Thread: A NAT question
Old 05-10-2008, 02:01 PM
Joachim Schipper
 
Re: A NAT question

syn_nospam_uw <syn_nospam_uw@hotmail.com> wrote:
> Joachim Schipper wrote:
>
>> So, if I understand correctly, there are two classes of machines:
>>
>> - say 192.168.X.15 and 192.168.X.153, which should appear to be
>> pub.lic.ip.2 and pub.lic.ip.3 for all intents and purposes?
>> - and everything else in 192.168.X.0/24, which do not need to be
>> externally accessible. Any traffic originating here should appear to
>> come from the firewall

>
> That's exactly what I am doing, correct.
>
>> Thus, I would expect you to end up with something like
>>
>> binat on $ext_if 192.168.X.15 to any -> pub.lic.ip.2
>> binat on $ext_if 192.168.X.163 to any -> pub.lic.ip.3
>>
>> nat on $ext_if from $int_if:network to any -> $ext_if:0

>
> Actually what I have right now is the following:
>
> nat on $ext_if from 192.168.X.15 -> pub.lic.ip.15
> nat on $ext_if from 192.168.X.40 -> pub.lic.ip.40
>
> nat on $ext_if from ($int_if:network) -> $ext_ip_firewall
>
>
> This works fine in our current configuration with the $ext_if being the
> interface connected to our provider (with the CPE on this network). We
> don't even need binat. But where this configuration doesn't work anymore
> is as described in my first post. Then this doesn't work at all.
>
> I can't think of this being an issue of using binat and it wasn't just
> the two servers mentioned up here it was any internal machine on the
> internal network which couldn't access the internet...


(Sorry for the slow response, I am somewhat busy with my exams.)

If I am getting anything wrong, please correct me. For some reason I
can't really wrap my head around your configuration...

If I understand correctly, your old setup is

<ISP>
|
|
$ext_if at pub.lic.ip.1
<FIREWALL>
$int_if at 192.168.X.1
|
|
192.168.X.0/24

Or something very close. And this does, in fact, work. Furthermore,
traffic from 192.168.X.{15,40} appears to come from pub.lic.ip.{15,40}.
(Traffic to pub.lic.ip.{15,40} is not necessarily sent to
192.168.X.{15,40}.)

Also, if I understand you correctly, you want to have

<ISP>
|
|
$ext_if at pub.lic.ip.1
<FIREWALL> $dmz1_if at pub.lic.ip2.1 -- pub.lic.ip2.0/24
$int_if at 192.168.X.1
|
|
192.168.X.0/24

where you have two public class C subnets, pub.lic.ip.0/24 and
pub.lic.ip2.0/24. Is what I call $dmz1_if indeed what you meant in your
first post?

Am I also correct that you didn't set up any special things for
pub.lic.ip2.0/24 - that is just routed - and that that subnet has no
problems accessing the internet or being accessed by the internet? That
is, can I ignore this subnet, because it works?

Finally, am I correct in thinking that traffic from 192.168.X.0/24
should appear to come from $ext_if (pub.lic.ip.1), except for traffic
from 192.168.X.{15,40} which should appear to come from
pub.lic.ip.{15,40}?

Because if all this is correct, I would fully expect your configuration
to work (in fact, it didn't materially change). It will not necessarily
allow pub.lic.ip.{15,40} to be accessed from the internet, but that is
not your problem, is it?

Could you post a diagram, and perhaps the output of 'route show'? I have
the feeling I don't understand what you are trying to do...

Joachim
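To make the nat-versus-binat distinction from the thread concrete, here is an added pf.conf fragment (not from either poster; pre-4.7 OpenBSD syntax as used above). Interface names, the $dmz1_if macro and the pub.lic.ip.* placeholders are assumptions carried over from the diagram; 192.168.X.15 and 192.168.X.40 follow the poster's rules.

```pf
# Added example: two classes of internal hosts behind one firewall.
# Placeholders pub.lic.ip.* and 192.168.X.* are taken from the thread.
ext_if  = "em0"              # assumed: interface towards the ISP
int_if  = "em1"              # assumed: interface towards 192.168.X.0/24
dmz1_if = "em2"              # assumed: routed public subnet pub.lic.ip2.0/24

# Hosts that must be reachable from outside under a fixed public address.
# binat is bidirectional: outbound traffic is rewritten to pub.lic.ip.N,
# and inbound traffic to pub.lic.ip.N is rewritten to the internal host.
binat on $ext_if from 192.168.X.15 to any -> pub.lic.ip.15
binat on $ext_if from 192.168.X.40 to any -> pub.lic.ip.40

# Everyone else only needs outbound access; plain nat is one-way, so a
# packet arriving for $ext_if is never forwarded to an internal host.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Default deny, then allow only what the design above calls for.
block log all
pass quick on lo0

# Internal network may go out; reply state is kept automatically.
pass in  on $int_if from $int_if:network to any keep state
pass out on $ext_if from any to any keep state

# Inbound to the binat'd servers: translation happens BEFORE filtering,
# so the filter rule must name the internal address, not pub.lic.ip.N.
# Open only the services actually offered (ports below are assumptions).
pass in on $ext_if proto tcp from any to 192.168.X.15 port { 80, 443 } \
    flags S/SA keep state
pass in on $ext_if proto tcp from any to 192.168.X.40 port 25 \
    flags S/SA keep state

# The routed public subnet needs no translation; filter it as usual.
pass in  on $dmz1_if from $dmz1_if:network to any keep state
pass out on $dmz1_if from any to $dmz1_if:network keep state
```

With this ruleset the plain `nat` hosts are unreachable from the ISP side even if someone sends packets to pub.lic.ip.1, while the two `binat` hosts expose exactly the listed ports; `pfctl -sn` shows the active translation rules and `pfctl -sr` the filter rules once loaded.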