DaemonForums  

#1 - 25th November 2015
jasonvp (Real Name: Jason) - Port Guard - Join Date: Nov 2015 - Location: Northern VA - Posts: 15

PF and NAT: Specify SRC IP Address?

Hey folks -

In the final step of migrating every system in my house from Linux to FreeBSD, I did the router yesterday. That was... challenging to say the least. Partially because the router needs to NAT some outbound connections while allowing others to just pass through (or route through) natively. NAT'd connections should be sourced from a different IP address than the router's egress IP.

More words: I have a Verizon business class FIOS connection with a block of "almost a /28" of IPs (VZ are a bunch of idiots when it comes to IP addressing). The router has to bridge my public VLAN with Verizon's, and that works fine. Interface bridge0 on the router has its own external IP address (XX.YY.ZZ.AA/24) and an alias on it for NAT (XX.YY.ZZ.BB/32). I'd like to force PF to NAT outbound connections to the second of those IPs, never the first. I can't figure out how to do that without ... some inventiveness.

The NAT rules look like so:
Code:
# Get NAT going for the RFC1918 space
no nat on $br from $external_ipv4_lan to $local_ipv4_lan
no nat on $br from $local_ipv4_lan to $external_ipv4_lan
nat on $br from $local_ipv4_lan to any -> ...
It's the ellipses part of that statement that I'm trying to figure out. If I put $br (which is bridge0), it'll sometimes use the main IP, and sometimes use the alias IP. I can't put an actual IP where the ellipses are because that's not allowed.

My solution thus far is to create interface lo100, assign the NAT IP to that, and then make the last line look like:
Code:
nat on $br from $local_ipv4_lan to any -> lo100
That works. Or at least it appears to. I'm wondering if there's another way to accomplish what I'm trying to do?
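The post above ends with "it appears to" work; the state table is where that can actually be confirmed. The script below is an added example (my code, not the poster's) that counts translated states per source address and flags any NAT'd state not sourced from the intended alias. It assumes the FreeBSD `pfctl -s state` line layout shown in its comments, and every address and state in it is constructed from documentation ranges.

```shell
#!/bin/sh
# Added example, not from the original post: report which source address PF
# actually uses for translated (NAT'd) states, so "it appears to work" can be
# checked against the state table. Assumes the FreeBSD `pfctl -s state` line
# layout, where a NAT'd state shows the translated source first and the
# original source in parentheses:
#   bridge0 tcp 203.0.113.5:50001 (192.168.1.10:50001) -> 198.51.100.7:443 ...
# All addresses and states below are constructed from documentation ranges.

# Constructed stand-in for `pfctl -s state`: two states NAT'd to the intended
# alias, one NAT'd to the wrong (primary) address, one not translated at all.
SAMPLE_STATES='bridge0 tcp 203.0.113.5:50001 (192.168.1.10:50001) -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
bridge0 udp 203.0.113.5:50002 (192.168.1.11:50002) -> 198.51.100.53:53       MULTIPLE:SINGLE
bridge0 tcp 203.0.113.4:50003 (192.168.1.12:50003) -> 198.51.100.7:80       ESTABLISHED:ESTABLISHED
bridge0 tcp 203.0.113.20:50004 -> 198.51.100.7:22       ESTABLISHED:ESTABLISHED'

# count_nat_sources STATE_DUMP
# Prints "address count" for every translated source address; pass-through
# states, which have no "(orig)" field, are ignored.
count_nat_sources() {
    printf '%s\n' "$1" | awk '
        $4 ~ /^\(/ { s = $3; sub(/:[0-9]+$/, "", s); n[s]++ }
        END { for (a in n) print a, n[a] }' | sort
}

# check_nat_sources EXPECTED_IP [STATE_DUMP]
# Returns 0 when every translated state is sourced from EXPECTED_IP; otherwise
# lists the offending states on stderr and returns 1. Without a second
# argument it reads the live table from pfctl (run as root on the router).
check_nat_sources() {
    expected="$1"
    if [ -n "$2" ]; then
        dump="$2"
    else
        dump=$(pfctl -s state) || return 2
    fi
    bad=$(printf '%s\n' "$dump" | awk -v want="$expected" '
        $4 ~ /^\(/ { s = $3; sub(/:[0-9]+$/, "", s); if (s != want) print }')
    if [ -n "$bad" ]; then
        printf 'NAT states not sourced from %s:\n%s\n' "$expected" "$bad" >&2
        return 1
    fi
}

# Stand-alone run against the constructed sample (expect one mismatch listed).
count_nat_sources "$SAMPLE_STATES"
if check_nat_sources 203.0.113.5 "$SAMPLE_STATES"; then
    echo "all NAT'd states use 203.0.113.5"
fi
```

On the router itself, drop the second argument so the check reads the live table; a non-zero count for the primary address means some connections are still being translated to it.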