Hello all,
I have a routing-related problem that I can't figure out.
I have this configuration:
**************
***INTERNET***
**************
|
bnx1
| FIREWALL |
bnx0
|
DMZ (10.0.0.0/28)
|
bnx1
| PROXY |
bnx0
|
LAN (192.168.80.0/24)
FIREWALL and PROXY are both OpenBSD machines.
The bnx1 of the firewall is configured on a public subnet.
A couple of machines in the DMZ are natted with public ip configured on
the bnx1 of the firewall.
For a particular reason, I have to route traffic from LAN to DMZ using
the public IP. I can't use a DNS-based solution (like views). So, when
I try to connect to a DMZ machine by using its public (NATed) IP,
traffic is blocked at bnx0 of the firewall.
With tcpdump I can see that bnx0 answers with a RST packet to the
connection request coming from the LAN (and masked by PROXY).
The only "trick" I found to make it work is using a redirect on PROXY,
something like this:
rdr on bnx1 from bnx0:network to $MyPublicIp -> 10.0.0.2
This is the basic ruleset I'm using on FIREWALL:
set skip on lo
scrub in
rdr pass on bnx1 proto tcp from any to $MyPublicIP port 80 -> 10.0.0.2
block in log
pass out
pass in on bnx1 proto tcp from any to 10.0.0.2 port 80 flags S/SA synproxy state
I didn't touch routes.
Is there another way than using a set of rdr rules? Did I miss some man
page?
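For the LAN-to-DMZ-via-public-IP case, one way to keep all the rules on FIREWALL instead of PROXY, as an added example that is not part of the original post: the redirection-and-reflection technique documented in the OpenBSD PF FAQ, written in the same pre-4.7 rdr/nat syntax the post uses. Interface names, the DMZ prefix and the 10.0.0.2 server come from the post; the value assigned to $MyPublicIP is an assumed placeholder.

```pf
# Added example (not from the original post): PF FAQ "reflection" on FIREWALL.
# Values below are the post's, except MyPublicIP, which is a placeholder.
ext_if = "bnx1"
dmz_if = "bnx0"
dmz_net = "10.0.0.0/28"
web_srv = "10.0.0.2"
MyPublicIP = "203.0.113.10"    # placeholder (TEST-NET-3), not the real address

set skip on lo
scrub in

# Internet -> DMZ: the redirect the post already has on the outside interface.
rdr pass on $ext_if proto tcp from any to $MyPublicIP port 80 -> $web_srv

# DMZ (PROXY's bnx1) -> DMZ via the public address: redirect on the inside
# interface as well, otherwise the packet is delivered to FIREWALL's own stack.
rdr on $dmz_if proto tcp from $dmz_net to $MyPublicIP port 80 -> $web_srv

# Client and server share the DMZ subnet, so without this the server would
# answer PROXY directly, bypassing FIREWALL and the rdr state it created.
# Rewriting the source to FIREWALL's DMZ address forces the reply back through
# it. FIREWALL's own traffic into the DMZ is excluded from the translation.
no nat on $dmz_if proto tcp from $dmz_if to $dmz_net
nat on $dmz_if proto tcp from $dmz_net to $web_srv port 80 -> $dmz_if

block in log
pass out

# Filter rules see the already-translated destination ($web_srv).
pass in on $ext_if proto tcp from any to $web_srv port 80 flags S/SA synproxy state
pass in on $dmz_if proto tcp from $dmz_net to $web_srv port 80 flags S/SA keep state
```

The nat line is the part a lone rdr on bnx0 would miss: because PROXY and 10.0.0.2 sit on the same subnet, the SYN-ACK would otherwise reach PROXY from 10.0.0.2 rather than from the address it connected to, and PROXY would reset the connection.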