -r
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
localhost localhost UH 0 2 lo0
(root@box)~>#
A fresh system without any network configuration will have a
routing table very similar to this. There would only be one route, that
for the localhost. The localhost is the generic loopback device for
TCP/IP. Any packets sent to it loop back to the host itself. If you, for
instance, telnet to localhost, you will telnet back into the box you're
on. If you're on a shell account and telnet to the localhost, you will
telnet back into the box that you have your shell account on. This device
must be on for any network oriented operations to work and is enabled by
default in the kernel.
The first column in the routing table is, at it is clearly
identified, the "destination" for the route. In the case of localhost, to
the route to localhost must have "localhost" in the destination column.
The second column, the "gateway" column, is the next hop the route must
take to get closer to the destination. In the case of the localhost, the
only "hop" that must be taken is back to itself, therefore "localhost" is
seen in both columns. The third column lists any flags for the route that
give additional information. The 'U' means that the route is usable, and
the 'H' means that the route is to a host computer and not a
subnet/network. Some common additional flags that may be seen are:
b The route represents a broadcast address
C Generate new routes on use
c Protocol-specified generate new routes on use
G Destination requires forwarding by intermediary
H Host entry (net otherwise)
L Valid protocol to link address translation
S Manually added
U Route usable
W Route was generated as a result of cloning
The next column is "Refs" and indicates how many active connexions
there are using that network device. After that, we have the "Use" column
which indicates how many data packets have been moved through that network
device. Following that, we have the "Netif" column listing the device
names, and finally the "Expire" column indicating the expire times for
various connexions.
The localhost, like many destination and gateway addresses within
the routing table has an IP address representation, which is 127.0.0.1 .
In fact, the name localhost is simply a convention and the loopback
device's address of 127.0.0.1 may be named something else just as easily.
The name is defined in the /etc/hosts file.
The localhost is clearly not capable of facilitating network
communication as it 1) does not uniquely identify a computer, and 2) loops
back to the host itself, which by its very nature denies network
communication. It is, on the other hand, simply a method for identifying
the *local* host.
2.2. IFCONFIG(8), Network Devices, and Assigning IP Addresses
Assuming that a host is connected to a network by some type of
network interface, the host must be given a unique IP address so that
other hosts can communicate to it via the TCP/IP protocol. Let us go back
and look at our original network example and assume that our host is PC #2
equipped with a 3Com 3C509 NIC (Network Interface Card). An IP address
must be assigned to the network device (the 3Com NIC) by which the host
will be communicating with the network. This is accomplished by the
ifconfig(8) command. In our example the IP we gave to PC #2 was
192.168.0.7 . To assign 192.168.0.7 to PC #2's network device, we
would do the following:
ifconfig ep0 inet 192.168.0.7 netmask 255.255.0.0 up
The first parameter given ifconfig(8) is the device name that we
are activating. A list of supported network devices can be acquired from
the online FreeBSD Handbook (http://www.freebsd.org/handbook/). To acquire
the device name (in this case 'ep0') of your NIC you can issue the
following command:
ifconfig -l
This will list all available network devices on your system. Ones
such as ppp0, lp0, sl0, tun0, and lo0 can be ruled out, they being the
network devices: Kernel PPP, PLIP, SLIP, User PPP, and localhost
respectively.
(root@box)~># ifconfig -l
ep0 lp0 tun0 sl0 ppp0 lo0 gif0 gif1 gif2 gif3 stf0 faith0
(root@box)~>#
The "gif0 gif1 gif2 gif3 stf0 faith0" network devices are for IPv6
and can be safely ignored for our purposes.
The second parameter is the address family that is being used. By
default it is 'inet' or the internet address family. Other supported
address families are 'ipx' and 'atalk.' In most cases, inet is the address
family you will be dealing with if your network is connected to the
Internet and/or uses standard TCP/IP to communicate, and as such, the
address family parameter can be left out.
The third parameter is the actual IP address being assigned.
The fourth parameter here is 'netmask' followed by the netmask
that routing at this node will obide by. In this case, 255.255.0.0 was
given as the netmask because our example network has a class B network
address range to assign addresses from.
The last parameter tells the network device to become active with
the previously outlined configuration. Be default, the network device will
be activated with the configuration passed in through ifconfig(8) making
'up' superfluous. As such, 'up' is rarely passed in unless the device was
marked 'down' previously.
2.3. IFCONFIG(8) in more Detail
We can now examine the details of network device setup to
determine whether it is 'up' simply by issuing 'ifconfig ep0' :
(root@box)~># ifconfig ep0
ep0: flags=8843 mtu 1500
inet 192.168.0.7 netmask 0xffff0000 broadcast 192.168.255.255
ether 10:0c:27:7c:c2:45
media: 10baseT/UTP (10baseT/UTP )
supported media: 10baseT/UTP 10baseT/UTP 10baseT/UTP
(root@box)~>#
We can see that, for one, 'UP' is shown for ep0 and that secondly,
on the line below it, the IP address we assigned it is listed. We also
notice the broadcast address which reflects the netmask (also listed, but
in hex as 0xffff0000 - the '0x' initiates every hex netmask and the first
four fs indicate that the first 16 bits are set high, while the last 16
are set low, resulting in 255.255.0.0) we specified: our netmask of
255.255.0.0 indicated that starting on the 16th bit (at the third octet)
our local network began, and therefore, the broadcast address should be
the top most address within that address range. Our network's address
range is 192.168.0.0/16, therefore, our broadcast address is
192.168.255.255 .
We also can see the MAC address of the ep0 network device (the
same one we assigned this host's NIC in our original network example) on
the third line. The current media type and a list of supported media types
can be seen on the fourth and fifth lines respectively.
2.4. ARP, IFCONFIG(8) and Network Devices
If we list our routing table now we will not see any changes, but
once we ping the new IP address:
(root@box)~># ping -c 1 192.168.0.7
PING 192.168.0.7 (192.168.0.7): 56 data bytes
64 bytes from 192.168.0.7: icmp_seq=0 ttl=255 time=0.158 ms
--- 192.168.0.7 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.158/0.158/0.158/0.000 ms
(root@box)~>#
we will see that a new route has been added:
(root@box)~># netstat -r
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
localhost localhost UH 0 2 lo0
192.168 link#1 UC 0 0
192.168.0.7 10:0c:27:7c:c2:45 UHLW 0 20 lo0
(root@box)~>#
Why did the route suddenly appear, and how could we ping the
address if there was no route originally to it? Because ARP is by default
active for all network devices and we had already assigned an IP address
to the ep0 network device, the system was able to through ARP resolve the
192.168.0.7 IP address to the 10:0c:27:7c:c2:45 MAC address. Once this
was done, a route was automatically added to facilitate the path of the
ping. Once the route was added, the ping could proceed successfully. ARP
may be disabled for a network device; if we wanted to make things more
difficult we could disable ARP for our ep0 network device by issuing the
following command:
ifconfig ep0 192.168.0.7 -arp
However, we will not do this as it would be counter-productive to
our successful management of this network.
You will also notice a third entry in the routing table has
appeared. That is a special route to the first address within our network
(192.168.0.0). When we added our IP address we did so with a netmask of
255.255.0.0 which makes the third and fourth octets of our IP address part
of our network - that is, they are address ranges from which addresses can
be assigned to hosts on our network. The first and second octets identify
the network, as those values do not change, that is, all addresses within
our network begin with '192.168' which is a shorthand for 192.168.0.0 . If
you recall our earlier discussion on netmasks, we learned that the network
address of a network or subnet is the first address within its address
range. In our 192.168 class B network, the first address 192.168.0.0 .
the Special link#<0,1,2> type routes are also used to denote other
conditions. For instance, when a route is set to a host and the gateway is
not known/found (because the gateway went down, the host went down or
neither gateway nor host ever existed) it will be shown as a link#1 route.
2.5. ARP(8) and Routing
A very convenient command is called arp(8) which can be used to
return the MAC address mapped to a particular IP address or to return the
entire IP -> MAC table. Issuing the command 'arp -a' does exactly does.
Issuing 'arp 192.168.0.7' would return the MAC address for the IP
address 192.168.0.7 ; for instance:
(root@box)~># arp 192.168.0.7
192.168.0.7 (192.168.0.7) at 10:0c:27:7c:c2:45 permanent
(root@box)~>#
The identifier "permanent" follows the address results indicating
that this particular MAC address entry can not be changed, meaning that it
is the MAC address of some locally installed network device. The entries
in this table for network devices on other nodes on the network can
change. Such changes can take place when hardware is replaced or a node
moves.
arp(8) can also be used to set MAC entries in its table for
particular IP addresses. In our earlier example, where the entry in the
routing table was added automatically when we pinged the IP address of
ep0, we could have manually added the route in the routing table by
issuing the following arp(8) command:
arp -s 192.168.0.7 10:0c:27:7c:c2:45
Because this route would have been manually set, the 'S' flag
would appear for this route in the routing table instead of the 'W' flag:
(root@box)~># netstat -r
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
localhost localhost UH 0 2 lo0
192.168 link#1 UC 0 0
192.168.0.7 10:0c:27:7c:c2:45 UHLS 0 0 lo0
(root@box)~>#
The 'L' flag indicates that this is a link level route, which, in
short, means that it is a route dealing with MAC addresses. Referring back
to our original example network, let us assume we wanted to next set a
route to PC #4 so that PC #2 (our current one) and PC #4 could
communicate. This could be accomplished with the following command:
arp -s 192.168.100.2 00:0a:11:45:14:70
and our routing table would reflect this accordingly:
(root@box)~># netstat -r
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
localhost localhost UH 0 2 lo0
192.168 link#1 UC 0 0
192.168.100.2 00:0a:11:45:14:70 UHLS 1 5 ep0 50
192.168.0.7 10:0c:27:7c:c2:45 UHLS 0 0 lo0
(root@box)~>#
Now PC #4 and PC #2 could communicate using the TCP/IP protocol
suite. Normally, each host will automatically find any directly connected
hosts and add a route in the routing table for them, so manually adding
such routes through arp(8) is usually unnecessary.
2.6. ROUTE(8) instead of ARP(8)
2.6.1. Adding routes with ROUTE(8)
Using arp(8) manually and/or waiting for the system to use ARP to
translate IP addresses to their corresponding MACs and then including that
entry within the routing table is not the only way to set network routes;
in many cases it is impossible or impracticle to determine the MAC address
of a particular host. On a small LAN this would never be a problem,
however, in WANs the case is different. As such, there is a another, more
powerful, command used for setting routes, based on IP addresses as well
as MAC addresses. It is appropriately named route(8) and is a more
conventional method for setting link level routes instead of arp(8).
Strictly IP address routes with route(8) can be set with the
following syntax:
route add
To set link level route as we did earlier with arp(8) the
following syntax can be used:
route add -link
So, the route we set with arp(8) could have been set with route(8)
thusly:
route add 192.168.100.2 -link 00:0a:11:45:14:70
Let is say we wished to now set a route from PC #2 to PC #3.
Clearly as PC #3 is connected to the network via a SLIP connexion we can
not use a link level connexion as we did to PC #4 with arp(8). Examining
the network layout we see that gateway G is the intermediary between PC #4
and PC #2. When setting routes to hosts that are not directly connected,
hop counts are utilized so the system can maintain a measure of the
expense of a particular route. For instance, a route whose destination is
3 hops away is more costly than one that is 1 hop away. Hop counts are
passed to the route(8) command using the -hopcount modifier. As such, we
can set a route thusly:
route add 192.168.200.10 192.168.0.1 -hopcount 1
2.6.2. ROUTE(8) Flags
There are a number of additional flags and modifiers available for
route(8), some of which are listed here:
Modifiers:
-mtu - maximum transmission unit allowed
Flags:
-cloning - generates a new route on use
-iface - destination is directly reachable
-static - manually added route
-nostatic - pretend route added by kernel or daemon
-reject - emit an ICMP unreachable when matched
-blackhole - silently discard packets (during updates)
Viewing our routing table we see the new route:
(root@box)~># netstat -r
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
localhost localhost UH 0 2 lo0
192.168 link#1 UC 0 0
192.168.0.1 00:0c:ac:7d:c2:98 UHLW 1 7 ep0 230
192.168.100.2 00:0a:11:45:14:70 UHLS 2 15 ep0 532
192.168.0.7 10:0c:27:7c:c2:45 UHLS 0 0 lo0
192.168.200.10 192.168.0.1 UGHS 1 5 ep0 20
(root@box)~>#
Data packets now will know they need to travel to gateway G
(192.168.0.1) first in order to reach PC #3 (192.168.200.10) . At gateway
G, they will travel through the SLIP connexion to PC #3, however, as far
as PC #4 is concerned, data packets simply need to be sent in the
direction of gateway G for them to get to their destination. Luckily, the
gateway is directly connected to PC #4, and as such, a route to it would
have been automatically added by the system. It may have also been added
manually using route(8) or arp(8).
2.6.3. ROUTE(8) and the Default Route
Unfortunately, we do not always know the exactly route to a host
as we did in the case of PC #3. We knew it was exactly one hop away and
that this hop was the gateway G. Let us assume that PC #3 is not directly
connected to gateway G, but is in some distant network.
(192.168.100.5) (192.168.200.10)
ppp0 sl0
PC #1 PC #3
| |
| / \
| Haze of Networks
| \ /
| |
| (192.168.200.2)
| (00:0c:ax:6a:c1:10)
(00:0b:27:5c:d3:100) (192.168.0.1) (192.168.0.7)
(00:0b:27:5c:d3:89) (00:0c:ac:7d:c2:98) (10:0c:27:7c:c2:45)
Bridge ------------------ G ------------------- PC #2
|
|
|
(192.168.100.2)
(00:0a:11:45:14:70)
PC #4
We must take a different approach. We still see that data packets must
pass through gateway G in order eventually reach PC #3, however, we do not
know how many hops PC #3 is away. Furthermore, we may also wish contact
other hosts periodically that are located in the "Haze of Networks."
Setting a route to each of them ahead of them, if such a route is even
possible to be set, would suddenly turn into nightmare. Such situations
are handled by the "default" route. When there is no direct route set to a
host, data packets are then moved out the "default" route. In this case,
the default route would be gateway G as it is the intermediary that
connects PC #2 with PC #3 and the rest of the "Haze of Networks." Before
we set the "default" route, let us delete the route we set to PC #3:
(root@box)~># route delete 192.168.200.10
delete host 192.168.200.10
(root@box)~>#
and now:
(root@box)~># route add default 192.168.0.1
add net default: gateway 192.168.0.1
(root@box)~>#
(root@box)~># netstat -r
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.0.1 UGSc 1 10 ep0
localhost localhost UH 0 2 lo0
192.168 link#1 UC 0 0
192.168.0.1 00:0c:ac:7d:c2:98 UHLW 1 7 ep0 230
192.168.100.2 00:0a:11:45:14:70 UHLS 2 15 ep0 532
192.168.0.7 10:0c:27:7c:c2:45 UHLS 0 0 lo0
(root@box)~>#
Also, the route to 192.168.100.2 has become superfluous as packets
can reach it via the "default" route. As such, we can remove it also:
(root@box)~># route delete 192.168.100.2
delete host 192.168.100.2
(root@box)~>#
(root@box)~># netstat -r
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.0.1 UGSc 1 10 ep0
localhost localhost UH 0 2 lo0
192.168 link#1 UC 0 0
192.168.0.1 00:0c:ac:7d:c2:98 UHLW 1 7 ep0 410
192.168.0.7 10:0c:27:7c:c2:45 UHLS 0 0 lo0
(root@box)~>#
Clearly, the "default" route is powerful and makes many small-time
routing issues easier to deal with, and not to mention, allows for a very
scalable network environment.
2.6.4 Network Routes & Host Routes
Here we also have our first contact with setting routes to
networks. the "default" route is a route to all networks beyond a host's
direct routes. Routes can also be set to specific networks or subnets; for
instance, if we wished to add a route to the '10.54.81' class C network
which, for argument's sake, ws connected to our host via gateway G, we
would issue the following command:
route add -net 10.54.81 192.168.0.1
2.6.5 Changing Routes with ROUTE(8)
route(8) also has other functions. Changing routes can be
accomplished with the "change" command instead of using "delete" and "add"
in succession. Routes can be looked up and returned using the "get"
command, and the routing table can be flushed (cleared), based on address
family or all routes together using the "flush" command followed by any
optional address family identifiers.
If, for instance, you wished to change the gateway of the route to
192.168.0.1 from 00:0c:ac:7d:c2:98 to 00:12:4c:78:23:10 you could issue
the following command:
route change 192.168.0.1 -link 00:12:4c:78:23:10
If you now wished to change the hop count of this route, you could
issue the following command:
route change 192.168.0.1 -hopcount 2
Now, having done this, if we wished to retrieve information on
this route, we could issue the following command:
(root@box)~># route get 192.168.0.1
route to: 192.168.0.1
destination: 192.168.0.1
gateway: 00:0c:ac:7d:c2:98
interface: ep0
flags:
recvpipe sendpipe ssthresh rtt,msec rttvar hopcount mtu expire
16384 16384 0 0 0 2 1500 0
(root@box)~>#
We can see the hop count value as we had adjusted it, along with
the new gateway. For additional usages of route(8), arp(8), ifconfig(8),
ping(8), and netstat(1) the corresponding man pages should be consulted.
3. PING(8)
ping(8) is your friend. It sends ICMP ECHO packets to the target
host, and if there is a route to the host, and the host is up, an ICMP
ECHO from the host will be recieved. Use it to test the integrity of
routes and/or whether a host is alive.
4. Basic Host and Network Naming
Hitherto we have seen the routing table only reflecting the IP
addresses and in only one instance an actual name - localhost. In large
networks, mapping name -> IP and IP -> name is often handled by a local
NIS or DNS server. For small LANs or where strictly local configurations
are employed such that the naming will only be relevant in a small area of
the network or subnet, naming for hosts can be done in /etc/hosts and
naming for networks/subnets can be done in /etc/networks .
4. Basic Host and Network Naming
Hitherto we have seen the routing table only reflecting the IP
addresses and in only one instance an actual name - localhost. In large
networks, mapping name -> IP and IP -> name is often handled by a local
NIS or DNS server. For small LANs or where strictly local configurations
are employed such that the naming will only be relevant in a small area of
the network or subnet, naming for hosts can be done in /etc/hosts and
naming for networks/subnets can be done in /etc/networks .
cite from http://www.erudition.net/freebsd/Basic-Routing-HOWTO
The firewall will use the following rules to manage traffic: