routing question

Eric Anderson anderson at centtech.com
Fri Jan 9 19:39:16 PST 2004


Antoine Jacoutot wrote:

>Selon Eric Anderson <anderson at centtech.com>:
>>Ok, well, in order to help you more, I'll need to know some things - 
>>like, are the IPs in your DMZ going to be publicly accessible?  Are the 
>>routable IPs (static IPs) you received from your provider?  How about 
>>the "LAN" addresses?
>
>OK :)
>
>So, my LAN will be 192.168.0.0/24.
>The @IP in my DMZ will be public @IP (I got something like 10 @IP publicly
>available from my provider).
>
I'll assume a few things - you have 1 network card for each "internet" 
connection, and you are receiving the IP for that card via DHCP.  I'll 
also assume that the internet connection used for the DMZ is going to a 
router (DSL modem, ISDN router, something). 

Keep in mind, there are probably 50 different ways to do this, and 
others on this list most likely know far more than I do, and will 
probably suggest even better ways to do it. 

You'll need natd (or ipnat) running for the LAN<->WAN1 and LAN<->DMZ 
connections.  This will take care of your LAN connecting to the net, and 
also give it access to the DMZ (and the DMZ won't have access to the 
LAN).  Now the harder part comes in when you want to set up the 
DMZ<->WAN2 connection (by the way, I'm using WAN as "internet 
connection").  You could do this part a lot of ways - so here's one: set 
up a bridge between DMZ and WAN2, and selectively allow in traffic you 
deem "ok" using ipfw (or ipfw2, or ipfilter, or...).  You could also set 
up natd (or ipnat) on the DMZ<->WAN2 connection, mapping your 10 IPs to 
certain hosts on the DMZ'd network - and the DMZ's hosts could have IPs 
like 10.0.0.xx - that gives you a lot of flexibility.  So, you'll need 4 
network cards, a simple FreeBSD box, and a little time to read some docs.

Here are some pointers to pages with more information:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-bridging.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html

>Thanks for answering... SO FAST !
No problem!

Eric


-- 
------------------------------------------------------------------
Eric Anderson	   Systems Administrator      Centaur Technology
All generalizations are false, including this one.
------------------------------------------------------------------
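As an added example, not code from Eric's message or from the FreeBSD project, here is one concrete rendering of the four-card layout he outlines: natd on the LAN<->WAN1 side (with the same box routing LAN->DMZ), the DMZ bridged to WAN2 with ipfw letting only chosen services in, and the DMZ denied any path into the LAN. The interface names fxp0..fxp3, the 203.0.113.0/28 block standing in for the provider's public addresses, and the two DMZ hosts are assumptions for illustration; the rc.conf, sysctl and ipfw rule-file syntax is the handbook-era form (kernel bridge driven by net.link.ether.bridge sysctls, natd via divert) that the three linked pages describe. The script does not call ipfw; it only prints the three fragments so they can be read over before being installed.

```shell
#!/bin/sh
# Added example (not from the original thread): emit the three config
# fragments for the 4-NIC FreeBSD gateway described on the list.
# Interface names, addresses and DMZ hosts are assumptions.
LAN_IF=fxp0              # LAN side, 192.168.0.0/24
WAN1_IF=fxp1             # first internet link, address via DHCP; natd here
DMZ_IF=fxp2              # DMZ side of the bridge
WAN2_IF=fxp3             # second internet link, bridged with DMZ_IF
LAN_NET=192.168.0.0/24
DMZ_NET=203.0.113.0/28   # placeholder for the provider's public block
DMZ_WEB=203.0.113.2      # placeholder DMZ host publishing HTTP
DMZ_MAIL=203.0.113.3     # placeholder DMZ host publishing SMTP
RULES_FILE=/etc/ipfw.rules

# /etc/rc.conf fragment: forwarding, natd bound to WAN1, ipfw loading
# the rule file below.
rc_conf_fragment() {
    cat <<EOF
gateway_enable="YES"
ifconfig_${WAN1_IF}="DHCP"
natd_enable="YES"
natd_interface="${WAN1_IF}"
firewall_enable="YES"
firewall_type="${RULES_FILE}"
EOF
}

# /etc/sysctl.conf fragment: bridge DMZ_IF with WAN2_IF and hand bridged
# frames to ipfw (the kernel bridge of the linked handbook page).
sysctl_fragment() {
    cat <<EOF
net.link.ether.bridge.enable=1
net.link.ether.bridge.config=${DMZ_IF},${WAN2_IF}
net.link.ether.bridge.ipfw=1
EOF
}

# Rule file read by "ipfw ${RULES_FILE}" at boot.  Routed packets are
# checked twice (in and out); bridged packets once, as "in" on the
# interface that received them.  The box must hold an address inside
# DMZ_NET on DMZ_IF for LAN->DMZ to be routed directly, and DMZ hosts
# need a route back to LAN_NET via that address (or NAT, as Eric notes).
ipfw_ruleset() {
    cat <<EOF
flush
add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 deny ip from 127.0.0.0/8 to any
# LAN <-> WAN1: translate on the WAN1 interface, then match dynamic rules;
# the translated copy leaving WAN1 was already accepted on its way in
add 01000 divert natd ip from any to any via ${WAN1_IF}
add 01100 check-state
add 01200 allow ip from any to any out via ${WAN1_IF}
# LAN may start connections anywhere (internet or DMZ); DMZ never toward LAN
add 02000 allow ip from ${LAN_NET} to any in via ${LAN_IF} keep-state
add 03000 deny log ip from ${DMZ_NET} to ${LAN_NET}
# WAN2 -> DMZ across the bridge: published services plus return traffic only
add 04000 allow tcp from any to ${DMZ_WEB} 80 in via ${WAN2_IF}
add 04100 allow tcp from any to ${DMZ_MAIL} 25 in via ${WAN2_IF}
add 04200 allow tcp from any to ${DMZ_NET} established in via ${WAN2_IF}
add 04300 allow udp from any 53 to ${DMZ_NET} in via ${WAN2_IF}
add 04400 allow icmp from any to ${DMZ_NET} in via ${WAN2_IF} icmptypes 0,3,11
# DMZ hosts may answer and reach out on their own (LAN already denied above)
add 05000 allow ip from ${DMZ_NET} to any in via ${DMZ_IF}
add 65000 deny log ip from any to any
EOF
}
```

To use it, source the file in sh and redirect each function into place (for example `ipfw_ruleset > /etc/ipfw.rules`), then compare the result against `ipfw list` after a reboot. The order matters in two places: the `deny` for DMZ->LAN sits before the general DMZ allow, and `check-state` sits after the `divert` so that replies coming back on WAN1 are un-translated before they are matched against the dynamic rules created by the LAN rule.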




More information about the freebsd-isp mailing list