pf and pppoe help!
Mike Tancsa
mike at sentex.net
Wed Jan 2 09:19:45 PST 2008
I have a Soekris 5501 that I want to use to do NATting for a number
of subnets with a number of static IPs, and am not sure what the best
way to handle the multiple IP aliases is. In the past, when I
aliased the /32s to lo0, I had stability problems and the box would
deadlock. That firewall was on fibre, so it was easy to move the IPs
to the external NIC and alias them there. That box sees a lot of
traffic with a LOT of internal hosts and is very stable
now. However, for PPPoE it's a bit different, since the interface
comes and goes, and there is also the issue of MSS.
Right now in the lab I have been trying the following config and it
seems to work. However, I'm not sure, when it goes live with a lot of
traffic, if this is the best way to go.
In my ppp.linkup I have
pppoe:
iface clear
iface add 2.2.2.205/32 1.1.1.1
iface add 2.2.2.206/32 1.1.1.2
iface add 2.2.2.207/32 1.1.1.3
! /sbin/pfctl -f /etc/pf.conf
where 2.2.2.x are a bunch of /32 publicly routed IP addresses
The box has 1 PPPoE connection (tun0)
RFC1918 subnet 192.168.1.0/24 (vr1)
DMZ 2.2.2.0/30 (vr2)
RFC1918 10.0.0.0/24 (vr3)
as well as a couple of BINATs on vr1
# for pppoe MSS fixup for the DMZ host
scrub in on vr2 max-mss 1400 fragment reassemble
scrub out on vr2 max-mss 1400 fragment reassemble
# let the office people surf via one public IP and the transient sales
# force use a different one on the wireless
nat on $ext_if from {$internaloffice} to any -> ($ext_if:0)
nat on $ext_if from {$internal204,!$server1,!$server2} to any -> $officepublicIP
nat on $ext_if from {$wireless} to any -> $publicwireless
binat on $ext_if from $server1 to any -> $publicserver1
binat on $ext_if from $server2 to any -> $publicserver2
pass in quick on lo0 all
pass out quick on lo0 all
block in log on $ext_if all
#DMZ cust machine has its own rules
pass in on vr2 from any to any keep state
pass in on $ext_if from any to {$publicserver1,
$publicserver2,$server1,$server2, $dmzhost } keep state
pass in log on tun0 proto tcp from $trustedhosts to any port 22 keep state
pass out all keep state
Is there a better way to handle all the aliased IP addresses than to
manually put them on tun0?
---Mike
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
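One way to stop hand-maintaining the `iface add` lines in ppp.linkup is to keep the public /32s in a list and generate the stanza from it, so the same list can also feed a pf table. The script below is an added example and is not from the original post or from FreeBSD's ppp(8): it validates each address, assigns each alias a distinct dummy peer in the same way the post does (1.1.1.1, 1.1.1.2, ...), and ends the stanza with the pfctl reload. The label `pppoe`, the peer base `1.1.1` and the sample list are assumptions for illustration; `is_ipv4` is a hypothetical helper, not a system command.

```shell
#!/bin/sh
# Generate a ppp.linkup stanza from a list of public /32 addresses.
# Added example, not code from the original post. Assumes a POSIX sh
# (works with FreeBSD /bin/sh) and a list with one address per line.

# Return 0 if $1 is a well-formed dotted-quad IPv4 address, 1 otherwise.
# Rejects non-digit characters, leading/trailing/doubled dots, wrong
# field counts and octets above 255.
is_ipv4() {
  case "$1" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] 2>/dev/null || return 1
  done
  return 0
}

# Read addresses from stdin and emit a ppp.linkup stanza:
#   <label>:
#    iface clear
#    iface add <ip>/32 <peerbase>.<n>     (one per valid address)
#    ! /sbin/pfctl -f /etc/pf.conf
# Blank lines and '#' comments are skipped; malformed entries are
# reported on stderr and left out rather than silently emitted, so a
# typo in the list cannot take an unrelated address onto tun0.
gen_linkup() {
  label=$1      # ppp.linkup label, e.g. pppoe
  peerbase=$2   # first three octets of an unused block for dummy peers
  n=1
  printf '%s:\n iface clear\n' "$label"
  while read -r ip _; do
    case "$ip" in ''|'#'*) continue ;; esac
    if ! is_ipv4 "$ip"; then
      printf 'skipping invalid address: %s\n' "$ip" >&2
      continue
    fi
    printf ' iface add %s/32 %s.%d\n' "$ip" "$peerbase" "$n"
    n=$((n + 1))
  done
  printf ' ! /sbin/pfctl -f /etc/pf.conf\n'
}

# Constructed sample list (not the poster's real list): the three /32s
# from the post, a comment line and one malformed entry that must be
# rejected.
sample_list() {
  cat <<'EOF'
# public /32s routed to this box
2.2.2.205
2.2.2.206
bogus.address
2.2.2.207
EOF
}

# Usage: sample_list | gen_linkup pppoe 1.1.1 > /etc/ppp/ppp.linkup
sample_list | gen_linkup pppoe 1.1.1
```

Keeping the list in one file means the same addresses can be loaded into a pf `table` for the `pass in` rule instead of being repeated in macros, and the peer numbering restarts from 1 on every regeneration, so the dummy peers stay stable across link restarts.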