Date: Thu, 16 Sep 2004 04:11:41 -0000
From: Muhammad Reza <reza@mra.co.id>
To: Max Laier <max@love2party.net>
Cc: pf4freebsd@freelists.org
Subject: [pf4freebsd] Re: pf and ipfw
Message-ID: <411AEAE5.9080106@mra.co.id>
In-Reply-To: <200408111550.56346.max@love2party.net>
References: <411722A1.1020108@mra.co.id> <200408091840.53308.max@love2party.net> <4118C330.8090609@mra.co.id> <200408111550.56346.max@love2party.net>
Max Laier wrote:
> On Tuesday 10 August 2004 14:44, Muhammad Reza wrote:
>
>> # nat outgoing connections on each internet interface
>> nat on $ext_if1 from $lan_net to any -> $gw1
>> nat on $ext_if2 from $lan_net to any -> $gw2
>> nat on $ext_if1 from $dmz_net to any -> $gw1
>> nat on $ext_if2 from $dmz_net to any -> $gw2
>>
>> # smtp access from outside
>> rdr on $ext_if proto tcp from any to $server_ext port smtp -> $server_dmz port smtp
>
> That can't work! For a client connecting to your smtp that would look like the
> following:
> 1) $client:cport connects to $server_ext:25
> 2) pf RDRs to $server_dmz:25
> 3) $server_dmz:sport replies to $client:cport
> 4) pf NATs to one of $gw1:sport1 or $gw2:sport2
> 5) $client does not recognize it, as it is expecting to receive a reply from
>    $server_ext and not from $gw1 or $gw2
>
> You have to make sure that replies from $server_dmz are translated to
> $server_ext.

Thanks, list, for the great response.

To make sure that replies from $server_dmz are translated to $server_ext, I add this line (cmiiw):

nat on $ext_if1 from $dmz_net to any -> $server_ext

This rule says to perform NAT on the $ext_if interface for any packets coming from $dmz_net and to replace the source IP address with $server_ext.

But it still can't work :(. If I add a default gateway to the internet, the redirect can work, but not with load balance.

Please help me.

regards
reza

cmmiw:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?411AEAE5.9080106>
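As an added example (not from the thread, and neither Reza's nor Max's configuration), the pf.conf fragment below shows the pieces the exchange above turns on: the inbound rdr, a pass rule carrying reply-to so the DMZ host's replies leave through the uplink the connection arrived on instead of being pushed through the round-robin route-to used for outbound load balancing, and a host-specific outbound nat placed before the generic $dmz_net rule, since pf evaluates translation rules first-match (filter rules are last-match). All interface names and addresses, and the $int_if, $isp1_gw and $isp2_gw macros, are assumptions chosen for illustration.

```pf
# Added example, not the original poster's config. Every interface name,
# address and the $int_if/$isp1_gw/$isp2_gw macros are placeholders.
ext_if1 = "fxp0"
ext_if2 = "fxp1"
int_if  = "fxp2"
dmz_if  = "fxp3"

gw1     = "203.0.113.10"    # address on $ext_if1 used as NAT source
gw2     = "198.51.100.10"   # address on $ext_if2 used as NAT source
isp1_gw = "203.0.113.1"     # next-hop router reachable via $ext_if1
isp2_gw = "198.51.100.1"    # next-hop router reachable via $ext_if2

lan_net    = "192.168.1.0/24"
dmz_net    = "192.168.2.0/24"
server_ext = "203.0.113.25" # public SMTP address, assumed routed to $ext_if1
server_dmz = "192.168.2.25"

# Translation rules: FIRST match wins. The host-specific rule for the mail
# server must precede the generic $dmz_net rule or it never applies.
nat on $ext_if1 from $server_dmz to any -> $server_ext
nat on $ext_if1 from $dmz_net    to any -> $gw1
nat on $ext_if2 from $dmz_net    to any -> $gw2
nat on $ext_if1 from $lan_net    to any -> $gw1
nat on $ext_if2 from $lan_net    to any -> $gw2

# Inbound SMTP. The rdr state reverses the translation for replies, but only
# when the reply actually passes back out over $ext_if1.
rdr on $ext_if1 proto tcp from any to $server_ext port smtp -> $server_dmz port smtp

block all

pass out on { $ext_if1 $ext_if2 } keep state

# LAN-initiated TCP balanced across both uplinks.
pass in on $int_if route-to { ($ext_if1 $isp1_gw), ($ext_if2 $isp2_gw) } round-robin \
    proto tcp from $lan_net to any flags S/SA modulate state

# Filter rules are LAST match: this later rule keeps LAN -> DMZ traffic off
# the route-to pool above.
pass in on $int_if from $lan_net to $dmz_net keep state

# DMZ-initiated traffic (outgoing mail) follows the normal routing table.
pass in on $dmz_if from $dmz_net to any keep state

# Redirected SMTP: filter rules see the translated destination. reply-to
# pins the DMZ host's replies to $ext_if1, so they hit the rdr state and go
# back to the client sourced from $server_ext rather than $gw2.
pass in on $ext_if1 reply-to ($ext_if1 $isp1_gw) proto tcp \
    from any to $server_dmz port smtp flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then watch `pfctl -ss` while a client connects: the SMTP state should show the client paired with $server_dmz, and `pfctl -sn` should list the $server_dmz nat line above the $dmz_net one.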