From: Mike Tancsa <mike@sentex.net>
To: freebsd-pf@freebsd.org
Date: Wed, 02 Jan 2008 12:04:23 -0500
Subject: pf and pppoe help!
List-Id: "Technical discussion and general questions about packet filter (pf)"

I have a Soekris 5501 that I want to use to do NATting for a number of subnets with a number of static IPs and am not sure what the best way to handle the multiple IP aliases is. In the past, when I aliased the /32s to lo0, I had stability problems and the box would deadlock. That firewall was on fibre, so it was easy to move the IPs to the external NIC and alias them there. That box sees a lot of traffic with a LOT of internal hosts and is very stable now.

However, for PPPoE it's a bit different since the interface comes and goes, and there is also the issue of MSS. Right now in the lab I have been trying the following config and it seems to work. However, I'm not sure when it goes live with a lot of traffic if this is the best way to go.

In my ppp.linkup I have

pppoe:
 iface clear
 iface add 2.2.2.205/32 1.1.1.1
 iface add 2.2.2.206/32 1.1.1.2
 iface add 2.2.2.207/32 1.1.1.3
 ! /sbin/pfctl -f /etc/pf.conf

where 2.2.2.x are a bunch of /32 publicly routed IP addresses.

The box has

 1 PPPoE connection (tun0)
 RFC1918 subnet 192.168.1.0/24 (vr1)
 DMZ 2.2.2.0/30 (vr2)
 RFC1918 10.0.0.0/24 (vr3)

as well as a couple of BINATs on vr1

# for pppoe MSS fixup for the DMZ host
scrub in on vr2 max-mss 1400 fragment reassemble
scrub out on vr2 max-mss 1400 fragment reassemble

# let the office people surf via one public IP and the transient sales force
# use a different one on the wireless
nat on $ext_if from {$internaloffice} to any -> ($ext_if:0)
nat on $ext_if from {$internal204,!$server1,!$server2} to any -> $officepublicIP
nat on $ext_if from {$wireless} to any -> $publicwireless
binat on $ext_if from $server1 to any -> $publicserver1
binat on $ext_if from $server2 to any -> $publicserver2

pass in quick on lo0 all
pass out quick on lo0 all
block in log on $ext_if all

# DMZ cust machine has its own rules
pass in on vr2 from any to any keep state
pass in on $ext_if from any to {$publicserver1, $publicserver2, $server1, $server2, $dmzhost} keep state
pass in log on tun0 proto tcp from $trustedhosts to any port 22 keep state
pass out all keep state

Is there a better way to handle all the aliased IP addresses than to manually put them on tun0?
---Mike
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
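Below is an added example, not Mike's pf.conf, showing one way to write the same layout as a complete, loadable ruleset: the macros his snippet leaves undefined ($internaloffice, $wireless, $server1, $server2, $dmzhost, the public addresses and $trustedhosts) are filled in with placeholder values that are assumptions, the default policy is an explicit block on every interface rather than only on the PPPoE link, and the dynamic tun0 address is referenced as `($ext_if:0)` so the nat rule follows the address ppp(8) assigns without a reload (the /32 aliases are still added in ppp.linkup exactly as in the post; `:0` keeps those aliases out of the nat pool). The binat rules are placed before the nat rules because pf applies the first matching translation rule, which removes the need for the `!$server1, !$server2` exclusions.

```pf
# Added example pf.conf for a PPPoE gateway with aliased public /32s.
# All addresses below are placeholders (assumptions), not values from the post.
ext_if      = "tun0"               # PPPoE link, address assigned by ppp(8)
office_if   = "vr1"
dmz_if      = "vr2"
wireless_if = "vr3"

internaloffice = "192.168.1.0/24"  # placeholder
wireless       = "10.0.0.0/24"     # placeholder
server1        = "192.168.1.10"    # placeholder, binat target
server2        = "192.168.1.11"    # placeholder, binat target
dmzhost        = "2.2.2.2"         # placeholder host inside the 2.2.2.0/30 DMZ

# Public /32s that ppp.linkup aliases onto tun0 ("iface add ..." in the post)
publicwireless = "2.2.2.205"
publicserver1  = "2.2.2.206"
publicserver2  = "2.2.2.207"

# Admin sources allowed to ssh to the gateway (placeholder documentation range)
table <trustedhosts> { 203.0.113.10, 203.0.113.11 }

set skip on lo0

# PPPoE takes 8 bytes off the MTU, so clamp TCP MSS on everything crossing
# the tunnel, not only the DMZ segment, and reassemble fragments first.
scrub on $ext_if max-mss 1400 fragment reassemble

# Translation: first matching rule wins, so the static 1:1 mappings go first
# and the catch-all office nat no longer needs to exclude the servers.
binat on $ext_if from $server1 to any -> $publicserver1
binat on $ext_if from $server2 to any -> $publicserver2
nat on $ext_if from $wireless to any -> $publicwireless
# ($ext_if:0) = tun0's current primary address, aliases excluded
nat on $ext_if from $internaloffice to any -> ($ext_if:0)

# Default deny inbound on every interface; only the PPPoE side is logged.
block in all
block in log on $ext_if all

# Drop packets arriving on the wrong interface for their source network.
antispoof for { $office_if, $dmz_if, $wireless_if }

# Internal segments may originate traffic only from their own subnet.
pass in on $office_if   from $internaloffice to any keep state
pass in on $wireless_if from $wireless       to any keep state
pass in on $dmz_if      from $dmz_if:network to any keep state

# Inbound from the Internet. binat rewrites the destination before filtering,
# so these rules match on the internal server addresses.
pass in on $ext_if proto tcp from any to { $server1, $server2 } port { 80, 443 } keep state
pass in on $ext_if from any to $dmzhost keep state
pass in log on $ext_if proto tcp from <trustedhosts> to ($ext_if) port 22 keep state

pass out all keep state
```

Check the file before loading it with `pfctl -nf /etc/pf.conf`, which parses and expands the rules without installing them, then load with `pfctl -f /etc/pf.conf` and inspect what pf actually installed with `pfctl -sn` (translation rules) and `pfctl -sr` (filter rules); with the parenthesised `($ext_if)` references, the only reason left to re-run pfctl from ppp.linkup is to flush state after the link has been renumbered.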