Thread: Pf.conf issues
#4, 3rd January 2011
jggimi (More noise than signal)
Join Date: May 2008
Location: USA
Posts: 7,983

Afcelie, you have set up a test system with addresses not mentioned in your description. It was not quite what I was looking for. I'm interested in the test environment, and what you intend there.

First, please edit your post, above, and remove your actual Internet addresses from your post. There is no reason to publish information that, combined with a configuration file (with possible errors) might provide a vector to an attacker.

Second, post the following information, since perhaps I wasn't clear.

1) For your test environment: Either post the entire output of "ifconfig" from the OpenBSD system, or, post the IP addresses and netmasks for em0 and em1. That's really what I was looking for.

2) For your network topology, barely described in your prior thread and here, what does the layout look like? (Now, or intended) For example -- and in these examples, any of the individual firewalls can be multiple systems with CARP for redundancy:

A) Did you intend to have your internet-exposed servers in a tiered DMZ, such as:
Code:
{internet} [fw1] exposed servers [fw2] inner servers and user workstations

B) Or did you mean a single bastion firewall configuration, with no DMZ, such as:

Code:
{internet} [fw] all servers and workstations
C) Or did you mean a single bastion firewall configuration, with separate DMZ, such as:

Code:
{internet} [fw] inner servers and workstations
            |
       exposed servers
If you have the flexibility and budget, option A would be preferable, as the inner servers (database, application servers) would be protected from any direct attack from the Internet. The vector would have to come from the DMZ. And the connections from the DMZ inward should be extremely restrictive.

I hope you can see from this simple set of three alternative designs that what you've posted so far has not been of sufficient clarity, nor your questions specific.
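As an added illustration of design A (not jggimi's configuration, nor anything posted in this thread), here is a pf.conf for fw2, the inner firewall, showing what "extremely restrictive" from the DMZ inward can look like. It assumes em0 faces the DMZ and em1 the inner network; the addresses are placeholders (RFC 5737 and RFC 1918 ranges), and the single permitted flow (DMZ web server to inner database on port 5432) is an assumed example.

```pf
# pf.conf for fw2 (inner firewall) in tiered design A
# {internet} [fw1] exposed servers [fw2] inner servers and workstations
# Assumed layout: em0 faces the DMZ side (towards fw1), em1 faces the inner network.
dmz_if  = "em0"
int_if  = "em1"
dmz_net = "192.0.2.0/24"     # placeholder DMZ range
int_net = "10.0.0.0/24"      # placeholder inner range
web_srv = "192.0.2.10"       # assumed exposed web server in the DMZ
db_srv  = "10.0.0.10"        # assumed inner database server
db_port = "5432"             # assumed database service port

set skip on lo
set block-policy drop

# Default deny in both directions. Blocked packets are logged to pflog0,
# so anything unexpected from the DMZ is visible with:
#   tcpdump -n -e -ttt -i pflog0
block log all

# Drop packets whose source address is not routable back through the
# interface they arrived on (anti-spoofing, including DMZ hosts claiming
# inner addresses).
block in log quick from urpf-failed

# DMZ -> inner: the only connection the DMZ may initiate inward is the
# web server talking to the database, on the database port, nothing else.
# OpenBSD states are floating by default, so the state created here also
# passes the packet out on $int_if; the explicit pass out below is for
# readability.
pass in quick on $dmz_if proto tcp from $web_srv to $db_srv port $db_port \
    flags S/SA modulate state
pass out quick on $int_if proto tcp from $web_srv to $db_srv port $db_port

# Inner -> DMZ/Internet: workstations and inner servers may connect outward;
# replies return through the state entries, never through a DMZ-initiated rule.
pass in on $int_if from $int_net to any
pass out on $dmz_if from $int_net to any
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and review `pfctl -sr` to confirm that no rule other than the web-to-database line passes traffic in on em0.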