route-to rule.
Daniel Hartmeier
daniel at benzedrine.cx
Tue Jan 25 15:45:19 PST 2005
On Tue, Jan 25, 2005 at 04:22:45PM -0700, Stephane Raimbault wrote:
> Looking into oddities... it seems that the nat that goes across this line
> right now:
>
> nat on $ext_if1 from $internal_net to any -> ($ext_if1)
>
> seems to round robin the external IP as I have several IPs aliased on
> $ext_if1 if I replace the above line with this:
>
> nat on $ext_if1 from $internal_net to any -> ($ext_ip1)
>
> where $ext_ip1 is the external IP I want the nat to go out, however when I
> do this... the lan can no longer establish new connections... any thoughts
> on this?
You can put () around an interface name, meaning 'dynamic interface name
to address translation'. In the first example, as you noted, this means
pf will round-robin through all addresses of the interface to pick a
source address for NATed connections.
The second example makes no sense. If what you want is to use a constant
source address for NAT, just use
-> $ext_ip1
without the parentheses. If you expect $ext_if1 to change its address
dynamically, and you want to use its 'main' address as replacement (but
not round-robin through aliases, if it has any), use
-> ($ext_if1:0)
If you still want something else, please explain.
What you actually have in your second example is (surprisingly) not a
syntax error, but
-> (10.1.2.3)
which means the interface with name "10.1.2.3". There is no such
interface, of course, but since pf accepts non-existent interfaces
(which could exist later on, think USB or PCMCIA NICs), it accepts this.
It's still nonsensical, don't use () around IP addresses. :)
Daniel
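As an added example, not part of the thread, here is a small Python checker that expands pf.conf macros and labels each nat rule's translation target the way the reply above describes, so the accepted-but-meaningless "(10.1.2.3)" form gets flagged before the ruleset is loaded. The macro values and rules in SAMPLE_CONF are constructed for the example.

```python
import re

# Constructed pf.conf excerpt (not from the original thread) mixing the
# translation targets discussed in the reply.
SAMPLE_CONF = """\
ext_if1 = "em0"
ext_ip1 = "10.1.2.3"
internal_net = "192.168.1.0/24"
nat on $ext_if1 from $internal_net to any -> ($ext_if1)
nat on $ext_if1 from $internal_net to any -> ($ext_if1:0)
nat on $ext_if1 from $internal_net to any -> $ext_ip1
nat on $ext_if1 from $internal_net to any -> ($ext_ip1)
"""

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\s]+)"?\s*$')
TARGET_RE = re.compile(r'->\s*(\S+)')
IPV4_RE = re.compile(r'^\d{1,3}(\.\d{1,3}){3}$')

def expand(text, macros):
    """Substitute $name macros textually, as pf does before parsing the rule."""
    return re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), text)

def classify_target(target):
    """Describe what a NAT translation target means, following the reply."""
    if target.startswith('(') and target.endswith(')'):
        inner = target[1:-1]
        if IPV4_RE.match(inner):
            # pf accepts this as a (non-existent) interface named by the IP string
            return 'nonsensical: interface named "%s" (drop the parentheses)' % inner
        if inner.endswith(':0'):
            return 'dynamic main address of %s, no alias round-robin' % inner[:-2]
        return 'dynamic, round-robin over all addresses of %s' % inner
    if IPV4_RE.match(target):
        return 'constant source address %s' % target
    return 'name %s resolved once at ruleset load' % target

def lint(conf):
    """Return (expanded rule, description) for each nat rule in a pf.conf text."""
    macros, results = {}, []
    for line in conf.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        if line.lstrip().startswith('nat '):
            rule = expand(line, macros)
            t = TARGET_RE.search(rule)
            if t:
                results.append((rule, classify_target(t.group(1))))
    return results

if __name__ == '__main__':
    for rule, desc in lint(SAMPLE_CONF):
        print(rule, '\n   ', desc)
```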
More information about the freebsd-pf mailing list