From: "kevin" <k@kevinkevin.com>
To: freebsd-pf@freebsd.org
Date: Tue, 15 Feb 2011 13:27:22 -0500
Subject: Questions about PF + Multiple gateways + CARP on a public ip network
Message-ID: <00a401cbcd3d$fe313d10$fa93b730$@com>
List-Id: Technical discussion and general questions about packet filter (pf)

Hello,

I have a generally simplistic question about a potential scenario for a FreeBSD PF with multiple gateways/routes. The backend network would not consist of local or private IP addresses - every device will have a public IP. There will be about 7 public subnets that will be handled by the FreeBSD PF gateway. What would be the ideal configuration for this scenario?
Would I need to configure all 7 subnets as persistent routes in rc.conf, and then have a nat directive in pf for each subnet as well? I realize this question is simplistic in nature, but I have only used pf in a public -> private network scenario. My concerns are just maintaining this moving forward. As I grow and add more public subnets, I want to keep managing and maintaining the configuration easy, if possible.

So in rc.conf:

    static_routes="net1 net2 net3 net4 net5 net6 net7"
    # route(8) takes "-net destination/prefixlen gateway"; the gateway is a
    # separate argument, not part of the destination. /24 is a placeholder
    # prefix length.
    route_net1="-net b.b.b.b/24 a.a.a.a"
    route_net2="-net c.c.c.c/24 a.a.a.a"
    route_net3="-net d.d.d.d/24 a.a.a.a"
    route_net4="-net e.e.e.e/24 a.a.a.a"
    route_net5="-net f.f.f.f/24 a.a.a.a"
    route_net6="-net g.g.g.g/24 a.a.a.a"
    route_net7="-net h.h.h.h/24 a.a.a.a"

"a.a.a.a" would be the gateway for one of the 7 subnets. Each subnet should have its own gateway that this FreeBSD router can route to from inside > outside. Should the FreeBSD gateway have a gateway IP for each subnet itself?

Taking my scenario at face value - what would be the best way to configure the PF / Gateway? Keeping in mind that all IPs are going to be public IPs.

If more information is required, please let me know. This is FreeBSD 8.0-RELEASE i386.

Thanks!
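The following pf.conf is an added example illustrating the scenario asked about above; it is not from the original post or from any reply on the list. It assumes an interface layout the poster did not give: em0 faces the upstream routers, em1 carries the served public subnets as addresses on the FreeBSD box, and em2 is a dedicated pfsync link to a CARP peer. The addresses are RFC 5737 documentation prefixes standing in for real public space, and the two upstream gateways, the table name <served_nets> and the macro names are all placeholders. Only two of the seven subnets are shown; adding one more is a line in the table and one route-to rule.

```conf
# /etc/pf.conf -- added example, not from the original post.
# Assumed layout (not stated by the poster): em0 upstream, em1 served
# public subnets, em2 pfsync link. Addresses are RFC 5737 placeholders.
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"

# Every public subnet this box serves lives in one table, so the filter
# rules never need to change when an eighth subnet is added.
table <served_nets> persist { 198.51.100.0/24, 203.0.113.0/24 }

# Upstream router for each served subnet (placeholder addresses).
gw_net1 = "192.0.2.1"
gw_net2 = "192.0.2.2"

set skip on lo0

# No nat/rdr section: both sides carry public addresses, so packets are
# forwarded unchanged and the filter sees the real source and destination
# in both directions.

# Refuse packets whose source address could not legitimately arrive on
# that interface, e.g. a served-subnet source showing up on em0.
antispoof log quick for { $ext_if $int_if }

# Default deny; everything below is an explicit allow.
block in log all

# CARP needs to pass on the interfaces that carry virtual addresses, and
# pfsync on the sync link, or the pair cannot elect a master or share
# state. The sync link is assumed to be a private wire.
pass quick on { $ext_if $int_if } proto carp keep state
pass quick on $sync_if proto pfsync

# Inbound from the internet to hosts in the served subnets. Narrow the
# port list to what those hosts actually expose.
pass in on $ext_if proto tcp from any to <served_nets> \
    port { 22 80 443 } flags S/SA keep state

# Served hosts talking to each other are routed locally on this box.
pass in quick on $int_if from <served_nets> to <served_nets> keep state

# Served hosts going out: route-to selects the upstream router for the
# source subnet instead of the kernel default route. State is created
# here, so replies must come back through this box or its pfsync peer.
pass in on $int_if route-to ($ext_if $gw_net1) \
    from 198.51.100.0/24 to ! <served_nets> keep state
pass in on $int_if route-to ($ext_if $gw_net2) \
    from 203.0.113.0/24 to ! <served_nets> keep state

# Traffic originated by the box itself, and routed traffic leaving it.
pass out on { $ext_if $int_if } keep state
```

With this design each served subnet is directly connected to em1 (an alias per subnet in rc.conf, for example `ifconfig_em1_alias0="inet 198.51.100.1 netmask 255.255.255.0"`, plus `gateway_enable="YES"` and `pf_enable="YES"`), so no static_routes entries are needed for the served subnets themselves; a static route is only required for a network that sits behind a further router. The per-subnet choice of upstream gateway is made by the route-to rules, and one defaultrouter entry covers the box's own traffic. For a CARP pair, the gateway address the hosts use is the carp interface's virtual address rather than the em1 alias, and pfsync (`pfsync_enable="YES"`, `pfsync_syncdev="em2"`) keeps the states in step so a failover does not drop the route-to sessions. Check the file with `pfctl -nf /etc/pf.conf` before loading it, and confirm the antispoof and route-to expansion with `pfctl -vvsr`.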