
Re: Use two nat's for an extra IP

On Sun, 2005-01-02 at 06:56, Daniel Johansson wrote:
> Hi, my setup looks like the usual one. Internet -> router with openbsd 3.5 ->
> switch -> hosts. 
> I recently got a second IP from my ISP but I don't want to use it on an
> external box directly to the internet. So I used ifconfig alias and added the
> second IP to my openbsd box. 
> I just needed ssh, http and https to an internal box but with the new IP so I used PF 
> and added this rule, is the internal ip of the box I want to
> forward the traffic. I also wanted all traffic from to use the
> new IP and not my old one.
> nat on $ext inet from to any -> new_ip
> I already had this rule in my config:
> nat on $ext inet from ($int)/24 to any -> old_ip
> I then added my rdr-rules to the new box. It all seems to work perfectly but
> what I would like to know is if this is a correct way of doing what I want to
> do or is there any better or more correct solution? 
if it works the way you want, then no--i wouldn't say there's a "more
correct" way to do it.  if $new_ip is solely dedicated to;
you could use "binat" instead of "nat" + "rdr" but that's really just a
matter of preference.
> Does it matter which one of my nat rules comes first in my config?
yes.  from man 5 pf.conf
     For each packet processed by the translator, the translation rules
     are evaluated in sequential order, from first to last.  The first
     matching rule decides what action is taken.
"Silly customer, you cannot hurt a Twinkie!"
	--The Simpsons
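For readers who want to see the layout discussed in this thread written out, the following pf.conf fragment is an added example, not a rule set posted by either participant. It uses the OpenBSD 3.5-era nat/rdr/binat syntax; the interface names, macro names and all addresses (RFC 5737 documentation ranges and a private LAN) are assumptions. It puts the host-specific nat rule ahead of the /24 catch-all, because translation rules are matched first to last as the reply quotes from pf.conf(5), and it shows the binat alternative the reply mentions alongside the filter rules that still have to admit the redirected ports.

```pf
# Added example (not from the thread). Interface names, macro values and
# addresses below are assumptions.
ext_if  = "fxp0"
int_if  = "fxp1"
lan_net = "10.0.0.0/24"
old_ip  = "192.0.2.10"      # original public address
new_ip  = "192.0.2.11"      # second address, added with ifconfig alias
srv     = "10.0.0.5"        # internal host that should appear as $new_ip

# Translation rules are evaluated in order and the first match wins, so the
# host-specific rule must come before the catch-all; reversed, $srv would be
# translated to $old_ip like every other LAN host.
nat on $ext_if inet from $srv     to any -> $new_ip
nat on $ext_if inet from $lan_net to any -> $old_ip

# Inbound: only ssh, http and https arriving on the second address are
# redirected to $srv.
rdr on $ext_if inet proto tcp from any to $new_ip port { 22, 80, 443 } -> $srv

# Alternative mentioned in the reply: one bidirectional 1:1 mapping instead of
# the nat + rdr pair above. binat maps every port, not just three, so the port
# restriction then has to come from the filter rules alone.
# binat on $ext_if inet from $srv to any -> $new_ip

# rdr/binat only rewrite addresses; filter rules decide what is admitted.
# Filtering happens after translation, so match on the internal address.
block in on $ext_if
pass in on $ext_if inet proto tcp from any to $srv port { 22, 80, 443 } \
    flags S/SA keep state
pass out on $ext_if keep state
```

After loading the rule set, `pfctl -s nat` lists the translation rules in the order they will be evaluated, which is the quickest way to confirm the host-specific rule sits above the catch-all; `pfctl -s state` then shows which public address each outbound connection from the internal host was mapped to.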