#4
1st December 2015
jasonvp
Real Name: Jason
Port Guard
Join Date: Nov 2015
Location: Northern VA
Posts: 15

Quote:
Originally Posted by jggimi
I understand you have multiple external IP addresses, so perhaps a bidirectional NAT (binat) configuration would enable you to provision em0 and re0 on separate Ethernets.
Allow me to apologize for the seemingly dismissive last reply. I've never really been a fan of the obfuscatia that comes along with NAT. It does create some interesting troubleshooting problems; I see that sort of thing in production environments all the time.

I am, however, warming up to the idea of doing it, because it'll allow the router to ... well... route. Sorta.

I'm proposing a series of changes to my pf.conf that will look like this:
Code:
# interface roles
vz_int = "em0"      # uplink (Verizon)
ext_int = "re1"     # public server segment
int_int = "re0"     # RFC1918 LAN

# one public/private address pair per binat'd host
host1_priv = "192.168.0.210"
host1_pub = "XX.YY.ZZ.210"
host2_priv = "192.168.0.211"
host2_pub = "XX.YY.ZZ.211"
# .
# .
# .
# until host_11
#
# NAT rules: 1:1 bidirectional translation on the uplink.  Outbound traffic
# from $hostN_priv leaves as $hostN_pub; inbound traffic to $hostN_pub is
# delivered to $hostN_priv.
pass on $vz_int from $host1_priv to any binat-to $host1_pub
pass on $vz_int from $host2_priv to any binat-to $host2_pub
# .
# .
# .
# until host_11
Here's where it gets a bit confusing for me, but it probably is pretty easy. I've been avoiding NAT for my existing RFC1918 LAN when the destination is my public servers. In other words: I want the public servers to see SRC==192.168.xx.yy, not the NAT IP. If a public server has to start a conversation with the private LAN, I also want that to be native. I only want the private LAN to be NAT'd when it leaves the building.

See this post for explanation. I'm going to have to change the NAT lines, and I think this will accomplish what I'm after?
Code:
# LAN to the public servers: untranslated.  (This is the pre-4.7 "no nat"
# rule; in the nat-to syntax used by the binat-to rules above it is simply a
# rule with no translation option.)
pass out on $ext_int from $local_ipv4_lan to $external_ipv4_lan
# LAN to everything else, leaving via the uplink: hide behind one public
# address.  (Pre-4.7 "nat on ... -> addr", written as nat-to so it loads
# alongside the binat-to rules.)
pass out on $vz_int from $local_ipv4_lan to any nat-to XX.YY.ZZ.221
My gut tells me the first line is superfluous because the second line only says NAT on outgoing on the Verizon interface. Thoughts? This should allow the now BiNAT'd IPs to get to the RFC1918 space with their respective public IPs, right (assuming they pass further rules in PF, of course)?
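As an added example (not code from jasonvp's post or from anyone else in the thread), here is how the two fragments above fit together as one loadable ruleset in OpenBSD 4.7+ syntax, expressing the policy the post describes: public servers reachable 1:1 via binat, the private LAN hidden behind a single address only when it leaves via the uplink, and LAN-to-server traffic left untranslated. The interface roles, the `lan_net` and `lan_nat` macros and the 192.168.1.0/24 LAN prefix are assumptions (the prefix is chosen so LAN hosts never match a binat rule); `XX.YY.ZZ` stays a placeholder exactly as in the post.

```pf
# Added example, not from the original post.  Interface roles, lan_net,
# lan_nat and the LAN prefix are assumptions; XX.YY.ZZ is a placeholder.
vz_int  = "em0"             # uplink (Verizon)
ext_int = "re1"             # segment holding the public servers
int_int = "re0"             # RFC1918 LAN

# assumed LAN prefix, deliberately disjoint from the servers' 192.168.0.x
# private addresses so a LAN host never matches a binat rule
lan_net = "192.168.1.0/24"
lan_nat = "XX.YY.ZZ.221"    # single public address the LAN hides behind

host1_priv = "192.168.0.210"
host1_pub  = "XX.YY.ZZ.210"
host2_priv = "192.168.0.211"
host2_pub  = "XX.YY.ZZ.211"

set skip on lo

# --- translation ---------------------------------------------------------
# Translation is bound to the interface named in the rule, so it only touches
# packets that traverse that interface.  LAN <-> public-server traffic flows
# re0 <-> re1 and never crosses em0, so it is never translated; a separate
# "no nat" exclusion has nothing to do.
match out on $vz_int inet from $lan_net to any nat-to $lan_nat

# 1:1 bidirectional mapping per public server.  These are pass rules with no
# direction, so besides translating they admit traffic both ways, inbound
# connections to the public addresses included.
pass on $vz_int inet from $host1_priv to any binat-to $host1_pub
pass on $vz_int inet from $host2_priv to any binat-to $host2_pub

# --- filtering -----------------------------------------------------------
block return log all

# LAN may reach the public servers natively and the Internet (via nat-to)
pass in  on $int_int inet from $lan_net to any
pass out on $ext_int inet from $lan_net to any
pass out on $vz_int  inet

# public servers may initiate to the LAN natively and to the Internet
pass in  on $ext_int inet from $ext_int:network to any
pass out on $int_int inet from $ext_int:network to $lan_net
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it; mixing this syntax with the pre-4.7 `nat on ... ->` and `no nat` forms is a parse error, which is why both fragments need to be in the same dialect.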