routing, pf, rdr question



Hello,
I'm trying to replace our current firewall (clavister) with freebsd/pf. I'm almost done but I have some rules I don't know how to convert. I've tried googling around but I've found nothing useful (maybe I'm looking for the wrong terms).

I have the following scenario:

LAN (192.168.1.0/24) connected to fxp0 (192.168.1.1)
DMZ1 (10.0.1.0/24) connected to dc0 (10.0.1.1)
DMZ2 (10.0.2.0/24) connected to dc1 (10.0.2.1)
DMZ3 (10.0.3.0/24) connected to dc2 (10.0.3.1)
DMZ4 (10.0.4.0/24) connected to dc3 (10.0.4.1)

The internet is accessible through another router on the LAN (192.168.1.254). The same router provides connections to a remote office using a VPN tunnel. On the remote site there are 4 other DMZs with the same network setup as DMZ1-4.
The PCs on the LAN have their default gateway set to the 192.168.1.254 router, so when they try to reach any 10.0.x.x IP address they connect to the remote site. This is correct because the production servers are in the remote site and only a few people use the local DMZs, which are for development/testing.
To actually reach the local DMZs I've configured the clavister firewall to route all the requests for network 10.10.1.0/24 to local 10.0.1.0/24 (and the same with the other 3 DMZs) and set up some static routes on the default gateway.

Can I do the same with pf without having one rdr rule for every DMZ host?
Do I have to set up an alias on the LAN-connected interface for every IP on the networks 10.10.1-4.0/24?
Is there a better way to have a similar setup?
Maybe I can modify the destination IP during the routing process (i.e. 10.10.1.10 -> 10.0.1.10, 10.10.2.53 -> 10.0.2.53, and so on)?

Thanks for your help

giuliano
_______________________________________________
freebsd-stable@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@xxxxxxxxxxx"
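The network-to-network translation asked about above can be done in pf with one rdr rule per DMZ rather than one per host, using the `bitmask` pool option: pf replaces only the network bits of the destination and keeps the host bits, so 10.10.1.10 becomes 10.0.1.10. The pf.conf sketch below is an added example, not the poster's configuration or a configuration from the thread; the interface names and addresses are the ones given in the post, while the macro names, the `block all` default and the pass rules are assumptions about the intended policy.

```pf
# Added example (not from the original post): FreeBSD pf.conf sketch mapping the
# "shadow" networks 10.10.1-4.0/24 onto the local DMZs 10.0.1-4.0/24.
# Interfaces and addresses come from the post; macro names and pass policy are assumed.
lan_if  = "fxp0"
dmz_ifs = "{ dc0 dc1 dc2 dc3 }"
lan_net = "192.168.1.0/24"
dmz_nets = "{ 10.0.1.0/24 10.0.2.0/24 10.0.3.0/24 10.0.4.0/24 }"

# Translation rules are evaluated on the interface the packet enters (fxp0).
# With "bitmask", pf applies only the network part of the redirect address (the
# /24 prefix) and keeps the host part of the original destination, so
# 10.10.1.10 -> 10.0.1.10, 10.10.2.53 -> 10.0.2.53, and so on. One rule per DMZ.
rdr on $lan_if inet from $lan_net to 10.10.1.0/24 -> 10.0.1.0/24 bitmask
rdr on $lan_if inet from $lan_net to 10.10.2.0/24 -> 10.0.2.0/24 bitmask
rdr on $lan_if inet from $lan_net to 10.10.3.0/24 -> 10.0.3.0/24 bitmask
rdr on $lan_if inet from $lan_net to 10.10.4.0/24 -> 10.0.4.0/24 bitmask

# Filter rules see the already-translated destination (10.0.x.y), so they are
# written against the real DMZ addresses. The state entry created on the way in
# un-translates the replies from the DMZ hosts automatically.
block all
pass in  on $lan_if  inet from $lan_net to $dmz_nets keep state
pass out on $dmz_ifs inet from $lan_net to $dmz_nets keep state
```

Two things the rules rely on: the pf box must forward packets (`gateway_enable="YES"` in /etc/rc.conf), and the 192.168.1.254 router must keep its static routes for 10.10.1-4.0/24 pointing at 192.168.1.1, otherwise LAN hosts send the 10.10.x.x traffic over the VPN instead of to fxp0. `pfctl -nf /etc/pf.conf` parses the file without loading it, which is a cheap way to catch a mistyped prefix before it silently redirects to the wrong DMZ. Because the rdr rules are restricted to `from $lan_net`, traffic that arrives on the DMZ interfaces is never rewritten, which keeps the development DMZs from reaching each other through the shadow addresses unless a rule explicitly allows it.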


