Date:      Thu, 05 Feb 2004 10:46:35 +0200
From:      Nelis Lamprecht <nelis@8ball.co.za>
To:        Jason Lavigne <jlavigne@bwlogic.com>
Cc:        FreeBSD Questions Mail List <questions@freebsd.org>
Subject:   Re: ipf + ipnat + dmz + bridge question
Message-ID:  <1075970794.274.219.camel@enigma.8ball.co.za>
In-Reply-To: <000901c3eb83$05eee010$0501a8c0@canada>
References:  <000901c3eb83$05eee010$0501a8c0@canada>

On Thu, 2004-02-05 at 02:57, Jason Lavigne wrote:
> Hello all,
>  
> I currently have a firewall with 3 nics, one goes to the net, one to the
> DMZ and one to the LAN. I have ipf and ipnat running along with FreeBSD
> bridge support and I have the external nic and the DMZ nic bridged. All
> DMZ computers are configured with a real public ip and have the firewall
> as the gateway.
>  
> My question is when any computer from my DMZ goes out to the net it uses
> the ip of the firewall and not the public ip it was assigned. Internally
> within the DMZ they use the correct ips. How can I make it so when the
> DMZ computers are on the net they report as using their assigned ip. Is
> the DMZ using ipnat? I only have the LAN mapped in ipnat.rules and
> nothing about the DMZ ips.
>  
> TIA
>  
> Jay
>  
> Here are my configs:
>  
> ifconfig
>  
> dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
>         inet6 fe80::203:6dff:fe00:9bd%dc0 prefixlen 64 scopeid 0x1
>         ether 00:03:6d:00:09:bd
>         media: Ethernet autoselect (100baseTX)
>         status: active
> dc1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>         inet6 fe80::280:c6ff:feea:7af1%dc1 prefixlen 64 scopeid 0x2
>         inet xxx.yyy.200.99 netmask 0xfffffff0 broadcast xxx.yyy.200.111
>         ether 00:80:c6:ea:7a:f1
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>         options=3<RXCSUM,TXCSUM>
>         inet6 fe80::250:daff:fe1b:90c3%xl0 prefixlen 64 scopeid 0x3
>         inet xxx.yyy.200.106 netmask 0xffffffff broadcast xxx.yyy.200.106
>         inet xxx.yyy.200.107 netmask 0xffffffff broadcast xxx.yyy.200.107
>         ether 00:50:da:1b:90:c3
>         media: Ethernet autoselect (10baseT/UTP)
>         status: active
> lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
>         inet 127.0.0.1 netmask 0xff000000
> tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
>         inet xxx.yyy.200.97 --> 207.136.64.4 netmask 0xffffff00
>         Opened by PID 241
>  
> /etc/ipnat.rules
>  
> # nat the lan
> map xl0 192.168.1.0/24 -> xxx.yyy.200.97/32

try changing this to:

map xl0 from 192.168.1.0/24 ! to xxx.yyy.200.99/32 -> xxx.yyy.200.97/32

which basically tells ipnat to always use NAT unless you are speaking
with your DMZ xxx.yyy.200.99/32


Regards,
-- 
Nelis Lamprecht
PGP: http://www.8ball.co.za/pgp/nelis.key
"Unix IS user friendly.. It's just selective about who its friends are."
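As an added illustration (not part of the thread, and not IPFilter's own code), a small Python model of how ipnat selects a `map` rule for an outbound packet. It shows that the original rule translates LAN traffic bound for the DMZ host, while the suggested `! to` form leaves that traffic untranslated; it assumes ipnat's first-match evaluation, and 203.0.113.0/24 is a constructed stand-in for the masked xxx.yyy.200 prefix.

```python
import ipaddress
import re

# Minimal model of ipnat "map" rule selection (illustration only, not
# IPFilter code). Covers only the form: map IF [from] SRC [[!] to DST] -> ADDR
RULE_RE = re.compile(
    r"^map\s+(?P<ifname>\S+)\s+"
    r"(?:from\s+)?(?P<src>\S+)"
    r"(?:\s+(?P<neg>!\s*)?to\s+(?P<dst>\S+))?"
    r"\s+->\s+(?P<map>\S+)$"
)

def parse_map_rule(line):
    """Parse one ipnat map rule into a dict; raise on unsupported syntax."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rule: %r" % line)
    dst = m.group("dst")
    return {
        "ifname": m.group("ifname"),
        "src": ipaddress.ip_network(m.group("src"), strict=False),
        "dst": ipaddress.ip_network(dst, strict=False) if dst else None,
        "negate_dst": m.group("neg") is not None,   # "! to" inverts the dst test
        "map": ipaddress.ip_network(m.group("map"), strict=False),
    }

def translate_source(rules, ifname, src, dst):
    """Return the new source address for an outbound packet, or None if no
    map rule applies. ipnat uses the first rule that matches."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule["ifname"] != ifname or src_ip not in rule["src"]:
            continue
        if rule["dst"] is not None:
            dst_hit = dst_ip in rule["dst"]
            if dst_hit == rule["negate_dst"]:     # plain "to" needs a hit,
                continue                          # "! to" needs a miss
        return str(rule["map"].network_address)
    return None

# Constructed addresses: 203.0.113.0/24 stands in for the thread's xxx.yyy.200.
OLD_RULES = [parse_map_rule("map xl0 192.168.1.0/24 -> 203.0.113.97/32")]
NEW_RULES = [parse_map_rule(
    "map xl0 from 192.168.1.0/24 ! to 203.0.113.99/32 -> 203.0.113.97/32")]

if __name__ == "__main__":
    for name, rules in (("old", OLD_RULES), ("new", NEW_RULES)):
        # LAN host talking to the DMZ host .99: translated only by the old rule
        print(name, translate_source(rules, "xl0", "192.168.1.10", "203.0.113.99"))
```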
