Hi all! While writing a script for turning the Internet on/off for our clients, I ran into the following trouble:

Some of our clients may need a real IP address. Sometimes the internal/external IP pairs may change. For these needs I put the following lines in pf.conf:

    #nat on $ext_if from <internet> to any -> 192.168.1.21
    #binat-anchor real_ip

In the case of the "real_ip" field, the script must set up a BINAT on the IP that we have in that field, but it doesn't do it! Originally the rules were:

    #ifconfig xl0 $ip_ext netmask 255.255.255.0 alias
    #echo "binat on xl0 from $ip_int to any -> $ip_ext" | pfctl -a real_ip:$ip_ext -f -

An anchor with the complex name real_ip:$ip_ext is necessary so that, when turning off the Internet for that IP, we are able to remove the binat rules only for that particular IP. But in practice, when we add the following rule:

    #echo "binat on xl0 from 192.168.0.23 to any -> 192.168.1.26" | pfctl -a real_ip:192.168.1.26 -f -

we get:

    #pfctl -sn -a real_ip:192.168.1.26
    #binat on xl0 inet from 192.168.0.23 to any -> 192.168.1.26

but actually we were masked by 192.168.1.21. But if:

    #echo "binat on xl0 from 192.168.0.23 to any -> 192.168.1.26" | pfctl -a real_ip -f -

we get:

    #pfctl -sn -a real_ip
    #binat on xl0 inet from 192.168.0.23 to any -> 192.168.1.26

and now we were masked by 192.168.1.26 - that's what we need! But we can't do it that way. That's why we decided to use sub-anchors:

    #echo "anchor 192.168.1.26" | pfctl -a real_ip -f -
    #echo "binat on xl0 from 192.168.0.23 to any -> 192.168.1.26" | pfctl -a real_ip/192.168.1.26 -f -
    #pfctl -vsA real_ip
      real_ip/192.168.1.26
    #pfctl -sn -a real_ip/192.168.1.26
    #binat on xl0 inet from 192.168.0.23 to any -> 192.168.1.26

And now we were again masked by 192.168.1.21. How can I solve this problem? We have no ability to write the binat rules statically in pf.conf.

FreeBSD 6.2-RELEASE
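The following is an added example of a per-client enable/disable script built around one translation sub-anchor per external IP; it is not the poster's script and not part of the thread. It assumes that pf.conf attaches the sub-anchors with a translation anchor rule using a wildcard, `binat-anchor "real_ip/*"`, so that every child anchor of real_ip is evaluated without having to reload the parent anchor for each client (a plain `anchor` rule only attaches a filter anchor, not a translation one). The interface name xl0, the anchor name real_ip and the netmask are taken from the post; `PF_APPLY`, the function names and the dry-run behaviour are this example's own. Client addresses are checked against a strict dotted-quad pattern before they are interpolated into rule text, so a malformed or hostile value from the provisioning database cannot smuggle extra rules into the anchor.

```shell
#!/bin/sh
# Added example (not the original poster's script): toggle a client's
# one-to-one BINAT by loading its rule into the sub-anchor real_ip/<ext_ip>.
# Assumes pf.conf contains:  binat-anchor "real_ip/*"
# Commands are only executed when PF_APPLY=1; otherwise they are printed.

EXT_IF="xl0"        # external interface (from the post)
PARENT="real_ip"    # parent translation anchor (from the post)
NETMASK="255.255.255.0"
PF_APPLY="${PF_APPLY:-0}"

# is_ipv4 ADDR: accept only a dotted quad with octets 0..255. Anything else
# (rule fragments, shell metacharacters, IPv6) is rejected before it can be
# interpolated into pf rule text.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    for o in "$1" "$2" "$3" "$4"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# sub_anchor EXT_IP: per-client sub-anchor name under the parent anchor.
sub_anchor() { printf '%s/%s\n' "$PARENT" "$1"; }

# binat_rule INT_IP EXT_IP: the bidirectional translation rule for one client.
binat_rule() { printf 'binat on %s from %s to any -> %s\n' "$EXT_IF" "$1" "$2"; }

# run_cmd CMD...: execute when PF_APPLY=1, otherwise print what would run.
run_cmd() {
    if [ "$PF_APPLY" = "1" ]; then "$@"; else echo "$*"; fi
}

# load_rules ANCHOR: replace ANCHOR's rule set with the rule text on stdin.
load_rules() {
    if [ "$PF_APPLY" = "1" ]; then
        pfctl -a "$1" -f -
    else
        echo "pfctl -a $1 -f - <<EOF"; cat; echo "EOF"
    fi
}

# enable_real_ip INT_IP EXT_IP: add the alias, then load the client's rule
# into its own sub-anchor so other clients' anchors are left untouched.
enable_real_ip() {
    is_ipv4 "$1" && is_ipv4 "$2" || { echo "enable: bad address" >&2; return 1; }
    run_cmd ifconfig "$EXT_IF" "$2" netmask "$NETMASK" alias
    binat_rule "$1" "$2" | load_rules "$(sub_anchor "$2")"
}

# disable_real_ip EXT_IP: flush only that client's translation rules
# (pfctl -F nat flushes nat/rdr/binat in the given anchor) and drop the alias.
disable_real_ip() {
    is_ipv4 "$1" || { echo "disable: bad address" >&2; return 1; }
    run_cmd pfctl -a "$(sub_anchor "$1")" -F nat
    run_cmd ifconfig "$EXT_IF" "$1" -alias
}

# Command-line use:  script on INT_IP EXT_IP  |  script off EXT_IP
case "${1:-}" in
    on)  enable_real_ip "$2" "$3" ;;
    off) disable_real_ip "$2" ;;
esac
```

Run it with `PF_APPLY=1` on the firewall to apply the commands; without it the script prints the exact ifconfig and pfctl invocations, which is useful for checking the generated rule set with `pfctl -sn -a real_ip/<ext_ip>` before anything is changed.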