interface definition with aliases
Damien Fleuriot
ml at my.gd
Wed Jan 11 10:24:43 UTC 2017
On 11 January 2017 at 01:58, Harry Duncan <usr.src.linux at gmail.com> wrote:
> Hi Guys,
>
> I get my net connection to my freebsd box by pppoe. I have a /29
> allocation, so I have to add my additional IP's at the public interface on
> my bsd box, so I add them with
>
> ifconfig tun0 alias 121.171.163.226 netmask 255.255.255.255 181.191.100.212
>
> and I end up with a tun0 looking like:
>
> tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
> options=80000<LINKSTATE>
> inet 121.171.163.225 --> 181.191.100.212 netmask 0xffffffff
> inet 121.171.163.226 --> 181.191.100.212 netmask 0xffffffff
> inet 121.171.163.227 --> 181.191.100.212 netmask 0xffffffff
> inet 121.171.163.228 --> 181.191.100.212 netmask 0xffffffff
> inet 121.171.163.229 --> 181.191.100.212 netmask 0xffffffff
> inet 121.171.163.230 --> 181.191.100.212 netmask 0xffffffff
> nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
> groups: tun
> Opened by PID 4207
>
> In the normal course of events, with a single wan ip, I just declare ext_if
> = "tun0" in pf.conf and it resolves to the wan ip.
>
> What I want to be able to do here is reference specific aliases in rules,
> so for example, port forward port 22 on .225 to one lan host, port forward
> the same port on .226 to another lan host
>
> I also want to direct all traffic out from specific lan hosts to go out on
> specific ip addresses and not randomly across the range.
>
> I have accomplished this before with interface aliases where pppoe has not
> been used, but am stuck conceptually on how to implement this where the ip
> aliases are all on the same interface.
>
> Anyone got any thoughts if this is going to be possible?
>
> My alternate course of action will be to try and bring up a tun device for
> each of the aliases with a different ppp dialer. I'm just not sure, routing
> wise, if that is going to work, so I'm curious to know if you guys think it
> can be accomplished with the above?
>
Heya Harry,
You could always create macros in your pf.conf, like so:
ip1="1.2.3.4"
ip2="2.3.4.5"
ip3="3.4.5.6"
You can then reference them in your rules:
# $tun0:0 references only the primary IP on $tun0 (the ":0" modifier excludes aliases)
pass in quick on $tun0 inet proto tcp from <trust> to $tun0:0 port 10 $tcpflags
# and these apply to your macros
pass in quick on $tun0 inet proto tcp from <trust> to $ip1 port 11 $tcpflags
# ditto
pass in quick on $tun0 inet proto tcp from <trust> to $ip2 port 12 $tcpflags
# ditto
pass in quick on $tun0 inet proto tcp from <trust> to $ip3 port 13 $tcpflags
Once you've set up your macros, you're free to do whatever you like.
# Redirect SSH to public IP 1 to an internal host:
rdr pass on $tun0 inet proto tcp from <trust> to $ip1 port 22 -> 192.168.0.1
# NAT outgoing from internal host to a specific tun0 IP:
nat pass on $tun0 inet from 192.168.0.1 to any -> $ip3
I hope I did not misunderstand your question and that is what you were
looking for.
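A complete pf.conf that puts the macro approach above into practice, added here as an example and not taken from either post: two LAN hosts each get their own alias from the /29 for both inbound SSH redirection and outbound NAT, and the rest of the LAN leaves on the primary address only. The LAN interface (em0), LAN network and host addresses are assumptions; the public addresses are the ones from Harry's tun0 listing. Two things bite people on FreeBSD's pf of this era: nat/rdr rules must come before the filter rules, and a plain `rdr` still needs a `pass` rule that matches the translated (internal) address, which `rdr pass` takes care of.

```pf
# pf.conf for a pppoe link carrying a /29 of aliases on tun0
# (added example; interface names, LAN addresses and host roles are assumed)
ext_if  = "tun0"
lan_if  = "em0"                # assumed LAN interface
lan_net = "192.168.0.0/24"     # assumed LAN

# Public addresses from the /29. ip1 is the pppoe primary address,
# the others are the aliases added with "ifconfig tun0 alias ...".
ip1 = "121.171.163.225"
ip2 = "121.171.163.226"
ip3 = "121.171.163.227"

# LAN hosts that get a dedicated public address (assumed)
host_a = "192.168.0.10"
host_b = "192.168.0.20"

set skip on lo0
scrub in all

# --- Translation rules: on FreeBSD's pf these must precede the filter rules ---

# Outbound: nat rules are first-match, so the host-specific rules go first.
# host_a always leaves as ip2, host_b as ip3; everything else on the LAN uses
# the primary address. ($ext_if:0) = tun0's first address with aliases
# excluded, re-read by pf if pppoe renegotiates the address.
nat on $ext_if inet from $host_a  to any -> $ip2
nat on $ext_if inet from $host_b  to any -> $ip3
nat on $ext_if inet from $lan_net to any -> ($ext_if:0)

# Inbound: SSH to ip2 lands on host_a, SSH to ip3 lands on host_b.
# "rdr pass" also passes the redirected packet, so no extra filter rule is
# needed; a bare "rdr" would need a pass rule matching $host_a / $host_b,
# because the filter sees the packet after translation.
rdr pass on $ext_if inet proto tcp from any to $ip2 port 22 -> $host_a port 22
rdr pass on $ext_if inet proto tcp from any to $ip3 port 22 -> $host_b port 22

# --- Filter rules ---
block in log all
antispoof quick for $lan_if

# LAN may go anywhere; replies are handled by state
pass in  on $lan_if inet from $lan_net to any keep state
pass out on $ext_if keep state

# SSH to the primary address reaches the firewall itself, not a LAN host
pass in on $ext_if inet proto tcp from any to ($ext_if:0) port 22 \
    flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then confirm the translations with `pfctl -s nat` and, after a test connection, `pfctl -s state`, where each LAN host's sessions should show the public address you assigned it rather than one picked at random from the range.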