Hi,

I have a question concerning static routes and default gateways for a DMZ setup, with internal and external firewall. A DNS in the DMZ shall be used from internal machines, and later a http proxy from internal and external machines. The setup is within a network of a bigger data centre with its own edge router. I cannot change anything on this edge router.
I am using OpenBSD 6.6, and ip forwarding is activated on both firewalls.
Here is an ASCII pic (for better viewing also here: https://ln2.sync.com/dl/9da92f730/wrzi9rse-xh9sqzed-cst55auv-y39rkrwj):

|--------|   |---------|       |---------| /-------------\
| int_pc |---| int_fw  |-------| ext_fw  |---| Data Center |---> Internet
|--------|   |em0   em1|   |   |em0   em1|   | Edge Router |
             |---------|   |   |---------| \-------------/
                           |
                    |------------|
                    | DNS & http |
                    |------------|

Setup of default routes:
  int_pc  -> IP address of em0 on int_fw
  int_fw  -> IP address of em0 on ext_fw
  DNS     -> IP address of em0 on ext_fw
  ext_fw  -> IP address of external interface

Without any firewall rules (pfctl -d), I observe:

 1.) I cannot ping from int_pc to DNS, and vice versa.
 2.) I cannot ping from int_pc to em0 on ext_fw

I can observe with tcpdump that the ping echo request leaves int_pc, goes through int_fw and reaches the network card of DNS or em0 on ext_fw. As the default route of DNS is pointing to ext_fw, the ping echo reply is sent to ext_fw, which doesn't know what to do with the IP address of int_pc, and ignores the packet. I get this. So I can set a static route on the DNS or on the external firewall, like this:

  route add -inet {network of int_pc} {IP address of em1 on int_fw}

and then pinging back and forth works.
But setting static routes on all DMZ machines and ext_fw doesn't seem right to me(?).

What would be the correct design?
Can I use "only" the ext_fw with a static route, so that packets from DNS would travel twice through the DMZ net (from DNS to ext_fw, and then from ext_fw via int_fw back to int_pc)?

The information I found on misc@ and the internet usually talks about a "home router" with NAT and three network cards, where one leg supplies the DMZ... Mine is different, and I think I do not need NAT here?

thx
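The routing problem in the post is an asymmetric-return-path issue: the echo request reaches the DMZ host through int_fw, but the DMZ host's only route back is its default gateway ext_fw, which has no route for the internal network. The following is an added example, not code from the poster or from OpenBSD: a small longest-prefix-match routing simulator that traces both halves of a ping across the topology drawn above. All addresses are constructed (RFC 1918 space for the internal and DMZ segments, RFC 5737 documentation space for the external link), and the data centre edge router is modelled as a node with no route back to the internal network, so anything ext_fw hands it for int_pc is dropped there. Running `ping()` once without and once with a single static route on ext_fw shows the reply being lost versus travelling DNS -> ext_fw -> int_fw -> int_pc, i.e. crossing the DMZ segment twice.

```python
import ipaddress

# Constructed example addressing (not from the post).
# internal: 10.0.1.0/24   DMZ: 10.0.2.0/24   external link: 192.0.2.0/24


class Node:
    """A host or router: its interfaces plus a static routing table.

    routes is a list of (destination network, next hop); a next hop of None
    means directly connected. Lookup is longest-prefix match, as in the kernel.
    """

    def __init__(self, name, interfaces, gateway=None):
        self.name = name
        self.addrs = [ipaddress.ip_interface(a) for a in interfaces]
        self.routes = [(a.network, None) for a in self.addrs]
        if gateway is not None:
            self.routes.append((ipaddress.ip_network("0.0.0.0/0"),
                                ipaddress.ip_address(gateway)))

    def add_route(self, dest, gateway):
        """Equivalent of 'route add -inet <dest> <gateway>' on this node."""
        self.routes.append((ipaddress.ip_network(dest),
                            ipaddress.ip_address(gateway)))

    def owns(self, addr):
        return any(addr == a.ip for a in self.addrs)

    def next_hop(self, dst):
        """Return the address the packet is sent to next, or None if no route."""
        best = None
        for net, gw in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        if best is None:
            return None
        net, gw = best
        return dst if gw is None else gw


def build_topology(ext_fw_static_route):
    """The post's topology; optionally add the one static route on ext_fw."""
    int_pc = Node("int_pc", ["10.0.1.10/24"], gateway="10.0.1.1")          # -> int_fw em0
    int_fw = Node("int_fw", ["10.0.1.1/24", "10.0.2.1/24"], gateway="10.0.2.254")  # -> ext_fw em0
    dns = Node("dns", ["10.0.2.53/24"], gateway="10.0.2.254")              # -> ext_fw em0
    ext_fw = Node("ext_fw", ["10.0.2.254/24", "192.0.2.2/24"], gateway="192.0.2.1")  # -> edge
    edge = Node("edge", ["192.0.2.1/24"])  # assumption: knows nothing about 10.0.1.0/24
    if ext_fw_static_route:
        ext_fw.add_route("10.0.1.0/24", "10.0.2.1")  # via int_fw em1
    return [int_pc, int_fw, dns, ext_fw, edge]


def deliver(nodes, src_name, dst_addr, max_hops=16):
    """Forward one packet hop by hop; return (delivered, path of node names)."""
    dst = ipaddress.ip_address(dst_addr)
    cur = next(n for n in nodes if n.name == src_name)
    path = [cur.name]
    for _ in range(max_hops):
        if cur.owns(dst):
            return True, path
        hop = cur.next_hop(dst)
        if hop is None:
            return False, path  # no matching route: dropped at cur
        nxt = next((n for n in nodes if n.owns(hop)), None)
        if nxt is None:
            return False, path  # next hop is on no link we know about
        cur = nxt
        path.append(cur.name)
    return False, path


def ping(nodes, src_name, dst_addr):
    """Trace echo request and echo reply; both must arrive for the ping to work."""
    ok_req, req_path = deliver(nodes, src_name, dst_addr)
    if not ok_req:
        return False, req_path, []
    dst_node = next(n for n in nodes if n.owns(ipaddress.ip_address(dst_addr)))
    src_addr = str(next(n for n in nodes if n.name == src_name).addrs[0].ip)
    ok_rep, rep_path = deliver(nodes, dst_node.name, src_addr)
    return ok_rep, req_path, rep_path


if __name__ == "__main__":
    for with_route in (False, True):
        nodes = build_topology(with_route)
        for target in ("10.0.2.53", "10.0.2.254"):  # DNS, then em0 on ext_fw
            ok, req, rep = ping(nodes, "int_pc", target)
            print(f"ext_fw static route={with_route} ping {target}: "
                  f"{'ok' if ok else 'FAIL'} request={req} reply={rep}")
```

The trace makes the two observations in the post reproducible: the request path is always int_pc -> int_fw -> target, while the reply path depends only on where ext_fw sends 10.0.1.0/24 traffic, which is why a single route on ext_fw (rather than one on every DMZ host) is enough for the reply to come back.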
