routing, pf, rdr question

giuliano giuliano at gzorzi.net
Fri Jun 19 12:27:07 UTC 2009


Hello,
I'm trying to replace our current firewall (clavister) with freebsd/pf. 
I'm almost done but I have some rules I don't know how to convert. I've 
tried googling around but I've found nothing useful (maybe I'm looking 
for the wrong terms).

I have the following scenario:

LAN (192.168.1.0/24) connected to fxp0 (192.168.1.1)
DMZ1 (10.0.1.0/24) connected to dc0 (10.0.1.1)
DMZ2 (10.0.2.0/24) connected to dc1 (10.0.2.1)
DMZ3 (10.0.3.0/24) connected to dc2 (10.0.3.1)
DMZ4 (10.0.4.0/24) connected to dc3 (10.0.4.1)

The internet is accessible through another router on the LAN 
(192.168.1.254). The same router provides connections to a remote office 
using a VPN tunnel. On the remote site there are 4 other DMZs with the 
same network setup as DMZ1-4.
The PCs on the LAN have their default gateway set to the 192.168.1.254 
router so when they try to reach any 10.0.x.x IP address they connect to 
the remote site. This is correct because the production servers are in 
the remote site and only a few people use the local DMZs that are for 
development/testing.
To actually reach the local DMZs I've configured the clavister firewall 
to route all the requests for network 10.10.1.0/24 to local 10.0.1.0/24 
(and the same with the other 3 DMZs) and set up some static routes on the 
default gateway.

Can I do the same with pf without having one rdr rule for every DMZ's 
host?
Do I have to set up an alias on the LAN connected interface for every IP 
on the networks 10.10.1-4.0/24?
Is there a better way to have a similar setup?
Maybe I can modify the destination IP during the routing process (i.e. 
10.10.1.10 -> 10.0.1.10, 10.10.2.53 -> 10.0.2.53, and so on)?

Thanks for your help

giuliano
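One way to do the network-to-network mapping described in the post, as an added pf.conf example that is not part of the original message or any reply to it: a single rdr rule per DMZ with the bitmask pool option keeps the host part of the address, so no per-host rules and no aliases are needed. It uses the interface names and networks from the post and assumes the 192.168.1.254 router already has static routes for 10.10.1-4.0/24 pointing at 192.168.1.1, so the packets arrive on fxp0.

```pf
# Added example (not from the original post). Translate the "alias" networks
# 10.10.N.0/24 to the local DMZ networks 10.0.N.0/24 while keeping the host
# part of the address. Assumes the LAN default gateway (192.168.1.254) has
# static routes for 10.10.1-4.0/24 pointing at this box (192.168.1.1).

lan_if  = "fxp0"
lan_net = "192.168.1.0/24"

# rdr acts on packets arriving on the named interface. The bitmask option
# applies only the network portion of the target (10.0.N.0/24) and leaves
# the host bits alone, so 10.10.1.10 -> 10.0.1.10, 10.10.2.53 -> 10.0.2.53.
# No proto is given, so tcp, udp and icmp are all translated.
rdr on $lan_if inet from $lan_net to 10.10.1.0/24 -> 10.0.1.0/24 bitmask
rdr on $lan_if inet from $lan_net to 10.10.2.0/24 -> 10.0.2.0/24 bitmask
rdr on $lan_if inet from $lan_net to 10.10.3.0/24 -> 10.0.3.0/24 bitmask
rdr on $lan_if inet from $lan_net to 10.10.4.0/24 -> 10.0.4.0/24 bitmask

# Filter rules are evaluated after translation, so they must match the real
# 10.0.N.0/24 destinations, not 10.10.N.0/24. Keeping state is what lets pf
# reverse the translation on the replies coming back from the DMZ hosts.
dmz_nets = "{ 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24 }"
pass in on $lan_if inet from $lan_net to $dmz_nets keep state
```

Restrict the pass rule to the ports the development DMZs actually need rather than passing everything, and check the result with `pfctl -s nat` and `pfctl -s state` while a LAN host connects to a 10.10.N.x address.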

