Routing the same subnet.

I'm setting up a OpenBSD gateway with the following conditions:

The gateway we have from our ISP is 2xx.xx.22.129.
My Gateway has two NIC's
xl0 2xx.xx.22.130/ (ext, con. to wireless Internet)
xl1 2xx.xx.22.156/ (int, con. to local switch)

The computers and servers inside uses 2xx.xx.22.131 to .158

How should I setup the route tables and arp on the gateway to get the
inside net to get Internet access?

Also, should I run "routed" ?,if so, with witch parameters and do I
need any special parameters in /etc/gateways ?

Also, Bridging is not a option since I cannot have more that one MAC
address out to our wireless equipment.
Who is Participating?
jlevieConnect With a Mentor Commented:
Ahh, but that's what one-to-one static NAT translations gets you. A particular inside machine, say gets assigned an outside IP of 2x.x.22.130. You enable inbound web (port 80 & maybe 443) on the 2x.x.22.130-> NAT conduit, and voila, you've got a web server that for all intents and purposes is "outside the firewall". It always appears to be at 2x.x.xx.130. Since you only enable inbound connections through the firewall on specific ports and to specific inside machines, the rest of the networks services and systems are protected from attack on all other ports. This is a "very good thing".

I do this all the time. Right now I've got six web servers (plain & SSL), an email server, and two DNS boxes inside of a firewall doing NAT (and have had most of them in place for 3-4 years). There are a few things that you can't easily do, like VPN's from an inside system, and some special things you must do, like a careful setup of the DNS for public/private IP's. Some of this gets handled by special boxes connected to the DMZ. And I should explain that term.

The standard configuration for a firewall protected network looks something like:

gateway router to the Internet
       | DMZ network
       | w/"public" IP's
  Firewall w/NAT
Inside "private" network

Frequently you put special systems (like sendmail relays, external DNS servers, VPN hosts) outside of the firewall attached to the DMZ. These typically are specially hardened system that only provide a specific service(s). Everything else lives inside the firewall and static conduit's are provided though the firewall to those inside systems that need to accept inbound connections from the public (insecure) Internet.

fred_ndCTOAuthor Commented:
Adjusted points from 100 to 200
Basically... You can't. The way routing works the inside and outside networks must be different. Otherwise the routing process can't tell which interface to use for an IP in the 2xx.xx.22.128/32 net. And you can't fool it by fiddling the netmask on the inside network, because you have to make corresponding change on the outside network.

However, you are in luck in that you are running OpenBSD and can use ipfilter, you can read about it at: What I'd do is to change the inside network to be a "private network" and use ipfilter's NAT facility. If you want, you can set up static one-to-one translations so that each inside system has a fixed outside IP. Or you can set up a NAT pool and let the translation be dynamic. Or have some dynamic and some static. Your choice... Oh yeah, you get firewalling for free, so to speak.
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

fred_ndCTOAuthor Commented:
By "private network" you mean a 192.168.x.x address or alike?

This is a problem because the machines inside the firewall has public addresses 2xx.xx.22.128/ and I cant change that, mostly because this is Web, DNS and mail servers.
you may want to look at the "winGate" product also...
fred_ndCTOAuthor Commented:
When using NAT like this, assigning public IP numbers to private numbers, how will the logs on a WebServer look like?

Will the firewall be the visitor or will the users real IP number show here as it would do without the firewall?

The real (public) source IP will still be shown at either end. With lots of folks installing firewall'a and NAT'ing their internal networks these days (for security and to have more systems than the have public IPs for), you frequently can't tell a whole lot about who is actually accessing a site from the IP. For instance I've got some 700 nodes being dynamically NAT'd through 224 public IP's. Any given inside system can get any of the public IPs.
fred_ndCTOAuthor Commented:
This works, not exactly the answer I where looking for, but this could work for me.

Thanks for the fast help, now I'm going to kick on my ISP, and force them to give me another wireless bridge that can handle more than one MAC address, then I will be able to setup a bridge instead.

But, thanx again for the fast and good help.
Yeah that would work also. If you decide you want to get into using ipfilter to NAT the network, I can be reached at
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.