On Wed, Nov 5, 2008 at 3:16 AM, John . <[EMAIL PROTECTED]> wrote:

> fxp0 to the speedtouch
>
> fxp1 for a network that I want to be unfiltered, in other words, real
> IPs (wired)
> fxp2 the top usable real IP - this I want to nat behind, it is for wireless
> fxp3 is unused.
>
> Is this a DMZ for fxp1? I don't need this traffic to be processed by
> the openbsd box, I just want it to go down the right interface. From
> what I've read, a DMZ involves some queuing/processing. Not sure if my
> nomenclature is right for what I'm describing. Is there a howto for
> what I'm trying to do? Do I have to split the /28?
>

Basically you need to make a bridge between fxp0 and fxp1.  I do this exact
setup in one of our locations.

The basic steps run like this:

1) Put one address from the /28 on the Speedtouch ethernet interface.
2) Put one address from the /28 on the OpenBSD box
3) Disable pf (pfctl -d)
4) Make sure you can ping the speedtouch and get out to the Internet.
5) Set up a bridge on fxp0 to fxp1 per the OpenBSD FAQ
6) Set up a computer on the fxp1 network and give it an IP from the /28
7) Make the default gateway on the computer on the fxp1 network equal the
Speedtouch IP address
8) Make sure you can get out to the Internet on the computer on the fxp1
network.
9) Open your pf.conf file and add 'skip on fxp0 fxp1' for now
10) Put pass all in your pf.conf for now
11) Enable pf and make sure you can still ping the internet from your
OpenBSD box and the computer on your network
12) Set up NAT on fxp2 per the FAQs
13) Set up a computer on the fxp2 network and make sure you can ping and get
out to the internet
14) Go back through your pf.conf and put in the firewall rules you need.

Hope that helps.

Mikel

-- 
http://lindsaar.net/
Rails, RSpec and Life blog....
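The configuration files the steps above end up with, written out as an added example (this is not Mikel's or John's config, and the addresses are assumptions: 203.0.113.0/28 stands in for the real /28, with the Speedtouch on .1, the OpenBSD box on .2, the "top usable" .14 reserved as the wireless NAT address, and 192.168.1.0/24 assumed for the wireless side of fxp2). The pf.conf is in OpenBSD 4.7-and-later syntax; the 2008-era `nat on` form is shown in a comment. One caveat worth keeping in mind while working through steps 9 to 14: `set skip` takes an interface out of pf entirely, translation included, so a `skip on fxp0` left in place after step 12 means the NAT rule on fxp0 never fires. The version below therefore drops the skip line and instead passes bridged traffic explicitly on both bridge members (pf sees a bridged packet once on each member interface) while filtering only what comes in on fxp2.

```conf
# /etc/hostname.fxp0  -- bridge member facing the Speedtouch; carries the
# box's own /28 address plus an alias for the "top usable" NAT address.
inet 203.0.113.2 255.255.255.240 NONE
inet alias 203.0.113.14 255.255.255.255

# /etc/hostname.fxp1  -- bridge member for the unfiltered real-IP LAN; no
# address of its own, it only needs to be up.
up

# /etc/hostname.bridge0  -- joins the two so fxp1 hosts see the Speedtouch
# as if they were on the same wire.
add fxp0
add fxp1
up

# /etc/hostname.fxp2  -- wireless, private range, routed and NATed.
inet 192.168.1.1 255.255.255.0 NONE

# /etc/mygate  -- default route for the OpenBSD box itself
203.0.113.1

# /etc/sysctl.conf  -- the bridge needs no forwarding, but routing fxp2 out does
net.inet.ip.forwarding=1

# /etc/pf.conf
ext_if   = "fxp0"
lan_if   = "fxp1"
wifi_if  = "fxp2"
wifi_net = "192.168.1.0/24"
nat_addr = "203.0.113.14"

set skip on lo0
# Do NOT 'set skip on' fxp0 here once NAT is in place: skipped interfaces
# bypass translation as well as filtering.

# NAT for the wireless network, applied on the way out of fxp0.
# On OpenBSD releases before 4.7 the equivalent line is:
#   nat on $ext_if from $wifi_net to any -> $nat_addr
match out on $ext_if from $wifi_net to any nat-to $nat_addr

# Bridged real-IP traffic between fxp0 and fxp1 stays unfiltered: pf sees
# each bridged packet once on fxp1 and once on fxp0, so pass it on both.
pass quick on $lan_if
pass quick on $ext_if

# Wireless is the only segment that gets policy. Allow what the wireless
# hosts need towards the box and the Internet, block everything else.
block in on $wifi_if
pass in on $wifi_if inet proto udp from $wifi_net to ($wifi_if) port { domain dhcp-server }
pass in on $wifi_if inet proto { tcp udp } from $wifi_net to ! $wifi_net keep state
pass in on $wifi_if inet proto icmp from $wifi_net to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -s state | grep 203.0.113.14` shows the wireless sessions being translated to the reserved address, and a host on fxp1 should still reach the Internet with the Speedtouch as its gateway exactly as in step 8.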
