On Aug 29, 3:10 pm, [EMAIL PROTECTED] (Karl O. Pinc) wrote:
> On 08/28/2008 08:13:50 AM, [EMAIL PROTECTED] wrote:
>
> > On Aug 28, 12:45 am, [EMAIL PROTECTED] wrote:
> > > #       $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
> > > #Map internal addresses to external
> > > binat on $tun_if proto {tcp, udp, icmp} from $intaddr_irishcoffe to any -> $tunaddr_irishcoffe
> > > binat on $tun_if proto {tcp, udp, icmp} from $intaddr_bloodymary to any -> $tunaddr_bloodymary
> > > binat on $tun_if proto {tcp, udp, icmp} from $intaddr_longislandicetea to any -> $tunaddr_longislandicetea
>
> > > #Traffic on addresses not mapped with BINAT should be NATed via vr0 (ie. not be pushed via the tunnel but rather pushed directly on the DSL line)
> > > #The below does not work though
> > > nat on $ext_if from $int_if:network to any -> { $ext_if }
>
> > > #Enabling the below makes it possible to access the Internet via $ext_if from 10.0.0.10 but only 10.0.0.10.
> > > #This is what I want with NAT above but for the whole 10.0.0.0/24 net (except BINATed addresses).
> > > #binat on $tun_if proto {tcp, udp, icmp} from 10.0.0.10 to any -> $ext_if:0
>
> > > nat-anchor "ftp-proxy/*"
> > > rdr-anchor "ftp-proxy/*"
> > > rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> > If I made the NAT rule look like this it worked:
>
> > nat on $tun_if from $int_if:network to any -> $ext_if
>
> > Now the question is why....
>
> It's because your binat rule has already translated the datagrams'
> IP addresses before your nat rule sees the datagrams, so as
> originally written the nat rule does not match.
>
> FYI, binat rules are done before nat rules regardless of the
> order in which they appear in pf.conf.
>
> Karl <[EMAIL PROTECTED]>
> Free Software: "You don't pay back, you pay forward."
>                   -- Robert A. Heinlein
Thank you very much for the reply
But... The BINAT rule is between $int_if and $tun_if
And the NAT rule is between $int_if and $ext_if
I cannot see how the BINAT rule could translate anything which makes
this not work.
BINAT only handles 3 IP addresses in the 10.0.0.0/24 net.
Then the rest of the addresses are not affected, I thought?
Wouldn't the NAT rule handle the rest of them then?
and push it over to the $ext_if interface?
BR/
Jens
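Karl's point about evaluation order, as an added example that is not part of this thread and not pf's own code: a small Python model of pf's outbound translation lookup (every binat rule is tried before any nat rule, whatever their order in pf.conf, and the first rule matching the outgoing interface and source wins), applied to the rules Jens posted. It assumes the tunnel interface is tun0, that $ext_if is vr0 as the post says, that the LAN's packets are routed out the tunnel, and it uses constructed placeholder addresses for the macros.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed placeholders for the macros in the posted pf.conf (assumptions).
INT_NET = ip_network("10.0.0.0/24")          # $int_if:network
EXT_ADDR = "192.0.2.1"                       # address of $ext_if (vr0)
TUN_IF, EXT_IF = "tun0", "vr0"               # $tun_if name is assumed
BINAT_HOSTS = {"10.0.0.2": "198.51.100.2",   # $intaddr_* -> $tunaddr_*
               "10.0.0.3": "198.51.100.3",
               "10.0.0.4": "198.51.100.4"}

@dataclass(frozen=True)
class Rule:
    kind: str          # "binat" or "nat"
    on: str            # interface the packet must be leaving on
    src: IPv4Network   # source addresses the rule matches
    to: str            # replacement source address

def posted_rules(nat_if: str) -> list:
    """The thread's rules in pf.conf order: three binat rules, then the one nat
    rule whose 'on' interface is what Jens changed ($ext_if first, $tun_if later)."""
    rules = [Rule("binat", TUN_IF, ip_network(h), t) for h, t in BINAT_HOSTS.items()]
    rules.append(Rule("nat", nat_if, INT_NET, EXT_ADDR))
    return rules

def translate(rules, out_if: str, src: str):
    """Model of pf's outbound translation lookup: binat rules are tried before
    nat rules regardless of their position in pf.conf; the first rule matching
    the outgoing interface and the source wins. Returns (kind, new src) or None."""
    s = ip_address(src)
    for kind in ("binat", "nat"):
        for r in rules:
            if r.kind == kind and r.on == out_if and s in r.src:
                return (kind, r.to)
    return None

def lan_egress(nat_if: str, out_if: str = TUN_IF) -> dict:
    """Translation seen by one binat'd host and one plain LAN host whose packets
    leave on out_if (assumed: the default route points out the tunnel)."""
    rules = posted_rules(nat_if)
    return {src: translate(rules, out_if, src) for src in ("10.0.0.2", "10.0.0.10")}

if __name__ == "__main__":
    print("nat on $ext_if:", lan_egress(EXT_IF))  # 10.0.0.10 gets no translation
    print("nat on $tun_if:", lan_egress(TUN_IF))  # 10.0.0.10 NATed, 10.0.0.2 still binat
    # Listing the nat rule before the binat rules changes nothing for 10.0.0.2:
    print(translate(list(reversed(posted_rules(TUN_IF))), TUN_IF, "10.0.0.2"))
```

The model shows both of the thread's observations: with `nat on $ext_if` the non-binat hosts leaving via the tunnel match nothing, and with `nat on $tun_if` they are NATed while the binat'd hosts keep their binat mapping because binat is consulted first.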