route-to rule.

Stephane Raimbault segr at hotmail.com
Mon Jan 24 15:44:02 PST 2005


Hi, I also have some binat's setup for some servers, however they are only 
on one interface... Can I simply add these binat rules to the suggested 
pf.conf file?

binat on $ext_if1 from $server1_int to any -> $server1_out
binat on $ext_if1 from $server2_int to any -> $server2_out

where server?_int = internal IP and server?_out = public IP?

Thanks,
Stephane.

----------
try this one:

set state-policy if-bound

lan = <lan_nic>
ext_if1 = <your_ext_nic1>
ext_if2 = <your_ext_nic2>
gw1 = <your_gw1>
gw2 = <your_gw2>

1 = "(" $ext_if1 $gw1 ")"
2 = "(" $ext_if2 $gw2 ")"

nat on $ext_if1 from $internal_net to any -> ($ext_if1)
nat on $ext_if2 from $internal_net to any -> ($ext_if2)

#local
pass in quick on $lan inet from $lan:network to $lan keep state
pass out quick on $lan inet from $lan to $lan:network keep state

#wans
pass in on  $ext_if1  tag  $ext_if1 keep state
pass out on $lan reply-to $1 tagged  $ext_if1 keep state

pass in on  $ext_if2 tag $ext_if2 keep state
pass out on $lan reply-to $2 tagged $ext_if2 keep state

# balance
pass in on $lan route-to { $0 $1 } round-robin keep state

#OUT
pass out on $ext_if1 route-to $0 keep state
pass out on $ext_if1 route-to $1 keep state

and tell us if it worked for you.

Chris.


----- Original Message -----
From: "Stephane Raimbault" <segr at hotmail.com>
To: <freebsd-pf at freebsd.org>
Sent: Tuesday, January 25, 2005 12:24 AM
Subject: route-to rule.


>I have a freebsd box with 2 wan interfaces, 1 lan interface and 1 tun 
>interface.
>
>I have pf setup so that 10.1.0.64/26 and 10.1.0.128/25 go out our second 
>wan interface like this:
>
>nat on $ext_if1 from $internal_net to any -> ($ext_if1)
>nat on $ext_if2 from $internal_net to any -> ($ext_if2)
>
>pass in on $int_if route-to ($ext_if2 $ext_gw2) from { 10.1.0.64/26 , 
>10.1.0.128/25 } to any
>
>pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
>pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
>
>
>However, any traffic destined to 10.0.0.0/26 accessible via the tun0 
>interface doesn't get routed as I'm guessing it goes out to the 2nd wan 
>interface ( $ext_if2 ).
>
>I've tried modifying the pass in line like this:
>
>pass in on $int_if route-to ($ext_if2 $ext_gw2) from { 10.1.0.64/26 , 
>10.1.0.128/25 } to { 0.0.0.0/0, !10.0.0.0/26 }
>
>However it did not work.  Any suggestions on this?
>
>thanks,
>stephane.
>
>_______________________________________________
>freebsd-pf at freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
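
Why the `{ 0.0.0.0/0, !10.0.0.0/26 }` attempt in the quoted message cannot exclude the tun0 network, as an added example that is not part of the thread: pf expands a braced list into one rule per item, so the `0.0.0.0/0` rule still matches 10.0.0.0/26. The Python below is a constructed model of that expansion, not pf code; the function names and the test addresses 10.1.0.70, 10.0.0.5 and 192.0.2.10 are assumptions.

```python
# Added illustration: a small model of how pfctl expands a { } list.
from ipaddress import ip_address, ip_network
from itertools import product

SOURCES = ["10.1.0.64/26", "10.1.0.128/25"]   # source nets from the thread
LIST_DSTS = ["0.0.0.0/0", "!10.0.0.0/26"]     # the attempted destination list
NEGATED_DST = ["!10.0.0.0/26"]                # i.e. "to ! 10.0.0.0/26" in pf syntax


def expand(sources, dests):
    """A { } list is shorthand: one rule is loaded per (source, destination) pair."""
    return list(product(sources, dests))


def addr_matches(spec, addr):
    """Match one address spec; a leading '!' negates the result."""
    negate = spec.startswith("!")
    inside = ip_address(addr) in ip_network(spec.lstrip("!"))
    return inside != negate


def matching_rules(rules, src, dst):
    """Expanded route-to rules that match this packet."""
    return [(s, d) for s, d in rules
            if addr_matches(s, src) and addr_matches(d, dst)]


def policy_routed(rules, src, dst):
    """All expanded rules carry the same route-to action, so any match
    sends the packet to the second WAN instead of the routing table."""
    return bool(matching_rules(rules, src, dst))


if __name__ == "__main__":
    src, tun_dst, inet_dst = "10.1.0.70", "10.0.0.5", "192.0.2.10"  # constructed
    for label, dsts in (("list", LIST_DSTS), ("single negation", NEGATED_DST)):
        rules = expand(SOURCES, dsts)
        print(label, "-> tun0 net policy-routed:", policy_routed(rules, src, tun_dst),
              "| internet policy-routed:", policy_routed(rules, src, inet_dst))
```

With the single negated destination (or a negated table reference), no route-to rule matches packets for 10.0.0.0/26, so they follow the normal routing table toward tun0.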
