On Mon, May 01, 2006 at 08:26:37PM -0400, jared r r spiegel wrote:

> my5addrs="1.2.0.1 1.2.0.2 1.2.0.3 1.2.0.4 1.2.0.5"
> 
> nat on $ext -> { $my5addrs }
> 
>   i've never dealt personally with multiple egress IPs, but that
>   syntax passes the parser

Yes, that should work. pf will automatically cycle through those
addresses when you establish multiple non-TCP/UDP/ICMP connections to
the same external host. You don't need special syntax to enable that.

When you already have an ongoing VPN connection from, say, 10.1.2.3
to 62.65.145.30 NATed to 1.2.0.1, and then open another one (from
any other 10/8 to 62.65.145.30), it will also try to use 1.2.0.1 as
replacement address, note the conflict with the existing state entry,
then try the next one (1.2.0.2). Only when you exhaust all four
addresses (try to establish a fifth concurrent VPN connection to
62.65.145.30), there will be a state insertion failure.

Daniel
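As an added illustration of the retry-on-conflict behaviour Daniel describes (this is a model written for this thread, not pf's source), the block below simulates a NAT state table for a portless protocol such as ESP: each new connection walks the pool from the quoted `my5addrs` line, skips an address already in use towards the same peer, and reports a state insertion failure once the pool is exhausted. The protocol name, the `10.1.2.x` source hosts and the second peer address are constructed sample values.

```python
# Added example: a small simulation of the pf NAT address-selection behaviour
# described in the reply above. It is NOT pf's code; it models a state table
# keyed the way a portless protocol (e.g. ESP/GRE) would be, where a NAT state
# is identified by (proto, translated source, destination) and there is no
# source port available to disambiguate a second connection to the same peer.

POOL = ["1.2.0.1", "1.2.0.2", "1.2.0.3", "1.2.0.4", "1.2.0.5"]  # my5addrs


class NatStateTable:
    """Models the set of existing NAT states and the try-next-address retry."""

    def __init__(self, pool):
        self.pool = list(pool)
        self.states = set()  # (proto, nat_addr, dst) for portless protocols

    def translate(self, proto, src, dst):
        """Return the chosen NAT address, or None on state insertion failure.

        Mirrors the reply: the pool is tried in order, an address whose
        (proto, nat_addr, dst) state already exists is skipped, and the
        insertion fails only when every pool address is in use towards dst.
        """
        for nat_addr in self.pool:
            key = (proto, nat_addr, dst)
            if key in self.states:
                continue  # conflict with an existing state entry: try next
            self.states.add(key)
            return nat_addr
        return None  # pool exhausted: state insertion failure


def simulate(connections, pool=POOL):
    """Apply (proto, src, dst) tuples in order and return the chosen addresses."""
    table = NatStateTable(pool)
    return [table.translate(*conn) for conn in connections]


if __name__ == "__main__":
    # Constructed sample: six ESP connections from different 10/8 hosts to the
    # same VPN peer 62.65.145.30, plus one to an unrelated peer (constructed).
    sample = [("esp", f"10.1.2.{i}", "62.65.145.30") for i in range(3, 9)]
    sample.append(("esp", "10.9.9.9", "62.65.145.31"))
    for conn, result in zip(sample, simulate(sample)):
        print(conn, "->", result if result else "STATE INSERTION FAILURE")
```

The unrelated peer still gets `1.2.0.1`, showing that the conflict is per destination, not a global exhaustion of the pool.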
