On 2019-11-25, Henry Jensen <hjen...@mailbox.org> wrote:
> Hi,
>
> my ISP provides me with a /29 subnet, including 5 usable public IPv4
> addresses.
>
> Until now my router uses only one of these public IPs (11.22.33.40),
> with port forwarding of port 443 to a host in a DMZ (192.168.1.0/24)
> like this:
>
> pass in on egress proto tcp from any to any port 443 rdr-to 192.168.1.2
>
> Now I plan to have a second host in the DMZ which should use another
> public IP from the subnet the ISP gave me.
>
> In other words, I want to do the following:
>
> 192.168.1.2 < rdr-to/nat-to > 11.22.33.40
> 192.168.1.3 < rdr-to/nat-to > 11.22.33.41
>
> I plan to give the outgoing interface the second public IP
> (11.22.33.41) as an alias, so the egress interface holds both public IP
> addresses. The question is, how do I do the routing so that DMZ host
> 192.168.1.3 uses public IP 11.22.33.41 exclusively?
I read this as "how do I make it so that *only* the DMZ host uses 11.22.33.41 and the router itself doesn't use it", is that right?

How is your internet connection provided?

If the subnet is routed to your router IP (as, for example, would always be the case with a PPP-based connection) then you don't actually need to configure the second IP on your router, making it easy to achieve this.

If it's ethernet-like and the subnet has the ISP router, your router, plus your public IPs, then usually the ISP would be ARPing for addresses, so in that case you need to have some way that your router will respond to those requests. The simplest way is indeed to add the address to the interface; if you want to prevent local traffic using that address then maybe a PF rule generally blocking traffic with that address, and another to permit it "received-on $dmz_if".

(If it's ethernet and there's a separate "link" subnet then the main public IP subnet would probably be routed via the link subnet, in which case they would only be ARPing for the link network IP, so the same applies as with PPP: you could just not configure the IP.)

If none of this seems to fit then describe your setup in more detail (ifconfig -A and netstat -rn or similar).

> Do I have to use rtables and rdomains or is there a simpler approach?

I don't think that would be needed.
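For the alias-on-the-interface case the reply describes, here is a pf.conf fragment putting the pieces together (an added example, not posted by either participant; the `egress` group comes from the original rule, while `em1` as the DMZ interface and the macro names are assumptions):

```pf
# Added example, not from the thread. The second public IP is assumed to be
# configured as an alias on the ISP-facing interface, e.g. in /etc/hostname.<if>:
#   inet alias 11.22.33.41 255.255.255.255
dmz_if = "em1"
pub1   = "11.22.33.40"
pub2   = "11.22.33.41"
host1  = "192.168.1.2"
host2  = "192.168.1.3"

# Inbound: port 443 on each public address is forwarded to its own DMZ host.
# Matching the specific destination address (rather than "any", as in the
# original single-host rule) is what keeps the two mappings apart.
pass in on egress proto tcp from any to $pub1 port 443 rdr-to $host1
pass in on egress proto tcp from any to $pub2 port 443 rdr-to $host2

# Outbound: the first DMZ host keeps using the router's primary address.
pass out on egress from $host1 nat-to $pub1

# Keep the router itself off the alias, as the reply suggests: a general
# block on anything leaving with $pub2 as source, then a pass that only
# applies to packets which entered on the DMZ interface. PF evaluates rules
# against the packet before translation, so the pass names $host2 as source
# and attaches the nat-to; last matching rule wins, hence the ordering.
block out on egress from $pub2
pass out on egress from $host2 received-on $dmz_if nat-to $pub2
```

Locally generated traffic that happens to pick 11.22.33.41 as its source hits the block rule, while replies to the forwarded 443 connections are handled by state and are unaffected.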