pf, nat, 2 public IP-addresses

Volker volker at vwsoft.com
Sun Nov 27 02:01:05 GMT 2005


Hi folks,

while trying to manage some PPTP trouble at a border gateway (using
RELENG_5_4 + pf + altq) I tried to have some packets being NATed
differently (using an aliased IP address).

The network in question is using private IP address space (so I need
to NAT). The server has a 2 MBit connection and I've temporarily
(for testing it out) two public IP addresses bound to the machine.

example setup:

+-------------+                        /  IP 1.2.3.2/29  \
|  fbsd54     | -- IF em1-- <                              > -- router: IP 1.2.3.1  (public internet)
+-------------+                        \  IP 1.2.3.3/32  /

IP 1.2.3.3/32 is an alias.
default gateway for that machine is 1.2.3.1

While regular traffic is being NATed with 1.2.3.2 and sent to the
default gateway 1.2.3.1, some traffic should be NATed by using the
source address 1.2.3.3.

So I tried (for NATing traffic to a known destination):

nat on em1 from any to 123.234.123.234/32 -> 1.2.3.3
while all other traffic is being NATed by:
nat on em1 from any to any -> 1.2.3.2

Using pftop and generating some traffic to 123.234.123.234/32 I do
see rules to the destination network but the source (local) address
is 1.2.3.2 (expected source address is 1.2.3.3). I'm wondering if pf
is unable to use an aliased IP address on the same interface as a
NAT address?

I also tried to set up a pass rule with the route-to option (pass out
on em1 route-to (em1 1.2.3.3) from any to .... keep state) but this
didn't even work to have packets going out with a different (NAT)
source address.

I really need to do that because I have to run poptop as a VPN
server (for some M$ clients) and also need to pass PPTP traffic out
via the PPTP proxy 'frickin'. If both daemon processes are running,
they seem to conflict with listening on the GRE protocol at the same
IP address. Traffic for the frickin proxy is being handled by poptop
as both are listening to GRE.

Please DON'T tell me not to use M$-PPTP VPN - I already know this is
a bad idea, but management wants to use that.... they don't know
it's a bad idea (I already told them but they do not care about it, so
I have to solve the trouble it's causing).

Any hints for the 2nd IP address NAT problem? Is that a known issue?

The _real_ problem is not poptop + frickin at the same machine. It's
to solve the problem to have more than one MS-PPTP VPN client
connecting to the same destination VPN server being NATed blues. If
there would be a better solution than frickin....?

Thanks for any hints!

Volker
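As an added illustration (not part of the post, and not pf code), this small Python model evaluates nat rules first-match the way pf does and keeps a toy state table, which shows why two PPTP clients behind a single NAT address collide on GRE (no ports to tell the flows apart) while TCP clients do not, and how steering one client's GRE through the alias address avoids the collision. The two rules are the post's own; the private client and server addresses are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed rules mirroring the post's two nat lines:
#   nat on em1 from any to 123.234.123.234/32 -> 1.2.3.3
#   nat on em1 from any to any -> 1.2.3.2
NAT_RULES = [
    ("any", "123.234.123.234/32", "1.2.3.3"),
    ("any", "any", "1.2.3.2"),
]

def _matches(net, addr):
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)

def select_nat_address(rules, src, dst):
    """pf evaluates nat rules first-match, so the specific rule must come first."""
    for rule_src, rule_dst, nat_to in rules:
        if _matches(rule_src, src) and _matches(rule_dst, dst):
            return nat_to
    return None

class NatTable:
    """Toy state table: maps the translated key back to the private host."""
    def __init__(self):
        self.states = {}
        self.next_port = 50000

    def translate(self, proto, src, dst, rules=NAT_RULES, sport=None, dport=None):
        nat_ip = select_nat_address(rules, src, dst)
        if nat_ip is None:
            return None
        if proto in ("tcp", "udp"):
            # A fresh translated source port keeps each client's flow distinct.
            self.next_port += 1
            key = (proto, nat_ip, self.next_port, dst, dport)
        else:
            # GRE (the PPTP data channel) has no ports: only the address
            # pair identifies the flow once it leaves the NAT box.
            key = (proto, nat_ip, dst)
        if key in self.states:
            return None  # replies from dst could not be mapped back unambiguously
        self.states[key] = (src, sport)
        return key
```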

