On Thu, 5 Jul 2007, Попов Игорь Николаевич  wrote:
> I have a router under OpenBSD; its main purpose is NAT.
> 
> some rules from /etc/pf.conf
> 
> #...
> table <nat_addr>  const { 80.0.0.21 80.0.0.22 80.0.0.23 80.0.0.24 } 
> table <lan_addr>  const { 192.168.0.0/25 192.168.10.0/24 }
> 
> # NAT
> nat pass on $ext_if inet tagged LAN_INET -> <nat_addr>  round-robin 
> sticky-address
> 
> #...
> 
> # nat marker
> pass  in  on $int_if inet from <lan_addr>  to !(self) keep state flags S/SA \
>     tag LAN_INET queue q_traff
> 
> #...
> 
> There are 4 ip addresses (aliases) on $ext_if - the first is used for 
> controlling router, others are used for NAT.
> And the question is how to make ftp-proxy work in this situation?
> The source addresses for the control and data connections must be the same;
> many ftp servers deny the data connection when the control connection comes from another IP.

ftp-proxy will always make sure to use the same IP for the control and 
data connection.  You can force the address with -a, otherwise ftp-proxy 
lets the kernel pick the source address for the connection.

round-robin among your NAT addresses would be possible, but you have to 
run multiple instances of ftp-proxy.  Something like this probably works 
(untested, and the addresses _must_ be aliases for -a and -b to work):

ftp-proxy -b 80.0.0.21 -a 80.0.0.21
ftp-proxy -b 80.0.0.22 -a 80.0.0.22
ftp-proxy -b 80.0.0.23 -a 80.0.0.23
ftp-proxy -b 80.0.0.24 -a 80.0.0.24

Then use a:
rdr on $int_if proto tcp from <lan_addr> to any port 21 -> <nat_addr> port 8021 \
    round-robin

(NOTE: it would be better to use 127.0.0.2, 127.0.0.3, etc. for the -b 
addresses and round-robin among those, so they are not easily reachable 
from the outside.  It would clutter the example though.)

Let us know if it works.  :-)

--
Cam
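The loopback variant from Cam's NOTE, written out as an added example (this is not code from the thread or from the ftp-proxy project): a small POSIX sh script that, given the list of NAT addresses, emits one ftp-proxy invocation per address with -b on a loopback alias (127.0.0.2, 127.0.0.3, ...) and -a on the matching public address, plus the pf rules that redirect LAN ftp control connections round-robin across those loopback listeners. It assumes the loopback aliases have been configured (`ifconfig lo0 alias 127.0.0.N`), that the public addresses are aliases on $ext_if as in the thread, that the `proto tcp` qualifier is present because pf requires a protocol when a port is given, and that the ftp-proxy anchors (`nat-anchor`, `rdr-anchor`, `anchor "ftp-proxy/*"`) are what the proxy needs to insert its own rules. The `-p` flag is ftp-proxy's real listen-port option; `PORT` and the `<proxy_addr>` table name are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread: per-address ftp-proxy instances bound to
# loopback aliases (so the listeners are not reachable from outside), and the
# pf rules that spread LAN ftp control connections across them.

PORT=8021   # ftp-proxy listen port (its default is also 8021)

# ftp_proxy_cmds "addr1 addr2 ..."
# Prints one ftp-proxy command per public NAT address; instance N listens on
# 127.0.0.(N+1) and uses the public address for both control and data (-a).
ftp_proxy_cmds() {
    i=2
    for a in $1; do
        printf 'ftp-proxy -b 127.0.0.%d -p %d -a %s\n' "$i" "$PORT" "$a"
        i=$((i + 1))
    done
}

# loopback_table "addr1 addr2 ..."
# Prints the space-separated loopback addresses the rdr rule should target,
# in the same order as the ftp-proxy instances above.
loopback_table() {
    i=2
    out=""
    for a in $1; do
        out="$out 127.0.0.$i"
        i=$((i + 1))
    done
    printf '%s\n' "${out# }"
}

# pf_rules "addr1 addr2 ..."
# Prints the pf.conf fragment: the loopback table, the ftp-proxy anchors and
# the round-robin rdr; <lan_addr> and $int_if are the thread's own names.
pf_rules() {
    cat <<EOF
table <proxy_addr> const { $(loopback_table "$1") }
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on \$int_if proto tcp from <lan_addr> to any port 21 -> <proxy_addr> port $PORT round-robin
anchor "ftp-proxy/*"
EOF
}

# Usage with the thread's four NAT addresses.
NAT_ADDRS="80.0.0.21 80.0.0.22 80.0.0.23 80.0.0.24"
ftp_proxy_cmds "$NAT_ADDRS"
pf_rules "$NAT_ADDRS"
```

Because each instance gets its own -a, the control and data connections for a given client still leave from the same public address; only the listener moves to loopback, which is what keeps port 8021 off the external interface.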
