From: Marek Salwerowicz <marek_sal@wp.pl>
To: Chuck Swiger
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw - accessing DMZ from LAN
Date: Tue, 09 Aug 2011 15:15:01 +0200
Message-ID: <4E4132D5.8020700@wp.pl>
References: <4E412093.8000105@wp.pl>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

On 2011-08-09 15:09, Chuck Swiger wrote:
> On Aug 9, 2011, at 4:57 AM, Marek Salwerowicz wrote:
>> Right now everything works from the Internet - if I do ssh to xx.yy.zz.170, I really can connect to host 192.168.0.10 etc.
>>
>> The problem is that when I want to connect from my 10.0.0.0/24 network (and even from the router) to any DMZ host, using its public address (any of xx.yy.zz.{170,172,173}), I can't connect and in fact I am connecting to the router. So I am unable to access my web, MTA, FTP servers that are located in the DMZ.
>
> It's not working because you configured natd to work against traffic flowing via vr3, but traffic from your LAN is coming via vr0. While you can change natd to run against all traffic, it's much better to avoid re-writing purely internal traffic by setting up a DNS view for your machines in the DMZ which uses internal IPs rather than the public IPs.

So should I allow traffic from LAN to DMZ and set up my local DNS to connect to hosts in the DMZ using private IPs?

> Or, if you insist upon your DMZ hosts being on externally routable IPs, then go ahead and configure them with externally routable IPs rather than using natd's redirect_address, and only do NAT for internal traffic via vr0 instead.

Am I able to configure them with external IPs only and have e.g. bandwidth control using only one router? My current setup is that I have separately a router, a web server and a mail server, but if I want to limit bandwidth, I have to do it on the proper machine instead of configuring only one device.

Regards,

-- 
Marek Salwerowicz
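The "DNS view" approach Chuck recommends, written out as an added example for this thread (it is not configuration posted by either participant): a BIND 9 named.conf with an internal and an external view, plus the two zone files the views point at. Assumptions not found in the thread: the zone is called example.com, the router runs the resolver at 192.168.0.1 and is ns1, the RFC 5737 documentation prefix 203.0.113.0/24 stands in for the redacted xx.yy.zz, and only 192.168.0.10 is a DMZ address from the thread (192.168.0.12 and .13 are made up to pair with the three public addresses). The LAN 10.0.0.0/24, the DMZ 192.168.0.0/24 and the web/MTA/FTP roles are taken from the thread.

```conf
// /usr/local/etc/namedb/named.conf  (added example, see lead-in for assumptions)

acl "internal-nets" {
    127.0.0.0/8;        // the router itself, which also could not reach the DMZ via public IPs
    10.0.0.0/24;        // LAN behind vr0
    192.168.0.0/24;     // DMZ hosts talking to each other
};

// Views are tried in order and the first match-clients hit wins,
// so the internal view must come before the catch-all external one.
// Internal clients are handed the private addresses, so LAN -> DMZ
// traffic is routed straight to 192.168.0.x and never crosses vr3,
// which is the only interface the natd divert rule matches.
view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;
    zone "example.com" {
        type master;
        file "master/example.com.internal";
    };
};

// Everyone else is handed the public addresses that natd's
// redirect_address maps to the DMZ hosts on vr3.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "master/example.com.external";
    };
};

// --- master/example.com.internal (shown as comments so it fits one listing)
// $TTL 3600
// @     IN SOA ns1.example.com. hostmaster.example.com. ( 2011080901 3600 900 604800 300 )
//       IN NS  ns1.example.com.
// ns1   IN A   192.168.0.1        ; assumed: the router
// www   IN A   192.168.0.10       ; DMZ host from the thread
// mail  IN A   192.168.0.12       ; assumed
// ftp   IN A   192.168.0.13       ; assumed
//
// --- master/example.com.external
// $TTL 3600
// @     IN SOA ns1.example.com. hostmaster.example.com. ( 2011080901 3600 900 604800 300 )
//       IN NS  ns1.example.com.
// ns1   IN A   203.0.113.1        ; assumed: the router's vr3 address
// www   IN A   203.0.113.170      ; stands in for xx.yy.zz.170
// mail  IN A   203.0.113.172      ; stands in for xx.yy.zz.172
// ftp   IN A   203.0.113.173      ; stands in for xx.yy.zz.173
```

Two things to check after loading this: once any view exists, BIND requires every zone to live inside a view, so a zone left at top level makes named refuse to start; and the split only helps clients that actually resolve through this server, so a LAN host pointed at an outside resolver, or one connecting to a hard-coded xx.yy.zz address, still lands on the router exactly as described in the thread. On the ipfw side nothing about the natd divert on vr3 changes; the ruleset only has to pass 10.0.0.0/24 to 192.168.0.0/24 and the replies, which is the LAN-to-DMZ allow that Marek asks about.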