From owner-freebsd-questions  Tue Jun 25 16:35:37 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from valis.olywa.net (valis.olywa.net [216.173.192.2])
	by hub.freebsd.org (Postfix) with ESMTP
	id 95C3137B400; Tue, 25 Jun 2002 16:35:31 -0700 (PDT)
Received: from intrepid.snowpoint.com ([216.173.213.173])
          by valis.olywa.net (Post.Office MTA v3.5.3 release 223
          ID# 0-56662U5000L500S0V35) with ESMTP id net;
          Tue, 25 Jun 2002 16:35:31 -0700
Received: from ([216.173.213.172])
        by intrepid.snowpoint.com (Merak 4.10.020) with SMTP id HUB36795;
        Tue, 25 Jun 2002 16:30:49 -0700
From: "Corey Snow" <corey@snowpoint.com>
To: freebsd-ipfw@freebsd.org, freebsd-questions@freebsd.org
Date: Tue, 25 Jun 2002 16:35:40 -0700
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: ipfw, nat and routing
Message-ID: <3D189BDC.28738.2074C888@localhost>
X-mailer: Pegasus Mail for Win32 (v3.12c)
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

Hi-

I'm currently trying to set up a FreeBSD 4.5-RELEASE box as both a 
router and a NAT system. Basically, it has two NICs, and sits between 
my DMZ and my private LAN. The DMZ is connected to the Internet via a 
FreeBSD-based filtering bridge, which works fine.

The DMZ is where I keep my routable IPs, for things like my webserver 
and mail system. On the backside of my NAT firewall, I use RFC1918 
addresses. The outer interface of the NAT firewall has a routable 
address, obviously.

I can get all this to work just fine. However, there's one more thing 
I'd like to add to this- the ability for the NAT firewall to also do 
simple routing between interfaces for my RFC1918 addresess. See, on 
my DMZ, in addition to my external IP addresses, I have used some 
RFC1918 addresses for various purposes, mostly for local 
administration. These RFC 1918 IPs are all in a single Class C. On 
the inside of the NAT firewall, I have another collection of RFC 1918 
addresses, also in their own Class C.

The internal interface of the NAT firewall has an address that is 
within that Class C, as does every other host on the network. The 
external interface of the NAT firewall has both a public IP and a 
private one. The private one is set as an alias.

I'd like my firewall to route packets from my internal private Class 
C to my DMZ one, or if packets are destined for the Internet, to 
perform NAT and pump them out on the public IP.

I can get this working one way, or the other, but not both at once. 
I'm still experimenting, but any suggestions would be helpful. Thanks 
a bunch.

Regards,

Corey Snow


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message