Try a bridge.
man brconfig(8) says:
      The brconfig utility retrieves kernel state of bridge interfaces and
      allows user control of these bridges.  Bridge devices create a logical
      link between two or more Ethernet interfaces or encapsulation
      interfaces (see gif(4)), which will selectively forward frames from
      each interface on the bridge to every other interface on the bridge.
      This can be used to isolate traffic between sets of machines on the
      same segment and to provide a transparent filter for ip(4) datagrams.

Which is pretty much what you want to do (e.g. isolate traffic between
the router and the DMZ). The put its interface into promiscuous mode all
see all traffic. The DMZ keeps its own address.
Take a look at BRCONFIG(8)

Tony Sterrett

Consultant in Open Source Software, featuring OpenBSD and Linux.

On Jan 22, 2006, at 10:07 AM, Jonas Lindskog wrote:

> Hello,
> We are running OpenBSD 3.8 as a firewall router. The router has two
> internal networks to handle; a DMZ with "real" ip addresses and a NAT
> network to which our workstations are connected. The problem I have is
> that it's not possible to connect to the server on the DMZ (ip, netmask
> from the outside (but from the inside).
> I guess that I somehow have to make the external interface listen to
> the same address as the server (they are on the same net), but if I add
> an alias to the external interface it doesn't (of course) route
> packages to the DMZ. How do I make OpenBSD route packages to the
> server (and the DMZ subnet)?
> Our ISP has given us a net that has the following data:
> Net segment: /28 net address: 
> gw address:
> firewall:    
> free ip ip:
> broadcast address:
> netmask:    
> the server has the following interfaces configured:
> ### interfaces ####
> #external interface
> inet NONE
> #internal interface
> inet NONE
> # dmz
> inet NONE
> Thanks in advance
> Jonas
