Date: Thu, 9 Sep 2004 01:25:40 +0200 From: Michael Knudsen <none@e--molioner.dk.lh.bsd-dk.dk> To: bsd-dk@bsd-dk.dk Subject: Re: To subnets til to ADSL linier med pf
Quoting Anders S. Jensen (doozer@rocketmail.com):
> Det dutter bare ikke, for traffik fra subnet 2 kommer ikke ud
> p? ext_if2 interfacet.
>
> Jeg har klistret den sl?rede pf.conf fil ved
Det relevante er vist dette:
# NAT rules
nat on $ext_if1 inet proto $nat_proto from $subnet1 to any \
tag SUB1 -> ($ext_if1)
nat on $ext_if2 inet proto $nat_proto from $subnet2 to any \
tag SUB2 -> ($ext_if2)
# One DSL connection per subnet
pass out on $ext_if1 route-to ($ext_if1 $ext_gw1) \
tagged SUB1 keep state
pass out on $ext_if2 route-to ($ext_if2 $ext_gw2) \
tagged SUB2 keep state
Jeg tror, at problemet er, at du tagger i din nat-regel, og at
nat-reglen kun gaelder for trafik, der kommer paa $ext_if2. Trafik
kommer kun paa dette interface, hvis det er tagget. Hoenen og aegget.
I oevrigt virker din brug af tags en kende overfloedig, da tagget blot
registrerer det interface, pakken kom ind paa. Du bruger antispoof, og
den burde sikre, at der ikke kommer pakker ind fra det forkerte
netvaerk. Kan du ikke noejes med at matche paa source-ip?
nat on $ext_if2 inet proto $nat_proto from $subnet2 \
to any -> ($ext_if2)
pass in route-to ($ext_if2 $ext_gw2) from $subnet2 to any
Paa denne maade vil _indkommende_ trafik fra $subnet2 sendes til $ext_if2,
og naar det sendes _ud_ paa dette interface, vil pakken matches af
nat-reglen, der soerger for adresseoversaetning.
Mvh. Michael.
-- Winter meant the coming of the lazy wind, which couldn't be bothered to blow around people and blew right through them instead. -- (Terry Pratchett, Wyrd Sisters)
This archive was generated by hypermail 2b30 : Wed 15 Nov 2006 - 18:24:43 CET