Quick question about the tired ipf/ipnat/"dmz"/bridge scenario

Andrew Heyn aheyn at jmsent.com
Wed Dec 15 04:35:39 PST 2004


Hi,


Quoting http://www.moatware.com/support/docbook/faq-bridge.html,

10.8. Why can't hosts on a NATed interface talk to hosts on a bridged
interface?
This frequently happens when someone wants to bridge an interface to their
WAN to use it as a DMZ, and wants to put all of the hosts on their LAN
interface behind a NAT. This is actually a fairly reasonable and natural
thing to want to do.

The problem here is that ipnat and bridging (at least as implemented in
FreeBSD) don't play well together. Packets from the LAN to the DMZ go out
just fine, but in the other direction, it seems like the packets arriving on
the unnumbered bridge interface don't get looked up correctly in the ipnat
state tables.

I've managed to convince myself that solving this is Really Really Hard
(TM). The irritating thing is that there's no theoretical reason why this
should be difficult...it all comes down to implementation details.


Is there any way at all, even with kludges, to get this to work? I'd be
extremely interested if there was any way to accomplish this, as specified
above.

Thanks,
Andrew
