#6   14th June 2014
jggimi (More noise than signal)
Join Date: May 2008
Location: USA
Posts: 7,977

Here's an example configuration of a DMZ subnet sharing the same Ethernet segment as a LAN. The OpenBSD router has a NIC with two assigned addresses, one on each subnet. The additional address (and subnetting) is configured with the alias operand of ifconfig(8).

All devices use DHCP for address assignment. The isolated device is given its private subnet address by DHCP, assigned by MAC address. The DMZ device must be trusted to not alter the MAC.

The DMZ is on 10.99.99.0/30, which is four addresses: the network address (10.99.99.0), the two endpoints (router 10.99.99.1 and DMZ device 10.99.99.2), and the broadcast address (10.99.99.3).

The LAN is on 10.1.1.0/24, with the router at 10.1.1.1.

The hostname.<nic> file for the router has both addresses and subnet sizes:
Code:
inet 10.1.1.1/24
alias 10.99.99.1/30
The dhcpd.conf uses the shared-network declaration to have multiple subnets on the same NIC:
Code:
option  domain-name "<your domain>";
option  domain-name-servers <my nameservers>;

shared-network <my network name> {

        subnet 10.99.99.0 netmask 255.255.255.252 {
                option routers 10.99.99.1;
                host static-client {
                        hardware ethernet <my DMZ device's MAC address>;
                        fixed-address 10.99.99.2;
                }
        }
        subnet 10.1.1.0 netmask 255.255.255.0 {
                option routers 10.1.1.1;
                range 10.1.1.101 10.1.1.200;
        }
}
Traffic is isolated via PF. In this particular example, there is a pass all, then the traffic between subnets is blocked, and finally a pass for dhcpd traffic between the subnets, as dhcpd will use the primary address for its responses to the client.
Code:
# PF: the last matching rule wins, so the broad pass goes first and the
# narrower block/pass rules below override it for the matching traffic
pass all
# isolate the two subnets from each other (DMZ prefix is /30, 10.99.99.0-3)
block from 10.1.1.0/24 to 10.99.99.0/30
block from 10.99.99.0/30 to 10.1.1.0/24
# re-allow DHCP (udp 67/68) between the subnets: dhcpd answers the DMZ host
# from the primary address 10.1.1.1, which the block above would otherwise drop
pass on <my nic> proto {udp tcp} from any to any port {67 68}
This was tested briefly in a lab today, for syntax and basic functionality.
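The three-layer ruleset above (pass all, block between subnets, re-allow DHCP) depends entirely on PF's last-matching-rule semantics, and the reason for the final rule is easy to miss. The following is an added example, not code from the post or from OpenBSD: a toy evaluator that applies last-match semantics to a handful of constructed flows, once with the DHCP exception and once without it, so you can see that the 10.1.1.1 -> 10.99.99.2 DHCP reply is exactly what the inter-subnet block would otherwise drop. It models source, destination, protocol and destination port only; it does not model interfaces, direction, state tracking or the `quick` keyword, and the flow list is made up for the test.

```python
# Added example (not from the forum post): a toy model of PF's
# last-matching-rule evaluation for the post's LAN/DMZ ruleset.
# It is not pfctl; it ignores interfaces, direction, states and 'quick'.
from ipaddress import ip_address, ip_network

LAN = ip_network("10.1.1.0/24")
DMZ = ip_network("10.99.99.0/30")   # 4 addresses: .0 net, .1 router, .2 host, .3 bcast
ANY = ip_network("0.0.0.0/0")

# (action, src_net, dst_net, protos or None, dst ports or None), in file order,
# mirroring: pass all / block LAN<->DMZ / pass DHCP between the subnets.
RULES = [
    ("pass",  ANY, ANY, None,           None),
    ("block", LAN, DMZ, None,           None),
    ("block", DMZ, LAN, None,           None),
    ("pass",  ANY, ANY, {"udp", "tcp"}, {67, 68}),
]

# Same policy with the DHCP exception left out, to show why it is needed.
RULES_NO_DHCP = RULES[:3]


def matches(rule, src, dst, proto, dport):
    """True if the flow is covered by this rule's address/proto/port filters."""
    _action, snet, dnet, protos, ports = rule
    if ip_address(src) not in snet or ip_address(dst) not in dnet:
        return False
    if protos is not None and proto not in protos:
        return False
    if ports is not None and dport not in ports:
        return False
    return True


def verdict(rules, src, dst, proto="tcp", dport=80):
    """'pass' or 'block' for one flow: every rule is evaluated and the last
    matching one decides, as in PF without 'quick'.  PF's default when nothing
    matches is pass; the post's explicit 'pass all' makes that visible."""
    result = "pass"
    for rule in rules:
        if matches(rule, src, dst, proto, dport):
            result = rule[0]
    return result


def policy_report(rules):
    """Evaluate constructed flows a practitioner would want to check."""
    flows = {
        # (src, dst, proto, dst port) -- all constructed sample traffic
        "lan->dmz http":        ("10.1.1.150", "10.99.99.2", "tcp", 80),
        "dmz->lan ssh":         ("10.99.99.2", "10.1.1.150", "tcp", 22),
        "lan->router ssh":      ("10.1.1.150", "10.1.1.1", "tcp", 22),
        "dmz->internet https":  ("10.99.99.2", "203.0.113.10", "tcp", 443),
        # dhcpd replies from the primary address, not from 10.99.99.1
        "dhcp offer to dmz":    ("10.1.1.1", "10.99.99.2", "udp", 68),
        "dhcp renew (unicast)": ("10.99.99.2", "10.1.1.1", "udp", 67),
    }
    return {name: verdict(rules, *flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, rules in (("with DHCP pass", RULES), ("without DHCP pass", RULES_NO_DHCP)):
        print(name)
        for flow, result in policy_report(rules).items():
            print(f"  {flow:22s} {result}")
```

Run it and compare the two reports: the inter-subnet HTTP and SSH flows are blocked either way, LAN-to-router and DMZ-to-Internet pass either way, and only the two DHCP flows flip from block to pass when the final rule is present. Note what the model does not capture: the rules match on addresses, so a DMZ host that ignores its DHCP lease and configures itself with a 10.1.1.x address is simply treated as a LAN host by these rules. That is the limit the post states when it says the DMZ device must be trusted not to alter its MAC; on a shared Ethernet segment, address-based filtering is only as strong as the host's cooperation.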