I manage a small business network. Our core router is running pfSense, with two WAN connections (each is a static IP with only one address) and a bunch of VLANs, etc. We will soon be hosting our own (low-traffic - maybe 300 hits a month) web server and authoritative DNS. My concern is that when I have to run a pfSense update, the DNS will become unavailable (HTTP will be unavailable too, but I can easily time this to avoid any interruptions).
So, I'd like to take our secondary WAN, and put a pure FreeBSD box in between the WAN and the router. I envision this passing all traffic straight through itself, and only catching DNS on the outside, and maybe SSH on the inside (but I can figure out a different management solution).
I can certainly do this with a (mostly) 1:1 NAT - give this box the WAN IP address, then give the other side a network on a unique subnet, and simply pass everything through except DNS. If it's not too difficult, though, I'd like to avoid this, and keep my WAN IP on the router.
So, I'm thinking that I may be able to exploit bridge for this. Directly pass through every incoming packet that's not bound for my.ip.ad.dr:53, and catch it if it is. I believe this doesn't even have to be stateful. If I wanted SSH on the inside, I could do something similar, but catch packets bound for my.ga.te.way:22 instead.
I'm not too familiar with bridging, and I've never touched it on BSD. Seems like I'll have a problem getting named to listen, since this computer won't really have an IP address, unless I can make some weird internal interface.
Am I totally barking up the wrong tree here, or is what I'm describing possible? If so, how do I go about it?
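Added example, not code from the original post: one way to lay out the bridge, sysctl and pf configuration the question describes, as a shell script that emits the /etc fragments. Assumed placeholders: em0 faces the ISP, em1 faces the pfSense router, 203.0.113.10 is the router's WAN address, and 192.0.2.10 is a private address given to bridge0 itself so named has something to listen on; a return route from that private address via the upstream gateway is assumed to be configured separately.

```shell
#!/bin/sh
# Added example, not code from the original post: emit the FreeBSD config for a
# transparent bridge that passes everything to the router except DNS for the
# WAN address, which is redirected to named on the bridge box itself.
# Assumed placeholders: em0 faces the ISP, em1 faces the pfSense router,
# 203.0.113.10 is the router's WAN address, 192.0.2.10 is a private address
# assigned to bridge0 so that named has a socket to listen on. A route from
# that private address back to the Internet (via the upstream gateway) is
# assumed to be configured separately.
WAN_IF=${WAN_IF:-em0}
LAN_IF=${LAN_IF:-em1}
WAN_IP=${WAN_IP:-203.0.113.10}
BRIDGE_IP=${BRIDGE_IP:-192.0.2.10}

# /etc/rc.conf fragment: the member NICs carry no address, only bridge0 does.
bridge_rc_conf() {
  cat <<EOF
cloned_interfaces="bridge0"
ifconfig_${WAN_IF}="up"
ifconfig_${LAN_IF}="up"
ifconfig_bridge0="addm ${WAN_IF} addm ${LAN_IF} inet ${BRIDGE_IP}/32 up"
pf_enable="YES"
named_enable="YES"
EOF
}

# /etc/sysctl.conf fragment: run pf on the member interfaces, not on bridge0
# as well, so each frame is inspected exactly once.
bridge_sysctl_conf() {
  printf 'net.link.bridge.pfil_member=1\nnet.link.bridge.pfil_bridge=0\n'
}

# /etc/pf.conf fragment: redirect only WAN_IP:53 to the local named (stateful,
# so replies are translated back); bridge everything else untouched.
bridge_pf_conf() {
  cat <<EOF
wan_if = "${WAN_IF}"
lan_if = "${LAN_IF}"
wan_ip = "${WAN_IP}"
dns_ip = "${BRIDGE_IP}"
set skip on lo0
rdr on \$wan_if inet proto { udp, tcp } from any to \$wan_ip port 53 -> \$dns_ip port 53
pass in quick on \$wan_if inet proto { udp, tcp } from any to \$dns_ip port 53 keep state
pass quick on { \$wan_if, \$lan_if } all no state
EOF
}

# Print all three fragments when run directly.
bridge_rc_conf; bridge_sysctl_conf; bridge_pf_conf
```

The DNS pass rule sits before the catch-all and keeps state so pf can undo the rdr translation on named's replies; all other frames cross the bridge without state, as the question anticipates.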