Date:      Tue, 12 Jun 2007 06:44:22 -0700
From:      snowcrash <schneecrash@gmail.com>
To:        "Greg Hennessy" <Greg.Hennessy@nviz.net>
Cc:        freebsd-questions@freebsd.org, freebsd-pf <freebsd-pf@freebsd.org>
Subject:   Re: how 2 address&port map outbound traffic to multiple/different IPs on a single intfc?
Message-ID:  <70f41ba20706120644y401ee52bpe2baaf4d8c9753ef@mail.gmail.com>
In-Reply-To: <781957739614121600@unknownmsgid>
References:  <70f41ba20706111920x2e9e2d71ma2bcb3dd074daa60@mail.gmail.com> <781957739614121600@unknownmsgid>

hi greg,

> There's a number of ways to do this.
>
> Add the extra addresses as aliases to the internet facing interface. E.g
>
> gw2:~ # cat /etc/rc.early /etc/rc.conf | egrep -i 'outside|alias' | sed -e
> .....
> /sbin/ifconfig rue0 name outside
> network_interfaces="lo0 outside inside"
> ifconfig_outside="inet xx.yy.zz.251 netmask 0xfffffff8 up"
> ifconfig_outside_alias0="inet xx.yy.zz.252 netmask 0xffffffff"
> ifconfig_outside_alias1="inet xx.yy.zz.253 netmask 0xffffffff"

i am using aliases, but, atm, only for INTERNAL addresses on the
router/firewall. e.g., in rc.conf,

 int_if         = "sis0"
 lo_if          = "lo0"
 ifconfig_sis0="inet x.x.x.80 netmask 255.255.255.0 mtu 1492 polling"
 ifconfig_sis0_alias0="x.x.x.81 netmask 255.255.255.0 mtu 1492 polling"
 ifconfig_sis0_alias1="x.x.x.82 netmask 255.255.255.0 mtu 1492 polling"
 ifconfig_sis0_alias2="x.x.x.83 netmask 255.255.255.0 mtu 1492 polling"
 ifconfig_sis0_alias3="x.x.x.84 netmask 255.255.255.0 mtu 1492 polling"
 dhcpd_ifaces="sis0"

the $ext_if, "tun0" (pppoe) is not created UNTIL ppp launches -- later.

so, iiuc -- which i may well not -- setting aliases for the ext intfc
would NOT work in rc.conf (early), but only (later) after ppp int'd
the alias ...

don't know what issues that causes for maintaining any/all required
synchronization with pf ... which would be expecting/addressing those
external intfc aliases on startup.

so, don't think this is a viable option :-/

unless ...

> Or. If you have control of the upstream router from your firewall add
> static routes for either the entire cidr block or /32 host routes for each
> address in the /29 you control.
>
> The routes should point to the external address of the firewall.

aha.

i assume you really DO mean the upstream router here, NOT any router
capabilities ON the firewall box itself, yes?

if so, after pppoe setup/connect, ifconfig shows,

  tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
          inet x.x.x.1 --> aa.bb.cc.dd netmask 0xffffffff
          Opened by PID 511

and the upstream router, aa.bb.cc.dd, is my ISP's.

checking established routes, as per in "ppp.conf",

  add default HISADDR

checking routes, i see the one,

  netstat -nr | grep aa.bb.cc.dd
    default            aa.bb.cc.dd        UGS         0       19   tun0
    aa.bb.cc.dd        x.x.x.1            UH          1        3   tun0

now, looking at that, i suspect i MIGHT be able to add add'l routes in
the ppp.conf transaction config -- e.g., instead of (just?)

  add default HISADDR

add something 'like'

  set ifaddr x.x.x.1 x.x.x.2 x.x.x.3 255.255.255.255
  add x.x.x.0/29 HISADDR

but, i have to search/fumble around with the correct pppoe-time syntax.

i assume that this would (?) set up additional external intfcs, which
would then be pf-addressable?

thoughts?

thanks!
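An added worked example, not part of this thread and not the poster's or Greg's code: it models the two options Greg lays out (alias each address of the /29 on the outside interface with a host netmask, and have the upstream router reach them either through one route for the whole block or one /32 host route per address) and then checks a `netstat -nr` dump for the routes that are still missing. All addresses (documentation ranges), the interface name `tun0`, and the netstat sample are constructed placeholders; the `route add` rendering assumes BSD route(8) syntax and would need adapting to whatever the upstream router runs.

```python
"""Plan and verify extra public addresses on a firewall's external interface.

Added example (not part of the mailing-list thread). Addresses, interface
name and the netstat sample below are constructed placeholders.
"""
import ipaddress
from typing import List, Tuple

BLOCK = "198.51.100.8/29"   # constructed: the /29 the ISP routes to the firewall
FW_EXT = "198.51.100.9"     # constructed: the firewall's primary external address

# Constructed `netstat -nr` excerpt as seen on an upstream BSD-style router:
# only the default route and a host route for one extra address exist so far.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.254      UGS         0       19    em0
198.51.100.9       203.0.113.7        UGHS        0        0    em0
198.51.100.10      198.51.100.9       UGHS        0        0    em0
"""


def alias_lines(iface: str, block: str, primary: str) -> List[str]:
    """rc.conf alias lines for every usable address of `block` except `primary`.

    Each alias gets a host netmask (0xffffffff), the convention Greg's rc.conf
    excerpt uses for extra addresses that share the primary address's subnet.
    """
    net = ipaddress.ip_network(block, strict=True)
    prim = ipaddress.ip_address(primary)
    if prim not in net:
        raise ValueError(f"{primary} is not inside {block}")
    lines = []
    for n, host in enumerate(h for h in net.hosts() if h != prim):
        lines.append(f'ifconfig_{iface}_alias{n}="inet {host} netmask 0xffffffff"')
    return lines


def upstream_routes(block: str, firewall_ext: str,
                    per_host: bool = False) -> List[Tuple[str, str]]:
    """(destination, gateway) pairs the upstream router needs.

    per_host=False: one route for the whole block via the firewall.
    per_host=True: one /32 route per usable address, skipping the firewall's
    own external address, which the router already reaches over the link.
    """
    net = ipaddress.ip_network(block, strict=True)
    fw = ipaddress.ip_address(firewall_ext)
    if per_host:
        return [(f"{h}/32", firewall_ext) for h in net.hosts() if h != fw]
    return [(net.with_prefixlen, firewall_ext)]


def as_route_commands(routes: List[Tuple[str, str]]) -> List[str]:
    """Render pairs as route(8)-style commands (assumed BSD syntax)."""
    cmds = []
    for dest, gw in routes:
        net = ipaddress.ip_network(dest, strict=False)
        if net.prefixlen == 32:
            cmds.append(f"route add -host {net.network_address} {gw}")
        else:
            cmds.append(f"route add -net {net.with_prefixlen} {gw}")
    return cmds


def _as_network(dest: str):
    """Normalise a netstat destination column to a network object, or None."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    try:
        return ipaddress.ip_network(dest, strict=False)
    except ValueError:        # header words such as "Destination" or "Internet:"
        return None


def missing_routes(netstat_output: str,
                   expected: List[Tuple[str, str]]) -> List[str]:
    """Expected destinations absent from a `netstat -nr` dump.

    netstat prints host routes without a /32 suffix, so both sides are
    compared as network objects rather than as raw strings.
    """
    present = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if fields:
            net = _as_network(fields[0])
            if net is not None:
                present.add(net)
    return [dest for dest, _gw in expected if _as_network(dest) not in present]


if __name__ == "__main__":
    for line in alias_lines("tun0", BLOCK, FW_EXT):
        print(line)
    host_routes = upstream_routes(BLOCK, FW_EXT, per_host=True)
    for cmd in as_route_commands(host_routes):
        print(cmd)
    print("still missing upstream:", missing_routes(SAMPLE_NETSTAT, host_routes))
```

Running the module prints five alias lines for `tun0`, the five host-route commands the upstream router would need, and the four /32 destinations the constructed netstat excerpt does not yet carry; passing `per_host=False` to `upstream_routes` instead yields the single /29 route, which the excerpt also lacks.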
