DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD General

FreeBSD General Other questions regarding FreeBSD which do not fit in any of the categories below.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 18th January 2009
DNAeon DNAeon is offline
Shell Scout
 
Join Date: Sep 2008
Location: Bulgaria
Posts: 138
Default Changing MAC address to an alias interface?

Hello, mates!

I've being wondering how should I change the MAC address of an alias interface.

This is the situation - [ Private Network ] --> [ FreeBSD Gateway ] --> [ Internet ]

The FreeBSD gateway is NAT-ing the hosts from the private network, so they can get access to the internet. I have two NICs on the FreeBSD gateway - one for the private network and the other for the external interface.

Here is my /etc/pf.conf file:
Code:
# --- MACROS section ---
ext_if = "sis0"
int_if = "fxp0"

# --- IPs given by the ISP ---
ip_addr_1 = "x.x.x.87"
ip_addr_2 = "x.x.x.88"

# --- hosts from the private network ---
host1 = "10.10.0.2"
host2 = "10.10.0.3"
host3 = "10.10.0.4"
host4 = "10.10.0.5"
host5 = "10.10.0.6"

# --- *** local DC++ hubs which are not allowed *** ---
# --- ***    to be accessed by certain hosts    *** ---
dcpp_hub1 = "dc.xxx.net"
dcpp_hub2 = "dc.xxx.com"
dcpp_hub3 = "dc.xxx.org"

# --- hosts which are not allowed to access local DC++ hubs ---
DCPP_DENIED = "{" $host1 $host3 $host4 "}"
DCPP_HUB_DENIED = "{" $dcpp_hub1 $dcpp_hub2 $dcpp_hub3 "}"

# --- hosts with internet access ---
ALLOWED = "{" $host1 $host2 $host3 $host4 $host5 "}"

# --- hosts groups ---
HOSTS_GROUP1 = "{" $host3 $host4 $host5 "}"
HOSTS_GROUP2 = "{" $host1 $host2 "}"

# --- port for incoming ftp connections ---
FTP_PORT = "2121"

# --- port for incoming torrent connections ---
TORRENT_PORT = "25581"

# --- port for incoming ssh connections ---
SSH_PORT = "2222"

# --- OPTIONS section ---
set skip on lo0

# --- SCRUB section ---
scrub in all

# --- TRANSLATION (NAT/RDR) section ---
nat on $ext_if from $HOSTS_GROUP1 to any -> $ip_addr_1
nat on $ext_if from $HOSTS_GROUP2 to any -> $ip_addr_2

# --- redirect torrent traffic ---
rdr on $ext_if proto tcp from any to $ext_if port $TORRENT_PORT -> $host5 port $TORRENT_PORT

# --- redirect ftp traffic to the internal ftp server ---
rdr on $ext_if proto tcp from any to $ext_if port $FTP_PORT -> $host4 port $FTP_PORT
rdr on $ext_if proto tcp from any to $ext_if port 50000:50999 -> $host4 port 50000:50999

# --- redirect http traffic to the internal web server ---
rdr on $ext_if proto tcp from any to $ext_if port 80 -> $host4 port 80

# --- redirect incoming mail traffic ---
rdr on $ext_if proto tcp from any to $ext_if port 25 -> $host4 port 25

# --- FILTER RULES ---

# --- default policy ---
block log all

# --- antispoof protection ---
antispoof quick for $ext_if inet
antispoof quick for $int_if inet

# --- INTERNAL interface ---

# --- prevent local hosts to connect to dc++ hubs ---
block in log quick on $int_if inet from $DCPP_DENIED to $DCPP_HUB_DENIED

pass in quick on $int_if inet from $ALLOWED to any keep state
pass out quick on $int_if inet from any to any keep state

# --- EXTERNAL interface ---

# --- pass incoming torrent traffic ---
pass in quick on $ext_if inet proto tcp from any to $host5 port $TORRENT_PORT keep state

# --- pass incoming ftp traffic ---
pass in quick on $ext_if inet proto tcp from any to $host4 port $FTP_PORT keep state
pass in quick on $ext_if inet proto tcp from any to $host4 port 50000:50999 keep state

# --- pass incoming http traffic ---
pass in quick on $ext_if inet proto tcp from any to $host4 port 80 keep state

# --- pass incoming mail traffic ---
pass in quick on $ext_if inet proto tcp from any to $host4 port 25 keep state

# --- pass incoming ssh connections ---
pass in quick on $ext_if inet proto tcp from any to $ext_if port $SSH_PORT flags S/SA keep state

pass out quick on $ext_if inet from any to any keep state
Here are my interfaces configured in /etc/rc.conf
Code:
ifconfig_sis0="inet x.x.x.87  netmask 255.255.255.0"
ifconfig_sis0_alias0="inet x.x.x.88  netmask 255.255.255.255"
ifconfig_fxp0="inet 10.10.0.1  netmask 255.0.0.0"
My object here is when NAT-ing hosts from HOSTS_GROUP1 I want to use one MAC address, and when NAT-ing hosts from HOSTS_GROUP2 - another MAC address, so they appear from the outside as two different NICs.

From what I have read from ifconfig(8):
Code:
The link-level (``link'') address is specified as a series of
	     colon-separated hex digits.  This can be used to e.g. set a new
	     MAC address on an ethernet interface, though the mechanism used
	     is not ethernet-specific.	If the interface is already up when
	     this option is used, it will be briefly brought down and then
	     brought back up again in order to ensure that the receive filter
	     in the underlying ethernet hardware is properly reprogrammed.
And indeed using ifconfig sis0 link <some.mac.address> works, but how to change it for the sis0_alias0 interface? I've tried modifying /etc/rc.conf file as follows:
Code:
ifconfig_sis0_alias0="inet 78.90.73.88  netmask 255.255.255.255 link <some.other.mac.address>"
And when I run /etc/rc.d/netif restart it shouts something like sis0: bad value.

So my question is how to change that MAC address of the alias interface?

Thanks for any feedback!
__________________
"I never think of the future. It comes soon enough." - A.E

Useful links: FreeBSD Handbook | FreeBSD Developer's Handbook | The Porter's Handbook | PF User's Guide | unix-heaven.org
Reply With Quote
  #2   (View Single Post)  
Old 18th January 2009
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125
Default

You cannot

What you are asking is something like:
"My name is Peter Puk a.k.a. J65nko. I want a surgeon to operate on J65nko's vocal cords, to change it from tenor to bass. The vocal cords of Peter have to stay the same."
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #3   (View Single Post)  
Old 18th January 2009
DNAeon DNAeon is offline
Shell Scout
 
Join Date: Sep 2008
Location: Bulgaria
Posts: 138
Default

I see, thanks for good analogy explanation
__________________
"I never think of the future. It comes soon enough." - A.E

Useful links: FreeBSD Handbook | FreeBSD Developer's Handbook | The Porter's Handbook | PF User's Guide | unix-heaven.org

Last edited by DNAeon; 18th January 2009 at 06:51 PM.
Reply With Quote
  #4   (View Single Post)  
Old 18th January 2009
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125
Default

You could do something like this:
Code:
nat on $EXT_IF from 192.168.1.0/24 to any -> x.x.x.88
nat on $EXT_IF from 10.0.0.0/24 to any -> x.x.x.89
Just adjust it your two groups. See the BNF grammar at the end of the pf.conf man page.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #5   (View Single Post)  
Old 19th January 2009
DNAeon DNAeon is offline
Shell Scout
 
Join Date: Sep 2008
Location: Bulgaria
Posts: 138
Default

You mean that I should split the hosts group intro different ip-ranges?

Thanks,
DNAeon
__________________
"I never think of the future. It comes soon enough." - A.E

Useful links: FreeBSD Handbook | FreeBSD Developer's Handbook | The Porter's Handbook | PF User's Guide | unix-heaven.org
Reply With Quote
  #6   (View Single Post)  
Old 19th January 2009
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125
Default

Because I was not in spoonfeed mode, I tried to convince you to read the BNF grammar at the end of the pf.conf man page.

Code:
nat-rule       = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
                 [ "on" ifspec ] [ af ]
                 [ protospec ] hosts [ "tag" string ] [ "tagged" string ]
                 [ "->" ( redirhost | "{" redirhost-list "}" )
                 [ portspec ] [ pooltype ] [ "static-port" ] ]

hosts          = "all" |
                 "from" ( "any" | "no-route" | "urpf-failed" | "self" | host |
                 "{" host-list "}" | "route" string ) [ port ] [ os ]
                 "to"   ( "any" | "no-route" | "self" | host |
                 "{" host-list "}" | "route" string ) [ port ]


host-list      = host [ [ "," ] host-list ]

host           = [ "!" ] ( address [ "/" mask-bits ] | "<" string ">" )
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #7   (View Single Post)  
Old 20th January 2009
DNAeon DNAeon is offline
Shell Scout
 
Join Date: Sep 2008
Location: Bulgaria
Posts: 138
Default

I got it, thanks!
__________________
"I never think of the future. It comes soon enough." - A.E

Useful links: FreeBSD Handbook | FreeBSD Developer's Handbook | The Porter's Handbook | PF User's Guide | unix-heaven.org
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Web interface for rTorrent Beastie FreeBSD Ports and Packages 0 24th August 2009 11:53 AM
NAT with only one interface zapov General software and network 4 16th February 2009 03:45 AM
Mounting NAS as apache alias directory Yuka FreeBSD General 7 18th July 2008 02:58 PM
ip alias confusion hamba FreeBSD General 2 5th June 2008 10:23 AM
Web interface for pf? windependence OpenBSD Security 4 20th May 2008 03:58 AM


All times are GMT. The time now is 05:06 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick