Date: Tue, 14 Apr 2009 13:34:50 -0500
From: "Gary Gatten" <Ggatten@waddell.com>
To: "Steve Krawcke" <Steve@Latcha.com>, "mail.list freebsd-questions" <freebsd-questions@freebsd.org>
Subject: RE: ipnat dmz/internal network issue
Message-ID: <70C0964126D66F458E688618E1CD008A0793E9A6@WADPEXV0.waddell.com>
In-Reply-To: <5E0C592A-813B-491C-8F0C-AEABC7E1C150@Latcha.com>
References: <5E0C592A-813B-491C-8F0C-AEABC7E1C150@Latcha.com>
-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Steve Krawcke
Sent: Tuesday, April 14, 2009 12:08 PM
To: mail.list freebsd-questions
Subject: ipnat dmz/internal network issue

I have a gateway setup using freebsd 7.1

gateway% uname -a
FreeBSD gateway.latcha.com 7.1-RELEASE-p2 FreeBSD 7.1-RELEASE-p2 #0: Wed Feb 4 20:27:06 EST 2009 root@gateway3.latcha.com:/usr/obj/usr/src/sys/GATEWAY amd64

I have 1 external nic, and 2 internal, one for a DMZ and one for the rest of the network.

em0 is my external, em1 is my internal and em2 is my DMZ.

I am using ipf and ipnat to get access to the internet, but I am having an issue.

I am able to get to the internet via nat on both em1 and em2.
I am able to get port/IP redirection working from em0 -> em2.
I can access the address space from em1 <-> em2.

But if I go to one of the redirected IPs from em1 -> em0 -> em2 it fails.

Here are my ipnat rules:

map em1 from 10.75.0.1/24 to 10.73.0.1/16 -> 0/0
map em1 from 65.173.238.2/32 to 10.73.0.1/16 -> 0/0
map em0 from 10.73.0.1/16 to any -> 65.173.238.2/32 portmap tcp/udp auto
map em0 from 10.75.0.1/24 to any -> 65.173.238.2/32 portmap tcp/udp auto
rdr em0 from any to 65.173.238.27/32 port = 80 -> 10.75.0.29 port 80 tcp
rdr em0 from any to 65.173.238.30/32 port = 80 -> 10.75.0.30 port 80 tcp
rdr em0 from any to 65.173.238.29/32 port = 80 -> 10.75.0.26 port 80 tcp

For now I have the firewall rules disabled, until I get this working, so I know it isn't a firewall issue.

Any help would be appreciated.

Steve K

You want to get to a "public" address that really exists on your DMZ from your private LAN? Why not connect to the DMZ addresses directly?

What you're trying to do is probably possible, but tricky in some cases and not possible with some/many commercial firewalls. I'll have to read this a few more times and draw a pretty picture....
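As an added example, not configuration from Steve's gateway or from Gary's reply: the "hairpin" case Steve describes (a LAN host connecting to a DMZ server by its public address) fails with the rules as posted because an ipnat rdr rule only matches packets arriving on the interface it names, and a LAN client's packet arrives on em1, not em0. The fragment below, which would be added to /etc/ipnat.conf alongside the existing rules, repeats the three redirects on the internal interface. The address plan (internal LAN 10.73.0.0/16 on em1, DMZ 10.75.0.0/24 on em2, the public/DMZ address pairs) is taken from the posted rules; that the LAN and DMZ are separate subnets with the gateway between them is assumed from Steve's description.

```conf
# Added example: hairpin redirection for LAN clients (not from the thread).
# Assumptions: internal LAN 10.73.0.0/16 on em1, DMZ 10.75.0.0/24 on em2,
# public-to-DMZ pairs as in the original em0 rdr rules, which stay in place.
#
# rdr matches packets *arriving* on the named interface.  A LAN client's
# SYN to 65.173.238.27:80 enters on em1, so the em0 rules never see it.
# Translate it on em1 as well:
rdr em1 from 10.73.0.0/16 to 65.173.238.27/32 port = 80 -> 10.75.0.29 port 80 tcp
rdr em1 from 10.73.0.0/16 to 65.173.238.30/32 port = 80 -> 10.75.0.30 port 80 tcp
rdr em1 from 10.73.0.0/16 to 65.173.238.29/32 port = 80 -> 10.75.0.26 port 80 tcp
#
# Client (em1) and server (em2) are on different subnets, so the server's
# reply to 10.73.x.x routes back through this gateway, leaves on em1 and is
# reverse-translated by the rdr state; no extra map rule is needed here.
# Only if client and server shared one segment would a map rule on that
# interface be required to pull the reply back through the gateway.
#
# Reload (flush rule list and active mappings, load file) and verify:
#   ipnat -CF -f /etc/ipnat.conf
#   ipnat -l
```

Once the ipf rules are re-enabled, the redirected connections are seen on em1 with the DMZ address as destination, so the em1 ruleset must permit LAN-to-DMZ traffic on port 80 as it would for a direct connection; the source restriction to 10.73.0.0/16 in the rdr rules keeps the hairpin path from being reachable from anywhere else.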