IP alias + NAT through a single NIC?

[Chuck Swiger]

Romain Kang wrote:
> I have a single physical network with 2 disjoint address spaces in
> it.  Logical Net 1 is routable, while Logical Net 2 is in private
> space intended to keep devices there safe from the outside.  Now I
> need to allow some Net 2 devices the capability to access the web,
> and putting in a second physical net is impractical.
> 
> Can a FreeBSD box with just one NIC on the physical net be used as
> the router between the logical nets?

Yes, although using one NIC compromises security a great deal compared with 
having two physical subnets seperated by a packet-filtering firewall.

Set up an interface alias via ifconfig to go on the second network, enable 
ipforwarding and presumably NAT.

> If so, could it be used to limit outside access from Net 2 by hardware address?

All outside traffic is going to go through the machine used as a router and 
acquire it's hardware address.  If you have another router on net 1, blocking 
packets from that MAC on all of the hosts on net 2 would be useful, but you'd 
have to do it for each client machine, not just on this FreeBSD box itself.

> Or is there a proxy that would work for this configuration?

Running a proxy server on the FreeBSD box is more secure than providing 
routing and NAT for the machines on net 2.  squid works fine for this.

-- 
-Chuck