Maxim Khitrov wrote:
Hello all,

A quick question - I have a /29 block of IPs that needs to be handled
by a firewall I'm setting up. Two addresses are lost to broadcast and
network, one is the ISP gateway, so we end up with 5 usable IPs that
can be assigned to the external interface. The question is how to do
this correctly?

I want only one of the addresses assigned to the firewall itself,
another will be used as the public nat address for all hosts on the
lan. Remaining three addresses will be used as bidirectional nat for

Am I correct in assuming that I just need to add four
ifconfig_vr0_alias[0-3] lines to rc.conf? What happens if in the
future we get a much bigger IP block, is there a more efficient way of
accomplishing the same thing? I don't actually want the firewall to
consider itself the final destination for any of the additional IPs,
it just needs to pass them to pf for nat and filtering.

- Max
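One way the rc.conf aliases and the matching pf translation rules could look, added here as an illustration and not taken from either poster. It assumes a constructed block 203.0.113.8/29 (gateway .9, firewall .10, shared NAT address .11, three binat addresses .12-.14), vr0 as the external interface, and a constructed LAN 192.168.1.0/24 with three internal hosts behind the binat mappings:

```pf
# --- /etc/rc.conf (assumed addresses, see lead-in) ---
ifconfig_vr0="inet 203.0.113.10 netmask 255.255.255.248"
# Aliases that fall inside the primary address's subnet take a /32 netmask
ifconfig_vr0_alias0="inet 203.0.113.11 netmask 255.255.255.255"
ifconfig_vr0_alias1="inet 203.0.113.12 netmask 255.255.255.255"
ifconfig_vr0_alias2="inet 203.0.113.13 netmask 255.255.255.255"
ifconfig_vr0_alias3="inet 203.0.113.14 netmask 255.255.255.255"
defaultrouter="203.0.113.9"
gateway_enable="YES"
pf_enable="YES"

# --- /etc/pf.conf ---
ext_if  = "vr0"
lan_net = "192.168.1.0/24"
nat_ip  = "203.0.113.11"
# Internal hosts that get a one-to-one public mapping (constructed)
srv1 = "192.168.1.11"
srv2 = "192.168.1.12"
srv3 = "192.168.1.13"

# Bidirectional (1:1) mappings; pf checks binat before nat, so the
# LAN catch-all below never swallows traffic from these three hosts
binat on $ext_if from $srv1 to any -> 203.0.113.12
binat on $ext_if from $srv2 to any -> 203.0.113.13
binat on $ext_if from $srv3 to any -> 203.0.113.14

# Everything else on the LAN shares one public address
nat on $ext_if from $lan_net to any -> $nat_ip

# Filtering. Translation runs before filtering, so inbound rules see
# the internal (post-binat) destination, not the public alias.
block in on $ext_if
pass out on $ext_if keep state
pass in on $ext_if proto tcp from any to $srv1 port { 80, 443 } keep state
pass in on $ext_if proto tcp from any to $srv2 port 25 keep state
pass in on $ext_if proto tcp from any to $srv3 port 22 keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it; the aliases only make the firewall answer ARP for the addresses, and the binat rules hand the traffic on to the internal hosts rather than terminating it locally.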
Aloha Max,

What you have sounds like an ATM (Asynchronous Transfer Mode) circuit. I have one here that is for three servers, a desktop and one spare IP.

I got the setup from Michael Paoli at in California.

With this setup I had to put firewalls (PF) on the three servers facing the internet and the desktop as well. There are 2 references I used for this firewall setup: Absolute FreeBSD - M. Lucas, pg. 273, and Peter Hansteen. Both are on this list.

If you would like to see the three sheets on how I set this up I can fax them to you or email.

The setup for more IPs should be scalable, but the IPs and default route would change, I would think. You could keep using /29 ATM blocks and increase in increments with different IPs, most likely without changing the first ones.

