From: Chuck Swiger <cswiger@mac.com>
Date: Tue, 09 Aug 2011 06:09:28 -0700
To: Marek Salwerowicz
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw - accessing DMZ from LAN
In-reply-to: <4E412093.8000105@wp.pl>
List-Id: Networking and TCP/IP with FreeBSD

On Aug 9, 2011, at 4:57 AM, Marek Salwerowicz wrote:

> Right now everything works from the Internet - if I do ssh to xx.yy.zz.170, I really can connect to host 192.168.0.10 etc.
>
> The problem is that when I want to connect from my 10.0.0.0/24 network (and even from router) to any DMZ host, using its public address (any of xx.yy.zz.{170,172,173}), I can't connect and in fact I am connecting to the router. So I am unable to access my web, mta, ftp servers that are located in DMZ.

It's not working because you configured natd to work against traffic flowing via vr3, but traffic from your LAN is coming via vr0.

While you can change natd to run against all traffic, it's much better to avoid re-writing purely internal traffic by setting up a DNS view for your machines in the DMZ which uses internal IPs rather than the public IPs.

Or, if you insist upon your DMZ hosts being on externally routable IPs, then go ahead and configure them with externally routable IPs rather than using natd's redirect_address, and only do NAT for internal traffic via vr0 instead.

Regards,
-- 
-Chuck
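The second option Chuck describes (DMZ hosts on routable addresses, natd translating only the LAN) as an added example; this is not from the thread or from either poster. It is a FreeBSD `firewall_script` for ipfw with natd. Assumptions, none of which the thread states: vr1 is the DMZ interface, the public block is written as 203.0.113.160/29 (a documentation-range placeholder for xx.yy.zz.x), the DMZ services are ssh, smtp, http and https, and rc.conf starts natd with `natd_interface="vr3"` and a natd.conf containing `unregistered_only yes` and no `redirect_address` lines.

```sh
#!/bin/sh
# /etc/ipfw.rules  (constructed example; set firewall_script="/etc/ipfw.rules" in rc.conf)
#
# Topology assumed from the thread: vr3 = Internet, vr0 = LAN 10.0.0.0/24.
# Assumed here (not in the thread): vr1 = DMZ, DMZ hosts renumbered onto the
# public block so no redirect_address is needed; 203.0.113.160/29 stands in
# for the real xx.yy.zz.x addresses.
#
# Matching rc.conf (assumed):
#   firewall_enable="YES"   firewall_script="/etc/ipfw.rules"
#   natd_enable="YES"       natd_interface="vr3"   natd_flags="-f /etc/natd.conf"
# Matching /etc/natd.conf (assumed): unregistered_only yes / same_ports yes / use_sockets yes

fwcmd="/sbin/ipfw"
ext_if="vr3"
lan_if="vr0"
dmz_if="vr1"
lan_net="10.0.0.0/24"
dmz_net="203.0.113.160/29"      # placeholder for the public DMZ block
dmz_ports="22,25,80,443"

${fwcmd} -f flush

# Loopback and basic anti-spoofing
${fwcmd} add 100 allow ip from any to any via lo0
${fwcmd} add 110 deny ip from any to 127.0.0.0/8
${fwcmd} add 120 deny ip from 127.0.0.0/8 to any
# A private source arriving on the outside interface is forged
${fwcmd} add 130 deny ip from 10.0.0.0/8 to any in via ${ext_if}
${fwcmd} add 131 deny ip from 192.168.0.0/16 to any in via ${ext_if}

# NAT only where it is needed: LAN traffic crossing the external interface.
# LAN -> DMZ is routed between vr0 and vr1 and never reaches these rules,
# so it is not rewritten and the DMZ host sees the real 10.0.0.x source.
# With unregistered_only, natd leaves the public DMZ addresses untouched
# when replies and inbound connections pass through rule 210.
${fwcmd} add 200 divert natd ip from ${lan_net} to any out via ${ext_if}
${fwcmd} add 210 divert natd ip from any to any in via ${ext_if}

${fwcmd} add 300 check-state

# LAN may reach the DMZ services by their public addresses directly
${fwcmd} add 400 allow tcp from ${lan_net} to ${dmz_net} ${dmz_ports} setup keep-state
# LAN out to the Internet
${fwcmd} add 410 allow ip from ${lan_net} to any out via ${ext_if} keep-state
# Internet in to the DMZ services only
${fwcmd} add 420 allow tcp from any to ${dmz_net} ${dmz_ports} in via ${ext_if} setup keep-state
# DMZ must never open connections into the LAN; it may go out to the Internet
${fwcmd} add 500 deny ip from ${dmz_net} to ${lan_net}
${fwcmd} add 510 allow ip from ${dmz_net} to any out via ${ext_if} keep-state

${fwcmd} add 65000 deny log ip from any to any
```

The point of rule 200 is that the divert matches on `out via vr3` and a LAN source, so the only packets natd ever sees are the ones that actually leave for the Internet; the hairpin case in the question never arises because nothing is redirected. If the DMZ hosts stay on 192.168.0.x (Chuck's first option), keep `redirect_address` and instead serve the internal addresses to the LAN through a DNS view, so the LAN never tries to reach the DMZ via the public addresses at all. Rule 500 is the reason a DMZ exists: a compromised DMZ host cannot initiate connections into the LAN, only answer the LAN's own connections tracked by `keep-state`.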