Paul Cusbish wrote:


--- Cedric Berger <[EMAIL PROTECTED]> wrote:
Paul Cusbish wrote:

[ All, a bit of a late followup, but I've included some rules this time.  Thanks for 
your help ]

Hi there,

I have a common setup (seen it a few times on this list) -

xl0      LAN
fxp0   Cable / dynamic address
fxp1   ADSL / static (DNS, SMTP, HTTP etc...)

The default gateway is fxp0, which is nat'd.

The fxp1 link is, as specified above, the "services" link.  I have some reply-to rules 
for SMTP, HTTP etc,
to avoid asymmetric routing, which works great.

I have BOTH links natting now.

I do tend to use IRC and Mail from the gateway, and not from the internal network.  
How would the rules differ?

Here are the route-to rules that do not work:
nat on $cable_if from $internal_net to any -> ($cable_if)    (NOTE: This is the default route)
nat on $adsl_if from $internal_net to any -> ($adsl_if)

pass out quick on $adsl_if route-to ($adsl_if $adsl_route) inet proto tcp from any to any port 25 modulate state


Problem is that this rule cannot work. The default route is set
on $cable_if, therefore the "pass out quick on $ADSL_IF" rule
will never kick in. That is the classical chicken-and-egg
problem. You need to do something like:

    pass out quick on $CABLE_IF route-to ($ADSL_IF...

But then, your nat rules will also need adjustments.
That's a PITA to get right, but that's doable.
Have fun!
Cedric
-----------------------------

Hi Cedric,

Thanks for your response.

Regarding the nat rules, could you give me a pointer in the general direction of what 
needs to be adjusted please?


Well, basically you just need to be more selective

>>nat on $cable_if from $internal_net to any -> ($cable_if)
>>nat on $adsl_if from $internal_net to any -> ($adsl_if)

NAT occur before filtering, so you need to make sure packets
don't get NATTed 2 times, and that they get NATTed to the
right IP.

so your NAT might look like:

  nat on $cable_if inet proto tcp from any to any port 25 -> ($adsl_if)

Now there are many different ways to do that; you could use
tags as well.

Cedric
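One way the two replies above fit together in a single pf.conf fragment, written here as an added example rather than anything posted in the thread. It uses the old `nat on` syntax the thread itself uses; the interface macros follow the thread, while the ADSL next hop and the internal network are constructed values.

```pf
# Added example, not from the thread. Macros follow the thread; the
# gateway address and internal network are constructed placeholders.
cable_if     = "fxp0"           # default route, dynamic address
adsl_if      = "fxp1"           # static "services" link
adsl_gw      = "192.0.2.1"      # constructed: next hop on the ADSL link
internal_net = "192.168.1.0/24" # constructed

# Translation is evaluated before filtering and the first matching nat
# rule wins, so the selective rule goes first. The kernel picks $cable_if
# for outbound SMTP (default route), so the rule is written on $cable_if
# but translates to the ADSL address. "from any" also covers mail sent
# from the gateway itself, whose source is then the $cable_if address.
nat on $cable_if inet proto tcp from any to any port 25 -> ($adsl_if)

# Everything else from the LAN is translated to whichever link it leaves on.
# Neither rule matches the SMTP packets again: their source is already
# the $adsl_if address, not $internal_net, so they are not NATted twice.
nat on $cable_if from $internal_net to any -> ($cable_if)
nat on $adsl_if  from $internal_net to any -> ($adsl_if)

# Filtering: the route-to rule must sit on $cable_if, the interface the
# packet is actually leaving by default (the chicken-and-egg point above),
# and it hands the packet to the ADSL next hop instead.
pass out quick on $cable_if route-to ($adsl_if $adsl_gw) \
    inet proto tcp from any to any port 25 modulate state

# The re-routed packet is filtered again on $adsl_if, so let it out there,
# and answer inbound service traffic on the ADSL link via the same next hop
# (the reply-to rules the thread already describes as working).
pass out on $adsl_if inet proto tcp from ($adsl_if) to any port 25 keep state
pass in on $adsl_if reply-to ($adsl_if $adsl_gw) \
    inet proto tcp from any to ($adsl_if) port { 25, 80 } keep state
```

Check the result with `pfctl -s nat` and `pfctl -s rules` to confirm the rule order, then `pfctl -s state` while opening an outbound SMTP connection: the state should show the $adsl_if address as the translated source, and `tcpdump -n -i fxp1 port 25` should show the SYN leaving the ADSL link rather than the cable link.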
