hi,

just a reminder:
NIC_A: IP 123.123.0.1, connected to the big bad internet
NIC_B: IP 192.168.0.1, internal network (desktops etc)
NIC_C: IP 10.0.0.1, internal servers (development and staging area)
NIC_D: NO IP, DMZ 1 (a collection of operational www and mail servers)
NIC_E: NO IP, DMZ 2 (a collection of operational DB and backend servers)


> > 2. if all the NATing happens on NIC_A, why do i get such 
> > entries in my state table when an internal desktop tries
> > to reach a server in DMZ 1:
> > 192.168.0.13 -> 123.123.0.1 -> 123.123.0.13
> > (ie. the private address is translated to the external bridge IP!)
> 
> The NATing actually happens before the packets are parsed on 
> the INCOMING interface, here NIC_B. You said you had a rule
> NATing packets from your internal network to the internet.
> So possibly you did not specify, not to translate packets
> for other internal networks. (try "no nat on ...")

ok, here is my confusion. my NAT rule specifically says NAT on NIC_A. why
does NATing happen on any other interface? i was wondering if the
bridging is letting packets traverse other interfaces as well. there is
something i just don't understand here.


> > 3. my understanding is that a packet from an internal desktop (ie.
> > 192.168.0.13) to an internal server (ie. 10.0.0.13) would PASS IN ON
> > NIC_B and then PASS OUT ON NIC_C but it doesn't seem to behave that
> > way. did i get something wrong?
> 
> I think your logic is correct here. No idea what's going wrong here.

also suspecting the bridging. remember, all interfaces are on a single
bridge. don't know how good that is. maybe i should remove NIC_B and
NIC_C from the bridge. will try that tomorrow.


> > 4. equally, a server on DMZ 1 trying to reach a service on DMZ 2
> > should PASS IN ON NIC_D and PASS OUT ON NIC_E but the packets
> > seem to be going through NIC_A as well. does this make any sense
> > or do i have a terribly bad setup?
> 
> Actually I still have no clue how you are going to route any 
> packets through your interfaces D and E, but I'm not _that_
> experienced.

why route? the servers actually shouldn't even see the bridge. from
their perspective everything is on the same network...


> > 5. finally, is there any way to reach an internal server (ie.
> > 10.0.0.13) through a "real" IP from both outside (NIC_A) and inside
> > (NIC_B)?
> 
> Sure there is. Try "rdr in on {$NIC_A , $NIC_B} from any to $serverIP
> port 1:65535 -> 10.0.0.13 port 1:*" or something similar. From my 
> understanding, that should work.

ok, will try that. but NIC_B does not have an alias for the serverIP.
that is what i was wondering about.

hmmm, i'm just not sure about the exact packet flow through bridges &
NAT & PF. will work a little more on it.

thanks for your help!

best,
  shadi
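The two rule shapes the thread talks about (excluding internal-to-internal traffic from NAT with "no nat", and redirecting a "real" IP to an internal server with "rdr" on both the outside and inside interfaces), written out as an added pf.conf fragment in the classic nat/rdr syntax. This is not the poster's own configuration; the interface names NIC_A/NIC_B, the 123.123.0.13 alias address and the port numbers are assumed placeholders taken from the thread:

```conf
# Added example, not the original poster's pf.conf.
# Assumed placeholders: NIC_A is the external interface, NIC_B the
# desktop LAN, 123.123.0.13 an alias on NIC_A for the published server.
ext_if  = "NIC_A"
int_if  = "NIC_B"
int_net = "192.168.0.0/24"
srv_net = "10.0.0.0/24"
dmz_net = "123.123.0.0/24"
pub_ip  = "123.123.0.13"
srv_ip  = "10.0.0.13"

# nat/rdr rules are first-match, so the exclusions must come before the
# general NAT rule or they never fire. Traffic from the desktops to the
# internal servers or to the DMZ hosts keeps its 192.168.0.x source.
no nat on $ext_if from $int_net to $srv_net
no nat on $ext_if from $int_net to $dmz_net
nat on $ext_if from $int_net to any -> ($ext_if)

# Publish the internal server on a real IP, reachable from both the
# outside (NIC_A) and the desktop LAN (NIC_B). NIC_B needs no alias for
# $pub_ip: rdr rewrites the destination before routing, so the desktops
# only need a route to 123.123.0.0/24 that points at the firewall.
rdr on { $ext_if, $int_if } proto tcp from any to $pub_ip port 80 -> $srv_ip port 80
rdr on { $ext_if, $int_if } proto tcp from any to $pub_ip port 443 -> $srv_ip port 443
```

Check the result with `pfctl -nf /etc/pf.conf` (parse only) and then `pfctl -s nat` and `pfctl -s state` to confirm that a desktop-to-DMZ connection no longer shows the 123.123.0.1 translation in the state table. Redirecting a whole port range with `port 1:65535 -> $srv_ip port 1:*` as the reply suggested also works, but listing the published ports keeps the server's other services unreachable through the public address.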
