Contributed by Dengue on from the natsturbation dept.
aaa.aaa.aaa.aaa --> bbb.bbb.bbb.bbb
ddd.ddd.ddd.ddd --> eee.eee.eee.eee
ggg.ggg.ggg.ggg --> hhh.hhh.hhh.hhh

bbb.bbb.bbb.bbb should use gateway ccc.ccc.ccc.ccc
eee.eee.eee.eee should use gateway fff.fff.fff.fff
hhh.hhh.hhh.hhh should use gateway iii.iii.iii.iii

The question is, how do I ensure that traffic from bbb.bbb.bbb.bbb, destined for addresses outside of the subnet bbb.bbb.bbb.bbb is in, is sent to ccc.ccc.ccc.ccc (ibid eee.eee.eee.eee --> fff.fff.fff.fff AND hhh.hhh.hhh.hhh --> iii.iii.iii.iii)? Is this a job for the "route-to" option in pf or do I need to run something like routed, gated, or the like?
-Tom C.
This makes me shudder at the thought of troubleshooting this setup. Any help for Tom out there?
By Christopher Kruslicky () on
Comments
By Anonymous Coward () on
As another commenter has already noted, troubleshooting this would be a nightmare - much better to use 6 NICs.
By Daniel () on
Rather than extra network cards, a good switch with VLAN tagging support allows use of a single (or at least fewer) physical NIC and logical vlan0,... (needs to be compiled into the kernel)
=== pf.conf
# internal subnets, the external address each is NATed to, and the gateway that address must use
neta = aaa.aaa.aaa.0/24
neta_nat = bbb.bbb.bbb.bbb
neta_gw = ccc.ccc.ccc.ccc
netd = ddd.ddd.ddd.0/24
netd_nat = eee.eee.eee.eee
netd_gw = fff.fff.fff.fff
netg = ggg.ggg.ggg.0/24
netg_nat = hhh.hhh.hhh.hhh
netg_gw = iii.iii.iii.iii
# all internal subnets, so traffic between them is left alone
table <lan_nets> = { $neta $netd $netg }
int_if = fxp0
ext_if = fxp1
# each subnet gets its own external address
nat on $ext_if from $neta -> $neta_nat
nat on $ext_if from $netd -> $netd_nat
nat on $ext_if from $netg -> $netg_nat
# anything leaving a subnet for a non-LAN destination is forced out via that subnet's gateway
pass in on $int_if route-to ($ext_if $neta_gw) from $neta to ! <lan_nets> keep state
pass in on $int_if route-to ($ext_if $netd_gw) from $netd to ! <lan_nets> keep state
pass in on $int_if route-to ($ext_if $netg_gw) from $netg to ! <lan_nets> keep state
=== note
if you use rdr or binat for a host on the LAN to be accessed from external, you will need to also use reply-to rules
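An added example, not from Daniel's post or from pf itself: a small Python model of what the ruleset above does to a packet, using constructed placeholder addresses in place of the aaa/bbb/ccc blocks and an assumed default gateway. It also models the note about rdr and reply-to, showing which gateway a reply leaves through with and without reply-to.

```python
import ipaddress

# Constructed placeholder addresses standing in for the thread's aaa/bbb/ccc blocks:
# name -> (internal subnet, NAT address on ext_if, upstream gateway for that address)
LANS = {
    "neta": ("10.1.0.0/24", "203.0.113.11", "203.0.113.1"),
    "netd": ("10.2.0.0/24", "203.0.113.22", "203.0.113.2"),
    "netg": ("10.3.0.0/24", "203.0.113.33", "203.0.113.3"),
}
LAN_NETS = [ipaddress.ip_network(net) for net, _, _ in LANS.values()]  # <lan_nets>
DEFAULT_GW = "203.0.113.254"  # assumed: the firewall's ordinary default route

def lan_for(addr):
    """Name of the internal LAN that addr belongs to, or None."""
    a = ipaddress.ip_address(addr)
    for name, (net, _, _) in LANS.items():
        if a in ipaddress.ip_network(net):
            return name
    return None

def outbound(src, dst):
    """Model of the three 'pass in on $int_if route-to ... from $net to !<lan_nets>'
    rules plus the matching nat rule. Returns (source after NAT, next hop)."""
    if any(ipaddress.ip_address(dst) in n for n in LAN_NETS):
        # 'to !<lan_nets>' does not match: inter-LAN traffic is neither NATed
        # nor policy-routed; the kernel routing table decides as usual.
        return src, "routing-table"
    lan = lan_for(src)
    if lan is None:
        return src, "routing-table"  # not from one of our LANs: no rule matches
    _, nat_addr, gw = LANS[lan]
    return nat_addr, gw  # NATed to this LAN's address, forced out via its gateway

def inbound_reply_gateway(ext_addr, use_reply_to):
    """Model of the note on rdr/binat: a connection that arrived at one of the NAT
    addresses must be answered through that address's own upstream gateway.
    Without reply-to, the reply just follows the default route."""
    for _, nat_addr, gw in LANS.values():
        if nat_addr == ext_addr:
            return gw if use_reply_to else DEFAULT_GW
    raise ValueError(f"{ext_addr} is not one of the NAT addresses")
```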
By Daniel () on
The angle brackets were stripped from the table lines above; they should read:
table <lan_nets> = { ...
...
from $neta to ! <lan_nets> keep state
and the last gateway should be:
netg_gw = iii.iii.iii.iii
By Daniel Tams (dantams at sdf-eu.org) on
By Matt Van Mater () on
My question is this, does obsd have any support for those nifty multi-nic cards? I'm talking about the PCI nics that have 4 1/100 ports built into them. Using these quad nic cards you could really make a hell of a gateway box and implement a fairly complex network. I know they're a little off the wall hardware wise and I haven't heard if they're supported or not.
By Anonymous Coward () on
By Alexander Grekhov (grekhov@wgukraine.com) on
Frankly I do not see how using VLANs instead of physical interfaces makes things more complicated. Your interfaces will be just named differently, that's all. As long as you know what you are doing you should be fine.
Now, if more bandwidth between the internal LANs is needed, that's where I can justify using extra physical interfaces.
By Sedat Doğru (sdogru) on
By Anonymous Coward () on
By Anonymous Coward () on
2.8 is well before the (in)famous ssh hole, so you're still vulnerable, unless ssh is disabled of course.
By Anonymous Coward () on