Hello,

You're right, looking again at this rule, it is unwanted to do the NAT on the inbound packets of the internal interface when the firewall is connected to multiple networks/interfaces. Thanks for the pointer to pf.conf(5). But what is meant with the statement a 'local IP address' in this context?

Thx
Rob

From: Bojidara Marinchovska [mailto:quintesse...@bobi.gateit.net]
Sent: Tuesday, 7 June 2011 14:13
To: Rob Sessink
CC: pf@benzedrine.cx
Subject: Re: nat-to and route-to specified in a single rule

Hello,

    pass in on $int_if from $network nat-to $ext_if

is different from

    pass out on $ext_if from $network nat-to $ext_if

Also from pf.conf(5): nat-to is usually applied outbound. If applied inbound, nat-to to a local IP address is not supported.

On 06/06/11 11:05, Rob Sessink wrote:
Hello,

In a multi-homed setup I am trying to route out packets over the secondary interface, on which also NAT is done. The environment consists of an OpenBSD 4.9 firewall with 3 em interfaces, connected to 2 DSL providers:

    em0: internal interface
    em1: first DSL
    em2: second DSL

I did some testing with the following ruleset, where I have specified a nat-to and route-to statement in a single rule:

    ########### rules ###########
    pass in log on em0 from 192.168.1.118 nat-to (e2gress:0) route-to (em2 80.100.x.x)
    pass out log on em2

    ########### states ###########
    all icmp 74.125.77.104:8 <- 80.100.x.x:54000 (192.168.1.118:9035)       0:0
    all icmp 80.100.x.x:54000 -> 74.125.77.104:8       0:0

This setup somewhat works. When pinging an upstream host, the packets get sent out over the secondary interface, but the first packet is always dropped! According to the pf.conf man page this rule specification is possible. My question is: is this kind of rule specification allowed and intended to be working in PF? When splitting the nat-to / route-to statement in the ruleset, everything works fine.

    ########### rules ###########
    pass in log on em0 from 192.168.1.118 route-to (em2 80.100.x.x)
    pass out log on em2 from 192.168.1.118 nat-to (em2:0)

    ########### states ###########
    all icmp 74.125.77.104:8 <- 192.168.1.118:8779       0:0
    all icmp 80.100.x.x:9676 (192.168.1.118:8779) -> 74.125.77.104:8       0:0

Regards
Rob
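As an added example that is not from either poster, the pattern the thread settles on, written out as a pf.conf fragment for the three-interface setup described above: route-to is applied only on the inbound LAN rule, nat-to only on the outbound rule of each uplink, and reply-to keeps answers to connections that arrived on the second link on that link. The macro names, the two gateway addresses and the example host list are assumptions.

```pf
# Added example, not from the thread. Interface names follow the
# thread; the gateway addresses and host list are placeholders.
int_if  = "em0"
dsl1_if = "em1"
dsl2_if = "em2"
dsl1_gw = "203.0.113.1"      # placeholder upstream gateway on em1
dsl2_gw = "198.51.100.1"     # placeholder upstream gateway on em2
lan      = "192.168.1.0/24"
via_dsl2 = "{ 192.168.1.118 }"   # hosts steered over the second link

set skip on lo

block log all

# Inbound from the LAN: only pick the egress path here, no nat-to.
# Traffic not listed in $via_dsl2 follows the routing table (em1).
pass in on $int_if from $lan to !$lan
# Last matching rule wins, so the more specific steering rule goes last.
pass in on $int_if from $via_dsl2 to !$lan route-to ($dsl2_if $dsl2_gw)

# Outbound on each uplink: translate to that interface's own address,
# which is where pf.conf(5) expects nat-to to be applied.
pass out on $dsl1_if from $lan nat-to ($dsl1_if:0)
pass out on $dsl2_if from $lan nat-to ($dsl2_if:0)

# A service reached through the second link must answer through it,
# otherwise replies would leave via the default route on em1.
pass in on $dsl1_if proto tcp to ($dsl1_if) port 22
pass in on $dsl2_if proto tcp to ($dsl2_if) port 22 reply-to ($dsl2_if $dsl2_gw)

# The firewall's own traffic may use either uplink.
pass out on { $dsl1_if $dsl2_if } from self
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `pfctl -ss` to confirm each state shows the translated address only on the uplink side, as in the second state listing in the thread.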