On Fri, Feb 20, 2009 at 6:34 AM, Federico <[email protected]> wrote:
> Hello all,
>
> I have a problem with something routing-related that I can't figure out.
>
> I have this configuration:
>
>
>      **************
>      ***INTERNET***
>      **************
>            |
>          bnx1
>      | FIREWALL |
>          bnx0
>            |
>      DMZ (10.0.0.0/28)
>            |
>          bnx1
>      |  PROXY   |
>          bnx0
>            |
>      LAN (192.168.80.0/24)
>
>
>
> FIREWALL and PROXY are both OpenBSD machines.
>
> The bnx1 of the firewall is configured on a public subnet.
>
> A couple of machines in the DMZ are natted with public IPs configured on
> the bnx1 of the firewall.
>
> For a particular reason, I have to route traffic from LAN to DMZ using
> the public IP. I can't use a DNS based solution (like views). So, when
> I try to connect to a DMZ machine by using its public (natted) IP,
> traffic is blocked at bnx0 of the firewall.
>
> With tcpdump I can see that bnx0 answers with a RST packet to the
> connection request coming from LAN (and masked by PROXY).
>
> The only "trick" I found to make it work is using redirect on PROXY,
> something like that:
>
> rdr on bnx1 from bnx0:network to $MyPublicIp -> 10.0.0.2
>
> This is the basic ruleset I'm using on FIREWALL:
>
> set skip on lo
> scrub in
> rdr pass on bnx1 proto tcp from any to $MyPublicIP port 80 -> 10.0.0.2
> block in log
> pass out
> pass in on bnx1 proto tcp from any to 10.0.0.2 port 80 flags S/SA synproxy state
>
> I didn't touch routes.
>
> Is there another way than using a set of rdr rules? Did I miss some man
> page?
$MyPublicIP doesn't actually belong to your DMZ machine, so FIREWALL's route to that address (if it has one) is not what you're expecting. Your rdr on PROXY solves the problem. Use it or remove the need for it.

-HKS
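As an added illustration (not a ruleset from either poster), here is a complete pf.conf fragment for PROXY that carries the rdr "trick" together with the filter and nat rules it needs, in the pre-4.7 PF syntax current in 2009. It assumes PROXY's LAN side is bnx0 and its DMZ side is bnx1 as in the diagram, that 203.0.113.10 stands in for the real $MyPublicIP, and that only TCP/80 is redirected, matching the rdr on FIREWALL.

```pf
# PROXY: redirect LAN -> public-IP traffic straight to the DMZ host so it
# never reaches FIREWALL's bnx0, which owns the public address and RSTs it.
# (Added example; interface names and the public address are assumptions.)
lan_if   = "bnx0"
dmz_if   = "bnx1"
lan_net  = "192.168.80.0/24"
pub_ip   = "203.0.113.10"      # placeholder for the real $MyPublicIP
dmz_host = "10.0.0.2"

set skip on lo
scrub in

# pf.conf(5): an rdr rule matches packets as they ENTER the named interface,
# so the LAN-originated packets are rewritten on the LAN-facing side.
rdr on $lan_if proto tcp from $lan_net to $pub_ip port 80 -> $dmz_host

# LAN traffic is masqueraded by PROXY on its DMZ side, so the DMZ host
# replies to PROXY's own DMZ address and the state entry sees both halves.
nat on $dmz_if from $lan_net to any -> ($dmz_if)

block in log

# Filter rules are evaluated AFTER translation: match the translated
# destination ($dmz_host), not $pub_ip, or the connection is blocked.
pass in on $lan_if proto tcp from $lan_net to $dmz_host port 80 \
    flags S/SA keep state
pass out on $dmz_if proto tcp from $lan_net to $dmz_host port 80 \
    flags S/SA keep state
```

Check it with `pfctl -nf /etc/pf.conf` before loading, and confirm with `pfctl -ss` that a single state covers the LAN-side and DMZ-side halves of a test connection.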

