Date: Wed, 26 Jan 2005 00:45:13 +0100
From: Daniel Hartmeier <daniel@benzedrine.cx>
To: Stephane Raimbault <segr@hotmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: route-to rule.
Message-ID: <20050125234513.GH17646@insomnia.benzedrine.cx>
In-Reply-To: <BAY24-F7CAA78DC83D17C3B49C46CC860@phx.gbl>
References: <005101c5030d$b98beb20$0100000a@R3B> <BAY24-F7CAA78DC83D17C3B49C46CC860@phx.gbl>
On Tue, Jan 25, 2005 at 04:22:45PM -0700, Stephane Raimbault wrote:

> Looking into audities... it seems that the nat that goes across this line
> right now:
>
>   nat on $ext_if1 from $internal_net to any -> ($ext_if1)
>
> seems to round robin the external IP as I have several IP's aliased on
> $ext_if1 if I replace the above line with this:
>
>   nat on $ext_if1 from $internal_net to any -> ($ext_ip1)
>
> where $ext_ip1 is the external IP I want the nat to go out, however when I
> do this... the lan can no longer establish new connections... any thoughts
> on this?

You can put () around an interface name, meaning 'dynamic interface name to
address translation'. In the first example, as you noted, this means pf will
round-robin through all addresses of the interface to pick a source address
for NATed connections.

The second example makes no sense. If what you want is to use a constant
source address for NAT, just use

  -> $ext_ip1

without the parentheses.

If you expect $ext_if1 to change its address dynamically, and you want to
use its 'main' address as replacement (but not round-robin through aliases,
if it has any), use

  -> ($ext_if1:0)

If you want still something else, please explain.

What you actually have in your second example is (surprisingly) not a
syntax error, but

  -> (10.1.2.3)

Which means the interface with name "10.1.2.3". There is no such interface,
of course, but since pf accepts non-existent interfaces (which could exist
later on, think USB or PCMCIA nics), it accepts this. It's still
non-sensical, don't use () around IP addresses. :)

Daniel
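The three translation-address forms Daniel describes, side by side in one pf.conf fragment, as an added example that is not part of the thread; the interface name, addresses and network are assumed values for illustration.

```pf
# Added example (not from the thread). Interface and addresses are assumed.
ext_if1      = "em0"
ext_ip1      = "203.0.113.10"    # assumed: one of several aliases on em0
internal_net = "10.0.0.0/24"

# 1) Dynamic interface in (): pf resolves em0 at runtime and round-robins
#    the source address across ALL addresses on it, aliases included.
nat on $ext_if1 from $internal_net to any -> ($ext_if1)

# 2) Constant source address, no parentheses: every outbound connection
#    is translated to 203.0.113.10.
nat on $ext_if1 from $internal_net to any -> $ext_ip1

# 3) Dynamic interface, main address only: follows address changes on em0
#    but never rotates through the aliases.
nat on $ext_if1 from $internal_net to any -> ($ext_if1:0)

# Do NOT write the following. After macro expansion it reads
# "-> (203.0.113.10)", which pf accepts as an interface NAMED
# 203.0.113.10. No such interface exists, so no translation address is
# ever found and, as reported in the thread, new outbound connections fail.
# nat on $ext_if1 from $internal_net to any -> ($ext_ip1)
```

`pfctl -nf /etc/pf.conf` only parses the file and will not flag the bogus interface name; after loading, `pfctl -sn` shows the expanded nat rules so you can see which form actually took effect.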
