Setting up PF redirect on a DMZ machine

Hi, I have two FreeBSD machines running on my network. I have very limited access to my ISP's router, and can only set up basic port forwarding and define a DMZ IP. The router requires me to reset it after a change, and I don't want to use it for port forwarding. I have defined the one FreeBSD server as the DMZ IP (192.168.10.5) so all ports are forwarded here.

The questions then, using PF:
  • Can I make this machine forward ports to another machine on the same subnet using only one interface (like sending 10022 to 22 on .3)?
  • Even if possible (I assume it is), is it a good idea or could it cause some undesirable effect on the network?

Before anyone says it, I would just like to say that I know I could just make the one server be a gateway with two adapters, but for reasons I won't bother getting into I don't want to do that.
 
crazychip said:
Can I make this machine forward ports to another machine on the same subnet using only one interface (like sending 10022 to 22 on .3)?
No.

Translation rules apply only to packets that pass through the specified interface, and if no interface is specified, translation is applied to packets on all interfaces. For instance, redirecting port 80 on an external interface to an internal web server will only work for connections originating from the outside. Connections to the address of the external interface from local hosts will not be redirected, since such packets do not actually pass through the external interface. Redirections cannot reflect packets back through the interface they arrive on, they can only be redirected to hosts connected to different interfaces or to the firewall itself.

Taken from pf.conf(5)
 
Thank you :)

That answers that question. Then to make the DMZ redirect I must have two interfaces. Will that work well if both are on the same subnet or could it cause trouble?
 
crazychip said:
Will that work well if both are on the same subnet or could it cause trouble?
That's going to cause problems. Your best bet is to use a different subnet.
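As an added example (not posted by anyone in this thread), this is a minimal pf.conf for the layout the answer recommends: the DMZ host keeps 192.168.10.5 on the ISP side and gets a second interface on a separate internal subnet, so the 10022 -> 22 redirect crosses interfaces instead of being reflected. Interface names em0/em1, the 192.168.20.0/24 subnet and the .3 host address are assumptions.

```pf
# /etc/pf.conf on the DMZ host (192.168.10.5). Assumed layout:
#   em0 -> ISP router subnet (192.168.10.0/24), this is the DMZ address
#   em1 -> new internal subnet (192.168.20.0/24), target host is .3
# The internal host must use 192.168.20.1 (em1) as its default gateway,
# otherwise return traffic never passes back through the firewall.
# rc.conf needs: pf_enable="YES" and gateway_enable="YES"
ext_if   = "em0"
int_if   = "em1"
ssh_host = "192.168.20.3"

set skip on lo0

# Outbound NAT so the internal subnet reaches the Internet via the DMZ address
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Redirect external port 10022 to port 22 on the internal host.
# Only works because the packet enters on em0 and leaves on em1.
rdr on $ext_if proto tcp from any to ($ext_if) port 10022 -> $ssh_host port 22

# Default deny, then allow only what is needed
block log all

# Translation happens before filtering, so match the translated destination
pass in on $ext_if proto tcp from any to $ssh_host port 22 keep state
pass out on $int_if proto tcp from any to $ssh_host port 22 keep state

# Let the internal subnet out, and let the firewall itself talk outbound
pass in on $int_if from $int_if:network to any keep state
pass out on $ext_if keep state
```

Check the loaded rules with `pfctl -nf /etc/pf.conf` before enabling and `pfctl -sn` / `pfctl -sr` afterwards; a connection from a 192.168.10.x host to 192.168.10.5:10022 will still not be redirected, exactly as the pf.conf(5) excerpt above describes.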
 
Thank you again for the clear answers :) Maybe not the answers I wanted but that just means I have to figure out something else.
 