From: Steve Lewis
Date: Wed, 16 Aug 2000 15:38:18 -0700 (PDT)
To: freebsd-questions@FreeBSD.ORG
Subject: Q: network topologies, routing, TCP/IP

I'm having difficulty figuring out how to tell FreeBSD to do what I am trying to do here...

I have a firewall running 4.0 RELEASE; let's say the public interface is at 1.2.3.4 with the DNS name of frontline.domain.org (it's not, obviously), and the private interface is 192.168.0.1. This is the front barrier in the topology; the private interface connects to the DMZ. I have a bastion host (a 'development' server) of sorts sitting in the DMZ (192.168.0.10 in this example). The DMZ also contains another firewall (192.168.0.254 with no DNS name, for instance). All of this works beautifully at this point. No problems.

We have two IP addresses available, only one of which is currently in use (1.2.3.4 as above, and 1.2.3.5 is still available). The second IP resolves by DNS to the name of the bastion host (basthost.domain.org), and I can use NATD & IPFW to pass traffic on allowed ports to basthost (I know how, anticipate no problem there).

The problem is this: I need to have traffic destined to 1.2.3.5 routed through 1.2.3.4 (frontline). How can I do this? I can think of a few ways it may be possible:

1) Bind 2 IPs to one interface. I have seen it done in Linux, but I can't find a way to do this with FreeBSD in the docs. How can I bind 1.2.3.5 to frontline's public interface in addition to its current IP address?

2) Will I need to resort to using a routing package (routed, gated, etc.) to do this? I want to avoid running such a package on the firewall for reasons which should be easy to discern.

3) Will I need to have my upstream provider adjust routing for 1.2.3.5 at their end? If so, is this in combination with #2 above?

--Steve
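Added example, not from Steve's message or any reply on the list: the alias and static-NAT configuration on the FreeBSD 4.x firewall for the topology described above. It assumes the public interface is named fxp0 and sits on a /24 (the message names neither), and that 1.2.3.5 is in the same subnet as 1.2.3.4, so the upstream router reaches the alias by ARP and no routing daemon or provider-side change is needed.

```conf
# /etc/rc.conf on frontline (FreeBSD 4.x). Interface name fxp0 and the
# /24 netmask are assumptions; the original message does not give them.
ifconfig_fxp0="inet 1.2.3.4 netmask 255.255.255.0"
# Second public address as an alias on the same interface. An alias that
# lies inside the interface's own subnet must use a /32 netmask.
ifconfig_fxp0_alias0="inet 1.2.3.5 netmask 255.255.255.255"
gateway_enable="YES"
firewall_enable="YES"
natd_enable="YES"
natd_interface="fxp0"
natd_flags="-f /etc/natd.conf"

# /etc/natd.conf
# Static NAT: traffic arriving at 1.2.3.5 goes to the bastion host, and
# basthost's outbound traffic leaves as 1.2.3.5; other DMZ hosts still
# leave as 1.2.3.4. Use redirect_port entries instead of redirect_address
# if only specific ports on basthost should be reachable from outside.
redirect_address 192.168.0.10 1.2.3.5

# ipfw rule in the firewall script: both public addresses pass through natd,
# so the allow rules that follow it still decide which ports reach basthost.
# ipfw add 50 divert natd all from any to any via fxp0
```

With the alias in place, 1.2.3.5 answers ARP on frontline's public side, which is what lets the provider's router deliver the traffic without any routing change.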