I am trying out an idea I had for my FreeBSD-12.2-based router, which has six GbE ports (em0 to em5), to tweak how things work on the network. For the last year or two, I had things set up the traditional way where em0 was the WAN and em1 was the LAN, and a firewall governed what moved between these two interfaces. The router used em1 not only as the network gateway, but also exposed its administrative services on em1 as well. The downside here was that when using NAT w/ an IPFW firewall, you have to use a default-allow firewall approach, and I couldn't find a clean way to limit access to the administrative services of the router (primarily SSH). Since I have six GbE ports on this thing, I figured I would do something like this:
em0 --> WAN
em1 --> Gateway (10.0.0.1)
em2 --> Services (10.0.0.2)
And then have these criteria be met:
- Traffic from LAN destined for Internet --> em1 --> NAT --> WAN/em0
- Traffic from LAN destined for router --> em2
- Traffic from router itself destined for Internet --> NAT --> WAN/em0
- Traffic from router itself destined for LAN --> em2
Traffic from other points on the LAN meant for the Internet would flow to em1/10.0.0.1, where the firewall script would NAT/send or receive/NAT to/from the Internet on em0/WAN (item #1). The router itself would use em2/10.0.0.2 to expose services (like SSH) or access network services elsewhere on the LAN (like NFS) (items #2 and #4). I can then easily modify the firewall to better govern what can go where and do what on the network by the em2 interface directly.
The problem that arises, however, is how do I teach the router to send anything meant for the WAN out em1/10.0.0.1 for NATing (like other devices do), but if it wants to access services like NFS on another machine on the network, to have it go out em2/10.0.0.2? It should not use em1/10.0.0.1 to talk to other devices on the network, even though em1 is attached to the same subnet as em2. More to the point, if this is possible, how would I codify it into /etc/rc.conf? I am assuming that the defaultrouter variable won't work here, as that variable appears to be for simpler setups. I have internal DNS set up for other systems to know how to get to the router's services that will listen on em2.
I am open to other approaches if this is not a good idea.
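An added example, not from the original post, of the ipfw firewall_script such a layout could use for item #2: SSH to the router is accepted only when it arrives on em2 from the LAN, everything else to port 22 is dropped and logged, and whatever crosses em0 is NATed by kernel NAT. The LAN prefix 10.0.0.0/24, the path /etc/ipfw.rules and the rc.conf variables named in the comments are assumptions; the routing question itself is not addressed here.

```shell
#!/bin/sh
# /etc/ipfw.rules (assumed path), referenced from rc.conf with:
#   firewall_enable="YES"  firewall_script="/etc/ipfw.rules"  firewall_nat_enable="YES"
# Interface roles as in the post; the LAN prefix is an assumption.
wan="em0"          # WAN
gw="em1"           # 10.0.0.1, gateway for the LAN hosts
svc="em2"          # 10.0.0.2, the router's own services (SSH, NFS client)
lan="10.0.0.0/24"
fwcmd="${fwcmd:-/sbin/ipfw}"   # set fwcmd=echo to print the rules instead of loading them

load_rules() {
    ${fwcmd} -f flush
    ${fwcmd} nat 1 config if ${wan} reset same_ports
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 200 deny ip from any to 127.0.0.0/8
    ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
    # Item #2: SSH to the router only when it arrives on em2 from the LAN. The
    # keep-state entry lets the replies out; any other packet to port 22
    # (arriving via em1 or em0, or from outside the LAN) is dropped and logged.
    ${fwcmd} add 1000 allow tcp from ${lan} to me 22 in via ${svc} setup keep-state
    ${fwcmd} add 1010 deny log tcp from any to me 22
    # Items #1 and #3: kernel NAT for everything crossing the WAN interface.
    ${fwcmd} add 2000 nat 1 ip4 from any to any via ${wan}
    # Default-allow, as in the original two-interface setup.
    ${fwcmd} add 65000 allow ip from any to any
}

# Load the rules only where the ipfw binary exists (on the router, not in a dry run).
if [ -x "${fwcmd}" ]; then
    load_rules
fi
```

Run it as `fwcmd=echo sh /etc/ipfw.rules` to review the generated rule set before enabling it.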