Hi Gerard Lally,

I think it won't work like this, as you said:

  match out on $ext_if1 from $lan_net nat-to ($ext_if1)
  pass in on $int_if proto tcp from $lan_net to 123.456.789.xxx \
      port ftp route-to ($ext_if1 $ext_gw1)
  pass in quick on $int_if inet proto tcp to port 21 \
      divert-to 127.0.0.1 port 8021

The problem is that with divert-to 127.0.0.1 port 8021, the ftp-proxy can only go through the default gateway (fxp0 - WAN interface to ISP - xxx.xxx.xxx.116). So if you don't use the ftp-proxy, it will work for you like that:

  match out on $ext_if1 from $lan_net nat-to ($ext_if1)
  pass in on $int_if proto tcp from $lan_net to 123.456.789.xxx \
      port ftp route-to ($ext_if1 $ext_gw1)

Here you must use FTP passive mode.

> OpenBSD 5 i386
>
> fxp0 - WAN interface to ISP - xxx.xxx.xxx.116
> xl0 - WAN interface to head office via Cisco VPN - xxx.xxx.xxx.131
> xl1 - LAN interface to internal network - 192.168.1.0/24
>
> I need to route a small amount of FTP traffic to head office through a
> second WAN connection, which connects to the company VPN through a
> Cisco router over which I have no control. The remaining Internet
> traffic exits via a standard DSL link to the ISP.
>
> I do not need link aggregation of the two WAN interfaces.
>
> 1) Do I delete /etc/mygate and add routes instead to hostname.xl0 and
> hostname.fxp0?
>
> e.g.,
> /etc/hostname.fxp0
> inet xxx.xxx.xxx.116 255.255.255.240
> !route add 0.0.0.0 xxx.xxx.xxx.113
>
> /etc/hostname.xl0
> inet xxx.xxx.xxx.131 255.255.255.192
> !route add -net 123.456.789 xxx.xxx.xxx.129
>
> 2) I have two rules for NAT in pf.conf.
>
> match out on $ext_if1 from $lan_net nat-to ($ext_if1)
> match out on $ext_if2 from $lan_net nat-to ($ext_if2)
>
> What I am not clear about is how to deal with FTP to head office. I
> have ftp-proxy running. Do I use route-to on the internal interface
> before FTP traffic for head office from the LAN has been re-directed to
> ftp-proxy ...
>
> pass in on $int_if proto tcp from $lan_net to 123.456.789.xxx \
>     port ftp route-to ($ext_if1 $ext_gw1)
>
> pass in quick on $int_if inet proto tcp to port 21 \
>     divert-to 127.0.0.1 port 8021
>
> ... or on the external interface, after it has been re-directed
> through ftp-proxy:
>
> pass in quick on $int_if inet proto tcp to port 21 \
>     divert-to 127.0.0.1 port 8021
>
> pass out on $ext_if proto tcp from lo0 to 123.456.789.xxx \
>     port ftp route-to ($ext_if1 $ext_gw1)
>
> ?
>
> --
> Gerard Lally

--
co...@tetrachina.com
2011-11-15
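A complete pf.conf for the set-up the reply recommends (head-office FTP kept out of ftp-proxy and sent via xl0 with route-to, client in passive mode, all other FTP still diverted to ftp-proxy on the default-route link). This is an added illustration, not configuration from the original post or the reply. Interface and macro names follow the thread; every address is constructed from the RFC 5737 documentation ranges, and it assumes the static route to the head-office network from /etc/hostname.xl0 shown in the original post is in place.

```pf
# Added example: two-WAN pf.conf on OpenBSD 5.x, FTP to head office via xl0.
# Interface names are the thread's; all addresses below are constructed
# (RFC 5737 documentation ranges), not the poster's real ones.

ext_if1 = "xl0"            # WAN to head office via the Cisco VPN router
ext_gw1 = "192.0.2.129"    # next hop on xl0 (constructed)
ext_if2 = "fxp0"           # WAN to ISP; /etc/mygate or hostname.fxp0 sets
                           # the default route on this link
int_if  = "xl1"
lan_net = "192.168.1.0/24"
ho_net  = "203.0.113.0/24" # head-office network behind the VPN (constructed)
ho_ftp  = "203.0.113.10"   # head-office FTP server (constructed)

set skip on lo0
block return log all

# Source NAT on each WAN link; (iface) tracks that interface's address,
# so traffic forced out xl0 by route-to is translated to xl0's address.
match out on $ext_if1 from $lan_net nat-to ($ext_if1)
match out on $ext_if2 from $lan_net nat-to ($ext_if2)

# Head-office FTP control connection: force it out via xl0.  "quick" keeps
# the ftp-proxy divert-to rule below from claiming it; a diverted session
# would be re-originated by ftp-proxy on this host and would not be seen
# by this rule at all.  Syntax is the OpenBSD 5.x route-to ( if gw ) form
# used in the thread; newer releases take just the gateway address.
pass in quick on $int_if proto tcp from $lan_net to $ho_ftp port ftp \
    route-to ($ext_if1 $ext_gw1)

# Passive-mode data connections open to high ports on $ho_ftp, which the
# port-ftp rule above does not match.  They follow the kernel routing
# table, so the static route to $ho_net in hostname.xl0 must exist; this
# rule only permits them.
pass in quick on $int_if proto tcp from $lan_net to $ho_net

# FTP to anywhere else still goes through ftp-proxy(8), whose own outbound
# connections leave by the default route on fxp0.
pass in quick on $int_if inet proto tcp from $lan_net to port ftp \
    divert-to 127.0.0.1 port 8021
anchor "ftp-proxy/*"

# Remaining LAN traffic and the firewall's own connections.
pass in on $int_if from $lan_net
pass out
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, then `pfctl -vsr` to confirm the route-to rule sits above the divert-to rule and `pfctl -ss` to see that a head-office control connection is NATed to xl0's address while an Internet FTP session shows up as a diverted ftp-proxy state.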