On Wed, 26 Jul 2017, Sebastian Benoit wrote:

> Eric Johnson(eri...@colossus.gruver.net) on 2017.07.26 03:48:16 -0500:
> >
> > Yesterday I switched from using a single address for NAT to an address
> > pool.  I used the round-robin for the address pool with sticky-address in
> > the pf file.
> >
> > It seemed logical to me to add each IP address in the address pool to
> > interface with ifconfig.  I noticed a few minutes ago that I had forgotten
> > to configure one of the addresses in the address pool with ifconfig.  Yet
> > it all seemed to be working just fine.
> >
> > So I ran a test.  I looked to see which address in the pool it was using
> > for a test computer.  I deleted that address from the interface with
> > ifconfig and then went to the test computer and used ssh to connect to
> > this computer.
> >
> > It worked fine.  And when I checked the environment variables, SSH_CLIENT
> > showed the address.  So I was connecting from an address that was not
> > assigned to any interface!
> >
> > Did I see that correctly or am I hallucinating?  It is after 3 am here
> > after all.
>
> What you see is expected. PF takes the packets and does NAT on them before they
> reach the part of the network stack that handles local IP traffic (which is
> where the locally configured IPs come into play).
>
> It is fine to not configure them.
>
> As far as I can see, the only downside might be a bit of head-scratching when
> you are debugging problems.
>
> /B.

I was sure scratching my head this morning.

I'm going to do some more playing with this tomorrow morning about the
same time when nothing is happening to test the limits (if I'm awake).

It might be interesting to add the same IP address as a non-NATted
computer behind the firewall to the pool and see what happens.

Eric Johnson
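An added example, not part of the thread, of the kind of pf.conf the discussion assumes. It uses the OpenBSD `match ... nat-to` syntax (4.7 and later); the interface names `em0`/`em1` and the 203.0.113.0/24 pool are constructed values. It shows a pool with `round-robin sticky-address`, as in the original post, and spells out the one condition that still has to hold when the pool addresses are not configured with ifconfig: the return packets must still be delivered to the firewall's external interface, either by an upstream route for the pool or by adding the addresses as aliases so the firewall answers ARP for them.

```pf
# Added example (not from the original thread). Interface names and
# addresses are constructed; 203.0.113.0/24 is a documentation prefix.
ext_if  = "em0"
int_if  = "em1"
int_net = $int_if:network

# NAT pool. None of these addresses has to be configured on $ext_if with
# ifconfig: pf rewrites the source on the way out and, on the way back,
# rewrites the destination before the stack asks whether the address is local.
table <natpool> { 203.0.113.10, 203.0.113.11, 203.0.113.12 }

# round-robin walks the pool for each new internal source; sticky-address
# keeps a given internal host on the same pool address across connections,
# which is why SSH_CLIENT on the far side shows a stable pool address.
match out on $ext_if inet from $int_net nat-to <natpool> round-robin sticky-address

pass out on $ext_if inet from $int_net
pass in  on $int_if inet from $int_net

# Caveat the thread does not spell out: the reply still has to arrive on
# $ext_if at layer 2. Either the upstream router has a route for
# 203.0.113.0/24 pointing at $ext_if's own address, or each pool address is
# added as an alias (e.g. "inet alias 203.0.113.10 255.255.255.255" in
# /etc/hostname.em0) so the firewall answers ARP for it. Without one of the
# two, translation to an unconfigured address only works for addresses the
# upstream already knows how to deliver to this box.
```

To see which pool address a host is currently pinned to, `pfctl -ss | grep <internal address>` lists the state entries with both the internal and the translated address, which is the quickest way out of the head-scratching Sebastian mentions.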
