Shouldn't that be nat on vlan0 not nat on bge1? Not quite sure how this is working actually. I'm surprised we give access to the parent interface of a vlan trunk.
--Bill

On 9/3/07, Eugen Leitl <[EMAIL PROTECTED]> wrote:
>
> I (still) have an unresolved issue with my work firewall
> (1.2-RC2) which I could really use some help with.
>
> To recap, my configuration (which works just fine, but)
> looks like this, with the last octet xxxed out in
> strategic places:
>
> # ifconfig -a
> bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
>         inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
>         inet6 fe80::21b:24ff:fe2d:b00b%bge0 prefixlen 64 scopeid 0x1
>         ether 00:1b:24:2d:b0:0b
>         media: Ethernet autoselect (1000baseTX <full-duplex>)
>         status: active
> bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
>         inet6 fe80::21b:24ff:fe2d:b00c%bge1 prefixlen 64 scopeid 0x2
>         inet 10.0.2.6 netmask 0xfffffffc broadcast 10.0.2.7
>         ether 00:1b:24:2d:b0:0c
>         media: Ethernet autoselect (1000baseTX <full-duplex>)
>         status: active
> enc0: flags=41<UP,RUNNING> mtu 1536
> pflog0: flags=100<PROMISC> mtu 33208
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>         inet 127.0.0.1 netmask 0xff000000
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
> pfsync0: flags=41<UP,RUNNING> mtu 2020
>         pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128
> vlan0: flags=9843<UP,BROADCAST,RUNNING,SIMPLEX,LINK0,MULTICAST> mtu 1500
>         inet 62.245.148.xxx netmask 0xffffffc0 broadcast 62.245.148.xxx
>         inet6 fe80::21b:24ff:fe2d:b00b%vlan0 prefixlen 64 scopeid 0x7
>         ether 00:1b:24:2d:b0:0c
>         media: Ethernet autoselect (1000baseTX <full-duplex>)
>         status: active
>         vlan: 3 parent interface: bge1
>
> (the vlan0 is due to a switch VLAN since I can only use 2 NICs
> out of 4 at the moment, until FreeBSD 7.x lands) and the ISP is
> rewriting the traffic originating from 10.0.2.6 to appear as if
> coming from 62.245.254.xxx.
>
> # pfctl -s nat
> nat-anchor "pftpx/*" all
> nat-anchor "natearly/*" all
> nat-anchor "natrules/*" all
> nat on bge1 inet from 192.168.0.0/24 to any -> (bge1) round-robin
> rdr-anchor "pftpx/*" all
> rdr-anchor "slb" all
> no rdr on bge0 proto tcp from any to <vpns> port = ftp
> rdr on bge0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
> rdr-anchor "imspector" all
> rdr-anchor "miniupnpd" all
>
> What I'm trying to do is to formulate the pf equivalent of
> (Linux) iptables ... -j SNAT --to-source 62.245.148.xxx
>
> I've tried adding some via Firewall->(advanced)NAT->Outbound which
> resulted in
>
> nat on bge1 inet from 192.168.0.0/24 to 62.245.148.xxx -> (bge1) round-robin
>
> which has no effect if added to the existing
>
> nat on bge1 inet from 192.168.0.0/24 to any -> (bge1) round-robin
>
> rule, and if used alone removes connectivity of machines behind NAT
> (the firewall still works fine, and whenever I check my apparent IP
> by
>
> fetch http://whatismyip.com && cat whatismyip.com | grep 'WhatIsMyIP.com -'
>
> it's unchanged).
>
> So I'm stuck with doing something stupid, and could really use a rule
> or a pfctl incantation to try that rule, which does the equivalent of
>
> iptables ... -j SNAT --to-source 62.245.148.xxx
>
> ?
>
> Can I has a nice rule plz? Kthx.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
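Editor's note, as an added example that is not part of either message above: pf matches a packet against the interface it is actually routed out of, so traffic that leaves through the VLAN interface is seen by pf on vlan0, and a nat rule written "on bge1" never sees it. The rule the original post attempted also put the public address in the "to" clause, which in pf syntax is the destination filter; the translation (source) address is the one after "->". The fragment below shows the pf.conf form of an iptables SNAT for this layout. It assumes vlan0 is the interface the default route uses and that the LAN is 192.168.0.0/24 on bge0; the literal 203.0.113.10 is a placeholder chosen for the example, not the poster's address.

```pf
# Added example, not from the thread. Assumes vlan0 (VLAN 3 on bge1) is the
# egress interface and 192.168.0.0/24 on bge0 is the LAN.
ext_if  = "vlan0"
lan_net = "192.168.0.0/24"

# Translate LAN traffic leaving vlan0 to whatever address vlan0 currently
# holds. The parentheses make pf re-read the interface address on change.
# This is the pf counterpart of "iptables -j SNAT --to-source <vlan0 addr>".
nat on $ext_if inet from $lan_net to any -> ($ext_if)

# Same rule with a fixed translation address. The address after "->" is the
# new source; the "to any" clause is the destination filter and must stay
# "any" for ordinary outbound traffic.
# ext_addr = "203.0.113.10"    # placeholder value, not the poster's address
# nat on $ext_if inet from $lan_net to any -> $ext_addr
```

Parse the file without loading it first (pfctl -nf /etc/pf.conf), load it, then confirm the rule is present with pfctl -s nat and that new connections from the LAN show the translated source in pfctl -s state. One caveat for pfSense: it regenerates its ruleset from the GUI configuration, so a hand edit to the pf ruleset is overwritten on the next apply; the durable change is to select the VLAN interface, not the parent NIC, as the interface of the outbound NAT rule.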
