bridging, NAT'ing, private/public IPs, firewall, 1 router?

|--Ether1--> ISP Class C
|
|--Ether2--> 192.168.1.x private LAN
|
|--Ether3--> Public Class C servers (with FW rules)

All ports are bridged WITH bridge fw turned on and MASQ for the private address.

Can this be done? Because the problem is, with the bridge FW turned on, all of its traffic gets NAT'd. If the FW is off, everything works fine.

Seems like I need an in-interface option on the src-nat'ing rule, not just an out-interface.

lordzar -
Not to be critical - but why the heck do you want to bridge everything anyway?

NORMALLY you would give your servers a private IP and use 1:1 NAT'ing for them on a particular private IP block, and then do masq for clients from another private IP block. And/or, if you HAVE to have public IPs on the servers, then carve out a smaller block - say a /27 - out of your class 'C' (/24) network, put a public gateway IP on ether3, and point all of your servers to that IP, each with an IP in the /27 that you defined a few moments ago…

Then you have a purely routed/NAT'd network that does not need bridging at all… you can also use all the 'power' of ROS to filter, NAT, policy route, everything…

Just a suggestion - that’s all - as it IS YOUR network…

R/

That setup describes the "drop-in" mode of a Watchguard Firebox. Not my favorite setup, but it is sometimes useful, especially if you need to have a device on a public IP (as in actually on the device and not NAT'd into it), behind a firewall, and the ISP controls the subnet. It also allows the firewall to be inserted/removed without reconfiguring the devices on static public addresses.

dankerr -

Well, you can't specify the in-interface, but you can specify the src-addr for NAT'ing…

R/

Thom
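A RouterOS configuration for the layout in the original post, added here as an example and not taken from any post in the thread: it places the over-broad masquerade rule beside the src-address-restricted one Thom suggests. The interface names ether1-3 and the 192.168.1.x LAN come from the post; the bridge name, the 203.0.113.0/24 placeholder standing in for the ISP's class C, and the bridge-settings syntax are assumptions for the ROS version in use.

```routeros
# Example config (not from the thread). ether1 = ISP, ether2 = private LAN,
# ether3 = public-IP servers, all in one bridge with the bridge firewall on.
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3

# Bridge firewall: bridged frames are passed through the IP firewall and NAT
# chains, which is what makes the public servers' traffic hit srcnat at all.
/interface bridge settings
set use-ip-firewall=yes

# Bridge addresses: a public IP from the ISP block (203.0.113.0/24 is a
# placeholder, not a real allocation) and the private LAN gateway.
/ip address
add address=203.0.113.2/24 interface=bridge1
add address=192.168.1.1/24 interface=bridge1
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1

# The rule that causes the problem described in the post: once the bridge
# firewall is on, this matches every frame leaving via the bridge, so the
# public-IP servers on ether3 get masqueraded as well. Kept commented out.
# /ip firewall nat
# add chain=srcnat out-interface=bridge1 action=masquerade

# The fix: srcnat has no in-interface match (and the physical port is not
# visible as an IP interface when bridged, assumed), so key the rule on the
# private source range instead. Only 192.168.1.x is masqueraded; the public
# servers pass the bridge with their own addresses intact.
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 out-interface=bridge1 \
    action=masquerade comment="masq private LAN only"
```

Check it with `/ip firewall nat print stats` while a public server talks to the outside: the masquerade counters should move only for traffic sourced from 192.168.1.x.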