Date: Mon, 11 Jun 2007 19:20:47 -0700
From: snowcrash+freebsd <schneecrash+freebsd@gmail.com>
To: freebsd-pf <freebsd-pf@freebsd.org>, freebsd-questions@freebsd.org
Subject: how 2 address&port map outbound traffic to multiple/different IPs on a single intfc?
Message-ID: <70f41ba20706111920x2e9e2d71ma2bcb3dd074daa60@mail.gmail.com>
hi,

i'm trying to do 1:1 (nat?) *outbound* address mapping using pf, but NOT 'whole server' binat, but rather a single address&port. i'm close, but no cigar ... any suggestions? details follow ... thanks!

i've a block of 8 static IPs, x.x.x.1 - x.x.x.8.

freebsd6.2-Rp5+pf are installed as my edge router/firewall. the router has a SINGLE external interface, "sis0", mapped at bootup to a single pppoe-generated interface, "tun0". ifconfig shows that "tun0" is assigned the 'primary' IP of x.x.x.1. so most of my LAN->WAN traffic travels out, appearing to originate at x.x.x.1.

i've two mail servers on my LAN, at private addresses z.z.z.100 & z.z.z.200. i've NAT+rdr set up to address-map WAN to LAN addresses for the two servers.

  nat on $ext_if from $int_if:network to any -> ($ext_if)
  rdr on $ext_if proto tcp from any to x.x.x.2 port 25 -> z.z.z.102 port 25
  rdr on $ext_if proto tcp from any to x.x.x.3 port 25 -> z.z.z.103 port 25

where $ext_if == tun0.

now as to OUTBOUND mapping ... i want to make sure that traffic:

  FROM internal server @ z.z.z.102:25 exits $ext_if, 'seen' as SRC_ADDR=x.x.x.2
  &
  FROM internal server @ z.z.z.103:25 exits $ext_if, 'seen' as SRC_ADDR=x.x.x.3

reading:

  "PF: Network Address Translation (NAT)"
  http://cvs.openbsd.org/faq/pf/nat.html

and,

  "PF: Address Pools and Load Balancing"
  http://cvs.openbsd.org/faq/pf/pools.html

(1) 'binat' is not what i want, as i want to ONLY map a single addr for a single port -- NOT the whole server in a 1:1 mapping for all ports

and,

(2) from the POOLS discussion, 'simple' outbound NAT:

  nat on $ext_if from z.z.z.102 port 25 to any -> ($ext_if)
  nat on $ext_if from z.z.z.102 port 25 to any -> ($ext_if)

doesn't do it either - i don't think -- as $ext_if picks up the "primary IP" assigned via the pppoe startup, x.x.x.1.

so, i think i'm in the right ballpark with *nat of some sort, but how do i get this done correctly?

cheers!
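Added example, not part of the original post and not the poster's configuration: a pf.conf fragment in the FreeBSD 6.x-era syntax that gives each internal mail server its own public source address for outbound SMTP while leaving the rest of the LAN on the primary pppoe address. It reuses the placeholder addresses from the mail (x.x.x.2/x.x.x.3 public, z.z.z.102/z.z.z.103 internal, tun0 external); the LAN interface name sis1 and the macro names are assumptions. Two points it illustrates that the post's draft rules miss: the nat target can be an explicit address rather than ($ext_if), and an outbound SMTP connection has an ephemeral source port with destination port 25, so the match must be on the destination port, not "from ... port 25".

```pf
# Added example pf.conf fragment (not the poster's config). Interface name
# sis1 and the macro names are assumptions; addresses follow the mail's placeholders.
ext_if    = "tun0"
int_if    = "sis1"
mail1     = "z.z.z.102"
mail2     = "z.z.z.103"
mail1_pub = "x.x.x.2"
mail2_pub = "x.x.x.3"

# Translation rules are first-match: the per-server rules must come BEFORE
# the catch-all, otherwise the catch-all wins and everything leaves as x.x.x.1.
# Outbound SMTP is "to any port 25"; the server's source port is ephemeral.
nat on $ext_if proto tcp from $mail1 to any port 25 -> $mail1_pub
nat on $ext_if proto tcp from $mail2 to any port 25 -> $mail2_pub

# Everything else from the LAN keeps using the primary (pppoe-assigned) address.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Inbound SMTP to the public aliases still lands on the internal servers.
rdr on $ext_if proto tcp from any to $mail1_pub port 25 -> $mail1 port 25
rdr on $ext_if proto tcp from any to $mail2_pub port 25 -> $mail2 port 25

# Filter rules see post-translation addresses: outbound packets already carry
# the public source, inbound packets already carry the internal destination.
pass out on $ext_if proto tcp from { $mail1_pub, $mail2_pub } to any port 25 keep state
pass in  on $ext_if proto tcp from any to { $mail1, $mail2 } port 25 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f /etc/pf.conf`; `pfctl -s nat` shows the rule order that was actually installed, and `pfctl -s state` shows each outbound SMTP session with its translated source, which is the quickest way to confirm the per-server rule matched rather than the catch-all. Dropping the `proto tcp ... port 25` qualifiers on the two per-server nat rules makes all traffic from that host leave as its public address, which is what you want if the host's outbound DNS and other connections should be attributable to the same IP as its mail.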