From: "Stephane Raimbault"
To: freebsd-pf@freebsd.org
Date: Mon, 24 Jan 2005 16:43:59 -0700
Subject: RE: route-to rule.

Hi,

I also have some binats set up for some servers, however they are only on one interface... Can I simply add these binat rules to the suggested pf.conf file?

binat on $ext_if1 from $server1_int to any -> $server1_out
binat on $ext_if1 from $server2_int to any -> $server2_out

where server?_int = internal IP and server?_out = public IP?

Thanks,
Stephane.

----------
try this one:

set state-policy if-bound

lan =
ext_if1 =
ext_if2 =
gw1 =
gw2 =
1 = "(" $ext_if1 $gw1 ")"
2 = "(" $ext_if2 $gw2 ")"

nat on $ext_if1 from $internal_net to any -> ($ext_if1)
nat on $ext_if2 from $internal_net to any -> ($ext_if2)

#local
pass in quick on $lan inet from $lan:network to $lan keep state
pass out quick on $lan inet from $lan to $lan:network keep state

#wans
pass in on $ext_if1 tag $ext_if1 keep state
pass out on $lan reply-to $1 tagged $ext_if1 keep state
pass in on $ext_if2 tag $ext_if2 keep state
pass out on $lan reply-to $2 tagged $ext_if2 keep state

# balance
pass in on $lan route-to { $0 $1 } round-robin keep state

#OUT
pass out on $ext_if1 route-to $0 keep state
pass out on $ext_if1 route-to $1 keep state

and tell us if it worked for you.

Chris.

----- Original Message -----
From: "Stephane Raimbault"
To:
Sent: Tuesday, January 25, 2005 12:24 AM
Subject: route-to rule.

>I have a freebsd box with 2 wan interfaces, 1 lan interface and 1 tun
>interface.
>
>I have pf setup so that 10.1.0.64/26 and 10.1.0.128/25 go out our second
>wan interface like this:
>
>nat on $ext_if1 from $internal_net to any -> ($ext_if1)
>nat on $ext_if2 from $internal_net to any -> ($ext_if2)
>
>pass in on $int_if route-to ($ext_if2 $ext_gw2) from { 10.1.0.64/26 , 10.1.0.128/25 } to any
>
>pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
>pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
>
>
>However, any traffic destined to 10.0.0.0/26 accessible via the tun0
>interface doesn't get routed as I'm guessing it goes out to the 2nd wan
>interface ( $ext_if2 ).
>
>I've tried modifying the pass in line like this:
>
>pass in on $int_if route-to ($ext_if2 $ext_gw2) from { 10.1.0.64/26 , 10.1.0.128/25 } to { 0.0.0.0/0, !10.0.0.0/26 }
>
>However it did not work. Any suggestions on this?
>
>thanks,
>stephane.
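
Added example, not part of the thread: a simplified Python model of how pf expands brace lists into separate rules and evaluates them last-match-wins, showing why the destination list `{ 0.0.0.0/0, !10.0.0.0/26 }` in the quoted message still applies route-to to traffic bound for the tun0 network, while a single negated address does not. The rule dictionaries, function names and sample packets are constructed for illustration; only the networks come from the messages above.

```python
import ipaddress
from itertools import product

def expand(rule):
    """Expand brace lists as pfctl does: one rule per src/dst combination."""
    return [dict(rule, src=s, dst=d) for s, d in product(rule["src"], rule["dst"])]

def addr_match(spec, ip):
    """spec is 'CIDR' or '!CIDR' (a single, optionally negated, address)."""
    negated = spec.startswith("!")
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"))
    return inside != negated

def route_for(rules, src, dst):
    """Return the route-to target of the last matching rule (no 'quick').

    None means no route-to rule matched, so the kernel routing table
    (and with it the route via tun0) decides where the packet goes.
    """
    chosen = None
    for r in (e for rule in rules for e in expand(rule)):
        if addr_match(r["src"], src) and addr_match(r["dst"], dst):
            chosen = r["route_to"]
    return chosen

# Source networks from the thread; rule layout is a constructed model.
LAN = ["10.1.0.64/26", "10.1.0.128/25"]

# The attempted rule: the list expands to "to 0.0.0.0/0" AND "to !10.0.0.0/26".
attempted = [{"src": LAN, "dst": ["0.0.0.0/0", "!10.0.0.0/26"],
              "route_to": "ext_if2"}]

# Same rule with one negated destination and no list (pf: "to ! 10.0.0.0/26").
single_negation = [{"src": LAN, "dst": ["!10.0.0.0/26"], "route_to": "ext_if2"}]

if __name__ == "__main__":
    # Constructed sample packets: one to the tun0 network, one to the Internet.
    for name, rules in (("attempted", attempted),
                        ("single negation", single_negation)):
        for dst in ("10.0.0.5", "192.0.2.10"):
            print(f"{name:16} 10.1.0.70 -> {dst:11}",
                  route_for(rules, "10.1.0.70", dst))
```
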