There are several possible alternatives that don't use binat, such as:
- Place your local hosts on a separate Ethernet and NIC, which you bridge with your external NIC:
    [internet]---[external NIC]-[OpenBSD]-[NAT addressed private network]
                                    |
                                    |
                              [exposed NIC]
- A classic dual firewall with DMZ, though typically, the DMZ is on a private subnet with exposed servers and/or ports:
    [internet]---[FW1]---{DMZ servers}---[FW2]---{private net}
What's wrong with binat?