On Mon, Mar 16, 2020 at 09:49:30AM +0100, pebwindkraft wrote:
> Hi,
>
> I have a question concerning static routes and default gateways for a DMZ
> setup, with internal and external firewall.
> A DNS in the DMZ shall be used from internal machines, and later a http
> proxy from internal and external machines.
> The setup is within a network of a bigger data centre with its own edge
> router. I cannot change anything on this edge router.
> I am using OpenBSD 6.6, and ip forwarding is activated on both firewalls.
> Here is an ASCII pic (for better viewing also here:
> https://ln2.sync.com/dl/9da92f730/wrzi9rse-xh9sqzed-cst55auv-y39rkrwj):
>
>   |--------|   |---------|       |---------|   /-------------\
>   | int_pc |---| int_fw  |-------| ext_fw  |---| Data Center |---> Internet
>   |--------|   |em0   em1|   |   |em0   em1|   | Edge Router |
>                |---------|   |   |---------|   \-------------/
>                              |
>                       |------------|
>                       | DNS & http |
>                       |------------|
>
> Setup of default routes:
> int_pc -> IP address of em0 on int_fw
> int_fw -> IP address of em0 on ext_fw
> DNS    -> IP address of em0 on ext_fw
> ext_fw -> IP address of external interface
>
> Without any firewall rules (pfctl -d), I observe:
>
> 1.) I cannot ping from int_pc to DNS, and vice versa.
> 2.) I cannot ping from int_pc to em0 on ext_fw
>
> I can observe with tcpdump, that ping echo request leaves int_pc, goes
> through int_fw and reaches the network card of DNS or em0 on ext_fw. As the
> default route of DNS is pointing to ext_fw, the ping echo reply is sent to
> ext_fw, which doesn't know what to do with the IP address of int_pc, and
> ignores the package. I get this.
> So I can set a static route on the DNS or on the external firewall, like
> this
>
> route add -inet {network of int_pc} {IP address of em1 on int_fw}
>
> and then pinging back and forth works.
> But setting static routes on all DMZ machines and ext_fw doesn't seem
> right to me(?).
>
> What would be the correct design?
> Can I use "only" the ext_fw with a static route, so that packages from DNS
> would travel twice through DMZ net (from DNS to ext_fw, and then from ext_fw
> via int_fw back to int_pc)?
>
> The information I found on misc@ and internet is usually talking about "home
> router" with NAT and three network cards, where one leg supplies the DMZ...
> Mine is different, and I think I do not need NAT here?
>
You need to add routes for your internal network on ext_fw and on the DNS
box. They need to know that those networks are reachable via int_fw. These
routes are more specific and will make sure that the traffic has a path back
to int_pc.

-- 
:wq Claudio
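Claudio's point that the added /24 is more specific than the default route and therefore wins the lookup, as an added Python model of the thread's topology (example code, not part of the original thread; all addresses and host names are constructed): it traces the echo reply from the DNS box hop by hop with only default routes, with the static route on both ext_fw and DNS, and with the poster's "only on ext_fw" variant, where the reply crosses the DMZ twice.

```python
import ipaddress

# Constructed addressing for the topology in the thread (none of it is from the post):
# internal LAN 10.0.1.0/24, DMZ 10.0.2.0/24, uplink towards the edge router 203.0.113.0/24.
IPN, IPA = ipaddress.ip_network, ipaddress.ip_address
INT_NET, DMZ_NET, EXT_NET, ANY = IPN("10.0.1.0/24"), IPN("10.0.2.0/24"), IPN("203.0.113.0/24"), IPN("0.0.0.0/0")
INT_PC, INT_FW_EM0, INT_FW_EM1 = IPA("10.0.1.10"), IPA("10.0.1.1"), IPA("10.0.2.1")
DNS, EXT_FW_EM0, EXT_FW_EM1, EDGE = IPA("10.0.2.53"), IPA("10.0.2.254"), IPA("203.0.113.2"), IPA("203.0.113.1")

# Which host owns each address, and each host's routing table as (prefix, next hop)
# pairs; a next hop of None means the prefix is directly attached.
OWNER = {INT_PC: "int_pc", INT_FW_EM0: "int_fw", INT_FW_EM1: "int_fw", DNS: "dns",
         EXT_FW_EM0: "ext_fw", EXT_FW_EM1: "ext_fw", EDGE: "edge"}
ROUTES = {
    "int_pc": [(INT_NET, None), (ANY, INT_FW_EM0)],
    "int_fw": [(INT_NET, None), (DMZ_NET, None), (ANY, EXT_FW_EM0)],
    "dns":    [(DMZ_NET, None), (ANY, EXT_FW_EM0)],
    "ext_fw": [(DMZ_NET, None), (EXT_NET, None), (ANY, EDGE)],
    "edge":   [(EXT_NET, None)],  # the data centre edge has no route for 10.0.1.0/24
}

def lookup(routes, dst):
    """Longest-prefix match: the most specific prefix containing dst wins."""
    hits = [r for r in routes if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def trace(routes, src, dst, max_hops=8):
    """Forward a packet hop by hop from host src to address dst. The returned
    list ends in the destination host, or in 'DROP' when a hop has no route."""
    path, here = [src], src
    for _ in range(max_hops):
        hit = lookup(routes[here], dst)
        if hit is None:
            return path + ["DROP"]
        here = OWNER[dst if hit[1] is None else hit[1]]  # deliver locally or hand to next hop
        path.append(here)
        if here == OWNER[dst]:
            return path
    return path + ["LOOP"]

def with_static_routes(routes, hosts):
    """Copy of the tables with the thread's fix applied on the given hosts:
    route add -inet 10.0.1.0/24 10.0.2.1   (internal LAN via em1 of int_fw)."""
    fixed = {h: list(t) for h, t in routes.items()}
    for h in hosts:
        fixed[h].append((INT_NET, INT_FW_EM1))
    return fixed

if __name__ == "__main__":
    print("reply, default routes only:", trace(ROUTES, "dns", INT_PC))
    print("reply, route on ext_fw+dns:", trace(with_static_routes(ROUTES, ["ext_fw", "dns"]), "dns", INT_PC))
    print("reply, route on ext_fw only:", trace(with_static_routes(ROUTES, ["ext_fw"]), "dns", INT_PC))
```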