From owner-freebsd-net@FreeBSD.ORG Tue Aug 9 14:19:10 2011
From: Chuck Swiger <cswiger@mac.com>
Date: Tue, 09 Aug 2011 07:18:49 -0700
To: Marek Salwerowicz
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw - accessing DMZ from LAN
In-reply-to: <4E4139EB.7060904@wp.pl>
References: <4E412093.8000105@wp.pl> <4E4132D5.8020700@wp.pl> <502BD41A-AF5F-43D7-AB34-0CDEA1F57D4B@mac.com> <4E4139EB.7060904@wp.pl>
List-Id: Networking and TCP/IP with FreeBSD

On Aug 9, 2011, at 6:45 AM, Marek Salwerowicz wrote:

> On 2011-08-09 15:26, Chuck Swiger wrote:
>> dummynet (or Altq, or whatever else you might be using) works fine with pure routing config, yes-- you don't have to NAT traffic to do bandwidth control on the router.
>
> How should it be done?
> Leave the aliases at my external interface, and then 'bridge' DMZ interface with external and set up public IPs on my DMZ hosts?

You don't need to do NAT aliasing if you make your DMZ hosts directly routable-- you just need to do firewall and bandwidth shaping.

If your provider is cooperative, then their end and your external NIC (vr3?) can switch to communicate over an unroutable /30 subnet, and your FreeBSD box's DMZ NIC (vr2) is reconfigured with the public router IP they are now vending.

If they aren't willing to make such changes, then yes, you could bridge between vr3 and vr2 instead; you need to set the net.link.ether.bridge_ipfw=1 sysctl for IPFW to act on bridged traffic.

There are more complicated solutions which could also work, but there doesn't seem to be a need for them. IMO, it's cleaner and more efficient to explicitly route between networks off of a firewall than it is to permit subnet-local broadcast traffic to pass thru the firewall.

Regards,
-- 
-Chuck
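The routed layout Chuck describes, as an added example that is not part of the thread: an ipfw ruleset in the style of rc.firewall for a box whose DMZ is directly routable (no NAT aliases), with dummynet pipes on the DMZ traffic and in-kernel NAT kept only for the private LAN. All addresses, the DMZ web host, the bandwidth figure and the rc.conf lines are assumptions for illustration (RFC 5737 documentation ranges); vr1/vr2/vr3 follow the interface naming used in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: a routed DMZ on a FreeBSD/ipfw box.
# Assumptions (illustrative, RFC 5737 ranges): the provider vends 192.0.2.0/30 on
# the uplink (vr3, ours is .2, theirs .1) and routes 198.51.100.0/28 to us; the
# DMZ NIC vr2 owns 198.51.100.1 and the LAN NIC vr1 owns 10.0.0.1/24.  The LAN
# keeps private addresses, so it is still NATed; the DMZ is not.
#
# Matching rc.conf (for reference only):
#   gateway_enable="YES"
#   ifconfig_vr3="inet 192.0.2.2/30"
#   defaultrouter="192.0.2.1"
#   ifconfig_vr2="inet 198.51.100.1/28"
#   ifconfig_vr1="inet 10.0.0.1/24"
#   firewall_enable="YES"
#   firewall_script="/usr/local/etc/ipfw.rules"
#
# Dry run by default (prints the commands); run with fwcmd=/sbin/ipfw to apply.
fwcmd="${fwcmd:-echo /sbin/ipfw}"

ext_if="vr3"; ext_ip="192.0.2.2"
dmz_if="vr2"; dmz_net="198.51.100.0/28"
lan_if="vr1"; lan_net="10.0.0.0/24"
web_host="198.51.100.10"   # assumed DMZ web server
dmz_bw="10Mbit/s"          # assumed per-direction DMZ bandwidth budget

load_rules() {
    ${fwcmd} -q -f flush
    ${fwcmd} -q pipe flush

    ${fwcmd} -q add 100 allow ip from any to any via lo0
    ${fwcmd} -q add 110 deny ip from any to 127.0.0.0/8
    ${fwcmd} -q add 120 deny ip from 127.0.0.0/8 to any

    # Bandwidth control for the DMZ as a whole, no NAT involved.  Requires
    # net.inet.ip.fw.one_pass=0 so that packets leaving a pipe (or the nat
    # rules below) continue at the next rule instead of being accepted.
    ${fwcmd} -q pipe 1 config bw ${dmz_bw}    # Internet -> DMZ
    ${fwcmd} -q pipe 2 config bw ${dmz_bw}    # DMZ -> Internet
    ${fwcmd} -q add 200 pipe 1 ip from any to ${dmz_net} in recv ${ext_if}
    ${fwcmd} -q add 210 pipe 2 ip from ${dmz_net} to any out xmit ${ext_if}

    # Anti-spoofing: packets arriving on the uplink may not claim our prefixes.
    ${fwcmd} -q add 300 deny ip from ${dmz_net} to any in recv ${ext_if}
    ${fwcmd} -q add 310 deny ip from ${lan_net} to any in recv ${ext_if}

    # In-kernel NAT for the LAN only (kernel options IPFIREWALL_NAT + LIBALIAS,
    # or kldload ipfw_nat).  Translate before check-state so replies are matched
    # against the untranslated LAN tuple recorded by rule 610 below.
    ${fwcmd} -q nat 1 config if ${ext_if} reset
    ${fwcmd} -q add 400 nat 1 ip from any to ${ext_ip} in recv ${ext_if}
    ${fwcmd} -q add 410 nat 1 ip from ${lan_net} to any out xmit ${ext_if}
    ${fwcmd} -q add 420 check-state

    # Internet -> DMZ: only the published services.
    ${fwcmd} -q add 500 allow tcp from any to ${web_host} 80,443 in recv ${ext_if} setup keep-state

    # LAN -> DMZ and LAN -> Internet, stateful.  The DMZ may never initiate into the LAN.
    ${fwcmd} -q add 600 allow ip from ${lan_net} to ${dmz_net} in recv ${lan_if} keep-state
    ${fwcmd} -q add 610 allow ip from ${lan_net} to any in recv ${lan_if} keep-state
    ${fwcmd} -q add 620 deny ip from ${dmz_net} to ${lan_net}

    # DMZ -> Internet (updates, DNS), stateful; and the router's own traffic.
    ${fwcmd} -q add 700 allow ip from ${dmz_net} to any in recv ${dmz_if} keep-state
    ${fwcmd} -q add 710 allow ip from me to any out keep-state

    # Default deny; logging needs net.inet.ip.fw.verbose=1.
    ${fwcmd} -q add 65000 deny log ip from any to any
}

load_rules
```

The pipe and nat rules sit ahead of the filtering rules on purpose: with the default net.inet.ip.fw.one_pass=1 a packet leaving a dummynet pipe or the nat rule is accepted without further matching, which silently bypasses everything after it, so set one_pass to 0 when shaping and filtering share one ruleset. If the provider will not renumber and you fall back to the bridged alternative, note that the sysctl Chuck names belongs to the legacy bridge(4); with if_bridge(4), which FreeBSD 8 and later ship, the equivalent knob is net.link.bridge.ipfw=1, and the filtering rules above then see the bridge member interfaces rather than a routed hop.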