From owner-freebsd-net@FreeBSD.ORG  Wed Dec 15 12:35:39 2004
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9D33316A4CE
	for <freebsd-net@freebsd.org>; Wed, 15 Dec 2004 12:35:39 +0000 (GMT)
Received: from doeil.securesites.net (doeil.securesites.net [204.200.195.179])
	by mx1.FreeBSD.org (Postfix) with ESMTP id B7A0543D31
	for <freebsd-net@freebsd.org>; Wed, 15 Dec 2004 12:35:38 +0000 (GMT)
	(envelope-from aheyn@jmsent.com)
Received: from AREILLPC (ns.jmsent.com [66.9.27.146])
	by doeil.securesites.net (8.13.1/8.12.11) with SMTP id iBFCZFaC000622
	for <freebsd-net@freebsd.org>; Wed, 15 Dec 2004 12:35:28 GMT
From: "Andrew Heyn" <aheyn@jmsent.com>
To: <freebsd-net@freebsd.org>
Date: Wed, 15 Dec 2004 07:36:11 -0800
Message-ID: <CLELJKHKLJLNMNHGHFIDOEBLCAAA.aheyn@jmsent.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
Subject: Quick question about the tired ipf/ipnat/"dmz"/bridge scenario
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Dec 2004 12:35:39 -0000

Hi,


Quoting http://www.moatware.com/support/docbook/faq-bridge.html,

10.8. Why can't hosts on a NATed interface talk to hosts on a bridged
interface?
This frequently happens when someone wants to bridge an interface to their
WAN to use it as a DMZ, and wants to put all of the hosts on their LAN
interface behind a NAT. This is actually a fairly reasonable and natural
thing to want to do.

The problem here is that ipnat and bridging (at least as implemented in
FreeBSD) don't play well together. Packets from the LAN to the DMZ go out
just fine, but in the other direction, it seems like the packets arriving on
the unnumbered bridge interface don't get looked up correctly in the ipnat
state tables.

I've managed to convince myself that solving this is Really Really Hard
(TM). The irritating thing is that there's no theoretical reason why this
should be difficult...it all comes down to implementation details.


Is there any way at all, even with kludges, to get this to work?  I'd be
extremely interested if there was any to accomplish this, as specified
above.

Thanks,
Andrew