Hello all,

I currently have a firewall with 3 NICs: one goes to the net, one to the DMZ and one to the LAN. I have ipf and ipnat running along with FreeBSD bridge support, and I have the external NIC and the DMZ NIC bridged. All DMZ computers are configured with a real public IP and have the firewall as the gateway.

My question is: when any computer from my DMZ goes out to the net it uses the IP of the firewall and not the public IP it was assigned. Internally within the DMZ they use the correct IPs. How can I make it so that when the DMZ computers are on the net they report as using their assigned IP? Is the DMZ using ipnat? I only have the LAN mapped in ipnat.rules and nothing about the DMZ IPs.

TIA
Jay

Here are my configs:

ifconfig

dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::203:6dff:fe00:9bd%dc0 prefixlen 64 scopeid 0x1
        ether 00:03:6d:00:09:bd
        media: Ethernet autoselect (100baseTX)
        status: active
dc1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::280:c6ff:feea:7af1%dc1 prefixlen 64 scopeid 0x2
        inet xxx.yyy.200.99 netmask 0xfffffff0 broadcast xxx.yyy.200.111
        ether 00:80:c6:ea:7a:f1
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=3<RXCSUM,TXCSUM>
        inet6 fe80::250:daff:fe1b:90c3%xl0 prefixlen 64 scopeid 0x3
        inet xxx.yyy.200.106 netmask 0xffffffff broadcast xxx.yyy.200.106
        inet xxx.yyy.200.107 netmask 0xffffffff broadcast xxx.yyy.200.107
        ether 00:50:da:1b:90:c3
        media: Ethernet autoselect (10baseT/UTP)
        status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
        inet xxx.yyy.200.97 --> 207.136.64.4 netmask 0xffffff00
        Opened by PID 241

/etc/ipnat.rules

# nat the lan
map xl0 192.168.1.0/24 -> xxx.yyy.200.97/32

/etc/sysctl.conf

# bridge
net.link.ether.bridge=1
net.link.ether.bridge_cfg=dc1,xl0
net.link.ether.bridge_ipf=1

/etc/rc.conf

hostname="fw.bwlogic.com"

# LAN
ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"
# DMZ
ifconfig_dc1="inet xxx.yyy.200.99 netmask 255.255.255.240"
# INET
ifconfig_xl0="inet xxx.yyy.200.97 netmask 255.255.255.240"
# pppoe tunnel
ifconfig_tun0="inet xxx.yyy.200.97 netmask 255.255.255.255"

# pppoe
ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="NO"
ppp_profile="isplook"

# gateway
gateway_enable="YES"

# ipfilter
ipfilter_enable="YES"            # Set to YES to enable ipfilter functionality
ipfilter_program="/sbin/ipf"     # where the ipfilter program lives
ipfilter_rules="/etc/ipf.rules"  # rules definition file for ipfilter, see
                                 # /usr/src/contrib/ipfilter/rules for examples
ipfilter_flags=""                # additional flags for ipfilter

# ipnat
ipnat_enable="YES"               # Set to YES to enable ipnat functionality
ipnat_program="/sbin/ipnat"      # where the ipnat program lives
ipnat_rules="/etc/ipnat.rules"   # rules definition file for ipnat
ipnat_flags=""                   # additional flags for ipnat
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
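An added check, not part of Jay's post and not an answer to it: a small Python model of the one piece of ipnat semantics the posted /etc/ipnat.rules relies on, namely that a "map IFNAME SRCNET -> TARGET" rule rewrites the source address of a packet only when the packet leaves IFNAME and its source lies inside SRCNET, first match wins, and unmatched packets pass with their source untouched. Run against the posted rule it tells you which DMZ addresses that rule can ever rewrite. Assumptions made here: 203.0.113.0/24 (an RFC 5737 documentation prefix) stands in for the masked xxx.yyy.200.0 addresses, the DMZ is taken as the /28 that dc1's netmask 0xfffffff0 implies (.96 through .111), and the function and constant names are mine; the model knows nothing about the bridge, tun0 or ipf, only the rule text.

```python
# Added example (not from the original post): a model of ipnat "map" rule
# selection, checked against the rule Jay posted.
# Assumption: 203.0.113.x stands in for the masked xxx.yyy.200.x addresses.
from ipaddress import ip_address, ip_network
import re

# The posted /etc/ipnat.rules, with the masked prefix replaced (constructed).
IPNAT_RULES = """\
# nat the lan
map xl0 192.168.1.0/24 -> 203.0.113.97/32
"""

# The DMZ network implied by dc1: 203.0.113.99 netmask 0xfffffff0 -> .96/28
DMZ_NET = "203.0.113.96/28"

MAP_RE = re.compile(r"^map\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s*$")


def parse_map_rules(text):
    """Return [(ifname, source_network, target_address)] for each map line.

    Only the plain 'map IF SRC/MASK -> ADDR/MASK' form is understood; any
    other rule type raises so it cannot be silently ignored.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments / blank lines
        if not line:
            continue
        m = MAP_RE.match(line)
        if not m:
            raise ValueError("unsupported ipnat rule: %r" % line)
        ifname, src, target = m.groups()
        rules.append((ifname, ip_network(src, strict=False),
                      target.split("/", 1)[0]))
    return rules


def egress_source(rules, out_if, src):
    """Source address a packet from src carries after leaving out_if.

    First rule whose interface and source network match wins; a packet
    that matches no rule keeps its original source address.
    """
    addr = ip_address(src)
    for ifname, net, target in rules:
        if ifname == out_if and addr in net:
            return target
    return str(addr)


def dmz_hosts_rewritten(rules, out_if, dmz_net, firewall_addrs=()):
    """DMZ host addresses that some map rule on out_if would rewrite.

    firewall_addrs lets you skip the firewall's own addresses in the /28.
    """
    hosts = ip_network(dmz_net, strict=False).hosts()
    return [str(h) for h in hosts
            if str(h) not in firewall_addrs
            and egress_source(rules, out_if, str(h)) != str(h)]


if __name__ == "__main__":
    rules = parse_map_rules(IPNAT_RULES)
    print("LAN host via xl0 :", egress_source(rules, "xl0", "192.168.1.10"))
    print("DMZ host via xl0 :", egress_source(rules, "xl0", "203.0.113.100"))
    print("DMZ hosts the posted rule can rewrite on xl0:",
          dmz_hosts_rewritten(rules, "xl0", DMZ_NET,
                              firewall_addrs=("203.0.113.97", "203.0.113.99")))
```

The model only reads the rule file; on the box itself `ipnat -l` lists the rules ipnat actually loaded and the active NAT sessions, which is the authoritative place to see whether any DMZ address is being mapped at all.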