From owner-freebsd-questions@FreeBSD.ORG Wed Feb 4 16:57:29 2004
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D248316A4CE; Wed, 4 Feb 2004 16:57:29 -0800 (PST)
Received: from mail1.bwlogic.com (fw.bwlogic.com [209.161.200.97]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8DF5643D1D; Wed, 4 Feb 2004 16:57:27 -0800 (PST) (envelope-from jlavigne@bwlogic.com)
Received: (qmail 11089 invoked by uid 89); 5 Feb 2004 00:57:26 -0000
Received: from unknown (HELO canada) (192.168.1.5) by liv43-36.tor.idirect.com with SMTP; 5 Feb 2004 00:57:26 -0000
From: "Jason Lavigne" <jlavigne@bwlogic.com>
Date: Wed, 4 Feb 2004 19:57:26 -0500
Message-ID: <000901c3eb83$05eee010$0501a8c0@canada>
Content-Type: text/plain; charset="iso-8859-1"
X-Mailer: Microsoft Outlook, Build 10.0.4024
Subject: ipf + ipnat + dmz + bridge question
List-Id: User questions
X-List-Received-Date: Thu, 05 Feb 2004 00:57:30 -0000

Hello all,

I currently have a firewall with 3 NICs: one goes to the net, one to the DMZ and one to the LAN. I have ipf and ipnat running along with FreeBSD bridge support, and I have the external NIC and the DMZ NIC bridged. All DMZ computers are configured with a real public IP and have the firewall as the gateway.

My question is: when any computer from my DMZ goes out to the net, it uses the IP of the firewall and not the public IP it was assigned. Internally within the DMZ they use the correct IPs. How can I make it so that when the DMZ computers are on the net they report as using their assigned IP? Is the DMZ using ipnat? I only have the LAN mapped in ipnat.rules and nothing about the DMZ IPs.

TIA

Jay

Here are my configs:

ifconfig

dc0: flags=8843 mtu 1500
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::203:6dff:fe00:9bd%dc0 prefixlen 64 scopeid 0x1
        ether 00:03:6d:00:09:bd
        media: Ethernet autoselect (100baseTX)
        status: active
dc1: flags=8943 mtu 1500
        inet6 fe80::280:c6ff:feea:7af1%dc1 prefixlen 64 scopeid 0x2
        inet xxx.yyy.200.99 netmask 0xfffffff0 broadcast xxx.yyy.200.111
        ether 00:80:c6:ea:7a:f1
        media: Ethernet autoselect (100baseTX )
        status: active
xl0: flags=8943 mtu 1500
        options=3
        inet6 fe80::250:daff:fe1b:90c3%xl0 prefixlen 64 scopeid 0x3
        inet xxx.yyy.200.106 netmask 0xffffffff broadcast xxx.yyy.200.106
        inet xxx.yyy.200.107 netmask 0xffffffff broadcast xxx.yyy.200.107
        ether 00:50:da:1b:90:c3
        media: Ethernet autoselect (10baseT/UTP)
        status: active
lp0: flags=8810 mtu 1500
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
tun0: flags=8051 mtu 1492
        inet xxx.yyy.200.97 --> 207.136.64.4 netmask 0xffffff00
        Opened by PID 241

/etc/ipnat.rules

# nat the lan
map xl0 192.168.1.0/24 -> xxx.yyy.200.97/32

/etc/sysctl.conf

# bridge
net.link.ether.bridge=1
net.link.ether.bridge_cfg=dc1,xl0
net.link.ether.bridge_ipf=1

/etc/rc.conf

hostname="fw.bwlogic.com"

# LAN
ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"
# DMZ
ifconfig_dc1="inet xxx.yyy.200.99 netmask 255.255.255.240"
# INET
ifconfig_xl0="inet xxx.yyy.200.97 netmask 255.255.255.240"
# pppoe tunnel
ifconfig_tun0="inet xxx.yyy.200.97 netmask 255.255.255.255"

# pppoe
ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="NO"
ppp_profile="isplook"

# gateway
gateway_enable="YES"

# ipfilter
ipfilter_enable="YES"           # Set to YES to enable ipfilter functionality
ipfilter_program="/sbin/ipf"    # where the ipfilter program lives
ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see
                                # /usr/src/contrib/ipfilter/rules for examples
ipfilter_flags=""               # additional flags for ipfilter

# ipnat
ipnat_enable="YES"              # Set to YES to enable ipnat functionality
ipnat_program="/sbin/ipnat"     # where the ipnat program lives
ipnat_rules="/etc/ipnat.rules"  # rules definition file for ipnat
ipnat_flags=""                  # additional flags for ipnat
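Added example, not part of the post above: a small Python check of which source addresses a set of ipnat `map` rules would rewrite, so a question like "is the DMZ using ipnat?" can be answered from the rules file itself. It follows the semantics of ipnat `map` (the first rule whose interface equals the outgoing interface and whose source network contains the packet's source address wins; anything unmatched leaves untranslated) and models nothing else: no `rdr`, `bimap` or `map-block` rules, no ipf rules, and not the `net.link.ether.bridge_ipf` path. The rules text is a constructed copy of the posted `/etc/ipnat.rules` with the masked `xxx.yyy.200.x` prefix replaced by the documentation range `203.0.113.96/28`; the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample modelled on the posted /etc/ipnat.rules. The post masks
# the public prefix as xxx.yyy.200.x; 203.0.113.96/28 (netmask 255.255.255.240)
# is a stand-in for it here.
SAMPLE_RULES = """\
# nat the lan
map xl0 192.168.1.0/24 -> 203.0.113.97/32
"""

LAN_NET = "192.168.1.0/24"    # the dc0 network in the post
DMZ_NET = "203.0.113.96/28"   # stand-in for the dc1 /28 in the post

# map <iface> <src-net> -> <dst-addr>[/<prefix>] [portmap tcp/udp <lo>:<hi>]
MAP_RE = re.compile(
    r"^map\s+(?P<iface>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"(?:\s+portmap\s+(?P<proto>\S+)\s+(?P<ports>\S+))?$"
)


def parse_map_rules(text):
    """Parse ipnat 'map' lines into (iface, src_network, dst) tuples.

    Comments and blank lines are skipped. Only the plain 'map' form is
    handled; any other rule type raises so it is not silently ignored.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = MAP_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unsupported ipnat rule: {raw!r}")
        src_net = ipaddress.ip_network(m["src"], strict=False)
        rules.append((m["iface"], src_net, m["dst"]))
    return rules


def translated_source(rules, out_iface, src_ip):
    """Address a packet from src_ip leaving out_iface is rewritten to.

    ipnat applies the first map rule whose interface matches the outgoing
    interface and whose source network contains the packet's source.
    Returns None when no rule matches, i.e. the packet keeps its own source.
    """
    ip = ipaddress.ip_address(src_ip)
    for iface, src_net, dst in rules:
        if iface == out_iface and ip in src_net:
            return dst
    return None


def audit_subnet(rules, out_iface, subnet):
    """Map every host in subnet to its translated source on out_iface (or None)."""
    net = ipaddress.ip_network(subnet, strict=False)
    return {str(h): translated_source(rules, out_iface, str(h)) for h in net.hosts()}


if __name__ == "__main__":
    rules = parse_map_rules(SAMPLE_RULES)
    for name, net in (("LAN", LAN_NET), ("DMZ", DMZ_NET)):
        for iface in ("xl0", "tun0"):
            hits = [h for h, t in audit_subnet(rules, iface, net).items() if t]
            print(f"{name} via {iface}: {len(hits)} host(s) would be rewritten")
```

Run against the posted rule, the audit reports that only 192.168.1.0/24 leaving xl0 is rewritten (to 203.0.113.97/32 in the stand-in), that no host of the /28 is covered by any map rule, and that the same LAN traffic leaving tun0 would match nothing, since the rule names xl0; both interface names appear in the posted configs, which is why the check takes the outgoing interface as a parameter.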