Hello, and please help me retain what little hair I still have left :)

Basic scenario - 5 interfaces, 3 outside (public), 2 inside (private).

At this point I'm not trying to load balance, just use different routes to the outside world depending upon the source inside address. I have tried different rulesets, none have worked so far - I see no packets arriving from the inside on the 2 new outside interfaces.

Currently I'm attempting the following.

Interfaces and gateways (att is default route and does work always - I also define their addresses - adx):

    Outside: att_if  wow_4_if wow_4_gw  wow_8_if wow_8_gw
    Inside:  s3_if  alt_if

Tables (different addresses should get routed through different outside interfaces):

    <att_bound> <wow_4_bound> <wow_8_bound>

Nat rules:

    nat on $wow_8_if inet tag WOW_8_NAT tagged WOW_8 -> $wow_8_ad1
    nat on $wow_4_if inet tag WOW_4_NAT tagged WOW_4 -> $wow_4_ad1
    nat on $att_if inet tag ATT_NAT tagged ATT -> $att_ad1

Filtering (narrowing to s3_if in for now):

    pass in on $s3_if proto tcp from $s3_if:network to !$alt_if:network port $tcp_ports tag ATT flags S/SA keep state
    pass in on $s3_if proto tcp from <wow_8_systems> to !$alt_if:network port $tcp_ports tag WOW_8 flags S/SA keep state
    pass in on $s3_if proto tcp from <wow_4_systems> to !$alt_if:network port $tcp_ports tag WOW_4 flags S/SA keep state
    pass out on $att_if proto tcp all keep state flags S/SA
    pass out on $att_if route-to ($wow_4_if $wow_4_gw) proto tcp all tagged WOW_4_NAT keep state flags S/SA
    pass out on $att_if route-to ($wow_8_if $wow_8_gw) proto tcp all tagged WOW_8_NAT keep state flags S/SA
    pass out on $wow_4_if proto tcp all keep state flags S/SA
    pass out on $wow_8_if proto tcp all keep state flags S/SA

So if this looks like I'm confused - I am! I've tried putting the route-to on the pass-in rules, which hasn't helped so far either, so I thought I would try the above, to no avail. It seems that the pass in rules should tag the packets, the nat rules should then nat to the correct address based on those tags and retag the packets as natted (_NAT). The tagged natted packets will start for the default route and then get rerouted, if necessary, based on their tags.

Please show me the error of my ways. Thank you.

-- Chris
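For comparison, the conventional pf layout for source-based policy routing, written as an added example rather than taken from the post: route-to sits on the inbound rule of the inside interface, and NAT is selected by the interface the packet actually leaves on, so no tags are needed. Interface names, gateways, addresses, table contents and $tcp_ports are placeholder assumptions; the syntax is the pre-4.7 pf dialect with separate nat rules, matching the post.

```pf
# Added example (not the poster's ruleset). Names and addresses are placeholders.
att_if   = "em0"
wow_4_if = "em1"
wow_4_gw = "192.0.2.1"
wow_8_if = "em2"
wow_8_gw = "198.51.100.1"
s3_if    = "em3"
alt_if   = "em4"
tcp_ports = "{ 80, 443 }"

# Inside hosts that should leave via the alternate uplinks (constructed values).
table <wow_4_systems> { 10.0.3.10, 10.0.3.11 }
table <wow_8_systems> { 10.0.3.20/30 }

# NAT is applied on the outbound interface after routing, so one rule per
# outside interface covers all sources; the interface address in () follows
# address changes automatically.
nat on $att_if   inet from $s3_if:network to any -> ($att_if)
nat on $wow_4_if inet from $s3_if:network to any -> ($wow_4_if)
nat on $wow_8_if inet from $s3_if:network to any -> ($wow_8_if)

# Policy routing is decided on the inbound pass rule of the inside interface.
# pf is last-match, so the general rule comes first and the table-specific
# route-to rules below override it for their sources.
pass in on $s3_if inet proto tcp from $s3_if:network to !$alt_if:network \
    port $tcp_ports flags S/SA keep state
pass in on $s3_if route-to ($wow_4_if $wow_4_gw) inet proto tcp \
    from <wow_4_systems> to !$alt_if:network port $tcp_ports flags S/SA keep state
pass in on $s3_if route-to ($wow_8_if $wow_8_gw) inet proto tcp \
    from <wow_8_systems> to !$alt_if:network port $tcp_ports flags S/SA keep state

# Forwarded packets already match the states created above; these outbound
# rules only matter for connections originating on the firewall itself.
pass out on $att_if   inet proto tcp all flags S/SA keep state
pass out on $wow_4_if inet proto tcp all flags S/SA keep state
pass out on $wow_8_if inet proto tcp all flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then watch the alternate uplink with `tcpdump -nei em1` while a host listed in <wow_4_systems> opens a connection to confirm the packets leave there rather than on the default interface.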