On Thu, 5 Jul 2007, Попов Игорь Николаевич wrote:

> I have a router under OpenBSD; its main purpose is NAT.
>
> Some rules from /etc/pf.conf:
>
> #...
> table <nat_addr> const { 80.0.0.21 80.0.0.22 80.0.0.23 80.0.0.24 }
> table <lan_addr> const { 192.168.0.0/25 192.168.10.0/24 }
>
> # NAT
> nat pass on $ext_if inet tagged LAN_INET -> <nat_addr> round-robin sticky-address
>
> #...
>
> # nat marker
> pass in on $int_if inet from <lan_addr> to !(self) keep state flags S/SA \
>     tag LAN_INET queue q_traff
>
> #...
>
> There are 4 IP addresses (aliases) on $ext_if: the first is used for
> controlling the router, the others are used for NAT.
> And the question is how to make ftp-proxy work in this situation?
> Both source addresses for control and data connections must be the same;
> many FTP servers deny the data connection when the control connection has another IP.
ftp-proxy will always make sure to use the same IP for the control and data connection. You can force the address with -a, otherwise ftp-proxy lets the kernel pick the source address for the connection.

round-robin among your NAT addresses would be possible, but you have to run multiple instances of ftp-proxy. Something like this probably works (untested, and the addresses _must_ be aliases for -a and -b to work):

    ftp-proxy -b 80.0.0.21 -a 80.0.0.21
    ftp-proxy -b 80.0.0.22 -a 80.0.0.22
    ftp-proxy -b 80.0.0.23 -a 80.0.0.23
    ftp-proxy -b 80.0.0.23 -a 80.0.0.24

Then use a:

    rdr on $int_if from <lan_addr> to any port 21 -> <nat_addr> port 8021 \
        round-robin

(NOTE: it would be better to use 127.0.0.2, 127.0.0.3, etc. for the -b addresses and round-robin among those, so they are not easily reachable from the outside. It would clutter the example though.)

Let us know if it works. :-)

-- 
Cam
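The variant from the NOTE above, written out as an added example (this is not code from the thread or from OpenBSD): each public address in <nat_addr> is paired with a loopback alias that the proxy listens on, so the listeners are never reachable from $ext_if, and the rdr rule round-robins LAN clients across those loopback listeners. The table name <ftp_proxies>, the lo0 alias numbering and port 8021 are assumptions; the "ftp-proxy/*" anchors are the ones ftp-proxy(8) loads its per-session rules into.

```shell
#!/bin/sh
# Added example: generate the ftp-proxy instances and the pf.conf fragment
# for round-robin NAT with per-instance -a/-b pairing. Not from the thread.

NAT_ADDRS="80.0.0.21 80.0.0.22 80.0.0.23 80.0.0.24"   # <nat_addr> from the question
PROXY_PORT=8021                                       # ftp-proxy default port
LOOP_BASE=2   # first lo0 alias is 127.0.0.2 (assumption); 127.0.0.1 stays free

# One lo0 alias and one ftp-proxy per NAT address.
#   -b: listen address (loopback, so not reachable from the outside)
#   -a: source address for the proxy's own control AND data connections,
#       which is what keeps both on the same public IP
ftp_proxy_cmds() {
    i=$LOOP_BASE
    for a in $NAT_ADDRS; do
        echo "ifconfig lo0 alias 127.0.0.$i"
        echo "ftp-proxy -b 127.0.0.$i -p $PROXY_PORT -a $a"
        i=$((i + 1))
    done
}

# pf.conf fragment: table of loopback listeners, the rdr that spreads
# port-21 connections over them, and the anchors ftp-proxy needs.
pf_rdr_rules() {
    i=$LOOP_BASE
    list=""
    for a in $NAT_ADDRS; do
        list="$list 127.0.0.$i"
        i=$((i + 1))
    done
    echo "table <ftp_proxies> const {$list }"
    echo "rdr pass on \$int_if proto tcp from <lan_addr> to any port 21 -> <ftp_proxies> port $PROXY_PORT round-robin"
    echo 'nat-anchor "ftp-proxy/*"'
    echo 'rdr-anchor "ftp-proxy/*"'
    echo 'anchor "ftp-proxy/*"'
}

# Usage: print both parts for review before putting them into rc.local and pf.conf.
ftp_proxy_cmds
pf_rdr_rules
```

The nat rule in the question only matches packets tagged LAN_INET, so connections the proxy itself opens are not translated; -a is what pins their source address.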