From owner-freebsd-questions@FreeBSD.ORG Tue Jun 12 13:44:23 2007
Message-ID: <70f41ba20706120644y401ee52bpe2baaf4d8c9753ef@mail.gmail.com>
Date: Tue, 12 Jun 2007 06:44:22 -0700
From: snowcrash
Reply-To: schneecrash@gmail.com
To: "Greg Hennessy"
Cc: freebsd-questions@freebsd.org, freebsd-pf
In-Reply-To: <781957739614121600@unknownmsgid>
References: <70f41ba20706111920x2e9e2d71ma2bcb3dd074daa60@mail.gmail.com> <781957739614121600@unknownmsgid>
Subject: Re: how 2 address&port map outbound traffic to multiple/different IPs on a single intfc?

hi greg,

> There's a number of ways to do this.
>
> Add the extra addresses as aliases to the internet facing interface. E.g
>
> gw2:~ # cat /etc/rc.early /etc/rc.conf | egrep -i 'outside|alias' | sed -e
> .....
> /sbin/ifconfig rue0 name outside
> network_interfaces="lo0 outside inside"
> ifconfig_outside="inet xx.yy.zz.251 netmask 0xfffffff8 up"
> ifconfig_outside_alias0="inet xx.yy.zz.252 netmask 0xffffffff"
> ifconfig_outside_alias1="inet xx.yy.zz.253 netmask 0xffffffff"

i am using aliases, but, atm, only for INTERNAL addresses on the router/firewall. e.g., in rc.conf,

int_if = "sis0"
lo_if = "lo0"
ifconfig_sis0="inet x.x.x.80 netmask 255.255.255.0 mtu 1492 polling"
ifconfig_sis0_alias0="x.x.x.81 netmask 255.255.255.0 mtu 1492 polling"
ifconfig_sis0_alias1="x.x.x.82 netmask 255.255.255.0 mtu 1492 polling"
ifconfig_sis0_alias2="x.x.x.83 netmask 255.255.255.0 mtu 1492 polling"
ifconfig_sis0_alias3="x.x.x.84 netmask 255.255.255.0 mtu 1492 polling"
dhcpd_ifaces="sis0"

the $ext_if, "tun0" (pppoe), is not created UNTIL ppp launches -- later.

so, iiuc -- which i may well not -- setting aliases for the ext intfc would NOT work in rc.conf (early), but only (later) after ppp int'd the alias ... don't know what issues that causes for maintaining any/all required synchronization with pf ... which would be expecting/addressing those external intfc aliases on startup.

so, don't think this is a viable option :-/ unless ...

> Or. If you have control of the upstream router from your firewall add
> static routes for either the entire cidr block or /32 host routes for each
> address in the /29 you control.
>
> The routes should point to the external address of the firewall.

aha. i assume you really DO mean the upstream router here, NOT any router capabilities ON the firewall box itself, yes?

if so, after pppoe setup/connect, ifconfig shows,

tun0: flags=8051 mtu 1492
        inet x.x.x.1 --> aa.bb.cc.dd netmask 0xffffffff
        Opened by PID 511

and the upstream router, aa.bb.cc.dd, is my ISP's.

checking established routes, as per in "ppp.conf",

add default HISADDR

checking routes, i see the one,

netstat -nr | grep aa.bb.cc.dd
default            aa.bb.cc.dd        UGS         0       19   tun0
aa.bb.cc.dd        x.x.x.1            UH          1        3   tun0

now, looking at that, i suspect i MIGHT be able to add add'l routes in the ppp.conf transaction config -- e.g., instead of (just?)

add default HISADDR

add something 'like'

set ifaddr x.x.x.1 x.x.x.2 x.x.x.3 255.255.255.255
add x.x.x.0/29 HISADDR

but, i have to search/fumble around with the correct pppoe-time syntax.

i assume that this would (?) set up additional external intfcs, which would then be pf-addressable?

thoughts?

thanks!
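The worry raised above is that pf will reference external aliases on tun0 that only exist once ppp has brought the link up. A practical way to catch that mismatch is to compare the addresses the ruleset expects against what `ifconfig tun0` and `netstat -rn` actually report after connect. The script below is an added example written for this thread, not code from the original mail or from FreeBSD; the interface name, the expected address list and both command outputs are constructed (documentation-range addresses 192.0.2.0/24 and 198.51.100.0/24 stand in for the x.x.x / aa.bb.cc.dd values in the post), and `EXPECTED_EXT` is a hypothetical list standing in for whatever a pf.conf maps outbound traffic to.

```python
"""Check that the external aliases a pf ruleset expects are present on
the PPPoE interface after ppp has connected, and that the default route
really goes to the peer (HISADDR) over that interface.

Example written for this mailing-list thread; all sample output and
addresses below are constructed, not captured from a real host."""
import re

IFNAME = "tun0"  # assumption: the pppoe interface name from the thread

# Constructed `ifconfig tun0` output: primary address, one alias added.
IFCONFIG_TUN0 = """\
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
\tinet 192.0.2.1 --> 198.51.100.254 netmask 0xffffffff
\tinet 192.0.2.2 netmask 0xffffffff
\tOpened by PID 511
"""

# Constructed `netstat -rn` output (inet section only).
NETSTAT_RN = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            198.51.100.254     UGS         0       19   tun0
127.0.0.1          127.0.0.1          UH          0        4    lo0
192.0.2.1          192.0.2.1          UH          1        3   tun0
198.51.100.254     192.0.2.1          UH          1        3   tun0
"""

# Hypothetical: the external addresses pf.conf maps outbound traffic to.
EXPECTED_EXT = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]

INET_RE = re.compile(r"^\s*inet\s+(\d+\.\d+\.\d+\.\d+)", re.MULTILINE)
PEER_RE = re.compile(r"-->\s+(\d+\.\d+\.\d+\.\d+)")


def configured_inet(ifconfig_text):
    """Every IPv4 address (primary and aliases) shown for the interface."""
    return set(INET_RE.findall(ifconfig_text))


def peer_address(ifconfig_text):
    """Far end of the point-to-point link (ppp's HISADDR), or None."""
    m = PEER_RE.search(ifconfig_text)
    return m.group(1) if m else None


def routes(netstat_text):
    """Map destination -> (gateway, netif) from `netstat -rn` output."""
    table = {}
    for line in netstat_text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) >= 6:
            table[parts[0]] = (parts[1], parts[5])
    return table


def check_aliases(expected, ifconfig_text, netstat_text, ifname=IFNAME):
    """Report which expected addresses are missing from the interface and
    whether the default route goes to the peer over that interface."""
    present = configured_inet(ifconfig_text)
    gw, netif = routes(netstat_text).get("default", (None, None))
    return {
        "missing": [a for a in expected if a not in present],
        "default_via": netif,
        "default_to_peer": gw is not None and gw == peer_address(ifconfig_text),
    }


def alias_commands(missing, ifname=IFNAME):
    """ifconfig(8) invocations that would add the missing /32 aliases."""
    return [f"ifconfig {ifname} inet {a} netmask 255.255.255.255 alias"
            for a in missing]


if __name__ == "__main__":
    report = check_aliases(EXPECTED_EXT, IFCONFIG_TUN0, NETSTAT_RN)
    print("missing aliases :", report["missing"])
    print("default route   :", report["default_via"],
          "(to peer)" if report["default_to_peer"] else "(NOT to peer)")
    for cmd in alias_commands(report["missing"]):
        print("would run       :", cmd)
```

Run it against the real command output after the link is up, or from a ppp link-up hook, and a non-empty `missing` list tells you which addresses pf was written for but the interface does not carry yet; the generated `ifconfig ... alias` lines are the same form as the `ifconfig_outside_aliasN` entries Greg quoted, just issued after tun0 exists instead of from rc.conf.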