From: Marek Salwerowicz
Date: Tue, 09 Aug 2011 13:57:07 +0200
To: freebsd-net@freebsd.org
Subject: ipfw - accessing DMZ from LAN
Message-ID: <4E412093.8000105@wp.pl>
List-Id: Networking and TCP/IP with FreeBSD

Hi all,

I have set up a new router for my network, with a separated DMZ zone for my internet servers. I'd like computers from my LAN to be able to connect to the DMZ zone.

My ISP provided me some public IPs, so right now the configuration looks like this:

Router with 4 NICs:

  #public ISP
  ifconfig_vr3="inet xx.yy.zz.171 netmask 255.255.255.248"
  ifconfig_vr3_alias0="inet xx.yy.zz.170 netmask 255.255.255.255"
  ifconfig_vr3_alias1="inet xx.yy.zz.172 netmask 255.255.255.255"
  ifconfig_vr3_alias2="inet xx.yy.zz.173 netmask 255.255.255.255"

The first IP, with suffix .171, I want to be used as the real router's IP and the public IP for computers in my LAN. All 3 aliases I want to be redirected to the DMZ (one public IP for each server in the DMZ).

  #DMZ
  ifconfig_vr2="inet 192.168.0.1 netmask 255.255.255.0"

  #LAN
  ifconfig_vr0="inet 10.0.0.1 netmask 255.255.255.0"

I've set up in natd.conf:

  use_sockets yes
  same_ports yes
  interface vr3
  dynamic yes
  unregistered_only yes
  redirect_address 192.168.0.10 xx.yy.zz.170  #DMZ host 1
  redirect_address 192.168.0.20 xx.yy.zz.172  #DMZ host 2
  redirect_address 192.168.0.30 xx.yy.zz.173  #DMZ host 3

Right now everything works from the Internet - if I do ssh to xx.yy.zz.170, I really can connect to host 192.168.0.10 etc.

The problem is that when I want to connect from my 10.0.0.0/24 network (and even from the router) to any DMZ host using its public address (any of xx.yy.zz.{170,172,173}), I can't connect and in fact I am connecting to the router. So I am unable to access my web, mta, ftp servers that are located in the DMZ.

My ipfw firewall script looks as follows:

  #!/bin/sh
  cmd="ipfw -q"
  DMZ="192.168.0.0/24"
  LAN="10.0.0.0/24"

  kldstat -q -m dummynet || kldload dummynet

  $cmd flush
  $cmd add 80 divert natd ip from any to any via vr3
  $cmd add 90 allow ip from any to any via lo0
  $cmd add 100 allow ip from any to me
  $cmd add 101 allow ip from me to any
  $cmd add 500 deny ip from $DMZ to $LAN
  $cmd add 510 deny ip from $LAN to $DMZ
  $cmd add 10000 allow ip from any to any

I know I've blocked traffic between DMZ and LAN, but I wanted them to contact via public IPs... but now I'm not sure if it's possible...

Can you give me some hints on how to properly configure my router?

Regards,
-- 
Marek Salwerowicz
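As an added illustration, not part of the original post, the Python model below walks ipfw's first-match rule list using the rc.conf, natd.conf and ipfw rules quoted above, and shows why a LAN client that connects to xx.yy.zz.170 lands on the router: rule 80 diverts only packets seen "via vr3", so a packet arriving on vr0 is never handed to natd, and the first rule that matches it is 100, "allow ip from any to me", because the public aliases are the router's own addresses. The prefix 203.0.113 (TEST-NET-3) stands in for the post's xx.yy.zz so the addresses parse; the client addresses, the three-entry routing table and the natd behaviour modelled (destination rewrite for inbound packets, source rewrite for outbound ones, reinjection at the next rule after a divert) are my assumptions, not code from the poster or from FreeBSD.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# 203.0.113 (TEST-NET-3) stands in for the post's "xx.yy.zz" placeholder (constructed).
PUB = "203.0.113"
PUBLIC_ROUTER_IP = ip_address(f"{PUB}.171")

# Addresses the router owns: this is what ipfw's "me" keyword matches (from the ifconfig_* lines).
ROUTER_ADDRS = {ip_address(f"{PUB}.{h}") for h in (170, 171, 172, 173)} | {
    ip_address("192.168.0.1"), ip_address("10.0.0.1"), ip_address("127.0.0.1")}

# natd.conf redirect_address lines: public alias -> DMZ host.
REDIRECTS = {ip_address(f"{PUB}.170"): ip_address("192.168.0.10"),
             ip_address(f"{PUB}.172"): ip_address("192.168.0.20"),
             ip_address(f"{PUB}.173"): ip_address("192.168.0.30")}
REVERSE = {v: k for k, v in REDIRECTS.items()}

# Directly connected networks -> interface (constructed routing table from the post's subnets).
ROUTES = [(ip_network("192.168.0.0/24"), "vr2"), (ip_network("10.0.0.0/24"), "vr0")]


@dataclass(frozen=True)
class Rule:
    num: int
    action: str                 # "divert", "allow" or "deny"
    src: str                    # "any", "me" or a CIDR
    dst: str
    via: Optional[str] = None   # interface name, or None for "any interface"


# The poster's ipfw script, rule for rule.
RULES = [Rule(80, "divert", "any", "any", "vr3"), Rule(90, "allow", "any", "any", "lo0"),
         Rule(100, "allow", "any", "me"), Rule(101, "allow", "me", "any"),
         Rule(500, "deny", "192.168.0.0/24", "10.0.0.0/24"),
         Rule(510, "deny", "10.0.0.0/24", "192.168.0.0/24"),
         Rule(10000, "allow", "any", "any")]


def addr_matches(spec: str, addr: IPv4Address) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        return addr in ROUTER_ADDRS
    return addr in ip_network(spec)


def egress(dst: IPv4Address) -> str:
    """Interface the router would forward to, or 'local' if dst is one of its own addresses."""
    if dst in ROUTER_ADDRS:
        return "local"
    for net, iface in ROUTES:
        if dst in net:
            return iface
    return "vr3"  # default route towards the ISP


def natd(src, dst, direction):
    """Modelled natd behaviour for a packet diverted on vr3 ('interface vr3' + redirect_address)."""
    if direction == "in":
        return src, REDIRECTS.get(dst, dst)            # public alias -> DMZ host
    return REVERSE.get(src, PUBLIC_ROUTER_IP), dst      # DMZ host -> its alias, everyone else -> .171


def one_pass(src, dst, iface, direction):
    """Walk the rule list once for a packet on `iface`. A divert hands the packet to natd and,
    as ipfw does when the packet is reinjected, matching resumes at the next rule with the
    rewritten addresses. Returns (verdict, src, dst, trace of matched rules)."""
    trace = []
    for r in RULES:
        if r.via is not None and r.via != iface:
            continue
        if not (addr_matches(r.src, src) and addr_matches(r.dst, dst)):
            continue
        if r.action == "divert":
            src, dst = natd(src, dst, direction)
            trace.append((r.num, "divert", str(src), str(dst)))
            continue
        trace.append((r.num, r.action, str(src), str(dst)))
        return r.action, src, dst, trace
    return "deny", src, dst, trace  # ipfw's implicit default; unreachable while rule 10000 exists


def forward(src: str, dst: str, in_iface: str) -> dict:
    """Simulate a packet arriving on in_iface: inbound pass, routing decision, outbound pass."""
    s, d = ip_address(src), ip_address(dst)
    verdict, s, d, trace = one_pass(s, d, in_iface, "in")
    if verdict != "allow":
        return {"result": "dropped", "trace": trace}
    out = egress(d)
    if out == "local":
        return {"result": f"delivered to the router itself ({d})", "trace": trace}
    verdict, s, d, more = one_pass(s, d, out, "out")
    trace += more
    if verdict != "allow":
        return {"result": "dropped", "trace": trace}
    return {"result": f"forwarded out {out} to {d} (from {s})", "trace": trace}


if __name__ == "__main__":
    for pkt in [("198.51.100.9", f"{PUB}.170", "vr3"),   # Internet client -> DMZ host 1 (works)
                ("10.0.0.5", f"{PUB}.170", "vr0")]:      # LAN client -> the same public address
        r = forward(*pkt)
        print(pkt, "->", r["result"])
        for ev in r["trace"]:
            print("   rule", *ev)
```

The Internet-side packet is rewritten to 192.168.0.10 at rule 80 and forwarded out vr2; the LAN-side packet matches rule 100 with its destination still xx.yy.zz.170 and is delivered to the router, which is exactly the symptom in the post. Two things follow for any change to this setup: the destination rewrite for LAN clients has to happen before rule 100 accepts the packet locally, and the DMZ host's reply has to go back through the same translator so its source is rewritten to the public alias again, otherwise the LAN client receives a reply from 192.168.0.10 for a connection it opened to xx.yy.zz.170 and drops it. Resolving the server names to their 192.168.0.x addresses for LAN clients (split-horizon DNS) and opening only the needed ports in rule 510 avoids that hairpin translation entirely.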