Hello,

pass in on $int_if from $network nat-to $ext_if is different from
pass out on $ext_if from $network nat-to $ext_if


Also from pf.conf(5)

    nat-to is usually applied outbound. If applied inbound, nat-to
    to a local IP address is not supported.

On 06/06/11 11:05, Rob Sessink wrote:

Hello,

In a multi-homed setup I am trying to route out packets over the secondary interface, on which NAT is also done.

The environment consists of an OpenBSD 4.9 firewall with 3 em interfaces, connected to 2 DSL providers

em0: internal interface

em1: first DSL

em2: second DSL

I did some testing with the understanding ruleset, where I have specified a nat-to and route-to statement in a single rule

########### rules ###########

pass in log on em0 from 192.168.1.118 nat-to (e2gress:0) route-to (em2 80.100.x.x)

pass out log on em2

########### states ###########

all icmp 74.125.77.104:8 <- 80.100.x.x:54000 (192.168.1.118:9035) 0:0

all icmp 80.100.x.x:54000 -> 74.125.77.104:8       0:0

This setup somewhat works. When pinging an upstream host, the packets get sent out over the secondary interface, but the first packet is always dropped!

According to the pf.conf man page this rule specification is possible. My question is: is this kind of rule specification allowed and intended to work in PF?

When splitting the nat-to / route-to statement in the ruleset everything works fine.

########### rules ###########

pass in  log on em0 from 192.168.1.118 route-to (em2 80.100.x.x)

pass out log on em2 from 192.168.1.118 nat-to (em2:0)

########### states ###########

all icmp 74.125.77.104:8 <- 192.168.1.118:8779       0:0

all icmp 80.100.x.x:9676 (192.168.1.118:8779) -> 74.125.77.104:8       0:0

Regards Rob
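As an added illustration (not part of this thread and not OpenBSD project code), here is a small Python lint that reads pf rule text and flags the pattern the reply points at: a `pass in` rule carrying `nat-to`, which pf.conf(5) says is usually applied outbound and is not supported inbound to a local address. It only understands the handful of keywords used in Rob's two rulesets (`in`/`out`, `log`, `on`, `from`, `to`, `nat-to`, `route-to`), not the full pf.conf grammar; the sample rulesets are copied from the post above, with the addresses as he redacted them. Run it against a ruleset before `pfctl -f` to catch the combined-rule variant that drops the first packet.

```python
import re
from typing import Dict, List

# Constructed sample input: the two rulesets from the post, x.x kept as redacted.
COMBINED_RULESET = """
pass in log on em0 from 192.168.1.118 nat-to (e2gress:0) route-to (em2 80.100.x.x)
pass out log on em2
"""

SPLIT_RULESET = """
pass in  log on em0 from 192.168.1.118 route-to (em2 80.100.x.x)
pass out log on em2 from 192.168.1.118 nat-to (em2:0)
"""

# Tokenizer: a parenthesised group such as "(em2 80.100.x.x)" is one token.
_TOKEN = re.compile(r"\([^)]*\)|\S+")


def parse_rule(line: str) -> Dict[str, object]:
    """Extract the keywords this toy lint cares about from one pf rule line."""
    toks = _TOKEN.findall(line)
    rule: Dict[str, object] = {
        "action": toks[0], "direction": None, "iface": None,
        "from": None, "to": None, "nat_to": None, "route_to": None, "log": False,
    }
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule["direction"] = t
        elif t == "log":
            rule["log"] = True
        elif t in ("on", "from", "to", "nat-to", "route-to") and i + 1 < len(toks):
            i += 1
            key = {"on": "iface", "nat-to": "nat_to", "route-to": "route_to"}.get(t, t)
            rule[key] = toks[i]
        i += 1
    return rule


def lint_ruleset(text: str) -> List[str]:
    """Return one warning per inbound rule that applies nat-to (pf.conf(5) caveat)."""
    warnings: List[str] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or not line.startswith(("pass", "match", "block")):
            continue
        rule = parse_rule(line)
        if rule["direction"] == "in" and rule["nat_to"]:
            warnings.append(
                f"line {n}: nat-to {rule['nat_to']} on an inbound rule; pf.conf(5): nat-to is "
                "usually applied outbound and inbound nat-to to a local address is not supported. "
                "Keep route-to on the 'pass in' rule and move nat-to to 'pass out on <ext_if>'."
            )
    return warnings


if __name__ == "__main__":
    for name, ruleset in (("combined", COMBINED_RULESET), ("split", SPLIT_RULESET)):
        print(f"{name}: {lint_ruleset(ruleset) or ['ok']}")
```

The split ruleset passes clean because nat-to sits on the `pass out on em2` rule, which is the shape the reply recommends.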

