Hello,

I'm trying to do some policy routing with an IPF box (NetBSD 1.6.x)
to send some specific traffic for a host in and out via a different
service provider, to save us some bandwidth charges.  The service
provider only supplies us with 1 IP address, so I'm NAT'ing
that address from the firewall as follows:

in ipnat.conf:

rdr pppoe0 a.b.c.d/32 port 22 -> 1.2.3.4 port 22

the machine at 1.2.3.4 is multiaddressed, but it should (it's linux,
it may not do the right thing ...) send traffic out on the same IP
that it received it on.

So, the firewall should get replies to it from 1.2.3.4, that I want
to send back out of the pppoe0 interface, not the normal default
route, and I also need to NAT it back to the a.b.c.d address (or the
hosts trying to connect to it will get very confused ....)

The network looks like this:


ISP 1 ----
           \ sip0 (no NAT)
                           NetBSD firewall - sip1 ---- server (1.2.3.4, 1.2.4.4)
           / pppoe0 (NAT)
ISP 2 ----


The firewall's default route is out via sip0 to ISP1, and 1.2.3.0/x and
1.2.4.0/x are real IP address ranges that are routed via sip0 on the
firewall by ISP1.

My understanding of how to use IPF to do routing is a little sketchy.
What I want to know is: if I have IPF do route changes to send traffic
from 1.2.3.4 out via pppoe0, will it also NAT that traffic using the rdr
rule above?  The box is in production and I don't want to break the
firewall rules on it in testing this, so if anyone can make any
suggestions for what IPF rule(s) I may need, that would be great!  It's
IPF version 3.4.29.

I'm thinking something like this:

pass in quick on sip1 to pppoe0:<isp2 router> from 1.2.3.4

will that work in conjunction with this :

pass in quick on pppoe0 from any to 1.2.3.4 flags S/SA keep state

and

ipnat.conf: rdr pppoe0 a.b.c.d/32 port 22 -> 1.2.3.4 port 22

Or am I going the wrong way about this?


Thanks for any suggestions and advice,

Carl

--
=======================
Vivitec Pty. Ltd.
Suite 6, 51-55 City Rd.
Southbank, 3006.
Ph. +61 3 8626 5626
Fax +61 3 9682 1000
=======================

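The three rules sketched in the post, assembled into one added illustrative configuration. This is not from the original post or from any reply to it, and it does not settle the question the post asks (whether IPF 3.4 applies the reverse rdr translation to packets it steers with `to`); it only shows the pieces in one place with their direction of travel commented. Interface names, a.b.c.d, 1.2.3.4 and `<isp2 router>` are the post's own placeholders and are left as such. The one change from the post's wording, narrowing the policy-route rule to the server's SSH replies (source port 22) instead of everything from 1.2.3.4, is an assumption added here: the rdr only covers port 22, so any other traffic from 1.2.3.4 steered out pppoe0 would leave ISP 2 untranslated and asymmetric to the path it arrived on.

```ipf
# /etc/ipnat.conf (added example): inbound SSH arriving on pppoe0 for the
# ISP 2 address a.b.c.d is redirected to the server. IPF applies inbound
# NAT before the inbound filter rules, so the filter rule on pppoe0 below
# sees the packet with its already-translated destination 1.2.3.4.
rdr pppoe0 a.b.c.d/32 port 22 -> 1.2.3.4 port 22

# /etc/ipf.conf (added example)
# Admit the redirected SSH connection on pppoe0 and keep state for it.
pass in quick on pppoe0 proto tcp from any to 1.2.3.4 port = 22 flags S/SA keep state

# Steer only the server's SSH replies back out via ISP 2.
# <isp2 router> is the post's placeholder for the ISP 2 next hop (assumption:
# it is an address reachable on pppoe0). Matching source port 22 rather than
# "from 1.2.3.4" alone keeps the server's other traffic, which ISP 1 routes
# and which the rdr does not translate, on the default route through sip0.
pass in quick on sip1 to pppoe0:<isp2 router> proto tcp from 1.2.3.4 port = 22 to any
```

On a production box the rule files can be parsed without touching the running rule set first: `ipf -n -f /etc/ipf.conf` and `ipnat -n -f /etc/ipnat.conf` report syntax errors but make no changes, which is a safer first step than loading the rules with `ipf -Fa -f` / `ipnat -CF -f`.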