Date:      Tue, 09 Aug 2011 07:18:49 -0700
From:      Chuck Swiger <cswiger@mac.com>
To:        Marek Salwerowicz <marek_sal@wp.pl>
Cc:        freebsd-net@freebsd.org
Subject:   Re: ipfw - accessing  DMZ from LAN
Message-ID:  <C99904EF-006A-4321-BA7C-91C6F0B8EB2B@mac.com>
In-Reply-To: <4E4139EB.7060904@wp.pl>
References:  <4E412093.8000105@wp.pl> <A7D49BE7-7822-49BB-91B9-B8EDF09090CA@mac.com> <4E4132D5.8020700@wp.pl> <502BD41A-AF5F-43D7-AB34-0CDEA1F57D4B@mac.com> <4E4139EB.7060904@wp.pl>

On Aug 9, 2011, at 6:45 AM, Marek Salwerowicz wrote:
> W dniu 2011-08-09 15:26, Chuck Swiger pisze:
>> dummynet (or Altq, or whatever else you might be using) works fine with pure routing config, yes-- you don't have to NAT traffic to do bandwidth control on the router.
> 
> How it should be done?
> Leave the aliases at my external interface, and then 'bridge' DMZ interface with external and set up public IPs on my DMZ hosts?

You don't need to do NAT aliasing if you make your DMZ hosts directly routable-- you just need to do firewall and bandwidth shaping.  If your provider is cooperative, then their end and your external NIC (vr3?) can switch to communicate over an unroutable /30 subnet, and your FreeBSD box's DMZ NIC (vr2) is reconfigured with the public router IP they are now vending.

If they aren't willing to make such changes, then yes, you could bridge between vr3 and vr2 instead; you need to set the net.link.ether.bridge_ipfw=1 sysctl for IPFW to act on bridged traffic.

There are more complicated solutions which could also work, but there doesn't seem to be a need for them.  IMO, it's cleaner and more efficient to explicitly route between networks off of a firewall than it is to permit subnet-local broadcast traffic to pass thru the firewall.  

Regards,
-- 
-Chuck
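
The routed option Chuck describes, as an added example that is not part of the thread: an ipfw ruleset with dummynet pipes for a DMZ that is directly routable, so no NAT aliases are needed for the DMZ hosts. Interface names vr2 (DMZ) and vr3 (external) follow the thread; vr1 for the LAN, the /30 to the provider, the public DMZ block, and the bandwidth figures are all assumptions using documentation address ranges. It is written as an rc.firewall-style script that prints the commands by default and only executes them when APPLY=1 is set.

```sh
#!/bin/sh
# Added example (not from the thread): ipfw + dummynet ruleset for a routed,
# NAT-free DMZ on a FreeBSD router.  Interface names vr2 (DMZ) and vr3
# (external) follow the thread; vr1 for the LAN and every address below
# are assumptions using documentation prefixes.  Assumed rc.conf side:
#   ifconfig_vr3="inet 198.51.100.2/30"   defaultrouter="198.51.100.1"
#   ifconfig_vr2="inet 203.0.113.1/28"    gateway_enable="YES"
# Usage: run as-is to print the rules (dry run); APPLY=1 ./dmz-fw.sh to load.

ext_if="vr3"                              # /30 point-to-point link to provider
dmz_if="vr2"; dmz_net="203.0.113.0/28"    # public block the provider routes to us
lan_if="vr1"; lan_net="192.168.1.0/24"    # internal LAN (assumed private)
dmz_down="8000Kbit/s"; dmz_up="2000Kbit/s"   # DMZ bandwidth caps (assumed)

# In dry-run mode every command is echoed instead of executed.
run() {
    if [ -n "${APPLY:-}" ]; then "$@"; else echo "$@"; fi
}

load_firewall() {
    # Let a packet continue to later rules after a dummynet pipe, so the
    # shaping rules below can sit ahead of the filtering rules.
    run sysctl net.inet.ip.fw.one_pass=0
    run ipfw -f flush
    run ipfw -f pipe flush

    # Loopback first, then block spoofed sources on every interface.
    run ipfw add 100 allow ip from any to any via lo0
    run ipfw add 110 deny ip from any to 127.0.0.0/8
    run ipfw add 200 deny ip from "$dmz_net" to any in via "$ext_if"
    run ipfw add 210 deny ip from "$lan_net" to any in via "$ext_if"
    run ipfw add 220 deny ip from not "$dmz_net" to any in via "$dmz_if"
    run ipfw add 230 deny ip from not "$lan_net" to any in via "$lan_if"

    # Bandwidth control on the external link only; LAN<->DMZ is not shaped.
    run ipfw pipe 1 config bw "$dmz_down"
    run ipfw pipe 2 config bw "$dmz_up"
    run ipfw add 300 pipe 1 ip from any to "$dmz_net" in via "$ext_if"
    run ipfw add 310 pipe 2 ip from "$dmz_net" to any out via "$ext_if"

    # Stateful filtering: replies to permitted sessions match here.
    run ipfw add 400 check-state

    # Published DMZ services, reachable from the Internet and from the LAN.
    run ipfw add 500 allow tcp from any to "$dmz_net" 80,443 setup keep-state
    # LAN admins additionally get ssh into the DMZ.
    run ipfw add 510 allow tcp from "$lan_net" to "$dmz_net" 22 setup keep-state

    # DMZ hosts may talk to the Internet but never initiate into the LAN.
    run ipfw add 600 deny log ip from "$dmz_net" to "$lan_net"
    run ipfw add 610 allow ip from "$dmz_net" to any out via "$ext_if" keep-state

    # LAN to Internet.  A private LAN still needs an ipfw nat rule ahead of
    # this one; only the DMZ is exempt from NAT in this design.
    run ipfw add 700 allow ip from "$lan_net" to any out via "$ext_if" keep-state

    # Useful ICMP (echo, unreachable, time exceeded), then log-and-deny the rest.
    run ipfw add 800 allow icmp from any to any icmptypes 0,3,8,11
    run ipfw add 65000 deny log ip from any to any
}

load_firewall
```

Two points worth checking before loading this for real: net.inet.ip.fw.one_pass defaults to 1, under which a packet that has gone through a pipe is accepted without reaching the filter rules, so the sysctl line above is what makes the early pipe rules safe; and the bridged alternative from the thread needs no pipe or routing changes but does need IPFW enabled on bridged traffic, which this routed example does not cover.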

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?C99904EF-006A-4321-BA7C-91C6F0B8EB2B>