From owner-freebsd-stable@FreeBSD.ORG Fri Jun 19 12:27:07 2009 Return-Path: Delivered-To: freebsd-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 624691065673 for ; Fri, 19 Jun 2009 12:27:07 +0000 (UTC) (envelope-from giuliano@gzorzi.net) Received: from smtp5.aruba.it (smtp7.aruba.it [62.149.128.206]) by mx1.freebsd.org (Postfix) with SMTP id A7E318FC15 for ; Fri, 19 Jun 2009 12:27:06 +0000 (UTC) (envelope-from giuliano@gzorzi.net) Received: (qmail 409 invoked by uid 89); 19 Jun 2009 12:00:17 -0000 Received: from unknown (HELO giuliano.hiport.lan) (giuliano@gzorzi.net@151.9.60.80) by smtp5.aruba.it with SMTP; 19 Jun 2009 12:00:17 -0000 Message-ID: <4A3B7DD3.60802@gzorzi.net> Date: Fri, 19 Jun 2009 14:00:19 +0200 From: giuliano User-Agent: Thunderbird 2.0.0.21 (X11/20090302) MIME-Version: 1.0 To: freebsd-stable@freebsd.org Content-Type: text/plain; charset=ISO-8859-15; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Rating: smtp5.aruba.it 1.6.2 0/1000/N Subject: routing, pf, rdr question X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Jun 2009 12:27:07 -0000 Hello, I'm trying to replace our current firewall (clavister) with freebsd/pf. I'm almost done but I have some rules I don't know how to convert. I've tried googling around but I've found nothing useful (maybe I'm looking for the wrong terms). I have the following scenario: LAN (192.168.1.0/24) connected to fxp0 (192.168.1.1) DMZ1 (10.0.1.0/24) connected to dc0 (10.0.1.1) DMZ2 (10.0.2.0/24) connected to dc1 (10.0.2.1) DMZ3 (10.0.3.0/24) connected to dc2 (10.0.3.1) DMZ4 (10.0.4.0/24) connected to dc3 (10.0.4.1) The internet is accessible through another router on the LAN (192.168.1.254). The same router provides connections to a remote office using a VPN tunnel. On the remote site there are other 4 DMZ with the same network setup of DMZ1-4. The PCs on the LAN have their default gateway set to the 192.168.1.254 router so when they try to reach any 10.0.x.x IP address they connect to the remote site. This is correct because the production servers are in the remote site and only a few people use the local DMZs that are for development/testing. To actually reach the local DMZs I've configured the clavister firewall to route all the requests for network 10.10.1.0/24 to local 10.0.1.0/24 (and the same with the other 3 DMZs) and setup some static routes on the default gateway. Can I do the same with pf without having one rdr rule for every DMZ's host ? Do I have to setup an alias on the LAN connected interface for every IP on the networks 10.10.1-4.0/24 ? Is there a better way to have a similar setup ? Maybe I can modify the destination IP during the routing process (ie: 10.10.1.10 -> 10.0.1.10, 10.10.2.53 -> 10.0.2.53, and so on) ? Thanks for your help giuliano