Old 25th November 2015
jasonvp (Real Name: Jason), Northern VA
PF and NAT: Specify SRC IP Address?

Hey folks -

In the final step of migrating every system in my house from Linux to FreeBSD, I did the router yesterday. That was... challenging to say the least. Partially because the router needs to NAT some outbound connections while allowing others to just pass through (or route through) natively. NAT'd connections should be sourced from a different IP address than the router's egress IP.

More words: I have a Verizon business class FIOS connection with a block of "almost a /28" of IPs (VZ are a bunch of idiots when it comes to IP addressing). The router has to bridge my public VLAN with Verizon's, and that works fine. Interface bridge0 on the router has its own external IP address (XX.YY.ZZ.AA/24) and an alias on it for NAT (XX.YY.ZZ.BB/32). I'd like to force PF to NAT outbound connections to the second of those IPs, never the first. I can't figure out how to do that without ... some inventiveness.

The NAT rules look like so:

# Get NAT going for the RFC1918 space
no nat on $br from $external_ipv4_lan to $local_ipv4_lan
no nat on $br from $local_ipv4_lan to $external_ipv4_lan
nat on $br from $local_ipv4_lan to any -> ...

It's the ellipsis part of that statement that I'm trying to figure out. If I put $br (which is bridge0), it'll sometimes use the main IP, and sometimes use the alias IP. I can't put an actual IP where the ellipsis is because that's not allowed.

My solution thus far is to create interface lo100, assign the NAT IP to that, and then make the last line look like:

nat on $br from $local_ipv4_lan to any -> lo100

That works. Or at least it appears to. I'm wondering if there's another way to accomplish what I'm trying to do?
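As an added example (not the poster's configuration), a pf.conf fragment that pins the outbound NAT source to the alias by naming the address directly in the translation target; the LAN and public prefixes are assumed values, and XX.YY.ZZ.AA/BB are the placeholders from the post.

```pf
# Added example, not the poster's config. Macros follow the names used in the post.
br                = "bridge0"
local_ipv4_lan    = "192.168.1.0/24"   # assumed RFC1918 LAN behind the router
external_ipv4_lan = "XX.YY.ZZ.0/24"    # assumed public block bridged on bridge0
nat_ipv4          = "XX.YY.ZZ.BB"      # alias on bridge0 reserved for NAT

# Traffic between the public block and the LAN passes untranslated both ways
no nat on $br from $external_ipv4_lan to $local_ipv4_lan
no nat on $br from $local_ipv4_lan to $external_ipv4_lan

# Translate only to the alias. A bare interface name as the target expands to
# every address configured on that interface (primary and alias), which is
# consistent with the mixed source addresses described above; "($br:0)" would
# instead select the primary address and exclude aliases.
nat on $br from $local_ipv4_lan to any -> $nat_ipv4
```

Parse-check with pfctl -nf /etc/pf.conf before loading, then confirm the translation address that was actually installed with pfctl -s nat.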