On Aug 28, 12:45 am, [EMAIL PROTECTED] wrote:
> Hi
>
> I have 2 external interfaces on my router. One interface is via DSL
> (vr0) and one interface is a tunnel over the DSL (tun0).
> vr0 provides 1 dynamic ip address and tun0 four static ip addresses.
> All these addresses are external internet addresses.
> I also have an internal interface, fxp0 where the router is 10.0.0.1
> and is providing clients with 10.0.0.x addresses via DHCP.
>
> What I would like to do here is:
>  * Map four internal 10.0.0.x addresses of the internal interface to
> the external addresses provided by the tunnel
>  * Map the rest of the 10.0.0.x addresses of the internal interface
> directly to the DSL connection with NAT.
>
> My pf.conf is supplied below
> What I experience is that the BINAT rules works great. The mapping
> between the four static internal addresses and the internal four
> addresses works great.
>
> The NAT rule, however, does not seem to work:
> nat on $ext_if from $int_if:network to any -> { $ext_if }
>
> This works however:
> nat on $tun_if from $int_if:network to any -> { $tun_if }
>
> But I don't want to pass this traffic into the tunnel because of its
> bandwidth limitations
>
> A BINAT rule from one internal address to the external DSL interface
> works well here too, however this is only a 1:1 mapping and I need
> many 10.0.0.x internal addresses to map to this external dynamic
> address.
>
> If anyone can give me some hints or suggestions about this problem I
> would greatly appreciate it
> Thanks in advance
> /Jens
>
> #       $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
> #
> # See pf.conf(5) and /usr/share/pf for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> ext_if="vr0"       #DSL interface, 1 external dynamic ip address
> tun_if="tun0"      #OpenVPN tunnel via vr0. Provides 4 external static ip addresses
> int_if="fxp0"      #Internal interface 10.0.0.0/24
>
> int_net="10.0.0.0/24"
>
> #The following computers need to be mapped to their external IP addresses
> intaddr_whiterussian="10.0.0.1"
> intaddr_irishcoffe="10.0.0.6"
> intaddr_bloodymary="10.0.0.3"
> intaddr_longislandicetea="10.0.0.8"
>
> #External ip addresses
> tunaddr_whiterussian="55.55.55.51"
> tunaddr_irishcoffe="55.55.55.52"
> tunaddr_bloodymary="55.55.55.53"
> tunaddr_longislandicetea="55.55.55.54"
>
> set skip on lo
>
> #Map internal addresses to external
> binat on $tun_if proto {tcp, udp, icmp} from $intaddr_irishcoffe to any -> $tunaddr_irishcoffe
> binat on $tun_if proto {tcp, udp, icmp} from $intaddr_bloodymary to any -> $tunaddr_bloodymary
> binat on $tun_if proto {tcp, udp, icmp} from $intaddr_longislandicetea to any -> $tunaddr_longislandicetea
>
> #Traffic on addresses not mapped with BINAT should be NATed via vr0 (ie. not be pushed via the tunnel but rather pushed directly on the DSL line)
> #The below does not work though
> nat on $ext_if from $int_if:network to any -> { $ext_if }
>
> #Enabling the below makes it possible to access the Internet via $ext_if from 10.0.0.10 but only 10.0.0.10.
> #This is what I want with NAT above but for the whole 10.0.0.0/24 net (except BINATed addresses).
> #binat on $tun_if proto {tcp, udp, icmp} from 10.0.0.10 to any -> $ext_if:0
>
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
> rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> anchor "ftp-proxy/*"
>
> block in
> pass out
>
> #Internal network
> pass in on { $int_if } inet proto tcp from $int_net to any flags S/SA modulate state
> pass in on { $int_if } inet proto { udp, icmp } from $int_net to any keep state
>
> #Internet
> pass in quick proto tcp to any port 22 keep state
>
> pass in on { $tun_if } proto { tcp, udp } from any to $tunaddr_longislandicetea port 33666 keep state
> pass in on { $tun_if } proto { tcp } from any to $tunaddr_whiterussian port { 20, 21, 22, 25, 80, 110, 119, 136, 137, 138, 139, 143, 443, 993, 995 }
>
> pass in on { $tun_if } proto { tcp } from any to $tunaddr_irishcoffe port { 51413 }

Finally I found a solution...
If I made the NAT rule look like this it worked:

nat on $tun_if from $int_if:network to any -> $ext_if

Now the question is why.... I think it is completely crazy that $tun_if
is even part of this rule.
Anyone know how this works and can explain it to me?

BR/
Jens
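An added toy evaluator (not from the thread, and not pf itself) that mirrors how pf consults translation rules, to illustrate one explanation that fits the symptom: a `nat on $ext_if` rule is only consulted for packets that actually leave on vr0, so if the default route points into the tunnel, ordinary clients leave on tun0 and never reach it, while `nat on $tun_if ... -> $ext_if` rewrites them to vr0's address as they enter the tunnel. The interface addresses, the default-route assumption and the use of `$int_net` in place of `$int_if:network` are constructed here, not taken from the post.

```python
import ipaddress
# Constructed interface addresses (assumption, not from the post).
IF_ADDR = {"vr0": "198.51.100.7", "tun0": "55.55.55.50"}
# Macros from the post; $int_if:network is written as the equivalent $int_net.
MACROS = {"$ext_if": "vr0", "$tun_if": "tun0", "$int_net": "10.0.0.0/24",
          "$intaddr_irishcoffe": "10.0.0.6", "$tunaddr_irishcoffe": "55.55.55.52"}

def parse_rules(text):
    """Parse 'binat|nat on IF [proto ...] from SRC to any -> TARGET' lines,
    expanding macros and dropping comments; returns (kind, if, net, target)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        for macro, value in MACROS.items():
            line = line.replace(macro, value)
        head, target = line.split("->")
        words = head.split()
        src = words[words.index("from") + 1]
        rules.append((words[0], words[2], ipaddress.ip_network(src),
                      target.strip(" {}")))
    return rules

def translate(rules, src_ip, egress_if):
    """Source address a packet from src_ip gets when it leaves via egress_if,
    or None if no translation rule on that interface matches. Mirrors pf's
    outbound order: binat is consulted before nat, first match wins."""
    ip = ipaddress.ip_address(src_ip)
    for kind in ("binat", "nat"):
        for rkind, ifname, net, target in rules:
            if rkind == kind and ifname == egress_if and ip in net:
                return IF_ADDR.get(target, target)
    return None

# The poster's original rules (one binat shown) and the nat rule that fixed it.
ORIGINAL = parse_rules("""
binat on $tun_if proto {tcp, udp, icmp} from $intaddr_irishcoffe to any -> $tunaddr_irishcoffe
nat on $ext_if from $int_net to any -> { $ext_if }
""")
FIXED = parse_rules("""
binat on $tun_if proto {tcp, udp, icmp} from $intaddr_irishcoffe to any -> $tunaddr_irishcoffe
nat on $tun_if from $int_net to any -> $ext_if
""")

if __name__ == "__main__":
    # With the default route inside the tunnel, 10.0.0.10 leaves on tun0:
    print(translate(ORIGINAL, "10.0.0.10", "tun0"))  # None, nat rule is on vr0
    print(translate(FIXED, "10.0.0.10", "tun0"))     # 198.51.100.7
```

The binat'ed host keeps its static tunnel address under both rulesets, because binat is matched before nat on the same interface.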
