Thanks, that's something I'll look into. There's another wrinkle I forgot to mention -- there is a Windows domain controller on the private net along with several Windows clients, and one Windows server on the DMZ net, a member of the domain. The router is running BIND, with its zones as slaves to the Windows DNS server on the domain controller (this is my public nameserver -- the Windows primary is on the private net). For this reason, the Windows server on the DMZ net must use the domain controller's private address as its DNS and not the router's BIND nameserver on the DMZ net, because BIND refuses to handle the special records that a Windows client needs to locate Active Directory. I'm not totally against creating another subnet, I just want to keep it as simple as possible and I hate messing with static routes and that sort of thing.
Thanks,
Jeff

________________________________
From: Adam M. Dutko [mailto:[email protected]]
Sent: Thu 5/6/2010 12:12 PM
To: Jeff Powell
Cc: [email protected]
Subject: Re: Semi-newbie NAT question

> vr0 and vr1 are bridged together as bridge0.

I was puzzled as to how it was working until you said this... I have a similar setup as you. I have a public interface with my public IP attached to the cable modem, then I have two other interfaces, one for internal hosts and another for DMZ hosts. In order to give a good amount of separation, logical and physical, I've set up two unique subnets, one for the private side and the other for the DMZ. I simply point the DMZ hosts to the DMZ gateway address and then handle it through pf, and do the same with internal/private hosts. I understand you don't want to use the fourth port, but it would make for clean separation and wouldn't require another public IP if you used a private subnet. An added benefit of such a setup is port redirects from the public IP to the other hosts, or using some sort of proxy to proxy connections to the DMZ hosts.
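The layout Adam describes (one public address, private and DMZ hosts on separate subnets, pf doing NAT and port redirects) combined with Jeff's DNS constraint, as an added pf.conf example that is not from either poster. Interface names (vr2 for the spare fourth port), subnets and host addresses are assumptions; it uses the pre-OpenBSD-4.7 nat/rdr syntax that FreeBSD's pf also accepts.

```pf
# Added example, not from the thread. Assumed: vr0 public, vr1 private,
# vr2 the spare fourth port used for the DMZ; all addresses are made up.
ext_if  = "vr0"
int_if  = "vr1"
dmz_if  = "vr2"
int_net = "192.168.10.0/24"
dmz_net = "192.168.20.0/24"
dc      = "192.168.10.5"     # Windows domain controller, primary DNS
dmz_srv = "192.168.20.10"    # Windows member server in the DMZ

set skip on lo
# Drop packets arriving on the wrong interface for their source subnet
antispoof quick for { $int_if $dmz_if }

# Both private subnets share the single public address
nat on $ext_if from { $int_net, $dmz_net } to any -> ($ext_if)
# Port redirect: inbound HTTP on the public IP goes to the DMZ server
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $dmz_srv port 80

# Default deny; pass rules keep state, so replies are implicit
block log all

# Private hosts: unrestricted outbound (tighten later if wanted)
pass in on $int_if from $int_net to any
pass out on $ext_if
# Traffic the router itself originates (e.g. BIND's zone transfers from the DC)
pass out on { $int_if $dmz_if }

# Redirected HTTP: filter rules see the translated destination
pass in on $ext_if proto tcp from any to $dmz_srv port 80

# DMZ hosts reach the Internet but not the private net...
pass in on $dmz_if from $dmz_net to ! $int_net
# ...except the member server, which must query the DC for the AD SRV
# records that BIND on the router will not serve (tcp and udp 53).
pass in on $dmz_if proto { tcp, udp } from $dmz_srv to $dc port 53
# A domain member also needs Kerberos, LDAP and SMB/RPC to the DC; add
# those as equally narrow rules rather than opening all of $int_net.
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, and watch `pflog0` for the DMZ-to-private hits the narrow rules do not yet cover.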