On 6/21/11 12:30 AM, Gary Gatten wrote:
> On 6/20/11 5:07 PM, Martin McCormick wrote:
> 
> I was kinda going this route as well - policy based routing type thing, but, 
> is there an "easier" way?
> 
> 1.) Temporarily enable ipforwarding - not my favorite
> 2.) Instead of a second NIC, bind the new IP to the org nic (alias).
> 
> man ifconfig specifically mentions using alias during ip renumbering:
> 
> " alias   Establish an additional network address for this interface.  This
> is sometimes useful when changing network numbers, and one wishes to accept 
> packets addressed to the old interface.  If the address is on the same subnet 
> as the first network address for this interface, a non-conflicting netmask 
> must be given.  Usually 0xffffffff is most appropriate."
> 
> Once everything is transitioned, you may reconfigure the interface with the 
> "permanent" config.
> 
> G
> 
> 

Alias lets your interface have multiple IP addresses, however it will
not address your routing issue.

Find below the configuration we're using on firewalls both in the
195.158.0.0/16 network and 46.182.0.0/16 network.

In the case of a simple access rule:

# PASS quick SSH from trusted IPs
pass in quick on $ifvlan13 reply-to ($ifvlan13 $neo_vrrp_195) inet proto \
    tcp from <allowed_ssh> to <myself_wan_195> port 22
pass in quick on $ifvlan13 reply-to ($ifvlan13 $neo_vrrp_46) inet proto \
    tcp from <allowed_ssh> to <myself_wan_46> port 22

In the case of an RDR, where we redirect traffic to another host:
First we tag the packets in the RDR rule, then we make our access rule
only match the tagged packets.

# To VPN backoffice on both IP ranges
rdr on $ifvlan13 inet proto tcp from any to <myself_wan_195> port 1195 \
    tag rdr_195_1195 -> 10.104.10.244 port 1195
rdr on $ifvlan13 inet proto tcp from any to <myself_wan_46> port 1195 \
    tag rdr_46_1195 -> 10.104.10.244 port 1195
# PASS in openvpn backoffice
pass in log on $ifvlan13 reply-to ($ifvlan13 $neo_vrrp_195) inet proto \
    tcp from any to <openvpn> port 1195 tagged rdr_195_1195 keep state label \
    "PASS in openvpn_bo_195"
pass in log on $ifvlan13 reply-to ($ifvlan13 $neo_vrrp_46) inet proto \
    tcp from any to <openvpn> port 1195 tagged rdr_46_1195 keep state label \
    "PASS in openvpn_bo_46"
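An added check, written for this thread and not taken from the post or from the firewall config above: a small Python lint that cross-checks each rdr tag against the pass rule that is supposed to accept it, and verifies that the pass rule's reply-to gateway belongs to the uplink the redirected public address lives on. The mapping of address tables to VRRP gateways and the two extra defective rules are assumptions constructed for the example.

```python
import re

# Constructed sample, not from the post: the message's two-uplink rdr/pass pairs
# re-joined onto single lines, plus two deliberately defective entries (a reply-to
# pointing at the wrong uplink, and an rdr tag that no pass rule accepts).
RULES = """
rdr on $ifvlan13 inet proto tcp from any to <myself_wan_195> port 1195 tag rdr_195_1195 -> 10.104.10.244 port 1195
rdr on $ifvlan13 inet proto tcp from any to <myself_wan_46> port 1195 tag rdr_46_1195 -> 10.104.10.244 port 1195
pass in log on $ifvlan13 reply-to ($ifvlan13 $neo_vrrp_195) inet proto tcp from any to <openvpn> port 1195 tagged rdr_195_1195 keep state
pass in log on $ifvlan13 reply-to ($ifvlan13 $neo_vrrp_46) inet proto tcp from any to <openvpn> port 1195 tagged rdr_46_1195 keep state
rdr on $ifvlan13 inet proto tcp from any to <myself_wan_46> port 443 tag rdr_46_443 -> 10.104.10.10 port 443
pass in on $ifvlan13 reply-to ($ifvlan13 $neo_vrrp_195) inet proto tcp from any to <www> port 443 tagged rdr_46_443 keep state
rdr on $ifvlan13 inet proto tcp from any to <myself_wan_195> port 25 tag rdr_195_25 -> 10.104.10.20 port 25
"""

# Assumed mapping (hypothetical): the VRRP gateway of the uplink each public table lives on.
UPLINK_FOR = {"<myself_wan_195>": "$neo_vrrp_195", "<myself_wan_46>": "$neo_vrrp_46"}

RDR_RE = re.compile(r"^rdr\b.*?\bto\s+(\S+).*?\btag\s+(\S+)")
PASS_RE = re.compile(r"^pass\s+in\b(?:.*?\breply-to\s+\(\S+\s+(\S+)\))?.*?\btagged\s+(\S+)")


def lint(rules: str) -> list[str]:
    """Cross-check every rdr tag against the pass rule that is meant to accept it.
    Reports: a tag nothing sets, a tagged pass rule without reply-to (replies would
    follow the default route), a reply-to on the wrong uplink, and an rdr tag that
    no pass rule matches (that redirected traffic is silently blocked)."""
    findings = []
    tag_to_table = {}  # tag set by an rdr rule -> public address table it matched
    for line in rules.splitlines():
        m = RDR_RE.match(line)
        if m:
            tag_to_table[m.group(2)] = m.group(1)
    seen = set()
    for line in rules.splitlines():
        m = PASS_RE.match(line)
        if not m:
            continue  # untagged pass rules are out of scope for this check
        gateway, tag = m.groups()
        seen.add(tag)
        if tag not in tag_to_table:
            findings.append(f"{tag}: pass rule matches a tag no rdr rule sets")
        elif gateway is None:
            findings.append(f"{tag}: no reply-to, replies follow the default route")
        elif UPLINK_FOR.get(tag_to_table[tag], gateway) != gateway:
            findings.append(f"{tag}: reply-to {gateway} but address is on "
                            f"{UPLINK_FOR[tag_to_table[tag]]}")
    for tag in sorted(tag_to_table.keys() - seen):
        findings.append(f"{tag}: rdr sets tag but no pass rule matches it")
    return findings
```

Running `lint(RULES)` flags the port 443 pass rule whose replies would leave via the 195 uplink for a 46 address, and the port 25 redirect that no pass rule ever accepts; a ruleset that is consistent returns an empty list.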
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions