On Tue, 26 Nov 2019 20:06:40 -0000 (UTC) Stuart Henderson <s...@spacehopper.org> wrote:
> On 2019-11-26, Henry Jensen <hjen...@mailbox.org> wrote:
> > On Tue, 26 Nov 2019 12:27:16 -0000 (UTC)
> > Stuart Henderson <s...@spacehopper.org> wrote:
> >
> >> > 192.168.1.2 < rdr-to/nat-to > 11.22.33.40
> >> > 192.168.1.3 < rdr-to/nat-to > 11.22.33.41
> >> >
> >> > I plan to give the outgoing interface the second public IP
> >> > (11.22.33.41) as an alias, so the egress interface holds both
> >> > public IP addresses. Question is, how do I do the routing so that
> >> > DMZ host 192.168.1.3 uses public IP 11.22.33.41 exclusively?
> >>
> >> I read this as "how do I make it so that *only* the DMZ host uses
> >> 11.22.33.41 and the router itself doesn't use it", is that right?
> >
> > Yes, but first and foremost, 192.168.1.3 should use *only* 11.22.33.41
> > as gateway, 192.168.1.2 (and possibly other hosts) should use 11.22.33.40
> > as gateway.
>
> But 192.168.1.3 isn't in the 11.22.33.x network itself is it? So it
> can't use 11.22.33.*anything* as gateway because it has no way to reach
> it directly..

Sorry, my wording was imprecise. What I meant was: a packet coming from
192.168.1.3 should *only* use 11.22.33.40 as gateway, a packet from
192.168.1.2 should use 11.22.33.40.

So, would it be enough to do simply something like this?

# packets from 192.168.1.3 should go to 11.22.33.41
pass out quick on egress inet from 192.168.1.3 to any \
    nat-to 11.22.33.41

# all other to 11.22.33.40
pass out on egress inet from any to any \
    nat-to 11.22.33.40
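As an added example (editor's addition, not posted by anyone in the thread), the pf.conf fragment below shows one way to express the setup being asked about: a 1:1 mapping of the DMZ host to the second public address with binat-to, which covers both the outbound source rewrite (nat-to) and the inbound destination rewrite (rdr-to) in a single rule, and a separate nat-to for everything else behind the router. The interface name em0 in the ifconfig comment, the DMZ interface name dmz_if, the private network size and the published ports are assumptions; the two public addresses and the two DMZ hosts are the ones from the thread.

```pf
# Added example, not from the thread. Assumes 11.22.33.41 has already been
# added as an alias on the egress interface (interface name is assumed):
#   ifconfig em0 inet alias 11.22.33.41 netmask 255.255.255.255
# and that the DMZ hosts live on 192.168.1.0/24 behind $dmz_if (assumed name).

dmz_if   = "em1"
dmz_net  = "192.168.1.0/24"
dmz_host = "192.168.1.3"
pub_main = "11.22.33.40"
pub_dmz  = "11.22.33.41"

# Every private host except the DMZ host gets the primary public address.
# Tables accept negated entries, so there is no overlap with the binat rule
# and no need to rely on rule ordering for the translation.
table <nat_main> const { $dmz_net, !$dmz_host }

set skip on lo
block return

# 1:1 bidirectional mapping for the DMZ host: outbound packets leave as
# 11.22.33.41, inbound packets to 11.22.33.41 are rewritten to 192.168.1.3.
# A binat-to rule carries no in/out direction; it applies to both.
match on egress inet from $dmz_host to any binat-to $pub_dmz

# All other private hosts are source-translated to 11.22.33.40. Using the
# table instead of "from any" keeps router-originated traffic untouched.
match out on egress inet from <nat_main> to any nat-to $pub_main

# Filter rules. Translation done by match rules is already applied when
# these are evaluated, so inbound rules name the internal address.
pass in  on $dmz_if inet from $dmz_net to any
pass out on egress  inet from { $dmz_net, $pub_main, $pub_dmz } to any
pass in  on egress  inet proto tcp from any to $dmz_host port { 80 443 }
pass out on $dmz_if inet proto tcp from any to $dmz_host port { 80 443 }
```

Before loading, check the syntax with `pfctl -nf /etc/pf.conf`, then confirm the mapping by watching the state table (`pfctl -ss | grep 11.22.33.41`) while 192.168.1.3 opens an outbound connection; the state should show the 192.168.1.3 endpoint rewritten to 11.22.33.41 and nothing else using that address. Nothing in this fragment makes the router source its own traffic from the alias: an alias is not picked as the default source address for packets the router originates, so the "router itself doesn't use it" part of Stuart's reading is satisfied as long as no service is explicitly bound to 11.22.33.41.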