I'm trying to find the cleanest solution for correct routing of internal LAN servers to the external IPs of other servers in the same LAN.

I have read the OpenBSD FAQ here (http://www.openbsd.org/faq/pf/rdr.html#reflect) and mostly understand the problems associated with doing this via some relatively simple firewall rule. The purpose of this is to simplify the logic in our pf rules a bit where we have redirects/NAT for the internal LAN clients (see below), but also to allow access to internal services without always editing /etc/hosts. I'm wondering what people think the cleanest way of accomplishing this is? The split-view DNS seems like kind of an extra management hassle and a good opportunity to screw something up. But running a proxy and the added rules in pf doesn't seem like a great solution either. Also, is there some catch-all that could be created with rules like this?

Currently we are using this on specific services when we want to be able to use the FQDN on a local server without adding the internal IP resolution to /etc/hosts:

    rdr pass on {$ext_if, $int_if} inet proto tcp from any to $mx4_ext port 25 -> $mx4_int port 25
    nat on $int_if inet proto tcp from 192.168.1.0/24 to $mx4_int port 25 -> $int_if

It has the very much less than ideal result of showing the connection coming from the firewall internal interface though, which makes it harder to know where incoming connections are really coming from in the logs and such. Anyways. Any thoughts?
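For reference, here is the reflection pattern from the linked FAQ section written out in full for more than one service, in the same pre-4.7 pf syntax the post uses. This is an added example, not part of the original post; the interface names, addresses and the second (web) service are placeholders, and the `no nat` line and the `log` keyword are the FAQ's exclusion for the firewall's own traffic and a way to keep the pre-translation source address visible in pflog, respectively.

```pf
# Added example (not from the original post). Interface names and addresses are placeholders.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"

mx4_ext = "203.0.113.25"   # placeholder public address of the mail server
mx4_int = "192.168.1.25"   # placeholder LAN address of the mail server
www_ext = "203.0.113.80"   # placeholder public address of the web server
www_int = "192.168.1.80"   # placeholder LAN address of the web server

# Redirect connections to the public address, arriving on either interface,
# to the internal host. "log" records the packet before translation, so pflog
# still shows the real client address even though the server will not.
rdr pass log on {$ext_if, $int_if} inet proto tcp from any to $mx4_ext port 25 -> $mx4_int port 25
rdr pass log on {$ext_if, $int_if} inet proto tcp from any to $www_ext port {80, 443} -> $www_int

# Never rewrite the firewall's own connections into the LAN (from the FAQ).
no nat on $int_if inet proto tcp from $int_if to $int_net

# LAN clients that were just redirected must be source-rewritten to $int_if,
# otherwise the server replies directly to the client (which is on the same
# subnet) and the reply bypasses the firewall that holds the state entry.
# This is the line that makes the server see the firewall as the source.
nat on $int_if inet proto tcp from $int_net to $mx4_int port 25 -> $int_if
nat on $int_if inet proto tcp from $int_net to $www_int port {80, 443} -> $int_if
```

One rdr/nat pair per published service is needed because each mapping is a distinct public-to-internal address pair, which is why a single catch-all rule is not possible in this form; the `log` keyword on the rdr rules is what lets the original client address be recovered from pflog after the nat rule has hidden it from the server's own logs. Check the file with `pfctl -nf /etc/pf.conf` before loading it.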