Charles Farinella wrote:
> 
> I have an OpenBSD 3.9 machine with a public IP providing NAT and
> firewalling for our internal network.  It has 3 interfaces:
> 
> dc0: public ip from internet X.X.X.25
> dc1: 192.168.100.x to internal network.  This works well.
> dc2: 192.168.200.x --> to Windows server.
> 
> I need to allow public access to the Windows server connected to dc2
> (one port only).  Currently I have a private network address assigned to
> dc2 and a public one (X.X.X.26) assigned to the machine connected to it.
> 
> I need to know how to access the X.X.X.26 machine from the internet.  My
> attempts at redirecting with pf rules haven't been successful so far,
> and I'm not sure that's how I should be approaching it.

If dc2 and your Windows server are on an ethernet LAN, they need to be
addressed in such a fashion that at least one IP address on the dc2
interface is in the same subnet as at least one IP address on the Windows
box's interface.  If the only address on dc2 is 192.168.200.x and the only
address on the Windows box is X.X.X.26, they just won't talk.  At least
not IP.

I can think of two solutions, neither perfect (nothing is perfect in the
presence of NAT.... :-):

1. Address the Windows box in 192.168.200.x and put a bidirectional mapping
rule into pf (read up on binat) between X.X.X.26 and the internal address.

2. Address dc2 in X.X.X. and actually use your public addresses for the
subnet attached to dc2.  You won't want to be using X.X.X.25 for dc0
anymore, but you could still use that address as a PAT address for
traffic coming from dc1.

If you have only the one server in your DMZ and want the easiest
solution, I'd go for option 1.

--Jon Radel
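The binat approach from option 1, written out as an /etc/pf.conf fragment in OpenBSD 3.9 syntax. This is an added example, not a configuration posted in the thread. The Windows box's internal address (192.168.200.10), the published TCP port (3389) and the LAN network (192.168.100.0/24) are assumed placeholders; the interface names and the public addresses X.X.X.25/X.X.X.26 come from the original post.

```pf
# /etc/pf.conf fragment (OpenBSD 3.9 ordering: macros, scrub, translation, filter)
# Added example for the binat solution; addresses marked "assumed" are placeholders.
ext_if  = "dc0"
lan_if  = "dc1"
dmz_if  = "dc2"
lan_net = "192.168.100.0/24"   # assumed: the dc1 network from the post
win_int = "192.168.200.10"     # assumed: Windows box addressed in 192.168.200.x
win_pub = "X.X.X.26"           # public address from the post
srv_port = "3389"              # assumed: the single port to publish

set skip on lo
scrub in all

# Translation rules are evaluated before filter rules in this pf version.
# Bidirectional 1:1 mapping: inbound packets for X.X.X.26 are rewritten to the
# internal address, and outbound packets from the Windows box appear as X.X.X.26.
binat on $ext_if from $win_int to any -> $win_pub

# The existing many-to-one NAT for the internal LAN keeps using dc0's address.
nat on $ext_if from $lan_net to any -> ($ext_if)

block in log all
pass out keep state

# Filter rules see the *translated* packet, so match the internal address, not X.X.X.26.
pass in on $ext_if proto tcp from any to $win_int port $srv_port flags S/SA keep state

# Let the DMZ host reach the outside, but not the internal LAN behind dc1.
pass in on $dmz_if from $win_int to ! $lan_net keep state
```

Two things to check before loading this: the firewall has to receive the packets addressed to X.X.X.26 in the first place, so dc0 needs that address as an alias (a line such as `inet alias X.X.X.26 255.255.255.255` in /etc/hostname.dc0) or an equivalent published ARP entry; and `pfctl -nf /etc/pf.conf` will syntax-check the file, after which `pfctl -s nat` should show the binat rule and `pfctl -s state` the mapped connections once a client connects.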
