Date: Wed, 15 Dec 2004 07:36:11 -0800
From: "Andrew Heyn" <aheyn@jmsent.com>
To: <freebsd-net@freebsd.org>
Subject: Quick question about the tired ipf/ipnat/"dmz"/bridge scenario
Message-ID: <CLELJKHKLJLNMNHGHFIDOEBLCAAA.aheyn@jmsent.com>
Hi,

Quoting http://www.moatware.com/support/docbook/faq-bridge.html:

> 10.8. Why can't hosts on a NATed interface talk to hosts on a bridged interface?
>
> This frequently happens when someone wants to bridge an interface to their WAN to use it as a DMZ, and wants to put all of the hosts on their LAN interface behind a NAT. This is actually a fairly reasonable and natural thing to want to do.
>
> The problem here is that ipnat and bridging (at least as implemented in FreeBSD) don't play well together. Packets from the LAN to the DMZ go out just fine, but in the other direction, it seems like the packets arriving on the unnumbered bridge interface don't get looked up correctly in the ipnat state tables. I've managed to convince myself that solving this is Really Really Hard (TM). The irritating thing is that there's no theoretical reason why this should be difficult... it all comes down to implementation details.

Is there any way at all, even with kludges, to get this to work? I'd be extremely interested if there was any way to accomplish this, as specified above.

Thanks,
Andrew