pf multipath nat
ŁukaszDudek
mocart at pinco.pl
Tue Nov 9 05:13:22 PST 2004
On Mon, Nov 08, 2004 at 04:21:39 +0100, Max Laier wrote:
> On Monday 08 November 2004 15:30, Łukasz Dudek wrote:
> > I've tried to configure multipath NAT using a RELENG_5 box
> > (when it was current and now when it became stable).
> >
> > This is the simplified rules schema I've been using:
# Macros: define common values, so they can be referenced and changed easily.
ext_if="fxp0"
ext_if2="fxp2"
int_if="fxp1" # replace with the actual internal interface name, e.g. dc1
internal_net="192.168.0.1/23"
external_addr="10.53.28.234"
gateway="10.53.28.233"
gateway2="10.10.8.1"
scrub in all
nat on $ext_if from $internal_net to any -> ($ext_if)
nat on $ext_if2 from $internal_net to any -> ($ext_if2)
rdr on $ext_if proto { tcp, udp } from any to $external_addr/32 port 1100 -> 192.168.0.2 port 1100
rdr on $ext_if proto { tcp, udp } from any to $external_addr/32 port 1101 -> 192.168.0.2 port 1101
rdr on $ext_if proto { tcp, udp } from any to $external_addr/32 port 4664 -> 192.168.0.2 port 4664
rdr on $ext_if proto { tcp, udp } from any to $external_addr/32 port 4666 -> 192.168.0.4 port 4666
rdr on $ext_if proto { tcp, udp } from any to $external_addr/32 port 4670 -> 192.168.1.4 port 4670
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
no rdr on { lo0, lo1 } from any to any
pass in all
pass out all
block in all
pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state
pass in on $ext_if2 inet proto tcp from any to $ext_if2 user proxy keep state
pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
pass in on $ext_if proto tcp from any to $ext_if port 25 keep state
pass in on $ext_if proto tcp from any to $ext_if port 80 keep state
pass in on $ext_if proto tcp from any to $ext_if port 110 keep state
pass in on $ext_if proto tcp from any to $ext_if port 443 keep state
pass in on $ext_if proto tcp from any to $ext_if port 465 keep state
pass in on $ext_if proto tcp from any to $ext_if port 995 keep state
pass in on $ext_if proto udp from any to $ext_if port 53 keep state
pass out on $ext_if proto { tcp, udp, icmp } all keep state
pass out on $ext_if2 proto { tcp, udp, icmp } all keep state
pass in quick on $int_if proto udp from $internal_net to 192.168.0.1 port 53 keep state
pass in on $int_if proto { tcp, udp, icmp } all keep state
pass out on $int_if proto { tcp, udp, icmp } all keep state
pass in on lo0 proto { tcp, udp, icmp } all keep state
pass out on lo0 proto { tcp, udp, icmp } all keep state
pass in on $int_if \
route-to { ( $ext_if $gateway), ( $ext_if2 $gateway2 ) } round-robin \
from $internal_net to any keep state
pass out on $ext_if2 route-to ($ext_if $gateway) from $ext_if to any
pass out on $ext_if route-to ($ext_if2 $gateway2) from $ext_if2 to any
>
>
> Are you *sure* that you had debug.mpsafenet=0 in the end? You know that it is
> only changeable during the loader and *not* in the live system?
>
Yes, I'm sure. /boot/loader.conf is the place where I keep such tunables.
Regards,
Lukasz Dudek
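To make the evaluation order of the ruleset above visible (pf applies the last matching rule unless a matching rule says quick, so the "pass in all" near the top is overridden by the later "block in all", and inbound traffic on the internal interface ends up on the route-to rule), here is an added Python sketch that is not from the post or from pf itself; it models only direction, interface, protocol and destination port over a constructed subset of the posted rules with the macros expanded.

```python
import re

# Constructed subset of the ruleset from the post, macros expanded.  Only
# action, direction, "quick", "on <if>", "proto <p>" and a destination
# "port <n>" are modelled; addresses are ignored.  This is an evaluation-order
# demo, not a pf implementation.
RULES = """\
pass in all
pass out all
block in all
pass in on fxp0 proto tcp from any to fxp0 port 22 keep state
pass out on fxp0 proto { tcp, udp, icmp } all keep state
pass in quick on fxp1 proto udp from 192.168.0.1/23 to 192.168.0.1 port 53 keep state
pass in on fxp1 proto { tcp, udp, icmp } all keep state
pass in on fxp1 route-to { (fxp0 10.53.28.233), (fxp2 10.10.8.1) } round-robin from 192.168.0.1/23 to any keep state
""".splitlines()


def parse(line):
    """Extract the few match criteria this demo understands from one rule."""
    tok = line.split()
    rule = {"text": line, "action": tok[0], "dir": tok[1], "quick": "quick" in tok}
    m = re.search(r"\bon (\S+)", line)
    rule["on"] = m.group(1) if m else None
    m = re.search(r"\bproto (\{[^}]*\}|\S+)", line)
    rule["proto"] = set(re.findall(r"\w+", m.group(1))) if m else None
    m = re.search(r"\bport (\d+)", line)
    rule["port"] = int(m.group(1)) if m else None
    return rule


def matches(rule, pkt):
    """A rule matches when every criterion it states agrees with the packet."""
    return (rule["dir"] == pkt["dir"]
            and rule["on"] in (None, pkt["if"])
            and (rule["proto"] is None or pkt["proto"] in rule["proto"])
            and rule["port"] in (None, pkt["port"]))


def winner(rules, pkt):
    """pf semantics: the LAST matching rule decides, unless a matching rule
    carries 'quick', in which case evaluation stops at that rule."""
    last = None
    for r in rules:
        if matches(r, pkt):
            last = r
            if r["quick"]:
                break
    return last["text"] if last else "no rule matched (pf default: pass)"


PARSED = [parse(l) for l in RULES]

if __name__ == "__main__":
    for pkt in ({"dir": "in", "if": "fxp1", "proto": "tcp", "port": 80},
                {"dir": "in", "if": "fxp1", "proto": "udp", "port": 53},
                {"dir": "in", "if": "fxp0", "proto": "tcp", "port": 2222}):
        print(pkt, "->", winner(PARSED, pkt))
```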