NAT with IP != primary external IP
Pyun YongHyeon
yongari at kt-is.co.kr
Mon Oct 25 22:24:09 PDT 2004
On Sat, Oct 23, 2004 at 12:15:21PM +0100, Aled Treharne wrote:
> Hi guys.
>
> I'm trying to set up a firewall on a box for a friend. The arrangement is
> fairly simple, bunch of machines behind the FBSD box, FBSD box connected to
> ADSL. What I'd like to do (because I wanted to in the first place, and now
> it's annoying me) is to have 2 IPs on the external i/f on the FBSD box, and
> have one as the machine's primary IP and t'other solely as the NAT IP. I've
> tried putting various IPs in the places that make sense to me, but I just
> couldn't get it to work[1].
>
AFAIK, pf maintains a table for $interface and ($interface)
is stored in a <table>. If interface $interface has aliases,
round-robin through them would be performed automatically by pf.
If you want to disable the automatic round-robin in NAT
you should tell pf not to do so.
For instance:

    nat on $interface inet from $internal_ips to any -> ($interface:0)

or

    nat on $interface inet from $internal_ips to any -> $interface:0

or specify an explicit IP address to use:

    nat on $interface inet from $internal_ips to any -> $primary_ip

> Is this possible, and if so, would someone be so kind as to tell me how? I'm
> trying to move over to pf from ipfw, and if I can get it working, I've got a
> strong case for using it at work as well.
>
> Thanks in advance for your sage advice. :)
>
> Cheers,
> Aled.
>
> [1] This is just one place where I prefer linux's eth0:alias1 type labelling
> of sub-interfaces over FreeBSD's just-put-multiple-ips-on-one-interface way.
>
--
Regards,
Pyun YongHyeon
http://www.kr.freebsd.org/~yongari | yongari at freebsd.org
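
Applied to the original question (a second external address used only for NAT), the explicit-address form from the reply could look like the pf.conf fragment below. This is an added example, not part of the original message; the interface name, the macro names ext_if and nat_ip, and all addresses are constructed placeholders.

```pf
# Constructed example values (assumptions, not from the original post):
#   fxp0          external interface
#   192.0.2.10    primary address on fxp0 (documentation range)
#   192.0.2.11    alias on fxp0 reserved for NAT
#   10.0.0.0/24   internal network
ext_if       = "fxp0"
nat_ip       = "192.0.2.11"
internal_ips = "10.0.0.0/24"

# Left commented out: translates to every address on the interface, so
# with an alias present outbound connections are spread round-robin
# over 192.0.2.10 and 192.0.2.11, as the reply describes.
# nat on $ext_if inet from $internal_ips to any -> ($ext_if)

# Left commented out: the :0 modifier skips interface aliases, so only
# the primary address 192.0.2.10 is used for translation.
# nat on $ext_if inet from $internal_ips to any -> ($ext_if:0)

# Active rule: translate only to the alias, leaving the primary address
# for traffic that originates on the firewall itself.
nat on $ext_if inet from $internal_ips to any -> $nat_ip
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it. Once loaded, `pfctl -s nat` lists the active translation rule and `pfctl -s state` shows which external address each translated connection is using.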