Leave the setup as you have above, except put a new, 3rd firewall router in the DMZ of Router 1 and direct the .130 traffic to the DMZ where you place Router 3. Router 3 then forwards incoming traffic to the 10.0.0.10 address. The kicker here is the One IP Only requirement for the server. You will not be able to send packets back through Router 3 without a distinct IP on the server for that path (traffic via Router 3). The server's routing table will have a single default gateway for the single assigned IP, so no matter which way the traffic arrives (via Router 2 or Router 3), responses will go out the default gateway and are therefore translated to the public IP of that router. Perhaps UDP would work (traffic goes to .130 and comes back from .129), but I see no way for TCP to successfully make a connection on the IP that isn't routed through the server's gateway. I suggest you think really hard about the Only One IP requirement since allowing 2 IPs would make things much simpler.
Well, I'll give it a shot:
I'm not sure how to get only some traffic to go through. I can solve your problem, but it would take a little changing of your setup. I'm assuming your Mac has two network interfaces; let's call them eth0 and eth1 :-)
We'll assume that eth0 is connected to your work network and has an internal (work network) address of 13.1.1.6, subnet 255.0.0.0.
We'll also assume that eth1 is connected to your WiFi X and has an address (eth1 <---> WiFi X network) of 192.168.1.10, subnet 255.0.0.0, to keep things simple.
I've set up VPN servers on BSD and Linux, but not Mac; however, the concept will still be the same. You have options; I'll list one:
1) Ensure that the routing table on the Mac has an entry as follows:
$ sudo route add -net 13.0.0.0/8 -interface eth0
What this will do is make sure any traffic coming in over the WiFi X or VPN interface that is destined for your company's network (the 13 network) will make it there. Without this, the Mac (which provides the bridge) really has no way to know how to route traffic between the two interfaces, and by default it will try to send it out of whatever interface is the default, which is WiFi X, as you stated.
I would undo what you did to the VPN routing table above and try this if it's not (hopefully) already there.
If the above doesn't do it please update w/ your VPN Server's routing table and ip address list, or update w/ any fix you came across. Hope this points you in the right direction.
Best Answer
Here is the short answer:
sudo ifconfig lo0 alias 127.0.0.* up
Each alias must be added individually (sudo ifconfig lo0 alias 127.0.0.2 up, sudo ifconfig lo0 alias 127.0.0.3 up). It can be done manually for testing, or a subset or the complete list of the other 250 available numbers in that subnet can be made into a StartupItems script that will do it automagically at boot time.
The long answer: According to RFC3330, 127.0.0.0/8 - This block is assigned for use as the Internet host loopback address. A datagram sent by a higher level protocol to an address anywhere within this block should loop back inside the host. This is ordinarily implemented using only 127.0.0.1/32 for loopback, but no addresses within this block should ever appear on any network anywhere.
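As an added example (my own script, not code from the accepted answer): a POSIX sh script that adds a contiguous range of 127.0.0.x aliases to lo0 on macOS, the kind of thing the StartupItems script mentioned above would do, skipping any alias that is already present so it can be re-run safely. The function names, the DRY_RUN switch and the 2..254 bounds are my assumptions.

```shell
# Adds loopback aliases 127.0.0.FIRST .. 127.0.0.LAST on macOS (added example,
# not from the answer). Usage as root:  sh add-lo-aliases.sh 2 20
# Set DRY_RUN=1 to only print the ifconfig commands that would be run.

# Emit the alias addresses one per line. Bounds are an assumption: .0 is the
# network address, .1 is the existing loopback address and .255 the broadcast
# address of 127.0.0.0/24, so only 2..254 are accepted; non-numbers are rejected.
loopback_alias_list() {
    first=$1; last=$2
    for n in "$first" "$last"; do
        case "$n" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$first" -ge 2 ] && [ "$last" -le 254 ] && [ "$first" -le "$last" ] || return 1
    i=$first
    while [ "$i" -le "$last" ]; do
        echo "127.0.0.$i"
        i=$((i + 1))
    done
}

# Succeed if the address is already configured on lo0 (makes re-runs idempotent).
# macOS ifconfig prints lines like "inet 127.0.0.1 netmask 0xff000000".
loopback_has_alias() {
    ifconfig lo0 2>/dev/null | grep -q "inet $1 "
}

# Add every alias in the range, skipping the ones that already exist.
add_loopback_aliases() {
    loopback_alias_list "$1" "$2" | while read -r addr; do
        if loopback_has_alias "$addr"; then
            echo "skip  $addr (already on lo0)"
        elif [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would run: ifconfig lo0 alias $addr up"
        else
            ifconfig lo0 alias "$addr" up && echo "added $addr"
        fi
    done
}

# Only act when a range is given on the command line, so the functions can
# also be sourced from another script.
if [ $# -eq 2 ]; then
    add_loopback_aliases "$1" "$2"
fi
```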