On Thu, 10 Mar 2005 10:58:35 -0800, Ben <[EMAIL PROTECTED]> wrote:

> nat on rl0 from $internal_net to !$internal_net -> (rl0)
> nat on rl1 from $internal_net to !$internal_net -> (rl1)
> <snip>
> pass in on em0 route-to (rl1 128.195.88.1) from 192.168.1.142 to
> !$internal_net keep state
> pass out on rl1 from 192.168.1.142 to !$internal_net keep state

Make sure you've changed your $internal_net to be "192.168.1.0/24"
instead of "192.168.1.0" or use em0:network.

> rl0 is connected to the cable modem, rl1 is connected to the campus
> network (which is NOISY!), if I have to I can just have the wife plug her
> computer into the campus network directly, but it would be infinitely more
> preferred to be able to route all traffic from a specific IP address through
> the campus network while still keeping a firewall between the machine and
> campus. (Also, I'd prefer not to have to add route to commands for each
> subnet she will connect to.)

What I have in a similar situation (serving residents):
em0 -> public internet (y.y.y.y/29)
vlan700 connects to a private network that connects to university
network (x.x.0.0/16)
vlan101 through 109 are 10.1.1.0/24 through 10.1.9.0/24 for students

We needed to make sure student traffic to the university went out
directly on vlan700, but everything else went out the public internet
side. The university network is a publicly routable /16, but the
residence and university use different ISPs so the traffic took a 4000
mile trip and made things far slower than would be liked.

Summarized rules:
nat on em0 from vlan101:network to !10.0.0.0/8 -> y.y.y.y/31 source-hash
nat on vlan700 from 10.0.0.0/8 to x.x.0.0/16 -> (vlan700)
pass in  on vlan101 from vlan101:network to any keep state
pass in  on vlan101 route-to (vlan700 172.16.0.129) from
vlan101:network to x.x.0.0/16 keep state
pass out on vlan101 from any to vlan101:network
pass out on vlan700 proto tcp all modulate state flags S/SA
pass out on vlan700 proto { udp, icmp } all keep state


So what you're probably looking for (very abbreviated ruleset) is:
nat on rl0 from !$wife to !em0:network -> (rl0)
nat on rl1 from $wife to !em0:network -> (rl1)
#drop junk on em0 to make the !$wife nat safer
antispoof quick for em0
pass in on em0 route-to (rl1 gw1) from $wife to any keep state

Or, try a binat rule on the rl1 interface for your wife's computer.
Spare IP might help, but you shouldn't have any problems.
binat on rl1 from $wife to any -> (rl1)
pass in on em0 route-to (rl1 gw1) from $wife to any keep state

Hopefully that helps or gives you an idea.

-- 
Jon Simola
Systems Administrator
ABC Communications
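The abbreviated ruleset above expanded into a complete pf.conf, added here as an illustration rather than anything posted in the thread. It assumes em0 is the LAN, rl0 the cable modem, rl1 the campus link, and takes the host and campus gateway addresses from the original post; the macro names are my own.

```pf
# Added example pf.conf (OpenBSD pf, 2005-era syntax); not from the thread.
# Assumed interfaces: em0 = inside LAN, rl0 = cable modem, rl1 = campus.
int_if     = "em0"
ext_cable  = "rl0"
ext_campus = "rl1"
wife       = "192.168.1.142"     # host to be policy-routed via campus
campus_gw  = "128.195.88.1"      # next hop on rl1, from the original post

scrub in all

# NAT: everybody except $wife leaves via the cable modem, $wife via campus.
# Matching on $int_if:network (the /24) rather than a bare host address.
nat on $ext_cable  from !$wife to !$int_if:network -> ($ext_cable)
nat on $ext_campus from  $wife to !$int_if:network -> ($ext_campus)

block all
pass quick on lo0

# Drop packets arriving on rl0/rl1 that claim a LAN source address, so a
# forged $wife source cannot be NATed out the campus side.
antispoof quick for { lo0, $int_if }

# pf is last-match-wins without 'quick', so the general LAN rule comes
# first and the route-to rule for $wife overrides it for off-LAN traffic.
pass in on $int_if from $int_if:network to any keep state
pass in on $int_if route-to ($ext_campus $campus_gw) \
        from $wife to !$int_if:network keep state

# Replies and inbound-to-LAN traffic that already has state.
pass out on $int_if from any to $int_if:network keep state

# Outbound on both uplinks; the state entries let the replies back in,
# so nothing is passed in on rl0 or rl1 beyond the state table.
pass out on $ext_cable  proto tcp all modulate state flags S/SA
pass out on $ext_cable  proto { udp, icmp } all keep state
pass out on $ext_campus proto tcp all modulate state flags S/SA
pass out on $ext_campus proto { udp, icmp } all keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and confirm the split with `pfctl -ss` by watching which interface the state for 192.168.1.142 is created on.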
