Date: Wed, 4 Feb 2004 19:57:26 -0500
From: "Jason Lavigne" <jlavigne@bwlogic.com>
To: <freebsd-questions@FreeBSD.ORG>
Subject: ipf + ipnat + dmz + bridge question
Message-ID: <000901c3eb83$05eee010$0501a8c0@canada>
Hello all,

I currently have a firewall with 3 nics, one goes to the net, one to the DMZ and one to the LAN. I have ipf and ipnat running along with FreeBSD bridge support and I have the external nic and the DMZ nic bridged. All DMZ computers are configured with a real public ip and have the firewall as the gateway.

My question is when any computer from my DMZ goes out to the net it uses the ip of the firewall and not the public ip it was assigned. Internally within the DMZ they use the correct ips. How can I make it so when the DMZ computers are on the net they report as using their assigned ip? Is the DMZ using ipnat? I only have the LAN mapped in ipnat.rules and nothing about the DMZ ips.

TIA

Jay

Here are my configs:

ifconfig

dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::203:6dff:fe00:9bd%dc0 prefixlen 64 scopeid 0x1
        ether 00:03:6d:00:09:bd
        media: Ethernet autoselect (100baseTX)
        status: active
dc1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::280:c6ff:feea:7af1%dc1 prefixlen 64 scopeid 0x2
        inet xxx.yyy.200.99 netmask 0xfffffff0 broadcast xxx.yyy.200.111
        ether 00:80:c6:ea:7a:f1
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=3<RXCSUM,TXCSUM>
        inet6 fe80::250:daff:fe1b:90c3%xl0 prefixlen 64 scopeid 0x3
        inet xxx.yyy.200.106 netmask 0xffffffff broadcast xxx.yyy.200.106
        inet xxx.yyy.200.107 netmask 0xffffffff broadcast xxx.yyy.200.107
        ether 00:50:da:1b:90:c3
        media: Ethernet autoselect (10baseT/UTP)
        status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
        inet xxx.yyy.200.97 --> 207.136.64.4 netmask 0xffffff00
        Opened by PID 241

/etc/ipnat.rules

# nat the lan
map xl0 192.168.1.0/24 -> xxx.yyy.200.97/32

/etc/sysctl.conf

# bridge
net.link.ether.bridge=1
net.link.ether.bridge_cfg=dc1,xl0
net.link.ether.bridge_ipf=1

/etc/rc.conf

hostname="fw.bwlogic.com"

# LAN
ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"
# DMZ
ifconfig_dc1="inet xxx.yyy.200.99 netmask 255.255.255.240"
# INET
ifconfig_xl0="inet xxx.yyy.200.97 netmask 255.255.255.240"
# pppoe tunnel
ifconfig_tun0="inet xxx.yyy.200.97 netmask 255.255.255.255"

# pppoe
ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="NO"
ppp_profile="isplook"

# gateway
gateway_enable="YES"

# ipfilter
ipfilter_enable="YES"            # Set to YES to enable ipfilter functionality
ipfilter_program="/sbin/ipf"     # where the ipfilter program lives
ipfilter_rules="/etc/ipf.rules"  # rules definition file for ipfilter, see
                                 # /usr/src/contrib/ipfilter/rules for examples
ipfilter_flags=""                # additional flags for ipfilter

# ipnat
ipnat_enable="YES"               # Set to YES to enable ipnat functionality
ipnat_program="/sbin/ipnat"      # where the ipnat program lives
ipnat_rules="/etc/ipnat.rules"   # rules definition file for ipnat
ipnat_flags=""                   # additional flags for ipnat
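An added example, not part of the post above: a small Python check that parses ipnat `map` rules and reports which source addresses a rule would translate on a given egress interface, which is the first thing to verify when a host shows up on the net with the firewall's address. The 203.0.113.x addresses stand in for the masked xxx.yyy octets, the host addresses are constructed, and the egress interface name is an assumption.

```python
import ipaddress
import re

# Constructed sample of /etc/ipnat.rules: the single LAN-only rule from the
# post, with the masked xxx.yyy octets replaced by the 203.0.113 documentation net.
IPNAT_RULES = """
# nat the lan
map xl0 192.168.1.0/24 -> 203.0.113.97/32
"""

# map <interface> <source-net> -> <target-net> [options]
MAP_RE = re.compile(r"^map\s+(\S+)\s+(\S+)\s*->\s*(\S+)(?:\s+(.*))?$")


def parse_map_rules(text):
    """Return (interface, source_net, target_net, options) for every map line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = MAP_RE.match(line)
        if not m:
            continue   # rdr/bimap rules and ipnat's "0/32" shorthand are not handled
        ifname, src, dst, opts = m.groups()
        rules.append((ifname, ipaddress.ip_network(src, strict=False),
                      ipaddress.ip_network(dst, strict=False), opts or ""))
    return rules


def translating_rule(rules, src_ip, egress_if):
    """First map rule on egress_if whose source net contains src_ip, else None."""
    ip = ipaddress.ip_address(src_ip)
    for ifname, src_net, dst_net, _opts in rules:
        if ifname == egress_if and ip in src_net:
            return (ifname, str(src_net), str(dst_net))
    return None


def nat_report(rules_text, hosts, egress_if):
    """Map each host to the rule that would rewrite its source address, or None."""
    rules = parse_map_rules(rules_text)
    return {h: translating_rule(rules, h, egress_if) for h in hosts}


if __name__ == "__main__":
    # One LAN host and two DMZ hosts (constructed addresses inside the /28).
    hosts = ["192.168.1.10", "203.0.113.100", "203.0.113.101"]
    for host, rule in nat_report(IPNAT_RULES, hosts, "xl0").items():
        print(host, "->", rule or "no map rule matches; source address is kept")
```

A DMZ address that gets no match here but still appears as the firewall's address on the outside is being rewritten somewhere else (another interface's rules or a different NAT layer), which narrows where to look.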