Date: Thu, 05 Jan 2006 21:14:03 +0200 From: Leon Botes <leon@trusc.net> To: freebsd-pf@freebsd.org Subject: PF ruleset NAT assistance Message-ID: <43BD6FFB.10807@trusc.net>
I have a strange scenario that I am sure pf can cope with, but I am not sure how to write the ruleset and I can't find clarification on it.

We have a gateway FreeBSD box with the following interfaces:

  ext_if1      (internet connection 1)
  ext_if1_rt   (router IP connected to the ext_if1)
  ext_if1_ip   (the IP of ext_if1)
  ext_if1_ip2  (the 2nd IP of ext_if1)
  ext_if2      (internet connection 2)
  ext_if2_rt   (router IP connected to the ext_if2)
  ext_if2_ip   (the IP of ext_if2)
  ext_if2_ip2  (the 2nd IP of ext_if2)
  ext_if3      (internet connection 3)
  ext_if3_rt   (router IP connected to the ext_if3)
  ext_if3_ip   (the IP of ext_if3)
  ext_if3_ip2  (the 2nd IP of ext_if3)
  dmz_if       (DMZ server interface)
  dmz_srv      (DMZ server IP)
  dmz_if_ip    (DMZ interface IP)
  lan_if       (LAN PC network interface)
  lan_if_ip    (LAN interface IP)
  pri_net      (entire subnet of the LAN PCs)

The default gateway is the router ext_if_rt. All external interfaces need to be NATted. The second IPs on the interfaces are intended for binat use, which is where the problem comes in. I need to allow various ports in on all the ext_ifs and have them redirected to the DMZ server. The returning packets must then be sent back out the same interface they arrived on.

These rules seem logical but don't seem to work (specific ports omitted). Can anyone point out my fault?

  nat on $ext_if1 from pri_net to any -> $ext_if1_ip
  binat on ext_if1 from dmz_srv to any -> ext_if1_ip2
  nat on $ext_if2 from pri_net to any -> $ext_if2_ip
  binat on ext_if2 from dmz_srv to any -> ext_if2_ip2
  nat on $ext_if3 from pri_net to any -> $ext_if3_ip
  binat on ext_if3 from dmz_srv to any -> ext_if3_ip2

Can someone help me with these three binat rules, please?

-- 
Regards
Leon
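The following pf.conf is an added example of the multi-WAN layout described in the post; it is not the poster's ruleset or an answer from the list. It reuses the macro names from the post and assigns constructed documentation-range addresses and interface names (em0 to em4) to them. Two points it relies on: pf macros are only expanded when written with a leading $ (a bare word after "on" is taken as an interface name and a bare word after "from"/"to" as a host name), and binat is bidirectional, so an inbound packet for $ext_if2_ip2 is rewritten to $dmz_srv before the filter rules see it and no separate rdr rule is needed. The second address on each uplink must also exist as an alias on that interface, which pf does not do for you.

```pf
# Added example (not the poster's ruleset): three uplinks, outbound NAT
# for the LAN, one binat per uplink for the DMZ host, and reply-to so
# that replies leave through the uplink the connection arrived on.
# Interface names and addresses are constructed placeholders.
ext_if1 = "em0"
ext_if2 = "em1"
ext_if3 = "em2"
dmz_if  = "em3"
lan_if  = "em4"

ext_if1_rt  = "203.0.113.1"
ext_if1_ip  = "203.0.113.10"
ext_if1_ip2 = "203.0.113.11"   # also configured as an alias on em0
ext_if2_rt  = "198.51.100.1"
ext_if2_ip  = "198.51.100.10"
ext_if2_ip2 = "198.51.100.11"  # alias on em1
ext_if3_rt  = "192.0.2.1"
ext_if3_ip  = "192.0.2.10"
ext_if3_ip2 = "192.0.2.11"     # alias on em2

dmz_srv   = "10.0.1.10"
pri_net   = "10.0.2.0/24"
dmz_ports = "{ 25, 80, 443 }"  # the "various ports" of the post, assumed

set skip on lo0
scrub in all

# Outbound source NAT for the LAN.  Every macro carries a $; a bare
# "ext_if1" or "pri_net" would be looked up as an interface or host.
nat on $ext_if1 from $pri_net to any -> $ext_if1_ip
nat on $ext_if2 from $pri_net to any -> $ext_if2_ip
nat on $ext_if3 from $pri_net to any -> $ext_if3_ip

# One binat per uplink.  binat rewrites both directions: inbound to
# $ext_ifN_ip2 becomes $dmz_srv before filtering, and $dmz_srv leaving
# on $ext_ifN gets $ext_ifN_ip2 as source.
binat on $ext_if1 from $dmz_srv to any -> $ext_if1_ip2
binat on $ext_if2 from $dmz_srv to any -> $ext_if2_ip2
binat on $ext_if3 from $dmz_srv to any -> $ext_if3_ip2

block in all
block out all

# Inbound to the DMZ host.  The filter already sees the translated
# destination ($dmz_srv).  reply-to binds the state's return traffic to
# the router of the arrival interface instead of the default route.
pass in on $ext_if1 reply-to ($ext_if1 $ext_if1_rt) proto tcp \
    from any to $dmz_srv port $dmz_ports flags S/SA keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_if2_rt) proto tcp \
    from any to $dmz_srv port $dmz_ports flags S/SA keep state
pass in on $ext_if3 reply-to ($ext_if3 $ext_if3_rt) proto tcp \
    from any to $dmz_srv port $dmz_ports flags S/SA keep state

# States created above are not interface-bound, so the forwarded SYN
# on $dmz_if and the reply from $dmz_srv match them without more rules.
# This rule is for connections the DMZ host originates itself.
pass in on $dmz_if from $dmz_srv to any keep state

# LAN traffic.  Outbound filtering sees post-NAT source addresses.
pass in on $lan_if from $pri_net to any keep state
pass out on $ext_if1 from { $ext_if1_ip, $ext_if1_ip2 } to any keep state
pass out on $ext_if2 from { $ext_if2_ip, $ext_if2_ip2 } to any keep state
pass out on $ext_if3 from { $ext_if3_ip, $ext_if3_ip2 } to any keep state
```

Load it with "pfctl -nf /etc/pf.conf" first to catch parse errors; an unexpanded macro shows up there as an unknown interface or an unresolvable host name. One caveat on the outbound side: with a single default route, packets from the LAN or the DMZ only ever exit $ext_if1, so the nat and binat rules on $ext_if2 and $ext_if3 are reached only by reply traffic pinned there with reply-to. Sending locally originated traffic over the other uplinks needs route-to on the pass in rules for $lan_if and $dmz_if, with the nat and binat rules for that uplink then applying on the way out.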
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?43BD6FFB.10807>