From: Anthony Kim <akim@itisolutions.com>
Date: Mon, 22 Feb 1999 11:38:57 -0600
To: freebsd-questions@freebsd.org
Subject: IPFW & NAT question
Message-Id: <3.0.6.32.19990222113857.009ad5d0@forbes.itisolutions.com>

I'm trying to come up with a solution as follows; please let me know if this is workable:

Given a 2.2.8-STABLE box running IPFW & NAT.
The firewall will have 3 NICs.

NIC1 - Real IP; to Internet
NIC2 - Real IP; to Perimeter network <--> on this network another HOST (HOST A) with Real IP
NIC3 - Private IP; to Internal network

NIC1 & NIC2 & HOST A will all be on the same network address.

I've done ipfw several times with 2 network cards. How is FreeBSD going to handle this 3rd card? NIC1 & NIC2 will be on the same network ID. On the perimeter network will be a bastion host having a real IP on the same network. I was thinking maybe I could bridge between NIC1 & NIC2. Or will static routing work in this case? I'm unsure.

I'm aware of the -u flag to natd to enable translation only for RFC 1918 compliant addresses. Real IPs will be passed untranslated. Will routing be a problem? I'm thinking, if on the firewall I added the following example this might work(?):

route add default
route add -host
route add -net ...

The alternative solution is to enable translation on HOST A with another fake IP network but using static NAT. IOW:

EXT NETWORK: real
PERIMETER NETWORK: 192.168.16.0
INTERNAL NETWORK: 192.168.17.0

where HOST A on the perimeter network will be static NAT to its real IP. If I were to do this, where do I assign HOST A's real IP? As an alias to the firewall's external NIC? How can FreeBSD handle NAT using more than one public IP?

I appreciate any direction. Thanks!

Anthony Kim
Sysadmin, HFR Group
http://www.hfr.com/
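The following is an added example, not part of Anthony's message or of any reply on the list. It sketches the second design from the message (perimeter network 192.168.16.0/24, internal network 192.168.17.0/24, HOST A on the perimeter statically mapped to a second public IP) as an ipfw ruleset plus a natd.conf. Interface names (ed0/ed1/ed2), the two public addresses (taken from the 203.0.113.0/24 documentation range) and HTTP as HOST A's published service are assumptions. natd's `unregistered_only` keyword is the configuration-file form of the `-u` flag the message mentions, and `redirect_address` is its static 1:1 mapping; the second public IP is added as a /32 alias on the external NIC so the firewall answers ARP for it. The script echoes every command unless RUN=1, so it can be reviewed off the box.

```shell
#!/bin/sh
# Added example for a 3-NIC ipfw/natd firewall (not from the original post).
# Interface names and public addresses are constructed placeholders.

EXT_IF="ed0"               # NIC1: assumed name, carries the real IPs
DMZ_IF="ed1"               # NIC2: perimeter, 192.168.16.1/24 on the firewall
INT_IF="ed2"               # NIC3: internal, 192.168.17.1/24 on the firewall
FW_PUBLIC="203.0.113.2"    # constructed: the firewall's own public IP
HOSTA_PUBLIC="203.0.113.3" # constructed: second public IP, mapped to HOST A
HOSTA_PRIV="192.168.16.10" # HOST A's address on the perimeter network

# Echo commands for review; set RUN=1 on the firewall itself to apply them.
run() { if [ "${RUN:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# natd.conf: translate only RFC 1918 sources (same as -u) and map HOST A's
# public IP one-to-one to its perimeter address in both directions.
natd_conf() {
    cat <<EOF
interface $EXT_IF
unregistered_only yes
use_sockets yes
same_ports yes
redirect_address $HOSTA_PRIV $HOSTA_PUBLIC
EOF
}

# The firewall must own HOST A's public IP on the external NIC so it answers
# ARP for it; the /32 mask keeps the alias from adding a second network route.
alias_cmds() {
    run ifconfig "$EXT_IF" inet "$HOSTA_PUBLIC" netmask 0xffffffff alias
}

# ipfw rules. Packets re-enter after the divert rule with translated
# addresses, so rules below 200 see real source/destination on the wire and
# rules above 200 see the private addresses. This ipfw has no keep-state, so
# return traffic relies on 'established' and therefore covers TCP only.
ipfw_rules() {
    run ipfw -f flush
    # Anti-spoofing: private ranges never arrive from the Internet side
    run ipfw add 100 deny ip from 192.168.0.0/16 to any in via "$EXT_IF"
    run ipfw add 110 deny ip from any to 192.168.0.0/16 in via "$EXT_IF"
    # Everything crossing the external NIC goes through natd
    run ipfw add 200 divert natd ip from any to any via "$EXT_IF"
    # After translation, only the two public IPs may leave the external NIC
    run ipfw add 300 allow ip from "$FW_PUBLIC" to any out via "$EXT_IF"
    run ipfw add 310 allow ip from "$HOSTA_PUBLIC" to any out via "$EXT_IF"
    # Internal hosts may initiate anything (translated on the way out)
    run ipfw add 400 allow ip from 192.168.17.0/24 to any in via "$INT_IF"
    # Outside world reaches HOST A only on its published service (assumed HTTP)
    run ipfw add 410 allow tcp from any to "$HOSTA_PRIV" 80 setup
    run ipfw add 420 allow tcp from any to any established
    # Perimeter hosts must never initiate into the internal network
    run ipfw add 500 deny ip from 192.168.16.0/24 to 192.168.17.0/24
    # HOST A may otherwise initiate outbound (e.g. DNS, updates)
    run ipfw add 510 allow ip from "$HOSTA_PRIV" to any in via "$DMZ_IF"
    run ipfw add 65000 deny log ip from any to any
}

natd_conf
alias_cmds
ipfw_rules
```

Traced through the rules: a SYN from the Internet to 203.0.113.3:80 passes 100/110, is rewritten by natd at 200 to 192.168.16.10 and is accepted at 410; HOST A's reply matches 420 on the perimeter side and, after translation back to 203.0.113.3, 310 on the way out. A perimeter host trying to open a connection to 192.168.17.0/24 is stopped at 500 before 510 can allow it.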