Folks,

I could add another physical interface for the internal end of the bridge, but not for the external end. Would this work?

--Paul

On Jun 22, 2011, at 6:56 AM, Stuart Henderson wrote:

> Seconded, or alternatively can you add another interface (physical
> or vlan) to place the server on?
>
> It might be possible to do bridging and nat on the same interface
> (possibly using bridge rules and PF tags) but at best you're setting
> yourself up for a complicated and fragile ruleset.
>
> On 2011-06-22, Shane Lazarus <shane.laza...@pobox.com> wrote:
>> Heya
>>
>> On Wed, Jun 22, 2011 at 12:13 PM, Paul Suh <pl...@goodeast.com> wrote:
>>
>>> Folks,
>>>
>>> Is this possible and/or a good idea? I have a router with three interfaces:
>>>
>>> sis0: external interface, IPv4 address 1.2.3.4/24
>>> sis1: internal interface, IPv4 address 192.168.1.1/24
>>> sis2: DMZ interface, IPv4 address 192.168.2.1/24
>>>
>>> NAT rules pass all traffic from the internal and DMZ zones through the
>>> external IP address. I have a couple of servers with IPv4 addresses
>>> 192.168.2.2 and 192.168.2.3 in the DMZ, with rdr-to rules that send traffic
>>> in to them from 1.2.3.4.
>>>
>>> I need to place a server at 1.2.3.5, and the software I have to run needs
>>> the server itself to have the IPv4 address 1.2.3.5 -- I can't NAT it and
>>> give the server the address 192.168.2.4 in the DMZ. (Don't ask. *shudder*)
>>> Can I set up a bridge between sis0 and sis2 so that traffic for 1.2.3.5
>>> gets passed through to the server via sis2 as well as having the IPv4
>>> address 1.2.3.4 on sis0? Or is there a better way to do this?
>>>
>>>
>>> --Paul
>>>
>> I personally would check to see if you could get a /30 routed to 1.2.3.4.
>> 5.6.7.8 - 5.6.7.11
>>
>> Append one of the /30 to the sis2 interface, and the other to your new
>> server.
>>
>> If 1.2.3.4 & 1.2.3.5 are part of a bigger block that you own, see if you
>> can't allocate a /30 from that larger pool.
>> ( 1.2.3.8 - 1.2.3.11 ?? )
>>
>>
>> Shane
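
The routed-/30 alternative suggested in the quoted reply, sketched as a pf.conf fragment. This is an added example, not configuration posted by anyone in the thread. It assumes the upstream routes Shane's placeholder block 5.6.7.8/30 to 1.2.3.4, that sis2 carries 5.6.7.9 as an alias, and that the server is 5.6.7.10; the service port is also an assumption.

```conf
# pf.conf fragment (added example; merge into the existing ruleset).
# The existing rdr-to rules and the pass rules for the internal and DMZ
# hosts are unchanged and not shown here.
#
# Assumed interface setup, e.g. in /etc/hostname.sis2:
#   inet alias 5.6.7.9 255.255.255.252
# Server: address 5.6.7.10/30, default gateway 5.6.7.9.

ext_if    = "sis0"
dmz_if    = "sis2"
priv_nets = "{ 192.168.1.0/24, 192.168.2.0/24 }"
pub_srv   = "5.6.7.10"   # placeholder address from the thread's /30
srv_ports = "{ 443 }"    # assumed; the thread does not name the service

# Private zones keep sharing the external address, as before.
match out on $ext_if inet from $priv_nets nat-to ($ext_if)

# Traffic to the publicly addressed server is routed, not translated:
# no nat-to, no rdr-to, and no bridge between sis0 and sis2.
pass in  on $ext_if inet proto tcp to $pub_srv port $srv_ports
pass out on $dmz_if inet proto tcp to $pub_srv port $srv_ports

# Server-initiated traffic leaves with its own public source address,
# but is kept out of the internal network.
pass in  on $dmz_if inet from $pub_srv to ! 192.168.1.0/24
pass out on $ext_if inet from $pub_srv
```

Because the server sits behind a routed hop, every packet to or from it crosses two ordinary filter points (sis0 and sis2), so the policy for it stays in plain pass rules without bridge rules or PF tags.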