Shadi Abou-Zahra wrote:
> hello,
Hi,
> here are my questions:
> 1. NATing always happens before PF rules are applied. Correct?
This is correct.
> 2. if all the NATing happens on NIC_A, why do I get such entries in my
> state table when an internal desktop tries to reach a server in DMZ 1:
> 192.168.0.13 -> 123.123.0.1 -> 123.123.0.13
> (i.e. the private address is translated to the external bridge IP!)
The NATing actually happens before the packets are parsed on the INCOMING
interface, here NIC_B. You said you had a rule NATing packets from your
internal network to the internet. So possibly you did not specify that
packets for other internal networks are not to be translated (try "no nat on ...").
> 3. my understanding is that a packet from an internal desktop (i.e.
> 192.168.0.13) to an internal server (i.e. 10.0.0.13) would PASS IN ON
> NIC_B and then PASS OUT ON NIC_C but it doesn't seem to behave that
> way. did i get something wrong?
I think your logic is correct here. No idea what's going wrong here.
> 4. equally, a server on DMZ 1 trying to reach a service on DMZ 2
> should PASS IN ON NIC_D and PASS OUT ON NIC_E but the packets seem to
> be going through NIC_A as well. does this make any sense or do i have
> a terribly bad setup?
Actually I still have no clue how you are going to route any packets through
your interfaces D and E, but I'm not _that_ experienced.
> 5. finally, is there any way to reach an internal server (i.e.
> 10.0.0.13) through a "real" IP from both outside (NIC_A) and inside
> (NIC_B)?
Sure there is. Try "rdr in on {$NIC_A , $NIC_B} from any to $serverIP port
1:65535 -> 10.0.0.13 port 1:*" or something similar. From my understanding,
that should work.
HTH
Stefan
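Below is an added pf.conf fragment illustrating the two suggestions in the reply (the "no nat on ..." exception for question 2 and the rdr on both NIC_A and NIC_B for question 5). It is not from the original thread and was not posted by either participant. It uses the pre-OpenBSD 4.7 syntax, in which nat and rdr are separate translation rules: translation rules are matched before the filter rules and the first matching translation rule wins, nat rules match packets as they leave the named interface, and rdr rules match packets as they arrive on it. The interface macros, the 10.0.0.0/24 range behind NIC_C, and the "real" address 123.123.0.13 for the server are assumptions; the addresses 123.123.0.1, 192.168.0.13 and 10.0.0.13 are taken from the thread.

```pf
# Added example, not part of the original e-mail thread.
# Pre-OpenBSD 4.7 syntax: nat/rdr are translation rules evaluated before
# the filter rules. Interface names, the 10.0.0.0/24 range and the
# public address 123.123.0.13 for the internal server are assumptions.

ext_if  = "NIC_A"        # external, 123.123.0.1
lan_if  = "NIC_B"        # desktops, 192.168.0.0/24
srv_if  = "NIC_C"        # internal servers, 10.0.0.0/24 (assumed range)
dmz1_if = "NIC_D"
dmz2_if = "NIC_E"

ext_ip     = "123.123.0.1"
lan_net    = "192.168.0.0/24"
srv_net    = "10.0.0.0/24"
server_pub = "123.123.0.13"  # assumed "real" IP the server is reached on
server_int = "10.0.0.13"

# --- Translation rules -------------------------------------------------
# The first matching translation rule is applied, so the exception has to
# come before the rule it overrides. Traffic from the desktops to the
# server segment and both DMZs keeps its private source address; only
# packets actually leaving on $ext_if are NATed to the external IP.
no nat on { $srv_if, $dmz1_if, $dmz2_if } from $lan_net to any
nat on $ext_if from { $lan_net, $srv_net } to any -> $ext_ip

# rdr matches on the interface the packet ARRIVES on, so the external and
# the desktop interface are both listed. A list of interfaces expands to
# one rule per interface. Without a port spec every TCP/UDP port is
# redirected; a port spec requires proto tcp or udp.
rdr on { $ext_if, $lan_if } proto { tcp, udp } \
    from any to $server_pub -> $server_int

# --- Filter rules ------------------------------------------------------
# Filter rules see the TRANSLATED addresses: the pass for the redirected
# service must name 10.0.0.13, not 123.123.0.13, and outbound traffic on
# $ext_if already carries the external IP as its source.
block all

pass in  on { $ext_if, $lan_if } proto { tcp, udp } \
    from any to $server_int keep state
pass out on $srv_if proto { tcp, udp } from any to $server_int keep state

pass in  on $lan_if from $lan_net to any keep state
pass out on { $srv_if, $dmz1_if, $dmz2_if } from $lan_net to any keep state
pass out on $ext_if from $ext_ip to any keep state
```

Two points worth checking on a real box. First, the rdr from the inside only works cleanly here because the server sits behind $srv_if, a different segment from the desktops: the server's replies have to cross the firewall again, where the state entry undoes the translation. If a client and the redirected server shared one segment, the server would answer the client directly with its private address and the connection would fail unless the source were NATed as well. Second, load the file with `pfctl -nf /etc/pf.conf` before applying it; the parser rejects a port specification without a tcp/udp proto, which is the most common reason a rule like the one quoted in the reply is refused.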