From: Leon Botes <leon@trusc.net>
Organization: TruscTechnologies
Date: Thu, 05 Jan 2006 21:15:24 +0200
To: freebsd-questions@freebsd.org
Subject: PF ruleset NAT assistance

I have a strange scenario that I am sure pf can cope with, but I am not sure how to write the ruleset.
We have a gateway FreeBSD box with the following interfaces:

    ext_if1     (internet connection 1)
    ext_if1_rt  (router ip connected to the ext_if1)
    ext_if1_ip  (the ip of ext_if1)
    ext_if1_ip2 (the 2nd ip of ext_if1)
    ext_if2     (internet connection 2)
    ext_if2_rt  (router ip connected to the ext_if2)
    ext_if2_ip  (the ip of ext_if2)
    ext_if2_ip2 (the 2nd ip of ext_if2)
    ext_if3     (internet connection 3)
    ext_if3_rt  (router ip connected to the ext_if3)
    ext_if3_ip  (the ip of ext_if3)
    ext_if3_ip2 (the 2nd ip of ext_if3)
    dmz_if      (DMZ server interface)
    dmz_srv     (DMZ server ip)
    dmz_if_ip   (DMZ interface ip)
    lan_if      (LAN PC network interface)
    lan_if_ip   (LAN interface ip)
    pri_net     (entire subnet of the LAN PCs)

    # network diagram

The default gateway is the router ext_if_rt. All external interfaces need to be natted. The second ips on the interfaces are intended for binat use, which is where the problem comes in.

I need to allow various ports in on all the ext_if's and be redirected to the dmz server. The returning packets must then be sent back out the same interface they arrived on.

These rules seem logical but don't seem to work (specific ports omitted). Can anyone point out my fault?

    nat on $ext_if1 from pri_net to any -> $ext_if1_ip
    binat on ext_if1 from dmz_srv to any -> ext_if1_ip2
    nat on $ext_if2 from pri_net to any -> $ext_if2_ip
    binat on ext_if2 from dmz_srv to any -> ext_if2_ip2
    nat on $ext_if3 from pri_net to any -> $ext_if3_ip
    binat on ext_if3 from dmz_srv to any -> ext_if3_ip2

Can someone help me with these three binat rules please.

-- 
Regards
Leon
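The setup described in the post, written out as a complete pf.conf the way I would configure it; this is an added example, not the poster's ruleset or anything from the FreeBSD project. All interface names, addresses and the port list are constructed placeholders, and it assumes the FreeBSD 5.x/6.x pf syntax of the period (macro references need a leading "$"; a bare word such as ext_if1 or dmz_srv is read as an interface or host name, not the macro).

```pf
# pf.conf for the three-WAN gateway described above (FreeBSD 5.x/6.x pf syntax).
# Interface names, addresses and ports are constructed placeholders.
ext_if1 = "em0"
ext_if1_rt = "192.0.2.1"
ext_if1_ip = "192.0.2.10"
ext_if1_ip2 = "192.0.2.11"
ext_if2 = "em1"
ext_if2_rt = "198.51.100.1"
ext_if2_ip = "198.51.100.10"
ext_if2_ip2 = "198.51.100.11"
ext_if3 = "em2"
ext_if3_rt = "203.0.113.1"
ext_if3_ip = "203.0.113.10"
ext_if3_ip2 = "203.0.113.11"
dmz_if = "em3"
dmz_srv = "10.10.0.10"
lan_if = "em4"
pri_net = "10.20.0.0/24"
dmz_ports = "{ 25, 80, 443 }"   # hypothetical; the post omits the real ports

set state-policy floating       # one state covers the external and DMZ legs

# Outbound NAT for the LAN on each external interface (as in the post).
nat on $ext_if1 from $pri_net to any -> $ext_if1_ip
nat on $ext_if2 from $pri_net to any -> $ext_if2_ip
nat on $ext_if3 from $pri_net to any -> $ext_if3_ip

# Bidirectional 1:1 mapping of the DMZ server to each second address.
# Every macro here is referenced with "$"; a bare name is not the macro.
binat on $ext_if1 from $dmz_srv to any -> $ext_if1_ip2
binat on $ext_if2 from $dmz_srv to any -> $ext_if2_ip2
binat on $ext_if3 from $dmz_srv to any -> $ext_if3_ip2

block in all
block out all

# Translation runs before filtering, so the inbound rules match the DMZ
# address, not the public one. reply-to hands the reply to the router of
# the interface the request came in on, instead of the default route.
pass in on $ext_if1 reply-to ($ext_if1 $ext_if1_rt) proto tcp \
    from any to $dmz_srv port $dmz_ports flags S/SA keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_if2_rt) proto tcp \
    from any to $dmz_srv port $dmz_ports flags S/SA keep state
pass in on $ext_if3 reply-to ($ext_if3 $ext_if3_rt) proto tcp \
    from any to $dmz_srv port $dmz_ports flags S/SA keep state

# LAN and DMZ clients going out; the floating state from the rules above
# already covers the forwarded leg towards the DMZ server.
pass in on $lan_if from $pri_net to any keep state
pass in on $dmz_if from $dmz_srv to any keep state
pass out on { $ext_if1 $ext_if2 $ext_if3 } keep state
```

Outbound LAN traffic still follows the single default route, so only the link holding that route actually carries it; spreading it over the other two links needs route-to on the LAN rule, which is beyond what the post asks about.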