From: Al Plant <noc@hdk5.net>
To: Maxim Khitrov
Cc: Free BSD Questions list <freebsd-questions@freebsd.org>
Subject: Re: Correct way to configure an IP range for firewall
Date: Wed, 09 Sep 2009 09:14:46 -1000
Message-ID: <4AA7FEA6.70603@hdk5.net>
In-Reply-To: <26ddd1750909091144x447fb4bt93e4bdc56d7a9202@mail.gmail.com>

Maxim Khitrov wrote:
> Hello all,
>
> A quick question - I have a /29 block of IPs that needs to be handled
> by a firewall I'm setting up. Two addresses are lost to broadcast and
> network, one is the ISP gateway, so we end up with 5 usable IPs that
> can be assigned to the external interface. The question is how to do
> this correctly?
>
> I want only one of the addresses assigned to the firewall itself,
> another will be used as the public NAT address for all hosts on the
> LAN. The remaining three addresses will be used as bidirectional NAT for
> servers.
>
> Am I correct in assuming that I just need to add four
> ifconfig_vr0_alias[0-3] lines to rc.conf? What happens if in the
> future we get a much bigger IP block, is there a more efficient way of
> accomplishing the same thing? I don't actually want the firewall to
> consider itself the final destination for any of the additional IPs,
> it just needs to pass them to pf for NAT and filtering.
>
> - Max

Aloha Max,

What you have sounds like an ATM (Asynchronous Transfer Mode) circuit. I have one here that is for three servers, a desktop, and one spare IP. I got the setup from Michael Paoli at cal.berkeley.edu in California. With this setup I had to put firewalls (PF) on the three servers facing the internet and on the desktop as well.

There are two references I used for this firewall setup: Absolute FreeBSD - M. Lucas, pg. 273, and bsdly.net - Peter Hansteen. Both are on this list.

If you would like to see the three sheets on how I set this up I can fax them to you or email them.

The setup for more IPs should be scalable, but the IPs and default route would change, I would think. You could keep using /29 ATM blocks and increase in increments with different IPs, most likely without changing the first ones.

~Al Plant - Honolulu, Hawaii - Phone: 808-284-2740
+ http://hawaiidakine.com + http://freebsdinfo.org +
+ http://aloha50.net - Supporting - FreeBSD 6.* - 7.* - 8.* +
< email: noc@hdk5.net >
"All that's really worth doing is what we do for others." - Lewis Carroll
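As an added example (not configuration from this thread or from either poster), the layout Max describes on a hypothetical 203.0.113.0/29 taken from the documentation range: one address on the firewall, one outbound NAT address, three 1:1 binat mappings, with vr0 external and vr1 internal. All addresses, the internal interface name and the internal server addresses are assumptions. Because the aliases make the firewall answer for the extra addresses, pf's translation rules (which run before filtering) are what keep it from being their final destination: inbound packets to a binat address are rewritten to the internal server before the filter rules see them, and anything left untranslated is dropped by `block all` unless a rule explicitly passes it to the firewall's own address.

```pf
# /etc/rc.conf (sh syntax, shown here as comments), hypothetical /29:
#   203.0.113.0 network, .7 broadcast, .1 ISP gateway, .2-.6 usable
# ifconfig_vr0="inet 203.0.113.2 netmask 255.255.255.248"
# ifconfig_vr0_alias0="inet 203.0.113.3 netmask 255.255.255.255"
# ifconfig_vr0_alias1="inet 203.0.113.4 netmask 255.255.255.255"
# ifconfig_vr0_alias2="inet 203.0.113.5 netmask 255.255.255.255"
# ifconfig_vr0_alias3="inet 203.0.113.6 netmask 255.255.255.255"
# defaultrouter="203.0.113.1"
# gateway_enable="YES"
# pf_enable="YES"

# /etc/pf.conf
ext_if  = "vr0"
int_if  = "vr1"                 # assumed internal interface
lan_net = "192.168.1.0/24"      # assumed internal network

fw_addr  = "203.0.113.2"        # the firewall's own address
nat_addr = "203.0.113.3"        # public address shared by all LAN hosts
www_pub  = "203.0.113.4"
www_int  = "192.168.1.10"       # assumed internal web server
mail_pub = "203.0.113.5"
mail_int = "192.168.1.11"       # assumed internal mail server
db_pub   = "203.0.113.6"
db_int   = "192.168.1.12"       # assumed internal third server

set skip on lo0
scrub in all

# Translation section: outbound LAN traffic leaves as nat_addr ...
nat on $ext_if from $lan_net to any -> $nat_addr
# ... and each server keeps a fixed public address in both directions.
# binat is evaluated before nat, so the servers never use nat_addr.
binat on $ext_if from $www_int  to any -> $www_pub
binat on $ext_if from $mail_int to any -> $mail_pub
binat on $ext_if from $db_int   to any -> $db_pub

# Filter section: default deny, then the few things that are allowed.
# Filter rules see the already-translated (internal) destination.
block all
pass in  on $int_if from $lan_net to any keep state
pass out on $ext_if keep state
pass in  on $ext_if proto tcp to $www_int  port { 80 443 } keep state
pass in  on $ext_if proto tcp to $mail_int port 25 keep state
# db_pub is mapped but nothing is passed to it: it is reachable only
# for return traffic of connections the server itself opens.
# Only the firewall's own address accepts admin ssh.
pass in  on $ext_if proto tcp from $lan_net to $fw_addr port 22 keep state
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it, which is the first check to run after editing.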