From: Pyun YongHyeon <yongari@kt-is.co.kr>
To: Aled Treharne
Cc: freebsd-pf@freebsd.org
Date: Tue, 26 Oct 2004 14:23:55 +0900 (KST)
Message-ID: <20041026052355.GA4914@kt-is.co.kr>
Subject: Re: NAT with IP != primary external IP
List-Id: Technical discussion and general questions about packet filter (pf) (freebsd-pf@freebsd.org)

On Sat, Oct 23, 2004 at 12:15:21PM +0100, Aled Treharne wrote:
> Hi guys.
>
> I'm trying to set up a firewall on a box for a friend. The arrangement is
> fairly simple, bunch of machines behind the FBSD box, FBSD box connected to
> ADSL. What I'd like to do (because I wanted to in the first place, and now
> it's annoying me) is to have 2 IPs on the external i/f on the FBSD box, and
> have one as the machine's primary IP and t'other solely as the NAT IP. I've
> tried putting various IPs in the places that make sense to me, but I just
> couldn't get it to work[1].
>

AFAIK, pf maintains a table for $interface and ($interface) is stored in a .
If interface $interface has aliases, round-robin through them would be
performed automatically by pf. If you want to disable the automatic
round-robin in NAT you should not let pf do so. For instance:

  nat on $interface inet from $internal_ips to any -> ($interface:0)

or

  nat on $interface inet from $internal_ips to any -> $interface:0

or specify an explicit IP address to use:

  nat on $interface inet from $internal_ips to any -> $primary_ip

> Is this possible, and if so, would someone be so kind as to tell me how? I'm
> trying to move over to pf from ipfw, and if I can get it working, I've got a
> strong case for using it at work as well.
>
> Thanks in advance for your sage advice. :)
>
> Cheers,
> Aled.
>
> [1] This is just one place where I prefer linux's eth0:alias1 type labelling
> of sub-interfaces over FreeBSD's just-put-multiple-ips-on-one-interface way.
>

-- 
Regards,
Pyun YongHyeon
http://www.kr.freebsd.org/~yongari | yongari@freebsd.org
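The following pf.conf is an added illustration of the three translation choices discussed in the reply, not configuration from either message. The interface names (rl0, fxp0), the external addresses (RFC 5737 documentation range) and the internal network (RFC 1918) are assumptions; it is written in the pre-4.7 pf syntax that FreeBSD shipped in 2004, where translation rules come before filter rules and `nat`/`pass` are separate statements.

```pf
# Added example; interface names and addresses are assumptions.
ext_if       = "rl0"
int_if       = "fxp0"
internal_net = "192.168.1.0/24"

# Both addresses must actually be configured on ext_if, otherwise replies
# to the NAT address are never delivered to this host. On FreeBSD the
# alias in the same subnet takes a /32 mask:
#   ifconfig rl0 inet 203.0.113.10 netmask 255.255.255.0
#   ifconfig rl0 inet 203.0.113.20 netmask 255.255.255.255 alias
primary_ip = "203.0.113.10"   # first address on rl0, the machine's own
nat_ip     = "203.0.113.20"   # alias used only as the NAT source

# Translation is evaluated before filtering, so the filter rules below
# see the translated source address, not the 192.168.1.x one.

# 1. Bare (ext_if): pf expands to every address on rl0 and rotates
#    through them round-robin, so sessions leave from both addresses.
#nat on $ext_if inet from $internal_net to any -> ($ext_if)

# 2. ":0" excludes aliases, leaving only the primary address; the
#    parentheses make pf re-read the address if it changes (PPPoE/DHCP).
#nat on $ext_if inet from $internal_net to any -> ($ext_if:0)

# 3. What the original question asks for: always translate to the alias.
#    A literal address is expanded at load time, so reload after changing it.
nat on $ext_if inet from $internal_net to any -> $nat_ip

# A nat rule translates but passes nothing; keep a default deny and
# admit only the traffic you expect, matched on the post-NAT address.
block all
pass quick on lo0 all
pass in  on $int_if inet from $internal_net to any keep state
pass out on $ext_if inet from $nat_ip     to any keep state
pass out on $ext_if inet from $primary_ip to any keep state
```

Check the syntax without loading it (`pfctl -nf /etc/pf.conf`), then load with `pfctl -f /etc/pf.conf` and confirm the expanded rule with `pfctl -sn`, which prints the address pf actually resolved for the `->` side. From an inside host, open a connection out and look at `pfctl -ss`: the state entry shows the inside address on the left and 203.0.113.20 as the translated source, while traffic originated by the FreeBSD box itself still leaves from 203.0.113.10 because it never matches the `from $internal_net` translation rule.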