Re: how 2 address&port map outbound traffic to multiple/different IPs on a single intfc?

2007-06-12 Thread Vasily Ivanov
Hello.

On 12 June 2007 09:20, snowcrash+freebsd wrote:
[- snip -]

> (2) from the POOLS discussion, 'simple' outbound NAT:
>
>   nat on $ext_if from z.z.z.102 port 25 to any -> ($ext_if)
>   nat on $ext_if from z.z.z.102 port 25 to any -> ($ext_if)
>
> doesn't do it either - i don't think -- as $ext_if picks up the
> "primary IP" assigned via the pppoe startup, x.x.x.1.

You can specify required IP explicitly, like 

nat on $ext_if from z.z.z.102 port 25 to any -> x.x.x.2

You don't even need aliases on interface (at least it works for my ethernet 
connection, dunno about pppoe). Just make sure your upstream routes traffic 
to your x.x.x.x/29 into your box.

>
> so, i think i'm in the right ballpark with *nat of some sort, but how
> do i get this done correctly?
>
> cheers!
> ___
> [EMAIL PROTECTED] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"

-- 
wbr, 
Vasily
http://www.academ.org
mailto: <[EMAIL PROTECTED]>
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
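The approach Vasily describes, written out as a complete pf.conf fragment. This is an added example, not configuration from any of the posters: the interface names, the internal 192.168.1.0/24 hosts, the public x.x.x.0/29 addresses and the macro names are all assumptions for illustration. It assumes, as Vasily notes, that the upstream already routes the /29 to this box; no aliases on tun0 are required for the translated addresses.

```pf
# /etc/pf.conf fragment (added example, not from the thread).
# Assumptions: tun0 is the PPPoE interface, x.x.x.1 is the address ppp
# negotiated for it, and the upstream routes all of x.x.x.0/29 to this box.
ext_if = "tun0"
int_if = "sis0"

# internal host -> public address it should appear as (assumed values)
mail_in  = "192.168.1.102"
mail_out = "x.x.x.2"
web_in   = "192.168.1.103"
web_out  = "x.x.x.3"

# Translation rules are first-match in this generation of pf, so the
# specific mappings must come before the catch-all below.
# "to any port 25" matches the destination port: outbound SMTP from the
# mail host is sourced from an ephemeral port, so a rule written as
# "from $mail_in port 25" would never match a client connection.
nat on $ext_if proto tcp from $mail_in to any port 25 -> $mail_out
nat on $ext_if           from $web_in  to any         -> $web_out

# Everything else leaves with whatever address ppp assigned to tun0;
# the parentheses make pf re-read the address when it changes.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Inbound half, so new connections to the public addresses reach the
# right hosts (a binat rule would give both directions in one line).
rdr on $ext_if proto tcp to $mail_out port 25         -> $mail_in
rdr on $ext_if proto tcp to $web_out  port { 80 443 } -> $web_in

# Filtering sees packets after translation, so pass on the internal address.
pass in  on $ext_if proto tcp to $mail_in port 25         keep state
pass in  on $ext_if proto tcp to $web_in  port { 80 443 } keep state
pass out on $ext_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, confirm the translation rules with `pfctl -sn`, then open a connection from the mail host and watch `pfctl -ss` for a state whose external side is x.x.x.2. The failure mode to look for is the routing one: if the upstream does not send x.x.x.0/29 to this box, outbound packets leave with the translated source but the replies never arrive, which `tcpdump -ni tun0 host x.x.x.2` will show as traffic in one direction only.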


Re: how 2 address&port map outbound traffic to multiple/different IPs on a single intfc?

2007-06-12 Thread snowcrash

hi greg,


There's a number of ways to do this.

Add the extra addresses as aliases to the internet facing interface. E.g

gw2:~ # cat /etc/rc.early /etc/rc.conf | egrep -i 'outside|alias' | sed -e
.
/sbin/ifconfig rue0 name outside
network_interfaces="lo0 outside inside"
ifconfig_outside="inet xx.yy.zz.251 netmask 0xfff8 up"
ifconfig_outside_alias0="inet xx.yy.zz.252 netmask 0x"
ifconfig_outside_alias1="inet xx.yy.zz.253 netmask 0x"


i am using aliases, but, atm, only for INTERNAL addresses on the
router/firewall. e.g., in rc.conf,

int_if = "sis0"
lo_if  = "lo0"
ifconfig_sis0="inet x.x.x.80 netmask 255.255.255.0 mtu 1492 polling"
ifconfig_sis0_alias0="x.x.x.81 netmask 255.255.255.0 mtu 1492 polling"
ifconfig_sis0_alias1="x.x.x.82 netmask 255.255.255.0 mtu 1492 polling"
ifconfig_sis0_alias2="x.x.x.83 netmask 255.255.255.0 mtu 1492 polling"
ifconfig_sis0_alias3="x.x.x.84 netmask 255.255.255.0 mtu 1492 polling"
dhcpd_ifaces="sis0"

the $ext_if, "tun0" (pppoe) is not created UNTIL ppp launches -- later.

so, iiuc -- which i may well not -- setting aliases for the ext intfc
would NOT work in rc.conf (early), but only (later) after ppp int'd
the alias ...

don't know what issues that causes for maintaining any/all required
synchronization with pf ... which would be expecting/addressing  those
external intfc aliases on startup.

so, don't think this is a viable option :-/

unless ...


Or. If you have control of the upstream router from your firewall add
static routes for either the entire cidr block or /32 host routes for each
address in the /29 you control.

The routes should point to the external address of the firewall.


aha.

i assume you really DO mean the upstream router here, NOT any router
capabilities ON the firewall box itself, yes?

if so, after pppoe setup/connect, ifconfig shows,

 tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
 inet x.x.x.1 --> aa.bb.cc.dd netmask 0x
 Opened by PID 511

and the upstream router, aa.bb.cc.dd, is my ISP's.

checking established routes, as per in "ppp.conf",

 add default HISADDR

checking routes, i see the one,

 netstat -nr | grep aa.bb.cc.dd
   Destination    Gateway        Flags  Refs  Use  Netif
   default        aa.bb.cc.dd    UGS       0   19  tun0
   aa.bb.cc.dd    x.x.x.1        UH        1    3  tun0

now, looking at that, i suspect i MIGHT be able to add add'l routes in
the ppp.conf transaction config -- e.g., instead of (just?)

 add default HISADDR

add something 'like'

 set ifaddr x.x.x.1 x.x.x.2 x.x.x.3 255.255.255.255
 add x.x.x.0/29 HISADDR

but, i have to search/fumble around with the correct pppoe-time syntax.

i assume that this would (?) set up additional external intfcs, which
would then be pf-addressable?

thoughts?

thanks!


RE: how 2 address&port map outbound traffic to multiple/different IPs on a single intfc?

2007-06-12 Thread Greg Hennessy
> so, i think i'm in the right ballpark with *nat of some sort, but how
> do i get this done correctly?
> 

There's a number of ways to do this. 

Add the extra addresses as aliases to the internet facing interface. E.g

gw2:~ # cat /etc/rc.early /etc/rc.conf | egrep -i 'outside|alias' | sed -e
.
/sbin/ifconfig rue0 name outside
network_interfaces="lo0 outside inside"
ifconfig_outside="inet xx.yy.zz.251 netmask 0xfff8 up"
ifconfig_outside_alias0="inet xx.yy.zz.252 netmask 0x"
ifconfig_outside_alias1="inet xx.yy.zz.253 netmask 0x"

Or. If you have control of the upstream router from your firewall add
static routes for either the entire cidr block or /32 host routes for each 
address in the /29 you control. 

The routes should point to the external address of the firewall. 


Greg


