Date: Sun, 25 Sep 2011 20:52:17 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
To: h bagade <bagadeh@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: problem in defining pool ip addresses in the round robin manner
Message-ID: <4E7F7861.9070804@quip.cz>
In-Reply-To: <CAARSjE1KYcxn8bPxbpFuj3R7VX-_r-X0cQr+fowD6jqT4kPEYw@mail.gmail.com>
References: <CAARSjE1KYcxn8bPxbpFuj3R7VX-_r-X0cQr+fowD6jqT4kPEYw@mail.gmail.com>
h bagade wrote:
[...]
> for instance, I want to nat ip addresses from 192.168.0.0/24 network to the
> range of 10.10.10.1- 10.10.20.20 ip addresses in round robin. In pf rule I
> should list the ip addresses in range one by one like this:
>
> nat on $ext_if from { 192.168.0.0/24} to any -> {10.10.10.1, 10.10.10.2,
> ...., 10.10.10.254, 10.10.11.1, ...., 10.10.20.20}
According to the pf.conf manpage, you can use a network range on the right
side of the "nat" definition.
There is an example from the manpage:
# NAT LOAD BALANCE
# Translate outgoing packets' source addresses using an address pool.
# A given source address is always translated to the same pool address by
# using the source-hash keyword.
nat on $ext_if inet from any to any -> 192.0.2.16/28 source-hash
So I think you can use the same syntax with round-robin instead of
source-hash.
> which number of ip addresses on the right side is more than 2550 which could
> be reduced extremely by defining network addresses {e.g. 10.10.10.0/24,
> 10.10.11.0/24, ... }.
There is grammar syntax for pf.conf at the end of the manpage:
nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
[ "on" ifspec ] [ af ]
[ protospec ] hosts [ "tag" string ] [ "tagged" string ]
[ "->" ( redirhost | "{" redirhost-list "}" )
[ portspec ] [ pooltype ] [ "static-port" ] ]
So you can use redirhost or redirhost-list on the right side.
redirhost = address [ "/" mask-bits ]
redirhost-list = redirhost [ [ "," ] redirhost-list ]
I did not try it for real, but a fast syntax check is correct for the
following example:
nat on bge0 inet from any to any -> { 10.1.1.0/24, 10.1.1.1/24,
10.1.1.2/24 } round-robin
You can test it like this:
# echo 'nat on bge0 inet from any to any -> { 10.1.1.0/24, 10.1.1.1/24,
10.1.1.2/24 } round-robin' | pfctl -nvvf -
No syntax error message was printed.
Let us know if it works for you.
Miroslav Lachman
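As an added example (not code from this thread or from pf itself), the script below does two things the discussion above calls for: it turns an address range such as the 10.10.10.1-10.10.20.20 one asked about into the shortest redirhost-list of netblocks, and it parses the "-> { redirhost-list } pooltype" part of a nat rule with the redirhost grammar quoted from pf.conf(5) to report how many distinct addresses the pool contains and which entries overlap. It runs offline; the syntax check itself is still `pfctl -nvvf -` as shown in the reply.

```python
import ipaddress
import re

# pooltype keywords from the pf.conf(5) grammar
POOLTYPES = ("bitmask", "random", "source-hash", "round-robin")
# right side of a nat rule: "->" then a redirhost or "{" redirhost-list "}"
_RHS = re.compile(r"->\s*(\{[^}]*\}|\S+)\s*(.*)$")


def cidr_pool(first, last):
    """Shortest list of netblocks covering first..last inclusive."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]


def nat_rule(ifname, src, pool, pooltype="round-robin"):
    """Render a nat rule in the '-> { redirhost-list } pooltype' form."""
    return "nat on %s inet from %s to any -> { %s } %s" % (
        ifname, src, ", ".join(pool), pooltype)


def pool_summary(rule):
    """Parse the pool of a nat rule: (pooltype, address_count, overlaps).

    address_count is the number of distinct addresses in all netblocks,
    network and broadcast addresses included (which of them pf hands out
    is not decided here); overlaps lists entries that are contained in,
    or duplicates of, another entry.
    """
    m = _RHS.search(rule)
    if m is None:
        raise ValueError("no '->' redirection found in rule")
    # redirhost-list = redirhost [ [ "," ] redirhost-list ]: comma optional
    hosts = [h for h in re.split(r"[\s,]+", m.group(1).strip("{} ")) if h]
    # redirhost = address [ "/" mask-bits ]; strict=False accepts 10.1.1.1/24
    nets = [ipaddress.ip_network(h, strict=False) for h in hosts]
    pooltype = next((t for t in m.group(2).split() if t in POOLTYPES), None)
    count = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    overlaps = [hosts[i] for i, a in enumerate(nets)
                if any(j != i and a.subnet_of(b) for j, b in enumerate(nets))]
    return pooltype, count, overlaps


if __name__ == "__main__":
    # constructed sample: the range asked about in the thread
    pool = cidr_pool("10.10.10.1", "10.10.20.20")
    rule = nat_rule("bge0", "192.168.0.0/24", pool)
    print(rule)
    print(pool_summary(rule))
    # the three-entry pool from the reply above names the same /24 three times
    print(pool_summary("nat on bge0 inet from any to any -> "
                       "{ 10.1.1.0/24, 10.1.1.1/24, 10.1.1.2/24 } round-robin"))
```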
