binat-to address that's not assigned to interface (4.9)

2011-01-25 Thread Brian Keefer
I'm embarrassed to ask such a simple question.  Since 3.4 I've been running PF 
firewalls, but mostly for very small networks with 32 or fewer external 
addresses.  I always assigned my external IPs to my external interface and then 
did NAT or bi-NAT.

Now I'm building firewalls for much larger networks with /25 of external IPs.  
They will all be either static or dynamic NAT, so proxy-ARP doesn't seem like 
the way to go.  Do I absolutely have to assign all these addresses to the 
external interface in order to use them for nat-to/binat-to, or can I simply 
have the upstream router set a route to one IP that I assign to the external 
interface (this is done already) and PF will be able to handle the translations?

--
bk





Re: binat-to address that's not assigned to interface (4.9)

2011-01-25 Thread Karl O. Pinc
On 01/25/2011 01:30:45 PM, Brian Keefer wrote:
 I'm embarrassed to ask such a simple question.  Since 3.4 I've been
 running PF firewalls, but mostly for very small networks with 32 or
 fewer external addresses.  I always assigned my external IPs to my
 external interface and then did NAT or bi-NAT.
 
 Now I'm building firewalls for much larger networks with /25 of
 external IPs.  They will all be either static or dynamic NAT, so
 proxy-ARP doesn't seem like the way to go.  Do I absolutely have to
 assign all these addresses to the external interface in order to use
 them for nat-to/binat-to, or can I simply have the upstream router set
 a route to one IP that I assign to the external interface (this is
 done already) and PF will be able to handle the translations?

You should expect the ISP to route.  (On their DSL lines, at least
here, they often bridge, which is why you must fuss about with
ARP.)

Of course, it all depends on how the ISP does it.




Karl k...@meme.com
Free Software:  You don't pay back, you pay forward.
 -- Robert A. Heinlein



Re: binat-to address that's not assigned to interface (4.9)

2011-01-25 Thread Brian Keefer
On Jan 25, 2011, at 12:15 PM, Karl O. Pinc wrote:

 On 01/25/2011 01:30:45 PM, Brian Keefer wrote:
 
 Now I'm building firewalls for much larger networks with /25 of
 external IPs.  They will all be either static or dynamic NAT, so
 proxy-ARP doesn't seem like the way to go.  Do I absolutely have to
 assign all these addresses to the external interface in order to use
 them for nat-to/binat-to, or can I simply have the upstream router set
 a route to one IP that I assign to the external interface (this is
 done already) and PF will be able to handle the translations?
 
 You should expect the ISP to route.  (On their DSL lines, at least
 here, they often bridge, which is why you must fuss about with
 ARP.)
 
 Of course, it all depends on how the ISP does it.

In this case the upstream router is maintained by our ops team and it is indeed 
routing (they wanted me to give them an IP to act as the gateway).

So as I understand it, I should be OK to only assign a single IP (the one that 
the router has set its route to for my subnet) and PF will handle the rest.  
Someone correct me if I'm horribly wrong there.

--
bk
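The routed setup discussed in this thread, written out as an added pf.conf example (not posted by anyone in the thread) in the 4.7+ match/nat-to/binat-to syntax. It assumes the external interface carries only a small transfer address (198.51.100.2/30, router at 198.51.100.1) and that the upstream router has a static route for the whole external /25 (203.0.113.0/25, RFC 5737 documentation space used as a placeholder) pointing at 198.51.100.2; interface names and internal addresses are placeholders too. None of the /25 is assigned to the interface: PF only needs the packets to reach it, which the route guarantees, and the translated addresses never need to answer ARP on the external segment.

```pf
# Added example, not from the thread.  Placeholder names and addresses.
ext_if  = "em0"                  # carries 198.51.100.2/30 only
int_if  = "em1"
int_net = "10.0.0.0/24"

# The block the upstream router routes to 198.51.100.2.  Nothing in it is
# configured on $ext_if; PF uses these addresses purely for translation.
ext_net  = "203.0.113.0/25"
nat_pool = "203.0.113.64/26"     # dynamic outbound pool (64 addresses)
web_int  = "10.0.0.10"
web_ext  = "203.0.113.10"        # static 1:1 mapping, also not assigned locally

set skip on lo

# Dynamic NAT: internal clients leave with a source address drawn from the
# pool; sticky-address keeps one client on one external address.
match out on $ext_if inet from $int_net nat-to $nat_pool round-robin sticky-address

# Static (bidirectional) NAT for a published host.  binat-to is applied
# without a direction so the reverse mapping covers inbound traffic as well;
# restricting the inbound side to 80/443 is done on the filter rule below.
match on $ext_if inet from $web_int to any binat-to $web_ext

block log all
pass on $int_if inet from $int_net
pass out on $ext_if inet

# Inbound to the published address.  With the match rule above, the packet
# has already been translated when this rule is evaluated, so it is written
# against the internal address.
pass in on $ext_if inet proto tcp from any to $web_int port { 80 443 }

# Checks before and after loading:
#   pfctl -nf /etc/pf.conf       parse only, catches syntax errors
#   pfctl -f  /etc/pf.conf       load
#   pfctl -s rules               confirm nat-to/binat-to landed on the rules
#   pfctl -s state               watch translations as states are created
# If nothing appears in the state table, check the upstream route for the
# /25 first: without it, return traffic never reaches the firewall.
```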