[email protected] wrote:
Hello,
I have two boxes set up with WAN CARP IPs which are NAT'ed to different
Virtual server pools. This is working slicker than banana peels in a Bugs
Bunny cartoon. The only problem is that I would like to be able to have
the outbound traffic NAT'ed to the inbound CARP IPs, but I can not find
how to do this in the outbound NAT settings unless I opt for 1:1 NAT
which I would rather not if possible.
Example:
Inbound to CARP IP 1.2.3.4 is NAT'ed to a virtual server pool at
192.168.1.10 which is load balanced to 192.168.1.11 and 192.168.1.12
Inbound to CARP IP 1.2.3.5 is NAT'ed to a virtual server pool at
192.168.1.50 which is load balanced to 192.168.1.25 and 192.168.1.26
With no manual outbound NAT all outbound traffic gets the address of the
Firewall WAN interface as is expected.
If I try to use manual outbound NAT I can only set it for an entire
network so I could set outbound to either 1.2.3.4 or 1.2.3.5, not really
optimal.
I would like to have the outbound traffic appear to be returning from
the respective CARP addresses. In other words, when a client makes a
request to 1.2.3.4, the return packets should have the IP of 1.2.3.4.
When a request is made to 1.2.3.5 the return packets should have the IP
of 1.2.3.5. I have only seen the ability to specify an entire network
(or any???) to outbound NAT such that all return packets would have the
IP of either 1.2.3.4 or 1.2.3.5.
In Linux iptables world I would do something like:
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.11 -j SNAT --to-source 1.2.3.4
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.25 -j SNAT --to-source 1.2.3.5
Am I missing something? I hope so.
Thank You for any suggestions,
JohnM
On 9/26/2012 2:28 PM, Adam Thompson wrote:
To translate outbound packets to anything other than the interface's primary
address, you have to override the default rules.
On the NAT screen, you should see an either-or choice between Automatic rules
and manual (maybe called advanced, not sure as I'm not at a computer right now).
You'll have to turn off the automatic NAT rules and use your own. IIRC, when
you switch modes, it exposes the automatic rules currently in place, so you can
probably just edit them.
-Adam
Thank You Adam,
Hope you don't mind I moved to bottom post, answers after question and
all that. It is a personal thing :-)
I had done as you suggested prior to the mail but I am unable to figure
out how to get the manual outbound to apply to anything other than the
entire network. In the outbound NAT rules page there is a drop down
that has only two choices, network or any. Are you saying that I should
use network with a /32 to limit it to a single address?
I would try this before replying but with all the changes made for
testing I seem to have borked my VPN a bit and need to find out what I
messed up so I can get back to a known starting point.
Thanks,
JohnM
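For reference, here is what the "Network with a /32" approach from the question looks like underneath the pfSense GUI. pfSense's manual outbound NAT rules are rendered into pf `nat` rules, and pf evaluates translation rules first-match, so the per-host (or per-pool) rules have to sit above the catch-all rule for the whole LAN. This is an added illustration written for this thread, not pf rules taken from the original posts or generated by pfSense itself; the interface name `em0` and the table names `<pool1>`/`<pool2>` are assumptions, while the CARP and pool addresses are the ones from the question.

```pf
# Added example (not from the original thread). Assumes the WAN interface is em0.
wan_if = "em0"

# Real servers behind each virtual server pool, taken from the question.
# Pool behind CARP VIP 1.2.3.4:
table <pool1> { 192.168.1.11, 192.168.1.12 }
# Pool behind CARP VIP 1.2.3.5:
table <pool2> { 192.168.1.25, 192.168.1.26 }

# Translation rules are first-match in pf, so the specific rules go first.
# Equivalent of: iptables ... -s 192.168.1.11 -j SNAT --to-source 1.2.3.4
nat on $wan_if from <pool1> to any -> 1.2.3.4
# Equivalent of: iptables ... -s 192.168.1.25 -j SNAT --to-source 1.2.3.5
nat on $wan_if from <pool2> to any -> 1.2.3.5

# Everything else on the LAN keeps using the WAN interface's own address.
# The parentheses make pf re-read the address if it changes (DHCP, etc.).
nat on $wan_if from 192.168.1.0/24 to any -> ($wan_if)
```

In the GUI the same thing is two "Network" rules with a /32 mask (one per real server, or one per pool if you use an alias) placed above the automatic /24 rule. One caveat worth keeping in mind: these outbound rules only affect connections that the pool members initiate themselves (updates, DNS, outbound mail and so on). Reply packets for a connection that arrived through a port forward to 1.2.3.4 are reverse-translated by the existing state entry and already leave with 1.2.3.4 as the source, with or without manual outbound NAT. Before committing the rules, `pfctl -nf /tmp/rules.debug` checks the syntax without loading them, and `pfctl -s nat` shows the translation rules currently in effect.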
_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list