From owner-freebsd-pf@FreeBSD.ORG Sun Sep 25 19:08:26 2011
Message-ID: <4E7F7861.9070804@quip.cz>
Date: Sun, 25 Sep 2011 20:52:17 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
To: h bagade
Cc: freebsd-pf@freebsd.org
Subject: Re: problem in defining pool ip addresses in the round robin manner
List-Id: "Technical discussion and general questions about packet filter (pf)"

h bagade wrote:
[...]
> for instance, I want to nat ip addresses from 192.168.0.0/24 network to the
> range of 10.10.10.1 - 10.10.20.20 ip addresses in round robin. In the pf rule I
> should list the ip addresses in the range one by one like this:
>
> nat on $ext_if from { 192.168.0.0/24 } to any -> { 10.10.10.1, 10.10.10.2,
> ...., 10.10.10.254, 10.10.11.1, ...., 10.10.20.20 }

According to the pf.conf manpage, you can use a network range on the right side of the "nat" definition. There is an example in the manpage:

# NAT LOAD BALANCE
# Translate outgoing packets' source addresses using an address pool.
# A given source address is always translated to the same pool address by
# using the source-hash keyword.
nat on $ext_if inet from any to any -> 192.0.2.16/28 source-hash

So I think you can use the same syntax with round-robin instead of source-hash.

> the number of ip addresses on the right side is more than 2550, which could
> be reduced greatly by defining network addresses { e.g. 10.10.10.0/24,
> 10.10.11.0/24, ... }.

There is the grammar syntax for pf.conf at the end of the manpage:

nat-rule       = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
                 [ "on" ifspec ] [ af ] [ protospec ] hosts [ "tag" string ]
                 [ "tagged" string ]
                 [ "->" ( redirhost | "{" redirhost-list "}" )
                 [ portspec ] [ pooltype ] [ "static-port" ] ]

So you can use redirhost or redirhost-list on the right side.

redirhost      = address [ "/" mask-bits ]
redirhost-list = redirhost [ [ "," ] redirhost-list ]

I did not try it for real, but a quick syntax check passes for the following example:

nat on bge0 inet from any to any -> { 10.1.1.0/24, 10.1.1.1/24, 10.1.1.2/24 } round-robin

You can test it like this:

# echo 'nat on bge0 inet from any to any -> { 10.1.1.0/24, 10.1.1.1/24, 10.1.1.2/24 } round-robin' | pfctl -nvvf -

No syntax error message was printed.

Let us know if it works for you.

Miroslav Lachman
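The thread's question is how to turn the wanted pool 10.10.10.1 - 10.10.20.20 into a redirhost-list of network blocks instead of 2580 individual addresses, and whether a handful of /24 blocks does the same job. The script below is an added example, not code from the list post or from the pf project: it uses only the Python standard library to split an address range into the minimal set of CIDR blocks, renders them in pf's redirhost-list syntax on a nat rule of the shape discussed above (bge0 and 192.168.0.0/24 are taken from the thread; the function names are mine), and then expands the list again to check that it covers exactly the wanted range. It does not call pfctl; paste the printed rule into `pfctl -nvvf -` on a FreeBSD box to let pf itself parse it.

```python
#!/usr/bin/env python3
"""Build and sanity-check a pf redirhost-list for a NAT address pool.

Added example for the freebsd-pf thread above; not part of pf or the post.
Only the standard library is used, so it runs offline on any Python 3.
"""
import ipaddress
from typing import List, Set


def range_to_redirhosts(first: str, last: str) -> List[str]:
    """Return the minimal CIDR blocks covering first..last (inclusive) in pf
    redirhost syntax: a bare address for a single host, address/mask-bits
    otherwise. Raises ValueError on a malformed or reversed range."""
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    if lo.version != hi.version or lo > hi:
        raise ValueError("range must be two addresses of one family, low <= high")
    hosts: List[str] = []
    for net in ipaddress.summarize_address_range(lo, hi):
        if net.num_addresses == 1:
            hosts.append(str(net.network_address))
        else:
            hosts.append(net.with_prefixlen)
    return hosts


def nat_rule(ext_if: str, src_net: str, pool: List[str],
             pooltype: str = "round-robin") -> str:
    """Render a pf.conf nat rule with a braced redirhost-list and a pooltype."""
    return (f"nat on {ext_if} inet from {src_net} to any "
            f"-> {{ {', '.join(pool)} }} {pooltype}")


def pool_addresses(pool: List[str]) -> Set[ipaddress.IPv4Address]:
    """Expand a redirhost-list to every address in it. A network block
    contributes its whole range, so for a /24 that includes the .0 and .255
    addresses; a list written as /24 blocks is therefore wider than a range
    that starts at .1 or ends before .255."""
    out: Set[ipaddress.IPv4Address] = set()
    for host in pool:
        # strict=False lets "10.1.1.1/24" mean its network, as pf masks it.
        out.update(ipaddress.ip_network(host, strict=False))
    return out


def wanted_addresses(first: str, last: str) -> Set[ipaddress.IPv4Address]:
    """Every address from first to last, inclusive."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return {ipaddress.ip_address(n) for n in range(int(lo), int(hi) + 1)}


def covers_exactly(pool: List[str], first: str, last: str) -> bool:
    """True if the pool translates to precisely the wanted range."""
    return pool_addresses(pool) == wanted_addresses(first, last)


def extra_addresses(pool: List[str], first: str, last: str) -> List[str]:
    """Addresses the pool would hand out that lie outside first..last."""
    extra = pool_addresses(pool) - wanted_addresses(first, last)
    return [str(a) for a in sorted(extra)]


if __name__ == "__main__":
    # Values from the thread: NAT 192.168.0.0/24 out of bge0 onto 10.10.10.1-10.10.20.20.
    first, last = "10.10.10.1", "10.10.20.20"
    pool = range_to_redirhosts(first, last)
    print(nat_rule("bge0", "192.168.0.0/24", pool))
    print(f"{len(pool)} blocks, {len(pool_addresses(pool))} addresses, "
          f"exact={covers_exactly(pool, first, last)}")
    # The poster's shortcut of whole /24 blocks, for comparison.
    slash24 = [f"10.10.{n}.0/24" for n in range(10, 21)]
    print(f"/24 list hands out {len(extra_addresses(slash24, first, last))} "
          "addresses outside the wanted range")
```

The exact list for this range is 14 blocks (from a bare 10.10.10.1 up through 10.10.12.0/22 and 10.10.16.0/22 down to a bare 10.10.20.20), which is far shorter than 2580 entries but still noticeably longer than the eleven /24 blocks the poster suggested. The difference is that the /24 list also contains 10.10.10.0 and 10.10.20.21 through 10.10.20.255, 236 addresses that were not asked for; whether that matters depends on whether anything else owns those addresses. One further caveat: the `nat ... -> pool pooltype` form shown in the thread is the FreeBSD pf syntax; OpenBSD moved to `match ... nat-to` in 4.7, so the rule text is not portable between the two.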