How can I link two separate internal networks to two separate external networks

Geoff Roberts geoff at apro.com.au
Tue Dec 23 17:21:22 UTC 2008


Hi Mike,

On Tue, 23 Dec 2008 04:14:51 am you wrote:
> I think this will work.  Let's assume:
>
> $vlan10_if -> macro for your tagged VLAN 10 interface
> $vlan20_if -> macro for your tagged VLAN 20 interface
> $vlan50_if -> macro for your tagged VLAN 50 interface
> $vlan60_if -> macro for your tagged VLAN 60 interface
> $vlan50_gw = 10.10.10.9
> $vlan60_gw = 10.10.10.13
>
> pass in on $vlan10_if route-to ($vlan50_if $vlan50_gw) from any to any
> pass in on $vlan20_if route-to ($vlan60_if $vlan60_gw) from any to any
>
> That would be in conjunction with your NAT's and any RDR's as well.

Spot on! Thanks for that, it worked like a charm.

I have a couple more questions below. Firstly, just for completeness, I've 
listed what the NAT and RDRs look like for others that may be interested.

$vlan10_server -> macro for IP address of server on vlan10

nat on $vlan50_if proto {tcp udp icmp} from $vlan10_if to any -> ($vlan50_if)

rdr on $vlan50_if proto tcp from any to ($vlan50_if) port 80 -> $vlan10_server port 80

pass in on $vlan50_if inet proto tcp from any to $vlan10_server port 80
pass out on $vlan50_if inet proto { tcp udp icmp } from ($vlan50_if) to any


Remaining questions:

a) I found I didn't need a reply-to statement on the redirect for the vlan50 
interface above. Could someone elaborate or point to a URL that might help 
explain a little more why this wasn't needed and in what circumstances I might 
need a reply-to statement?

There isn't much about reply-to in the pf pdf. Since my default route is on 
vlan60 as opposed to vlan50 where the redirect is, you'd think I need a 
reply-to at first glance.

Is the single route-to (pass in on $vlan10_if route-to ($vlan50_if $vlan50_gw) 
from any to any) covering me here?

If I had a redirect such as:

rdr on $vlan50_if proto tcp from any to ($vlan50_if) port 80 -> $vlan20_server port 80

would I need a reply-to?

b) I've also found I needed to assign IP addresses (doesn't matter what they 
are) to the actual interfaces the VLANs sit on within the FreeBSD box (int0 
and ext0).

If not, things don't appear to work. Should this be necessary, and if so why? If 
I shouldn't need IP addresses on the actual interfaces themselves, I've 
probably mucked up something else in the pf rules :)

For example:

        ext0 (192.168.1.1)
              |
      +-------+-------+
      |               |
    vlan50          vlan60

Thanks again for your help,

Geoff
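For the second redirect asked about in question a), the following pf.conf fragment is an added example (not from the original thread) showing where a reply-to option sits in the syntax: on the inbound pass rule for the redirect arriving on vlan50, the interface without the default route. The macro names follow the thread; the server addresses are placeholders, the `:network` modifier on the nat rules and the vlan60-side rules are assumptions.

```pf
# Added example, not from the original post. Interface names and gateways
# follow the thread's macros; server addresses are placeholders.
vlan10_if = "vlan10"
vlan20_if = "vlan20"
vlan50_if = "vlan50"
vlan60_if = "vlan60"
vlan50_gw = "10.10.10.9"
vlan60_gw = "10.10.10.13"
vlan10_server = "192.0.2.10"   # placeholder, not from the thread
vlan20_server = "192.0.2.20"   # placeholder, not from the thread

# Outbound: traffic entering from each internal VLAN is forced out its
# own external VLAN regardless of the routing table (as in the thread).
pass in on $vlan10_if route-to ($vlan50_if $vlan50_gw) from any to any
pass in on $vlan20_if route-to ($vlan60_if $vlan60_gw) from any to any

# Source NAT for each internal network on its own external interface
# (":network" is an assumption: it matches the whole subnet, not just
# the interface address).
nat on $vlan50_if proto { tcp udp icmp } from $vlan10_if:network to any -> ($vlan50_if)
nat on $vlan60_if proto { tcp udp icmp } from $vlan20_if:network to any -> ($vlan60_if)

# Inbound web redirect arriving on vlan50 but terminating on the vlan20 server.
rdr on $vlan50_if proto tcp from any to ($vlan50_if) port 80 -> $vlan20_server port 80

# reply-to records the return path in the state entry created by this rule:
# replies for these connections leave via vlan50 to vlan50_gw instead of
# following the default route on vlan60.
pass in on $vlan50_if reply-to ($vlan50_if $vlan50_gw) inet proto tcp \
    from any to $vlan20_server port 80 keep state

pass out on $vlan50_if inet proto { tcp udp icmp } from ($vlan50_if) to any
pass out on $vlan60_if inet proto { tcp udp icmp } from ($vlan60_if) to any
```

Check the parsed ruleset with `pfctl -nf /etc/pf.conf` before loading it.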
