Hi,
for years I have been using a setup with two firewalls: an "outer" one,
FW1-BGP, connecting to upstream ISPs and talking BGP to them regarding
my DMZ, and an "inner" one, FW2-NAT, doing NAT for my LAN.
  ISP1   ISP2
     \   /
    [FW1-BGP]
        |
      (DMZ)
        |
    [FW2-NAT]
        |
      (LAN)
(Actually, it's more complicated due to each of the firewalls having
their CARP twin, but that shouldn't matter for my questions).
I'm considering moving to a setup with just one firewall (ok, two,
because of CARP, but once again it should not matter), which would connect
to the upstream ISPs, the DMZ and the LAN.
  ISP1   ISP2
     \   /
    [FW1-ALL]
     /     \
  (DMZ)   (LAN)
Any success / failure stories from admins who already went through
this? Any pitfalls I should avoid?
My main concern is the fact that in the previous setup I could set up IP
aliases on the DMZ interface of my NAT server, and redirect requests to
them to LAN hosts. This way I could switch ISPs and still access my LAN
hosts (via redirection) through the same DMZ IP addresses.
Will I still be able to do this in a single-firewall setup? I guess this
won't work:
pass in on $ext_if inet proto tcp from any to $dmz_ipaddr \
rdr-to $lan_ipaddr
...assuming I am also doing NAT on $ext_if:
match out on $ext_if inet from any to any received-on $if_int \
nat-to $ext_if
If I'm correct about the above not working, is there a chance to achieve
the same goal by means of an nc proxy? Or some other way? Any other things
I should be aware of?
Or should I just continue with my current two-firewall setup?
Thank you in advance,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.
Marko Cupać
https://www.mimar.rs/
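For the single-firewall layout asked about above, here is an added pf.conf fragment (not the poster's ruleset) showing the inbound rdr-to for a public DMZ alias and the outbound nat-to for the LAN written side by side on the same external interface, plus the reflection rules LAN clients need to reach the alias; interface names, networks, addresses and ports are assumed.

```pf
# Added example for a single firewall (FW1-ALL); all names below are assumed.
ext_if    = "em0"            # upstream side, BGP peers live here
dmz_if    = "em1"
lan_if    = "em2"
lan_net   = "10.0.0.0/24"
dmz_alias = "192.0.2.10"     # public address announced via BGP, aliased on $dmz_if
lan_host  = "10.0.0.20"      # LAN server published through $dmz_alias
svc_ports = "{ 22 80 443 }"

set skip on lo

# Default deny on the outside; pf is last-match-wins, so this sits before
# the pass rules. Passes for BGP peers and DMZ hosts are left out here.
block in on $ext_if

# Outbound NAT only for the LAN; DMZ hosts keep their public addresses.
match out on $ext_if inet from $lan_net nat-to ($ext_if)

# Inbound: connections to the DMZ alias are redirected to the LAN host.
# The translation is recorded in the state entry, so the replies leaving
# $ext_if are reverse-translated by that state, not by the nat-to above.
pass in on $ext_if inet proto tcp from any to $dmz_alias port $svc_ports \
    rdr-to $lan_host

# Reflection: LAN clients that connect to the public alias also need a
# redirect on $lan_if, and source translation so that replies from the LAN
# host go back through the firewall instead of directly to the client.
pass in on $lan_if inet proto tcp from $lan_net to $dmz_alias port $svc_ports \
    rdr-to $lan_host
pass out on $lan_if inet proto tcp from $lan_net to $lan_host port $svc_ports \
    received-on $lan_if nat-to ($lan_if)

pass out on $ext_if
pass on { $dmz_if $lan_if }
```

Check the syntax with `pfctl -nf /etc/pf.conf`, and after a test connection confirm the translated state with `pfctl -ss | grep 10.0.0.20`, which should show the $dmz_alias to $lan_host mapping rather than a second source translation.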