From owner-freebsd-pf@FreeBSD.ORG Tue Jun 12 02:20:48 2007
Message-ID: <70f41ba20706111920x2e9e2d71ma2bcb3dd074daa60@mail.gmail.com>
Date: Mon, 11 Jun 2007 19:20:47 -0700
From: snowcrash+freebsd
Sender: schneecrash@gmail.com
To: freebsd-pf, freebsd-questions@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: how 2 address&port map outbound traffic to multiple/different IPs on a single intfc?
Reply-To: freebsd-questions@freebsd.org
List-Id: "Technical discussion and general questions about packet filter (pf)"
X-List-Received-Date: Tue, 12 Jun 2007 02:20:48 -0000

hi,

i'm trying to do 1:1 (nat?) *outbound* address mapping using pf, but NOT 'whole server' binat, but rather a single address&port. i'm close, but no cigar ... any suggestions? details follow ... thanks!

i've a block of 8 static IPs, x.x.x.1 - x.x.x.8.

freebsd6.2-Rp5+pf are installed as my edge router/firewall. the router has a SINGLE external interface, "sis0", mapped at bootup to a single pppoe-generated interface, "tun0". ifconfig shows that "tun0" is assigned the 'primary' IP of x.x.x.1. so most of my LAN->WAN traffic travels out, appearing to originate at x.x.x.1.

i've two mail servers on my LAN, at private addresses z.z.z.100 & z.z.z.200. i've NAT+rdr set up to address-map WAN to LAN addresses for the two servers.

    nat on $ext_if from $int_if:network to any -> ($ext_if)
    rdr on $ext_if proto tcp from any to x.x.x.2 port 25 -> z.z.z.102 port 25
    rdr on $ext_if proto tcp from any to x.x.x.3 port 25 -> z.z.z.103 port 25

where $ext_if == tun0.

now as to OUTBOUND mapping ...

i want to make sure that traffic:

    FROM internal server @ z.z.z.102:25 exits $ext_if, 'seen' as SRC_ADDR=x.x.x.2
  &
    FROM internal server @ z.z.z.103:25 exits $ext_if, 'seen' as SRC_ADDR=x.x.x.3

reading:

    "PF: Network Address Translation (NAT)"
    http://cvs.openbsd.org/faq/pf/nat.html

and,

    "PF: Address Pools and Load Balancing"
    http://cvs.openbsd.org/faq/pf/pools.html

(1) 'binat' is not what i want, as i want to ONLY map a single addr for a single port -- NOT the whole server in a 1:1 mapping for all ports

and,

(2) from the POOLS discussion, 'simple' outbound NAT:

    nat on $ext_if from z.z.z.102 port 25 to any -> ($ext_if)
    nat on $ext_if from z.z.z.102 port 25 to any -> ($ext_if)

doesn't do it either - i don't think -- as $ext_if picks up the "primary IP" assigned via the pppoe startup, x.x.x.1.

so, i think i'm in the right ballpark with *nat of some sort, but how do i get this done correctly?

cheers!
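An added example, not part of the original message or of any reply to it, of how pf expresses per-host outbound source mapping for the setup described above. The addresses, the $ext_if/$int_if macros and the rdr lines are taken from the post; the LAN interface name "sis1" and the two mail-host macros are assumptions. Two properties of pf that the example relies on: translation rules (nat, rdr, binat) are evaluated first-match, so the per-host nat rules have to come before the catch-all "-> ($ext_if)" rule; and a connection a mail server opens to a remote MTA leaves with an ephemeral source port and destination port 25, so a source-port-25 match never sees that connection, while a destination-port-25 match does.

```pf
# Added example (not the poster's config). Addresses and $ext_if follow the post.
ext_if = "tun0"
int_if = "sis1"          # assumed LAN interface name; the post only names sis0/tun0
mail1  = "z.z.z.102"     # LAN hosts behind x.x.x.2 and x.x.x.3 (as in the post's rdr lines)
mail2  = "z.z.z.103"

# Inbound: public x.x.x.2 / x.x.x.3 port 25 -> the two LAN mail hosts (same as the post)
rdr on $ext_if proto tcp from any to x.x.x.2 port 25 -> $mail1 port 25
rdr on $ext_if proto tcp from any to x.x.x.3 port 25 -> $mail2 port 25

# Outbound: connections the mail hosts open TO remote port 25 leave with the matching
# public address as source. Translation rules are first-match, so these two must
# precede the catch-all nat rule below. The match is on destination port, because the
# source port of an outgoing SMTP connection is ephemeral, not 25.
nat on $ext_if proto tcp from $mail1 to any port 25 -> x.x.x.2
nat on $ext_if proto tcp from $mail2 to any port 25 -> x.x.x.3

# Everything else from the LAN still leaves as the pppoe-assigned primary address.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Filter rules see packets AFTER translation, so inbound rules match the private
# destination and outbound rules match the public source. Minimal external-side pair;
# rules for $int_if are not shown. keep state is explicit because the pf in FreeBSD 6.2
# does not keep state by default.
pass in  on $ext_if proto tcp from any to { $mail1, $mail2 } port 25 flags S/SA keep state
pass out on $ext_if proto tcp from { x.x.x.2, x.x.x.3 } to any port 25 flags S/SA keep state
```

To check the file before it is live, `pfctl -nf /etc/pf.conf` parses it without loading; `pfctl -s nat` then shows the translation rules in the order pf evaluates them, which is where a misplaced catch-all rule becomes visible. Once a mail host sends, `pfctl -s state` lists the outbound SMTP states with the public address as source and the private address in parentheses, which confirms the rewrite took effect. The public addresses x.x.x.2 and x.x.x.3 must already be routed to the pppoe link for return traffic to arrive, which the working rdr rules in the post imply.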