On 10/10/2007, Cidric THIBAULT <[EMAIL PROTECTED]> wrote:
> Thanks for your comment. Unfortunately, I understand the NAT
> process well.
Huh? If you understand NAT very well, then how is that unfortunate?

I'm not trying to be a prick here; I honestly have trouble understanding you.

> It's right, it does not seem to be interesting to NAT some machines in the same
> IP LAN, but that is what I want.

Is this what you are trying to say?: "It's true that it would not seem to make sense to do Network Address Translation between machines that are on the same physical network segment, but this is what I want."

I'll give you an example of what I understood. Please tell me if this describes what you are trying to do:

- You have multiple hosts on a single physical network segment.
- An OpenBSD box is also connected to the same network segment, possibly intercalated between two parts of that network, where one part of that network is connected to its 1st NIC and the other to a 2nd NIC.
- There are hosts on both sides that are on the same logical subnet. Therefore bridging is required.
- There are other hosts connected to that same physical network segment that are configured with IP addresses and subnet masks so that they are in a second, different logical subnet. They need NAT in order to talk to the hosts in the first logical subnet.

Is this what you need?

> The problem, you said it very well, is that the firewall can't assign its own
> IP address because it is in bridge mode.

You can assign an IP address to a NIC that's part of a bridge. This is frequently done, so the bridge can be remotely administered with SSH. In this scenario you put both NICs in promiscuous mode (so they listen to all traffic and bridge whatever is allowed in pf.conf), but you assign an IP address to one of the NICs anyway. Most users will never see/know that IP. It doesn't appear in their network settings. It's strictly for when you want to talk directly to the OpenBSD box.

> So, the idea is to set a particular IP on all traffic outgoing from the
> firewall.

I have no idea what you're trying to say here.
> The rule could be this one:
>
> nat pass on bridge0 inet tagged LAN1 -> 192.168.2.3 (it's an example of an
> IP picked in the LAN...)
> pass in inet proto { tcp, udp, icmp } on $lan1_if from 10.0.0.0/24 tag LAN1
>
> I don't know if this syntax is ok, because I never tested it.

I have no idea what you're trying to do here. I'm missing contextual information.
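As an added illustration of the setup the reply describes (a bridge whose one member NIC also carries a management address reachable over SSH, with LAN1 traffic tagged as in the quoted rule), here is a minimal set of OpenBSD hostname.if files and a pf.conf fragment. This is example configuration written for this thread, not either poster's own; the interface names em0/em1, the 10.0.0.0/24 management address and the 4.x-era pf syntax are assumptions.

```conf
# /etc/hostname.em0 -- outer bridge member; this NIC also carries the
# management IP (address constructed for this example; bridge0 stays unnumbered)
inet 10.0.0.254 255.255.255.0 NONE up

# /etc/hostname.em1 -- inner bridge member, no address of its own
up

# /etc/hostname.bridge0 -- join both NICs; bridge(4) puts the members in
# promiscuous mode so they see and forward all frames
add em0
add em1
up

# /etc/pf.conf (OpenBSD 4.x syntax, as used in the thread)
ext_if   = "em0"
int_if   = "em1"
mgmt_ip  = "10.0.0.254"
lan1_net = "10.0.0.0/24"

set skip on lo

# Default deny. Bridged frames are filtered on the member interfaces
# (em0, em1), so the rules below name those, not bridge0.
block all

# Management plane: only LAN1 hosts may reach the box's own address, and
# only on SSH. Everything else aimed at the management IP is dropped early.
pass in quick on $ext_if inet proto tcp from $lan1_net to $mgmt_ip port 22
block in quick on $ext_if inet from any to $mgmt_ip

# Bridged traffic from LAN1: admit it on the outer NIC and tag it, so a
# later rule (for instance the poster's "tagged LAN1" rule) can match on it.
pass in  on $ext_if inet proto { tcp, udp, icmp } from $lan1_net tag LAN1
pass out on $int_if inet tagged LAN1

# Reply direction from the inner segment back out.
pass in  on $int_if inet
pass out on $ext_if inet
```

Load with `pfctl -f /etc/pf.conf` after `sh /etc/netstart bridge0`, and verify the management rule with `pfctl -s rules` and a test SSH connection from a LAN1 host.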