Hi
I have 2 external interfaces on my router. One interface is via DSL
(vr0) and one interface is a tunnel over the DSL (tun0).
vr0 provides 1 dynamic ip address and tun0 four static ip addresses.
All these addresses are external internet addresses.
I also have an internal interface, fxp0 where the router is 10.0.0.1
and is providing clients with 10.0.0.x addresses via DHCP.
What I would like to do here is:
* Map four internal 10.0.0.x addresses of the internal interface to
the external addresses provided by the tunnel
* Map the rest of the 10.0.0.x addresses of the internal interface
directly to the DSL connection with NAT.
My pf.conf is supplied below
What I experience is that the BINAT rules work great. The mapping
between the four static internal addresses and the internal four
addresses works great.
The NAT rule, however, does not seem to work:
nat on $ext_if from $int_if:network to any -> { $ext_if }
This works however:
nat on $tun_if from $int_if:network to any -> { $tun_if }
But I don't want to pass this traffic into the tunnel because of its
bandwidth limitations.
A BINAT rule from one internal address to the external DSL interface
here works good as well however this is only 1:1 mapping and I need
many 10.0.0.x internal addresses to map to this external dynamic
address.
If anyone can give me some hints or suggestions about this problem I
would greatly appreciate it.
Thanks in advance
/Jens
# $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
ext_if="vr0"    # DSL interface, 1 external dynamic ip address
tun_if="tun0"   # OpenVPN tunnel via vr0. Provides 4 external static ip addresses
int_if="fxp0"   # Internal interface 10.0.0.0/24
int_net="10.0.0.0/24"
# The following computers need to be mapped to their external IP addresses
intaddr_whiterussian="10.0.0.1"
intaddr_irishcoffe="10.0.0.6"
intaddr_bloodymary="10.0.0.3"
intaddr_longislandicetea="10.0.0.8"
#External ip addresses
tunaddr_whiterussian="55.55.55.51"
tunaddr_irishcoffe="55.55.55.52"
tunaddr_bloodymary="55.55.55.53"
tunaddr_longislandicetea="55.55.55.54"
set skip on lo
# Map internal addresses to external
binat on $tun_if proto {tcp, udp, icmp} from $intaddr_irishcoffe to any -> $tunaddr_irishcoffe
binat on $tun_if proto {tcp, udp, icmp} from $intaddr_bloodymary to any -> $tunaddr_bloodymary
binat on $tun_if proto {tcp, udp, icmp} from $intaddr_longislandicetea to any -> $tunaddr_longislandicetea
# Traffic on addresses not mapped with BINAT should be NATed via vr0
# (ie. not be pushed via the tunnel but rather pushed directly on the DSL line)
# The below does not work though
nat on $ext_if from $int_if:network to any -> { $ext_if }
# Enabling the below makes it possible to access the Internet via $ext_if
# from 10.0.0.10 but only 10.0.0.10.
# This is what I want with NAT above but for the whole 10.0.0.0/24 net
# (except BINATed addresses).
#binat on $tun_if proto {tcp, udp, icmp} from 10.0.0.10 to any -> $ext_if:0
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"
block in
pass out
# Internal network
pass in on { $int_if } inet proto tcp from $int_net to any flags S/SA modulate state
pass in on { $int_if } inet proto { udp, icmp } from $int_net to any keep state
# Internet
pass in quick proto tcp to any port 22 keep state
pass in on { $tun_if } proto { tcp, udp } from any to $tunaddr_longislandicetea port 33666 keep state
pass in on { $tun_if } proto { tcp } from any to $tunaddr_whiterussian port { 20, 21, 22, 25, 80, 110, 119, 136, 137, 138, 139, 143, 443, 993, 995 }
pass in on { $tun_if } proto { tcp } from any to $tunaddr_irishcoffe port { 51413 }