Date: Fri, 09 Jan 2004 21:38:51 -0600
From: Eric Anderson <anderson@centtech.com>
To: Antoine Jacoutot <ajacoutot@lphp.org>
Cc: freebsd-isp@freebsd.org
Subject: Re: routing question
Message-ID: <3FFF73CB.1090304@centtech.com>
In-Reply-To: <1073696519.3fff4f07796ac@webmail.lphp.org>
References: <200401091912.46936.ajacoutot@lphp.org> <3FFF05FB.9090002@centtech.com> <200401100153.18052.ajacoutot@lphp.org> <3FFF4DF7.3040007@centtech.com> <1073696519.3fff4f07796ac@webmail.lphp.org>
Antoine Jacoutot wrote:
> Selon Eric Anderson <anderson@centtech.com>:
>
>> Ok, well, in order to help you more, I'll need to know some things -
>> like, are the IP's in your DMZ going to be publicly accessible? Are the
>> routable IP's (static IPs) you received from your provider? How about
>> the "LAN" addresses?
>
> OK :)
>
> So, my LAN will be 192.168.0.0/24.
> The @IP in my DMZ will be public @IP (I got something like 10 @IP publicly
> available from my provider).

I'll assume a few things - you have 1 network card for each "internet"
connection, and you are receiving the IP for that card via DHCP. I'll also
assume that the internet connection used for the DMZ is going to a router
(DSL modem, ISDN router, something).

Keep in mind, there are probably 50 different ways to do this, and others on
this list most likely know far more than I do, and will probably suggest even
better ways to do it.

You'll need natd (or ipnat) running for the LAN<->WAN1 and LAN<->DMZ
connections. This will take care of your LAN connecting to the net, and also
give it access to the DMZ (and the DMZ won't have access to the LAN).

Now the harder part comes in when you want to set up the DMZ<->WAN2 connection
(by the way, I'm using WAN as "internet connection"). You could do this part a
lot of ways - so here's one: set up a bridge between DMZ and WAN2, and
selectively allow in traffic you deem "ok" using ipfw (or ipfw2, or ipfilter,
or..). You could also set up natd (or ipnat) on the DMZ<->WAN2 connection,
mapping your 10 IP's to certain hosts on the DMZ'd network - and the DMZ's
hosts could have IP's like 10.0.0.xx - that gives you a lot of flexibility.

So, you'll need 4 network cards, a simple FreeBSD box, and a little time to
read some docs.

Here are some pointers to pages with more information:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-bridging.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html

> Thanks for answering... SO FAST !

No problem!

Eric

-- 
------------------------------------------------------------------
Eric Anderson      Systems Administrator      Centaur Technology
All generalizations are false, including this one.
------------------------------------------------------------------
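The layout Eric sketches (LAN<->WAN1 through natd, LAN allowed into the DMZ, DMZ kept out of the LAN, and a second natd on DMZ<->WAN2 mapping the public addresses onto 10.0.0.x hosts) as an added example written in the style of /etc/rc.firewall. This is not code from the thread or from the FreeBSD handbook pages linked above. The interface names fxp0-fxp3, the 10.0.0.0/24 DMZ range, the 203.0.113.x public addresses (documentation range, standing in for the provider's block) and the divert ports are all assumptions; with DRY_RUN=1 (the default here) the script prints the ipfw commands instead of running them, so the policy can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example, not code from the thread: a rules generator for the
# LAN / DMZ / WAN1 / WAN2 box described above, in the style of
# /etc/rc.firewall. Interface names, the private DMZ range and the
# public addresses 203.0.113.x are assumptions (placeholders).
# DRY_RUN=1 (the default here) prints the commands instead of running them.

LAN_IF=${LAN_IF:-fxp0};   LAN_NET=192.168.0.0/24
DMZ_IF=${DMZ_IF:-fxp1};   DMZ_NET=10.0.0.0/24
WAN1_IF=${WAN1_IF:-fxp2}  # LAN's internet link (address via DHCP)
WAN2_IF=${WAN2_IF:-fxp3}  # DMZ's internet link, toward the provider's router
DRY_RUN=${DRY_RUN:-1}

# One natd per WAN link, each listening on its own divert port.
NATD_WAN1_PORT=8668
NATD_WAN2_PORT=8669

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# natd.conf for the DMZ side: each public address maps to exactly one DMZ
# host, so the DMZ machines keep private 10.0.0.x addresses.
natd_wan2_conf() {
    cat <<EOF
interface $WAN2_IF
port $NATD_WAN2_PORT
redirect_address 10.0.0.10 203.0.113.10
redirect_address 10.0.0.11 203.0.113.11
EOF
}

build_rules() {
    run ipfw -f flush
    # loopback, and nothing that claims to be loopback from a wire
    run ipfw add 100 allow ip from any to any via lo0
    run ipfw add 110 deny ip from any to 127.0.0.0/8
    # anti-spoofing: internal source addresses never arrive on a WAN link
    run ipfw add 120 deny ip from $LAN_NET to any in via $WAN1_IF
    run ipfw add 121 deny ip from $DMZ_NET to any in via $WAN2_IF
    # hand both WAN links to their natd (translate before any policy rule)
    run ipfw add 200 divert $NATD_WAN1_PORT ip from any to any via $WAN1_IF
    run ipfw add 210 divert $NATD_WAN2_PORT ip from any to any via $WAN2_IF
    # replies to sessions permitted by the keep-state rules below
    run ipfw add 300 check-state
    # the DMZ may never open a connection into the LAN
    run ipfw add 400 deny log ip from $DMZ_NET to $LAN_NET in via $DMZ_IF
    # the LAN may open connections to the DMZ and to the internet
    run ipfw add 500 allow ip from $LAN_NET to any in via $LAN_IF keep-state
    # DMZ hosts may open connections to the internet (leaving via WAN2 only)
    run ipfw add 600 allow ip from $DMZ_NET to any in via $DMZ_IF keep-state
    # inbound to the DMZ: only the services you decide are "ok"
    run ipfw add 700 allow tcp from any to 10.0.0.10 80,443 in via $WAN2_IF setup keep-state
    # already-translated traffic leaving on either WAN link
    run ipfw add 800 allow ip from any to any out via $WAN1_IF
    run ipfw add 810 allow ip from any to any out via $WAN2_IF
    # everything else is dropped and logged
    run ipfw add 65000 deny log ip from any to any
}

# Number of rules the policy installs, for a quick sanity check.
rule_count() {
    ( DRY_RUN=1; build_rules ) | grep -c '^ipfw add '
}

build_rules
```

The order matters: the divert rules sit before check-state so that inbound packets are already translated back to 10.0.0.x or 192.168.0.x addresses when the dynamic rules are consulted, and rule 400 sits before rule 600 so the DMZ's general outbound permission cannot be used to reach the LAN. On the FreeBSD side this would be wired up with gateway_enable="YES", firewall_enable="YES" and firewall_script pointing at the script in /etc/rc.conf; natd_enable/natd_interface cover the first natd, and the second instance is started with `natd -f` and the file natd_wan2_conf produces.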