From: Chuck Swiger <cswiger@mac.com>
Date: Tue, 09 Aug 2011 06:26:35 -0700
To: Marek Salwerowicz
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw - accessing DMZ from LAN
In-reply-to: <4E4132D5.8020700@wp.pl>
References: <4E412093.8000105@wp.pl> <4E4132D5.8020700@wp.pl>
Message-id: <502BD41A-AF5F-43D7-AB34-0CDEA1F57D4B@mac.com>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

On Aug 9, 2011, at 6:15 AM, Marek Salwerowicz wrote:
>> It's not working because you configured natd to work against traffic flowing via vr3, but traffic from your LAN is coming via vr0. While you can change natd to run against all traffic, it's much better to avoid re-writing purely internal traffic by setting up a DNS view for your machines in the DMZ which uses internal IPs rather than the public IPs.
>
> So should I allow traffic from LAN to DMZ and set up my local DNS to connect to hosts in the DMZ using private IPs?

Yes, that ought to work fine. In fact, in the classic screened-subnet design from which the notion of DMZ hosts originated, you only permitted traffic from LAN to DMZ, and blocked all traffic from outside to LAN. This meant that all LAN hosts needed to go through proxies or other services living in the DMZ-- internal hosts never talk to strangers, so to speak. :)

>> Or, if you insist upon your DMZ hosts being on externally routable IPs, then go ahead and configure them with externally routable IPs rather than using natd's redirect_address, and only do NAT for internal traffic via vr0 instead.
>
> Am I able to configure them with external IPs only and have e.g. bandwidth control using only one router?
>
> My current setup is that I have a separate router, web server and mail server, but if I want to limit bandwidth, I have to do it on the proper machine instead of configuring only one device.

dummynet (or ALTQ, or whatever else you might be using) works fine with a pure routing config, yes-- you don't have to NAT traffic to do bandwidth control on the router.

Regards,
-- 
-Chuck
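The ruleset below is an added example written for this page; it is not from the thread, not Chuck's or Marek's configuration, and not from FreeBSD's rc.firewall. It shows the design the reply recommends: the DMZ hosts keep private addresses, LAN talks to them directly by those addresses (the ones the internal DNS view would hand out), natd is bound to the external interface only, the DMZ may never open connections towards the LAN, and dummynet shapes the two servers without any NAT being involved. Everything not in the thread is an assumption: the DMZ interface name vr1, the prefixes 192.168.1.0/24 (LAN) and 192.168.2.0/24 (DMZ), the server addresses, the pipe bandwidths, and that natd was started as `natd -n vr3 -redirect_port tcp 192.168.2.10:80 80 -redirect_port tcp 192.168.2.10:443 443 -redirect_port tcp 192.168.2.11:25 25`.

```shell
#!/bin/sh
# Added example; assumed topology (not from the thread):
#   vr0 = LAN 192.168.1.0/24, vr1 = DMZ 192.168.2.0/24 (assumed name), vr3 = external.
#   natd assumed started with -n vr3 and -redirect_port entries for the two servers.
LAN_IF=vr0; LAN_NET=192.168.1.0/24
DMZ_IF=vr1; DMZ_NET=192.168.2.0/24
EXT_IF=vr3
WEB=192.168.2.10; MAIL=192.168.2.11     # constructed DMZ server addresses

# Emit the ruleset as text so it can be reviewed or diffed before it is loaded.
gen_rules() {
    cat <<EOF
flush
pipe 1 config bw 10Mbit/s
pipe 2 config bw 2Mbit/s
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any
# Anti-spoofing: internal prefixes never arrive on the external interface
add 200 deny log ip from $LAN_NET to any in via $EXT_IF
add 210 deny log ip from $DMZ_NET to any in via $EXT_IF
# Shape the servers' replies where they enter the router, i.e. before natd has
# rewritten the source address; LAN-bound traffic is not shaped. With the default
# net.inet.ip.fw.one_pass=1 a packet leaving a pipe is accepted for this pass.
add 300 pipe 1 tcp from $WEB 80,443 to not $LAN_NET in via $DMZ_IF
add 310 pipe 2 tcp from $MAIL 25 to not $LAN_NET in via $DMZ_IF
# NAT only what crosses the external interface; LAN<->DMZ is never rewritten
add 400 divert natd ip from any to any via $EXT_IF
add 500 allow tcp from any to any established
# LAN -> DMZ by internal address (what the internal DNS view resolves to)
add 600 allow tcp from $LAN_NET to $MAIL 25,143,993 setup
# Published services: reached directly from the LAN, and from outside after
# natd has translated the destination (redirect_port assumed for these)
add 700 allow tcp from any to $WEB 80,443 setup
add 710 allow tcp from any to $MAIL 25 setup
# Nothing else from outside may open a connection
add 800 deny log tcp from any to any in via $EXT_IF setup
# Screened subnet: the DMZ never initiates towards the LAN
add 810 deny log ip from $DMZ_NET to $LAN_NET
# Outbound connections; rule 910 matches the same packet again on the way out
# of vr3, where its source has already been translated by natd
add 900 allow tcp from $LAN_NET,$DMZ_NET to not $DMZ_NET setup
add 910 allow tcp from any to any out via $EXT_IF setup
# DNS, stateless: a dynamic rule created on the inbound pass would see private
# addresses, while the outbound pass through vr3 sees the translated ones
add 920 allow udp from $LAN_NET,$DMZ_NET to any 53
add 930 allow udp from any to any 53 out via $EXT_IF
add 940 allow udp from any 53 to $LAN_NET,$DMZ_NET
add 65000 deny log ip from any to any
EOF
}

# Interfaces that divert-to-natd rules are bound to; one line per interface.
nat_ifaces() {
    gen_rules | awk '/divert natd/ { for (i = 1; i <= NF; i++) if ($i == "via") print $(i+1) }' | sort -u
}

# Fail if NAT is bound to anything but the external interface: binding it to
# all traffic is exactly what rewrites LAN<->DMZ packets.
lint_rules() {
    bad=$(nat_ifaces | grep -vx "$EXT_IF" || true)
    [ -z "$bad" ]
}

# Load into the kernel (root only; comments stripped first).
load_rules() {
    lint_rules || return 1
    tmp=$(mktemp) || return 1
    gen_rules | sed '/^#/d' > "$tmp"
    ipfw -q "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

case "$1" in
    load) load_rules ;;
    print|"") gen_rules ;;
esac
```

`established` is the stateless filter of that era's rc.firewall: it lets any ACK-flagged packet through, including ACK probes from the DMZ towards the LAN. A `keep-state` design is tighter, but the dynamic rules then have to be created on the side of natd where the addresses they will be matched against are the ones the reply packet carries.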