pf nat dual gateways

Ghirai ghirai at ghirai.com
Fri Jun 5 08:27:04 UTC 2009 

Hi,

I would need some help in getting this working.

The idea is pretty simple, i have a box with 3 NICs; 2 for net pipes,
and one for LAN.

Routing and NAT works, however, i need that requests to u_ips always
get NATed through u_if, and everything else through ext_if.

As it is now, everything goes through ext_if.


ext_if="tun0"
int_if="vr0"
u_if="ed0"

ext_services="{2222}"
int_services="{53,80}"
rdp_port="{3232}"
rdp_srv="{192.168.0.250}"

u_ips="{123.123.123.123}"
u_gw="192.168.1.1"

localnet=$int_if:network

set skip on lo0
set optimization aggressive
set limit states 50000


scrub in all

nat on $ext_if from $localnet to any -> ($ext_if)
nat on $u_if from $localnet to $u_ips -> ($u_if)


rdr pass on $ext_if proto tcp from any to $ext_if port $rdp_port ->
$rdp_srv port 3389

antispoof for $ext_if
antispoof for $u_if

block drop all

pass in inet proto tcp from any to any port $ext_services \
	flags S/SA keep state

pass in inet proto {tcp,udp} from $localnet to $int_if port
$int_services \ flags S/SA keep state

pass out all keep state

pass from $localnet to any keep state


And here's ifconfig:

vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu
1500 options=2808<VLAN_MTU,WOL_UCAST,WOL_MAGIC>
	ether 00:13:d4:a7:84:f9
	inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu
1500 ether 52:54:00:df:92:3f
	inet 192.168.1.5 netmask 0xffffff00 broadcast 192.168.1.255
	media: Ethernet autoselect (10baseT/UTP)
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu
1500 options=8<VLAN_MTU>
	ether 00:02:44:59:91:d5
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0
mtu 1500 lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu
16384 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5 
	inet6 ::1 prefixlen 128 
	inet 127.0.0.1 netmask 0xff000000 
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
	inet 111.111.111.111 --> 111.111.111.254 netmask 0xffffffff 
	Opened by PID 449


As you can see, u_if(ed0) has IP addr 192.168.1.5, and the gateway is
192.168.1.1 (u_gw).

Running 7.2-RELEASE, amd64.

Any help is appreciated.
Thanks. 

-- 
Ghirai.

More information about the freebsd-questions mailing list