From owner-freebsd-questions@FreeBSD.ORG Thu Feb 5 05:04:18 2004
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 64ADA16A4CE for ; Thu, 5 Feb 2004 05:04:18 -0800 (PST)
Received: from mail1.bwlogic.com (fw.bwlogic.com [209.161.200.97]) by mx1.FreeBSD.org (Postfix) with ESMTP id BD2A643D1F for ; Thu, 5 Feb 2004 05:04:15 -0800 (PST) (envelope-from jlavigne@bwlogic.com)
Received: (qmail 25901 invoked by uid 89); 5 Feb 2004 13:04:14 -0000
Received: from unknown (HELO canada) (192.168.1.5) by liv43-36.tor.idirect.com with SMTP; 5 Feb 2004 13:04:14 -0000
From: "Jason Lavigne"
Date: Thu, 5 Feb 2004 08:04:14 -0500
Message-ID: <008701c3ebe8$8df0e2a0$0501a8c0@canada>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4024
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
In-Reply-To: <1075970794.274.219.camel@enigma.8ball.co.za>
Importance: Normal
cc: 'FreeBSD Questions Mail List'
Subject: RE: ipf + ipnat + dmz + bridge question
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Thu, 05 Feb 2004 13:04:18 -0000

Clever. I tried that, and now I have found a different issue: I don't know if ipnat is working correctly. I can browse the Internet using my LAN; however, the ipnat.rules are being completely ignored. I removed all rules and I can still browse the Internet with my LAN, and to me this is odd. Any ideas?

Thanks for your time.
Jay

-----Original Message-----
From: Nelis Lamprecht [mailto:nelis@8ball.co.za]
Sent: Thursday, February 05, 2004 3:47 AM
To: Jason Lavigne
Cc: FreeBSD Questions Mail List
Subject: Re: ipf + ipnat + dmz + bridge question

On Thu, 2004-02-05 at 02:57, Jason Lavigne wrote:
> Hello all,
>
> I currently have a firewall with 3 NICs: one goes to the net, one to the
> DMZ and one to the LAN. I have ipf and ipnat running along with FreeBSD
> bridge support, and I have the external NIC and the DMZ NIC bridged. All
> DMZ computers are configured with a real public IP and have the firewall
> as the gateway.
>
> My question is: when any computer from my DMZ goes out to the net, it uses
> the IP of the firewall and not the public IP it was assigned. Internally
> within the DMZ they use the correct IPs. How can I make it so that when the
> DMZ computers are on the net they report as using their assigned IP? Is
> the DMZ using ipnat? I only have the LAN mapped in ipnat.rules and
> nothing about the DMZ IPs.
>
> TIA
>
> Jay
>
> Here are my configs:
>
> ifconfig
>
> dc0: flags=8843 mtu 1500
>         inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
>         inet6 fe80::203:6dff:fe00:9bd%dc0 prefixlen 64 scopeid 0x1
>         ether 00:03:6d:00:09:bd
>         media: Ethernet autoselect (100baseTX)
>         status: active
> dc1: flags=8943 mtu 1500
>         inet6 fe80::280:c6ff:feea:7af1%dc1 prefixlen 64 scopeid 0x2
>         inet xxx.yyy.200.99 netmask 0xfffffff0 broadcast xxx.yyy.200.111
>         ether 00:80:c6:ea:7a:f1
>         media: Ethernet autoselect (100baseTX)
>         status: active
> xl0: flags=8943 mtu 1500
>         options=3
>         inet6 fe80::250:daff:fe1b:90c3%xl0 prefixlen 64 scopeid 0x3
>         inet xxx.yyy.200.106 netmask 0xffffffff broadcast xxx.yyy.200.106
>         inet xxx.yyy.200.107 netmask 0xffffffff broadcast xxx.yyy.200.107
>         ether 00:50:da:1b:90:c3
>         media: Ethernet autoselect (10baseT/UTP)
>         status: active
> lp0: flags=8810 mtu 1500
> lo0: flags=8049 mtu 16384
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
>         inet 127.0.0.1 netmask 0xff000000
> tun0: flags=8051 mtu 1492
>         inet xxx.yyy.200.97 --> 207.136.64.4 netmask 0xffffff00
>         Opened by PID 241
>
> /etc/ipnat.rules
>
> # nat the lan
> map xl0 192.168.1.0/24 -> xxx.yyy.200.97/32

try changing this to:

map xl0 from 192.168.1.0/24 ! to xxx.yyy.200.99/32 -> xxx.yyy.200.97/32

which basically tells ipnat to always use NAT unless you are speaking with your DMZ xxx.yyy.200.99/32

Regards,
-- 
Nelis Lamprecht
PGP: http://www.8ball.co.za/pgp/nelis.key
"Unix IS user friendly.. It's just selective about who its friends are."
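The rule proposed above hinges on how ipnat evaluates a `map` rule: it is bound to one outbound interface, matches on the `from` network, and a `! to` clause excludes the named destination from translation. The following is an added example written for this page, not code from the thread or from IPFilter; it is a small model of that evaluation applied to the two rule shapes seen above, so a reader can see which packets keep their original source. Because the thread's public addresses are masked (xxx.yyy.200.x), the 203.0.113.0/28 and 198.51.100.0/24 documentation ranges and the host addresses below are constructed stand-ins.

```python
"""Model of how an ipnat(8) ``map`` rule selects packets for translation.

Added example, not code from the thread or from IPFilter. It shows that the
``! to`` form leaves LAN-to-DMZ traffic untranslated while LAN-to-Internet
traffic still leaves with the firewall's address, and that a ``map`` rule
only applies to packets leaving through the interface it names. Addresses
are constructed stand-ins for the masked xxx.yyy.200.x values in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class MapRule:
    iface: str                             # outbound interface the rule is bound to
    src: ipaddress.IPv4Network             # "from" network (or the bare network form)
    dst: Optional[ipaddress.IPv4Network]   # "to" network; None means any destination
    negate_dst: bool                       # True for "! to": match only when dst is NOT in dst net
    to: ipaddress.IPv4Address              # address the source is rewritten to


def parse_map_rule(text: str) -> MapRule:
    """Parse the two map-rule shapes used in the thread:
    ``map IF NET -> ADDR/32`` and ``map IF from NET [!] to NET -> ADDR/32``."""
    lhs, rhs = text.split("->")
    tokens = lhs.split()
    if tokens[0] != "map":
        raise ValueError("only map rules are modelled")
    iface, rest = tokens[1], tokens[2:]
    dst, negate = None, False
    if rest[0] == "from":
        src = ipaddress.ip_network(rest[1], strict=False)
        rest = rest[2:]
        if rest and rest[0] == "!":
            negate, rest = True, rest[1:]
        if rest and rest[0] == "to":
            dst = ipaddress.ip_network(rest[1], strict=False)
    else:
        src = ipaddress.ip_network(rest[0], strict=False)
    # Right-hand side "ADDR/32": a single translation address in these rules.
    to = ipaddress.ip_interface(rhs.split()[0]).ip
    return MapRule(iface, src, dst, negate, to)


def rule_matches(rule: MapRule, out_iface: str, src: ipaddress.IPv4Address,
                 dst: ipaddress.IPv4Address) -> bool:
    if out_iface != rule.iface:          # map rules are per outbound interface
        return False
    if src not in rule.src:
        return False
    if rule.dst is not None:
        in_dst = dst in rule.dst
        if rule.negate_dst == in_dst:    # "! to": skip when dst IS in the net;
            return False                 # plain "to": skip when it is NOT
    return True


def translate(rules: List[MapRule], out_iface: str, src: str, dst: str) -> str:
    """Return the source address a packet leaves with. The first matching
    rule is applied (ipnat, unlike ipf, uses the first match for NAT rules);
    a packet no rule matches keeps its original source."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule_matches(rule, out_iface, s, d):
            return str(rule.to)
    return src


# Constructed stand-ins for the thread's masked addresses (assumptions):
FW_PUBLIC = "203.0.113.1"    # plays xxx.yyy.200.97, the firewall's tun0 address
DMZ_HOST = "203.0.113.3"     # plays xxx.yyy.200.99, the DMZ address excluded by "! to"
LAN_HOST = "192.168.1.20"    # a host on the 192.168.1.0/24 LAN
INTERNET = "198.51.100.10"   # some host out on the Internet

ORIGINAL = [parse_map_rule(f"map xl0 192.168.1.0/24 -> {FW_PUBLIC}/32")]
PROPOSED = [parse_map_rule(
    f"map xl0 from 192.168.1.0/24 ! to {DMZ_HOST}/32 -> {FW_PUBLIC}/32")]


def demo() -> dict:
    """Source address seen on the wire for each case, original vs proposed rule."""
    return {
        "orig_lan_to_dmz": translate(ORIGINAL, "xl0", LAN_HOST, DMZ_HOST),
        "new_lan_to_dmz": translate(PROPOSED, "xl0", LAN_HOST, DMZ_HOST),
        "new_lan_to_internet": translate(PROPOSED, "xl0", LAN_HOST, INTERNET),
        "new_dmz_to_internet": translate(PROPOSED, "xl0", DMZ_HOST, INTERNET),
        "new_lan_via_tun0": translate(PROPOSED, "tun0", LAN_HOST, INTERNET),
    }


if __name__ == "__main__":
    for case, source in demo().items():
        print(f"{case:22s} source on the wire: {source}")
```

The last case is the one to check on a real box: a `map xl0 ...` rule never touches a packet that leaves through `tun0`, so the interface named in the rule has to be the one that actually carries the Internet-bound traffic. On the firewall itself, `ipnat -l` lists the loaded rules and the active address mappings, `ipnat -CF -f /etc/ipnat.rules` clears the old rules and mappings before reloading the file, and a `tcpdump` on the outside interface shows which source address the packets really leave with.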