Okan Demirmen wrote:

> On Fri 2004.07.23 at 23:33 +0200, Daniel Hartmeier wrote:
>
> > On Fri, Jul 23, 2004 at 03:24:25PM -0500, eric wrote:
> >
> > > So, I know there's a way to tell pf to route traffic from a
> > > source-ip, I just forgot how and can't find it in the manpages.
> > > Also, is there a way to make traffic from 172.16.43.54 appear as though
> > > it's coming from 10.9.9.3, and the other machines behind the gateway
> > > appear as though they're coming from 10.9.9.2?
> >
> > Instead of
> >
> >   nat on $ext_if from $int_net to any -> ($ext_if)
> >
> > try
> >
> >   nat on $ext_if from 172.16.43.54 to any -> 10.9.9.3
> >   nat on $ext_if from $int_net     to any -> 10.9.9.2
> >
> > The form ($ext_if) is useful when you get a single address assigned to
> > $ext_if dynamically (and it changes automatically). If you have aliases
> > and want specific addresses used like this, don't use (if).
>
> Correct me if I'm wrong, but can't you also do:
>
>   nat on $ext_if from 172.16.43.54 to any -> 10.9.9.3
>   nat on $ext_if from $int_net     to any -> ($ext_if:0)

Sure. To make things clear, with 3.5:

  home# echo "nat on sis0 -> (sis0)" | pfctl -nvf-
  nat on sis0 all -> (sis0) round-robin

See the "round-robin" keyword added? That means if there is more than one
address assigned to sis0, PF will round-robin through the available addresses
for each new outgoing connection. Consider adding source-track in that case.

On the other hand, adding ":0" tells PF we're interested in the main address
only, and PF won't add the round-robin keyword in that case:

  home# echo "nat on sis0 -> (sis0:0)" | pfctl -nvf-
  nat on sis0 all -> (sis0:0)

This is faster too, so PPL upgrading to 3.5 should look at their ruleset
and think about whether they need to add that ":0" or not. Pre-3.5, (if) would
only take the first address in any case.

Cedric
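As an added illustration (not part of the thread and not anyone's posted ruleset), here is a small pf.conf fragment in the 3.5-era syntax used above that puts the three translation forms discussed side by side: a fixed address per source, (if:0) for the interface's primary address only, and bare (if), which pfctl expands to round-robin over every address on the interface. The interface name and the addresses are assumptions chosen to match the thread.

```pf
# Constructed pf.conf fragment (3.5-era nat syntax). The interface name and
# address values are assumptions for illustration, taken from the thread.
ext_if  = "sis0"
int_net = "172.16.43.0/24"

# One internal host is always translated to a fixed public address ...
nat on $ext_if from 172.16.43.54 to any -> 10.9.9.3

# ... and the rest of $int_net shares a second fixed address.
nat on $ext_if from $int_net     to any -> 10.9.9.2

# Equivalent for the second rule when 10.9.9.2 is the primary address of
# $ext_if: ":0" pins the translation to the interface's first address, so no
# round-robin is generated even if aliases exist (and, per Cedric, it is the
# cheaper form on 3.5).
#   nat on $ext_if from $int_net to any -> ($ext_if:0)

# Bare "($ext_if)" expands to "round-robin" across all addresses on the
# interface. Only use it when spreading connections over the aliases is the
# intent; "sticky-address" keeps every connection from one source on the same
# translation address, so remote services see a stable client IP.
#   nat on $ext_if from $int_net to any -> ($ext_if) round-robin sticky-address
```

Checking the expansion the same way Cedric does, `pfctl -nvf /etc/pf.conf`, shows which rules end up with round-robin, so a ruleset can be audited for (if) occurrences that should have been (if:0) before it is loaded.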
