Just correcting the table names (they do match, regardless of what I previously typed).
On Tuesday 21 August 2007, Chris Smith wrote:
> Hello, and please help me retain what little hair I still have left :)
>
> Basic scenario - 5 interfaces, 3 outside (public), 2 inside (private).
>
> At this point I'm not trying to load balance, just use different routes to
> the outside world depending upon the source inside address.
>
> I have tried different rulesets, none have worked so far - I see no packets
> arriving from the inside on the 2 new outside interfaces.
>
> Currently I'm attempting the following -
>
> Interfaces and gateways (att is default route and does work always - I also
> define their addresses - adx):
>
> Outside:
> att_if
> wow_4_if wow_4_gw
> wow_8_if wow_8_gw
>
> Inside:
> s3_if
> alt_if
>
> Tables (different addresses should get routed through different outside
> interfaces):
> <att_bound>
> <wow_4_systems>
> <wow_8_systems>
>
> Nat rules:
>
> nat on $wow_8_if inet tag WOW_8_NAT tagged WOW_8 -> $wow_8_ad1
> nat on $wow_4_if inet tag WOW_4_NAT tagged WOW_4 -> $wow_4_ad1
> nat on $att_if inet tag ATT_NAT tagged ATT -> $att_ad1
>
> Filtering (narrowing to s3_if in for now):
>
> pass in on $s3_if proto tcp from $s3_if:network to !$alt_if:network port $tcp_ports tag ATT flags S/SA keep state
> pass in on $s3_if proto tcp from <wow_8_systems> to !$alt_if:network port $tcp_ports tag WOW_8 flags S/SA keep state
> pass in on $s3_if proto tcp from <wow_4_systems> to !$alt_if:network port $tcp_ports tag WOW_4 flags S/SA keep state
>
> pass out on $att_if proto tcp all keep state flags S/SA
> pass out on $att_if route-to ($wow_4_if $wow_4_gw) proto tcp all tagged WOW_4_NAT keep state flags S/SA
> pass out on $att_if route-to ($wow_8_if $wow_8_gw) proto tcp all tagged WOW_8_NAT keep state flags S/SA
>
> pass out on $wow_4_if proto tcp all keep state flags S/SA
> pass out on $wow_8_if proto tcp all keep state flags S/SA
>
> So if this looks like I'm confused - I am! I've tried putting the route-to
> on the pass-in rules which hasn't helped so far either, so I thought I would
> try the above to no avail.
>
> It seems that the pass in rules should tag the packets, the nat rules should
> then nat to the correct address based on those tags and retag the packets
> as natted (_NAT). The tagged natted packets will start for the default
> route and then get rerouted, if necessary, based on their tags.
>
> Please show me the error of my ways.
>
> Thank you.
> --
> Chris
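The route-to/nat interplay the quoted post describes, written out as an added example pf.conf that is not from this thread and not Chris's ruleset. It rests on pf's order of operations: a nat rule is only evaluated for packets that actually leave the interface it names, and route-to on an inbound rule replaces the kernel's routing decision before that outbound pass happens. With the quoted layout, a WOW_8-tagged packet is routed toward $att_if by the default route, so the nat rule on $wow_8_if never sees it, the WOW_8_NAT tag is never set, and the tagged route-to rule on $att_if never matches; the packet leaves $att_if untranslated. Putting route-to on the inbound rules and keying each outside interface's nat on the source range avoids that circularity. Interface names, gateway addresses, the two table ranges and $tcp_ports are constructed placeholders.

```pf
# Added example, not the poster's ruleset. Interface names, gateways,
# table contents and tcp_ports are constructed placeholders.
att_if    = "em0"            # carries the system default route
wow_4_if  = "em1"
wow_4_gw  = "203.0.113.1"    # placeholder next hop for wow_4_if
wow_8_if  = "em2"
wow_8_gw  = "198.51.100.1"   # placeholder next hop for wow_8_if
s3_if     = "em3"
alt_if    = "em4"
tcp_ports = "{ 80, 443 }"

# Inside hosts that should leave via each secondary uplink (placeholders).
table <wow_4_systems> { 192.168.1.0/26 }
table <wow_8_systems> { 192.168.1.64/26 }

# Translation is evaluated on the interface a packet actually exits, so
# each outside interface gets its own nat rule keyed on the source range
# rather than on a tag that another interface's nat rule would have set.
# ($if) means "the address currently configured on that interface".
nat on $att_if   inet from $s3_if:network  to any -> ($att_if)
nat on $wow_4_if inet from <wow_4_systems> to any -> ($wow_4_if)
nat on $wow_8_if inet from <wow_8_systems> to any -> ($wow_8_if)

# route-to belongs on the inbound rule: it overrides the routing decision
# before the outbound nat/filter pass, so <wow_*> traffic really reaches
# $wow_*_if and the matching nat rule above fires. pf's last matching rule
# wins, so the table-specific rules must follow the general one.
pass in on $s3_if proto tcp from $s3_if:network to !$alt_if:network \
    port $tcp_ports flags S/SA keep state
pass in on $s3_if route-to ($wow_4_if $wow_4_gw) proto tcp \
    from <wow_4_systems> to !$alt_if:network port $tcp_ports flags S/SA keep state
pass in on $s3_if route-to ($wow_8_if $wow_8_gw) proto tcp \
    from <wow_8_systems> to !$alt_if:network port $tcp_ports flags S/SA keep state

# Outbound: a plain pass on every outside interface. The state created by
# the inbound rule already records the chosen interface and gateway.
pass out on $att_if   proto tcp all flags S/SA keep state
pass out on $wow_4_if proto tcp all flags S/SA keep state
pass out on $wow_8_if proto tcp all flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then watch the per-rule counters with `pfctl -vvs rules` while a host from one of the tables opens a connection: if the route-to rule's packet counter stays at zero the host is not actually in the table (or the general rule is listed after it), whereas a non-zero counter with no traffic on $wow_8_if points at the gateway or the nat rule on that interface. The poster's tag/tagged scheme can be kept on top of this if the tags are needed elsewhere; what matters is that the route-to decision is taken on the way in, not after the packet has already been committed to $att_if.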

