On Tue, 26 Nov 2019 12:27:16 -0000 (UTC) Stuart Henderson <s...@spacehopper.org> wrote:
> > 192.168.1.2 < rdr-to/nat-to > 11.22.33.40
> > 192.168.1.3 < rdr-to/nat-to > 11.22.33.41
> >
> > I plan to give the outgoing interface the second public IP
> > (11.22.33.41) as an alias, so the egress interface holds both
> > public IP addresses. Question is, how do I do the routing so that
> > DMZ host 192.168.1.3 uses public IP 11.22.33.41 exclusively?
>
> I read this as "how do I make it so that *only* the DMZ host uses
> 11.22.33.41 and the router itself doesn't use it", is that right?

Yes, but first and foremost, 192.168.1.3 should use *only* 11.22.33.41 as
gateway, 192.168.1.2 (and possibly other hosts) should use 11.22.33.40 as
gateway. Both, 192.168.1.2 and 192.168.1.3, are in the DMZ. 192.168.1.2 is
a webserver and 192.168.1.3 is mail/smtp server. Therefore it is crucial
that 192.168.1.3 is using only 11.22.33.41 as gateway, because of DNS/RDNS.

With Linux/iptables one would establish different routing tables, "mark"
the packages and then set "ip rule" and SNAT rules accordingly. I find this
procedure over-complicated, so I was hoping for a simpler approach with
OpenBSD/pf.

> If it's ethernet-like and the subnet has ISP router, your router,
> plus your public IPs, then usually the ISP would be ARPing for
> addresses so in that case you need to have some way that your router
> will respond to those requests. The simplest way is indeed to add the
> address to the interface, if you want to prevent local traffic using
> that address then maybe a PF rule generally blocking traffic with
> that address, and another to permit it "received-on $dmz_if".

The entire public subnet is routed through the ISP router (11.22.33.39)
which belongs to the same subnet.
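An added pf.conf sketch (not from this thread or from either poster) of the layout Stuart describes: the second public IP as an alias on the external interface, a 1:1 nat-to/rdr-to pair per DMZ host, and a block/pass pair so that only traffic received on the DMZ interface may leave with the alias address. Interface names em0/em1 and the service ports are assumptions.

```pf
# Assumed interface names; the public IPs and DMZ hosts are those from the thread.
# The alias itself goes in /etc/hostname.em0 as:
#   inet alias 11.22.33.41 255.255.255.255
ext_if   = "em0"
dmz_if   = "em1"
pub_web  = "11.22.33.40"
pub_mail = "11.22.33.41"
web      = "192.168.1.2"
mail     = "192.168.1.3"

set skip on lo

# Outbound: each DMZ host always leaves with its own public address,
# so 192.168.1.3 never appears as 11.22.33.40 (matters for RDNS/SPF).
match out on $ext_if from $web  nat-to $pub_web
match out on $ext_if from $mail nat-to $pub_mail

# Inbound: only the services each host actually offers (assumed ports).
match in on $ext_if proto tcp to $pub_web  port { www, https } rdr-to $web
match in on $ext_if proto tcp to $pub_mail port { smtp, submission, imaps } rdr-to $mail

block log all

# Router and web server traffic.
pass out on $ext_if
pass in  on $ext_if proto tcp to $web  port { www, https }
pass in  on $ext_if proto tcp to $mail port { smtp, submission, imaps }
pass in  on $dmz_if from { $web, $mail }

# The alias must never be used by the router itself: block it outright,
# then re-permit only packets that arrived on the DMZ interface. Both the
# inside and the translated source are listed so the pass rule matches
# regardless of which address the filter sees at that point. Last match wins.
block out on $ext_if from $pub_mail
pass  out on $ext_if from { $mail, $pub_mail } received-on $dmz_if
```

Check the result with `pfctl -nf /etc/pf.conf` for syntax, then `pfctl -ss | grep 11.22.33.41` while the mail server connects out, which should show states with 192.168.1.3 translated to 11.22.33.41 and none sourced from the router.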