Date: Mon, 19 Nov 2012 17:54:07 -0500
From: Kevin Wilcox <kevin.wilcox@gmail.com>
To: Peter McAlpine <peter@aoeu.ca>
Cc: freebsd-pf@freebsd.org
Subject: Re: Routing return NAT traffic based on interface
Message-ID: <CAFpgnrO9r_L1syR4STqvNJHTQ2cCFo6U711JNc_Uu-_eEkTQfg@mail.gmail.com>
In-Reply-To: <CAEDV4ypG9vA4iDVkHD2gSJ3J81DNSMjjoU2_98Jd-2V=nXHz7g@mail.gmail.com>
References: <CAEDV4ypAo21-4KYws0LTxC+XSNNtSmWvMpvFGro6BqNH2z==Wg@mail.gmail.com> <CAFpgnrO3o1==XtxDK__KmEhX1C947DHhj5N_NptKomFBba3fzQ@mail.gmail.com> <CAEDV4ypG9vA4iDVkHD2gSJ3J81DNSMjjoU2_98Jd-2V=nXHz7g@mail.gmail.com>
On Nov 19, 2012 3:12 PM, "Peter McAlpine" <peter@aoeu.ca> wrote:
>
> Thanks for your reply. I've tried the configuration you suggested but
> it's providing the same issue I was encountering before.
>
> My goal is to route all traffic from the tunnel out the external
> interface nat'ing it on the way out. Any traffic coming in on the
> external interface should be un-nat'd (if applicable), then sent back
> down the tunnel unless it's destined for the external interface's IP
> (post-un-nat).
>
> Is such a configuration possible with PF?

It is. The "pass in" rule I used in my example assumes the inside interface and the other devices it talks to are in the same network. If you want to pass anything that interface sees, change the rules so that they accept traffic from any IP range: "from $int_if:network to any" becomes "from any to any".

I have a couple of routers that pass traffic for 10.x.y.z but their inside IPs are 172.16.a.b addresses and they were configured much the same way in early testing, before filters were added.

If changing the rule to pass everything doesn't square you away, a network diagram may be useful (as would me actually looking at my pf configs).

kmw
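One way to write the "pass everything the tunnel interface sees" variant described above as a pf.conf fragment. This is an added example, not Kevin's own config from the thread; the interface names em0 and tun0 are assumed, and the inside prefixes (e.g. 10.x.y.z) are assumed to be routed via tun0 in the kernel routing table.

```pf
# Added example (not from the thread). Interface names are assumed.
ext_if = "em0"    # external interface; the NAT address lives here
tun_if = "tun0"   # tunnel carrying traffic from the inside networks

# Translate everything that leaves via the external interface to its
# address. "from any" (rather than "from $tun_if:network") matters when
# the inside hosts are not in the tunnel interface's own subnet.
nat on $ext_if from any to any -> ($ext_if)

# Accept whatever arrives on the tunnel, whatever its source range.
# keep state makes pf match the replies on $ext_if, un-translate them
# and hand them to the routing table, which sends them back down $tun_if.
pass in on $tun_if from any to any keep state
pass out on $ext_if from any to any keep state

# Connections from outside that target the external address itself
# (post-un-nat they are still addressed to ($ext_if)) are allowed in;
# anything else arriving unsolicited on $ext_if falls through to the
# default block and never reaches the tunnel.
block in on $ext_if
pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state
```

Check the state table with `pfctl -ss` after a test connection from an inside host: the entry should show the tunnel side with the inside address and the external side with the translated address.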