Date:      Tue, 09 Aug 2011 06:09:28 -0700
From:      Chuck Swiger <cswiger@mac.com>
To:        Marek Salwerowicz <marek_sal@wp.pl>
Cc:        freebsd-net@freebsd.org
Subject:   Re: ipfw - accessing  DMZ from LAN
Message-ID:  <A7D49BE7-7822-49BB-91B9-B8EDF09090CA@mac.com>
In-Reply-To: <4E412093.8000105@wp.pl>
References:  <4E412093.8000105@wp.pl>

On Aug 9, 2011, at 4:57 AM, Marek Salwerowicz wrote:
> Right now everything works from the Internet - if I do ssh to xx.yy.zz.170, I really can connect to host 192.168.0.10 etc.
> 
> The problem is that when I want to connect from my 10.0.0.0/24 network (and even from the router) to any DMZ host, using its public address (any of xx.yy.zz.{170,172,173}), I can't connect and in fact I am connecting to the router. So I am unable to access my web, MTA, FTP servers that are located in the DMZ.

It's not working because you configured natd to work against traffic flowing via vr3, but traffic from your LAN is coming via vr0.  While you can change natd to run against all traffic, it's much better to avoid re-writing purely internal traffic by setting up a DNS view for your machines in the DMZ which uses internal IPs rather than the public IPs.

Or, if you insist upon your DMZ hosts being on externally routable IPs, then go ahead and configure them with externally routable IPs rather than using natd's redirect_address, and only do NAT for internal traffic via vr0 instead.

Regards,
-- 
-Chuck
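As an added illustration of the layout described in the reply above (this is not configuration from the original thread or from Marek's router), here is how the two halves fit together: natd bound to the external interface vr3 only, with the DMZ hosts published through `redirect_address`, and a BIND view that answers LAN clients with the 192.168.0.x addresses so their traffic never has to be hairpinned through natd. The zone name example.com, the zone file paths, and the 192.168.0.0/24 DMZ subnet on vr1 are assumptions; xx.yy.zz.170 and 192.168.0.10 are the addresses from the thread.

```conf
# --- /etc/rc.conf (fragment, assumed layout: vr0 = LAN 10.0.0.0/24,
#     vr1 = DMZ 192.168.0.0/24, vr3 = external xx.yy.zz.0/24) ---
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="vr3"                 # NAT only what enters/leaves vr3
natd_flags="-f /etc/natd.conf"

# --- /etc/natd.conf ---
# One public IP per DMZ service host; purely internal traffic is never
# rewritten because natd is only fed packets that traverse vr3.
use_sockets   yes
same_ports    yes
redirect_address 192.168.0.10 xx.yy.zz.170   # web (assumed) -> .170
redirect_address 192.168.0.11 xx.yy.zz.172   # MTA (assumed) -> .172
redirect_address 192.168.0.12 xx.yy.zz.173   # FTP (assumed) -> .173

# --- /etc/ipfw.rules ---
# Divert to natd only on the external interface. LAN->DMZ packets travel
# vr0 -> vr1 and never match this rule, which is exactly why a LAN client
# dialling xx.yy.zz.170 ends up at the router's own interface instead.
ipfw -f flush
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 divert natd ip from any to any via vr3
# LAN and DMZ reach each other by private address; DMZ may not originate
# connections into the LAN (least privilege for the exposed hosts).
ipfw add 300 allow ip from 10.0.0.0/24 to 192.168.0.0/24 in via vr0
ipfw add 310 check-state
ipfw add 320 allow tcp from 192.168.0.0/24 to 10.0.0.0/24 established
ipfw add 330 deny ip from 192.168.0.0/24 to 10.0.0.0/24
ipfw add 65000 allow ip from any to any

// --- /usr/local/etc/namedb/named.conf (fragment): split DNS ---
// LAN and DMZ clients get internal answers; everyone else gets the
// public addresses. Both views serve the same zone from different files.
view "internal" {
    match-clients { 10.0.0.0/24; 192.168.0.0/24; localhost; };
    recursion yes;
    zone "example.com" {                   // assumed zone name
        type master;
        file "master/example.com.internal"; // www -> 192.168.0.10 etc.
    };
};
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "master/example.com.external"; // www -> xx.yy.zz.170 etc.
    };
};
```

A quick way to confirm the diagnosis before changing anything is `ipfw -a list`: while a LAN client attempts a connection to xx.yy.zz.170, the packet counter on the `divert natd ... via vr3` rule will not move, because that traffic never crosses vr3. After the DNS views are in place, `dig @router www.example.com` from a 10.0.0.0/24 host should return 192.168.0.10, while the same query from outside returns xx.yy.zz.170.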