Routing return NAT traffic based on interface

Kevin Wilcox kevin.wilcox at gmail.com
Mon Nov 19 22:54:10 UTC 2012


On Nov 19, 2012 3:12 PM, "Peter McAlpine" <peter at aoeu.ca> wrote:
>
> Thanks for your reply. I've tried the configuration you suggested but
> it's providing the same issue I was encountering before.
>
> My goal is to route all traffic from the tunnel out the external
> interface nat'ing it on the way out. Any traffic coming in on the
> external interface should be un-nat'd (if applicable), then sent back
> down the tunnel unless it's destined for the external interface's IP
> (post-un-nat).
>
> Is such a configuration possible with PF?

It is. The "pass in" rule I used in my example assumes the inside interface
and the other devices it talks to are in the same network. If you want to
pass anything that interface sees, change the rules so that they accept
traffic from any IP range: "from $int_if:network to any" becomes "from
any to any".

I have a couple of routers that pass traffic for 10.x.y.z but their inside
IPs are 172.16.a.b addresses and they were configured much the same way in
early testing, before filters were added.

If changing the rule to pass everything doesn't square you away, a network
diagram may be useful (as would me actually looking at my pf configs).

kmw
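A pf.conf fragment showing the rule change discussed in this thread, as an added example rather than anything from the original post or the author's own configs; the interface names em0 and tun0 and the ssh rule are assumptions.

```pf
# Interface macros (assumed names; substitute your own)
ext_if = "em0"
tun_if = "tun0"

# Translate everything leaving the external interface, whatever network it
# came from, to the external interface's address. pf keeps state for each
# translation, so replies arriving on $ext_if are un-NATed and routed back
# down the tunnel without a separate rule.
nat on $ext_if from any to any -> ($ext_if)

# Original form: only passes sources inside the tunnel interface's own network
# pass in on $tun_if from $tun_if:network to any keep state

# Changed form: pass whatever the tunnel interface sees, including ranges
# (e.g. 10.x.y.z) that are routed through it but not assigned to it
pass in on $tun_if from any to any keep state
pass out on $ext_if from any to any keep state

# Inbound on the external interface: replies are matched by state; only
# new connections addressed to the external IP itself are admitted
block in on $ext_if
pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, and `pfctl -ss` to confirm tunnel-sourced connections show up as translated states on $ext_if.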


More information about the freebsd-pf mailing list