
Re: Use two nat's for an extra IP



On Sun, 2005-01-02 at 06:56, Daniel Johansson wrote:
> Hi, my setup looks like the usual one. Internet -> router with openbsd 3.5 ->
> switch -> hosts. 
> 
> I recently got a second IP from my ISP but I don't want to use it on an
> external box directly to the internet. So I used ifconfig alias and added the
> second IP to my openbsd box. 
> 
> I just needed ssh, http and https to an internal box but with the new IP, so I used PF 
> and added this rule (192.168.1.12 is the internal ip of the box I want to
> forward the traffic to). I also wanted all traffic from 192.168.1.12 to use the
> new IP and not my old one.
> 
> nat on $ext inet from 192.168.1.12/32 to any -> new_ip
> 
> I already had this rule in my config:
> 
> nat on $ext inet from ($int)/24 to any -> old_ip
> 
> I then added my rdr-rules to the new box. It all seems to work perfectly, but
> what I would like to know is if this is a correct way of doing what I want to
> do, or is there any better or more correct solution? 
if it works the way you want, then no--i wouldn't say there's a "more
correct" way to do it.  if $new_ip is solely dedicated to 192.168.1.12;
you could use "binat" instead of "nat" + "rdr" but that's really just a
matter of preference.
> Does it matter which one of my nat rules comes first in my config?
yes.  from man 5 pf.conf
     For each packet processed by the translator, the translation rules
     are evaluated in sequential order, from first to last.  The first
     matching rule decides what action is taken.
-j
--
"Silly customer, you cannot hurt a Twinkie!"
	--The Simpsons
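As an added illustration (not part of the thread, and not anyone's actual config), here is how the two variants discussed above fit together in one pf.conf using the nat/rdr/binat syntax of the OpenBSD 3.x era. Interface names, the two public addresses and the port list are constructed placeholders; only 192.168.1.12 comes from the thread. The point it shows is the ordering rule from man 5 pf.conf: the host-specific nat rule has to precede the /24 rule, or the /24 rule matches first and 192.168.1.12 never gets the new IP.

```pf
# Constructed example: replace interface names and addresses with your own.
ext_if = "fxp0"            # assumed external interface
int_if = "fxp1"            # assumed internal interface
old_ip = "203.0.113.10"    # placeholder: original public address
new_ip = "203.0.113.11"    # placeholder: second public address (ifconfig alias)
box    = "192.168.1.12"    # internal host that should own $new_ip
svc    = "{ 22, 80, 443 }" # ssh, http, https

# --- Variant 1: nat + rdr -------------------------------------------------
# Translation rules are evaluated first to last and the first match wins,
# so the /32 rule for $box must come BEFORE the catch-all /24 rule.
nat on $ext_if inet from $box to any       -> $new_ip
nat on $ext_if inet from $int_if:network to any -> $old_ip

# Only the three wanted services on $new_ip are redirected to the box.
rdr on $ext_if inet proto tcp from any to $new_ip port $svc -> $box

# --- Variant 2: binat instead of nat + rdr (comment Variant 1 out) -------
# binat is a bidirectional 1:1 mapping: it covers both the outbound source
# translation and the inbound redirection in a single rule. Note that it
# maps EVERY inbound packet for $new_ip to $box, not just three ports, so
# the filter rules below are what actually limit exposure.
# binat on $ext_if inet from $box to any -> $new_ip

# --- Filter rules (apply to either variant) ------------------------------
# rdr/binat only rewrite the destination; the packet still has to pass the
# filter, and by then it is addressed to $box, so filter on the internal IP.
block in on $ext_if
pass  in on $ext_if inet proto tcp from any to $box port $svc \
      flags S/SA keep state
pass out on $ext_if keep state
```

With Variant 1 the exposed surface is fixed by the rdr rule and the pass rule together; with Variant 2 it is fixed by the pass rule alone, which is why the block-in default matters more there. Either way, `pfctl -nf /etc/pf.conf` checks the syntax without loading it, and `pfctl -sn` shows the translation rules in the order pf will evaluate them.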