From: Damien Fleuriot
Date: Wed, 11 Jan 2017 11:24:41 +0100
Subject: Re: interface definition with aliases
To: Harry Duncan
Cc: freebsd-pf@freebsd.org

On 11 January 2017 at 01:58, Harry Duncan wrote:
> Hi Guys,
>
> I get my net connection to my freebsd box by pppoe. I have a /29
> allocation, so I have to add my additional IPs at the public interface on
> my bsd box, so I add them with
>
> ifconfig tun0 alias 121.171.163.226 netmask 255.255.255.255 181.191.100.212
>
> and I end up with a tun0 looking like:
>
> tun0: flags=8051 metric 0 mtu 1492
> options=80000
> inet 121.171.163.225 --> 181.191.100.212 netmask 0xffffffff
> inet 121.171.163.226 --> 181.191.100.212 netmask 0xffffffff
> inet 121.171.163.227 --> 181.191.100.212 netmask 0xffffffff
> inet 121.171.163.228 --> 181.191.100.212 netmask 0xffffffff
> inet 121.171.163.229 --> 181.191.100.212 netmask 0xffffffff
> inet 121.171.163.230 --> 181.191.100.212 netmask 0xffffffff
> nd6 options=21
> groups: tun
> Opened by PID 4207
>
> In the normal course of events, with a single wan ip, I just declare ext_if
> = "tun0" in pf.conf and it resolves to the wan ip.
>
> What I want to be able to do here is reference specific aliases in rules,
> so for example, port forward port 22 on .225 to one lan host, port forward
> the same port on .226 to another lan host
>
> I also want to direct all traffic out from specific lan hosts to go out on
> specific ip addresses and not randomly across the range.
>
> I have accomplished this before with interface aliases where pppoe has not
> been used, but am stuck conceptually on how to implement this where the ip
> aliases are all on the same interface.
>
> Anyone got any thoughts if this is going to be possible?
>
> My alternate course of action will be to try and bring up a tun device for
> each of the aliases with a different ppp dialer, just not sure routing wise
> if that is going to work so I'm just curious to know if you guys think it
> can be accomplished with the above?
>

Heya Harry,

You could always create macros in your pf.conf, like so:

tun0="tun0"
ip1="1.2.3.4"
ip2="2.3.4.5"
ip3="3.4.5.6"

You can then reference them in your rules:

# $tcpflags is assumed to be a flags macro defined earlier in pf.conf
pass in quick on $tun0 inet proto tcp from any to $tun0:0 port 10 $tcpflags  # this references only your primary IP on $tun0 (":0" excludes the aliases)
pass in quick on $tun0 inet proto tcp from any to $ip1 port 11 $tcpflags     # and these apply to your macros
pass in quick on $tun0 inet proto tcp from any to $ip2 port 12 $tcpflags     # ditto
pass in quick on $tun0 inet proto tcp from any to $ip3 port 13 $tcpflags     # ditto

Once you've set up your macros, you're free to do whatever you like.

# (translation rules, nat/rdr, go before the filter rules in pf.conf)
# Redirect SSH to public IP 1 to an internal host:
rdr pass on $tun0 inet proto tcp from any to $ip1 port 22 -> 192.168.0.1

# NAT outgoing from internal host to a specific tun0 IP:
nat pass on $tun0 inet from 192.168.0.1 to any -> $ip3

I hope I did not misunderstand your question and that is what you were looking for.
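The scenario from the question carried through to a complete pf.conf, as an added example that is not from either poster: two aliases from Harry's /29 each forwarding port 22 to a different LAN host, and two LAN hosts pinned to specific outgoing addresses. The LAN interface em0, the LAN hosts 192.168.0.10 and 192.168.0.11, and the tcpflags value are assumptions.

```pf
# Constructed example, not from the thread. Assumed: LAN on em0, LAN hosts
# 192.168.0.10 / 192.168.0.11, public addresses from the question's /29.
ext_if   = "tun0"
int_if   = "em0"
ip_225   = "121.171.163.225"   # primary address on tun0, same as $ext_if:0
ip_226   = "121.171.163.226"   # alias added with "ifconfig tun0 alias ..."
ip_227   = "121.171.163.227"
host_a   = "192.168.0.10"
host_b   = "192.168.0.11"
tcpflags = "flags S/SA"

set skip on lo0
scrub in on $ext_if all fragment reassemble

# Translation rules are first-match: the per-host rules must come BEFORE the
# catch-all, or every LAN host would still leave on the primary address.
nat on $ext_if inet from $host_a to any -> $ip_226
nat on $ext_if inet from $host_b to any -> $ip_227
nat on $ext_if inet from $int_if:network to any -> $ip_225

# Same public port on two different aliases, forwarded to two different hosts.
# "rdr pass" creates the matching filter pass rule, so none is needed below.
rdr pass on $ext_if inet proto tcp from any to $ip_225 port 22 -> $host_a
rdr pass on $ext_if inet proto tcp from any to $ip_226 port 22 -> $host_b

block in log on $ext_if
pass out quick on $ext_if keep state

# "$ext_if:0" is the primary address only; a bare "$ext_if" here would expand
# to every address on tun0, including all the aliases, which is rarely wanted.
pass in quick on $ext_if inet proto tcp from any to $ext_if:0 port 80 $tcpflags

pass in on $int_if
pass out on $int_if
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and confirm the expanded translation rules with `pfctl -sn`; every interface macro is resolved at load time, so re-run `pfctl -f` if the addresses on tun0 ever change.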