Date: Wed, 11 Jan 2017 11:24:41 +0100
From: Damien Fleuriot <ml@my.gd>
To: Harry Duncan <usr.src.linux@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: interface definition with aliases
Message-ID: <CAE63ME6E0xo61H9evchXyK=Y73%2BwON4KJ3K7r_JSTaeoOFCFqw@mail.gmail.com>
In-Reply-To: <CAHAPYVBWopDmP4hOAcFN8F-TeOx8DhFP429HoqR3g6kxZCUhPg@mail.gmail.com>
References: <CAHAPYVBWopDmP4hOAcFN8F-TeOx8DhFP429HoqR3g6kxZCUhPg@mail.gmail.com>
On 11 January 2017 at 01:58, Harry Duncan <usr.src.linux@gmail.com> wrote:
> Hi Guys,
>
> I get my net connection to my freebsd box by pppoe. I have a /29
> allocation, so I have to add my additional IPs at the public interface on
> my bsd box, so I add them with
>
> ifconfig tun0 alias 121.171.163.226 netmask 255.255.255.255 181.191.100.212
>
> and I end up with a tun0 looking like:
>
> tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
>         options=80000<LINKSTATE>
>         inet 121.171.163.225 --> 181.191.100.212 netmask 0xffffffff
>         inet 121.171.163.226 --> 181.191.100.212 netmask 0xffffffff
>         inet 121.171.163.227 --> 181.191.100.212 netmask 0xffffffff
>         inet 121.171.163.228 --> 181.191.100.212 netmask 0xffffffff
>         inet 121.171.163.229 --> 181.191.100.212 netmask 0xffffffff
>         inet 121.171.163.230 --> 181.191.100.212 netmask 0xffffffff
>         nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
>         groups: tun
>         Opened by PID 4207
>
> In the normal course of events, with a single wan ip, I just declare ext_if
> = "tun0" in pf.conf and it resolves to the wan ip.
>
> What I want to be able to do here is reference specific aliases in rules,
> so for example, port forward port 22 on .225 to one lan host, port forward
> the same port on .226 to another lan host.
>
> I also want to direct all traffic out from specific lan hosts to go out on
> specific ip addresses and not randomly across the range.
>
> I have accomplished this before with interface aliases where pppoe has not
> been used, but am stuck conceptually on how to implement this where the ip
> aliases are all on the same interface.
>
> Anyone got any thoughts if this is going to be possible?
>
> My alternate course of action will be to try and bring up a tun device for
> each of the aliases with a different ppp dialer, just not sure routing wise
> if that is going to work, so I'm just curious to know if you guys think it
> can be accomplished with the above?
Heya Harry,

You could always create macros in your pf.conf, like so:

ip1="1.2.3.4"
ip2="2.3.4.5"
ip3="3.4.5.6"

You can then reference them in your rules:

# The tun0 macro, the tcpflags macro and the <trust> table used below are
# assumed definitions (not part of the original reply); adjust to taste.
tun0="tun0"
tcpflags="flags S/SA"
table <trust> { 192.0.2.0/24 }

pass in quick on $tun0 inet proto tcp from <trust> to $tun0:0 port 10 $tcpflags  # this references only your primary IP on $tun0
pass in quick on $tun0 inet proto tcp from <trust> to $ip1 port 11 $tcpflags     # and these apply to your macros
pass in quick on $tun0 inet proto tcp from <trust> to $ip2 port 12 $tcpflags     # ditto
pass in quick on $tun0 inet proto tcp from <trust> to $ip3 port 13 $tcpflags     # ditto

Once you've set up your macros, you're free to do whatever you like.

# Redirect SSH to public IP 1 to an internal host:
rdr pass on $tun0 inet proto tcp from <trust> to $ip1 port 22 -> 192.168.0.1

# NAT outgoing from internal host to a specific tun0 IP:
nat pass on $tun0 inet from 192.168.0.1 to any -> $ip3

I hope I did not misunderstand your question and that is what you were looking for.
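A complete pf.conf built on the macro approach above, as an added example that is not part of the thread, applied to Harry's /29: SSH on .225 and .226 forwarded to two different LAN hosts, each forwarded host leaving on its own public address, and all other LAN traffic leaving on the primary. The LAN interface name and the 192.168.0.x host addresses are assumed; the rdr rules deliberately omit the pass modifier so that redirected packets still go through the filter rules.

```pf
# /etc/pf.conf for a pppoe tun0 carrying a /29 of aliases (added example)
ext_if = "tun0"
int_if = "lan0"                 # assumed LAN interface name
ip_primary = "121.171.163.225"  # first address on tun0 ($ext_if:0 would also match it)
ip_second  = "121.171.163.226"
ip_third   = "121.171.163.227"
host_a = "192.168.0.10"         # assumed LAN hosts
host_b = "192.168.0.11"
host_c = "192.168.0.12"
lan_net = "192.168.0.0/24"

set skip on lo0
scrub in all

# Translation rules: the first matching nat/rdr rule wins, so the per-host
# rules must come before the catch-all.
# Outbound: host_b always leaves as .226, host_c as .227, everyone else as .225.
nat on $ext_if inet from $host_b to any -> $ip_second
nat on $ext_if inet from $host_c to any -> $ip_third
nat on $ext_if inet from $lan_net to any -> $ip_primary

# Inbound: port 22 on .225 goes to host_a, port 22 on .226 goes to host_b.
# Without "pass" on the rdr, the packets are still subject to the filter below.
rdr on $ext_if inet proto tcp from any to $ip_primary port 22 -> $host_a
rdr on $ext_if inet proto tcp from any to $ip_second  port 22 -> $host_b

block in log all
pass out quick keep state

# Filter rules see the post-rdr (internal) destination, so permit exactly the
# two redirected services and nothing else from the outside.
pass in on $ext_if inet proto tcp from any to $host_a port 22 flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $host_b port 22 flags S/SA keep state
pass in on $int_if inet from $lan_net to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and confirm the translation order with `pfctl -sn`.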