PF: 1 server, multiple outgoing IPs, and force 1 LAN IP to go through one of these

Hello, my problem is this:

I have a server with PF with multiple WAN IPs (one principal and the others as aliases) for routing multiple services from outside to inside
(web server, MTA, some SSH access, etc.), and every one of these comes from a different external IP, for example:

the ISP at my work gives me one gateway and 4/5 static IPs to use, OK

so, I have:

IP
a) 200.xxx.xxx.10
b) 200.xxx.xxx.11
c) 200.xxx.xxx.12

the clients connect from outside to IP a) to access a web server in my LAN,
another connects to IP b) to access an SSH server in my LAN,
and so on...

so far I got everything running fine with PF;
my rules were:

"ok, the connection from IP a) to port 80 redirects to the internal LAN server, and you, the server, return the response to IP a)"

Code:
rdr  log(all)  on $ext_if  proto tcp from any to $ip1  port 80 -> 192.168.1.1  port 80
Code:
nat on $ip1 from 192.168.1.1 to any -> $ip1

(later I post the summarized PF config file)

but my problem now is that I have to force 1 internal LAN IP to go through IP a);
the server behind that IP is an MTA, and I have to force it to go through that outside IP

I tried everything that is within reach of my knowledge and some wrong tests...
like
Code:
rdr  log(all)  on $int_if  proto tcp from 192.168.1.1 to any  port 80 -> 192.168.1.1  port 80
but if I rdr to an IP and not to a gateway, what's the point? The external IP doesn't have any rule to handle requests to port 80

and another:

Code:
nat on $int_if from 192.168.1.1 to any -> $ip1
Code:
nat on $int_if from 192.168.1.1 to any port 80 -> $ip1 port 80

but NAT doesn't work from the internal to the external network, if I'm not wrong


the (summarized) PF config file is this:
I removed the port-forward and rdr code to make it easier to read

Code:
ext_if="em0"
int_if="em1"

ip1="200.xxx.xxx.10"
ip2="200.xxx.xxx.11"
ip3="200.xxx.xxx.12"
 

in_External="{25,993,143,110,53,22,3399,443,80}"




############forward int_if


forward_ports="{25,443,80,22}"
forward_ports_udp="{53}"

#########################################

 

set limit { states 50000, frags 30000, src-nodes 30000 }

set skip on lo0

scrub in on $ext_if all fragment reassemble
scrub in on $int_if all fragment reassemble

nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
nat on $int_if inet from ! ($int_if) to any -> ($int_if)



nat on $ip1 from 192.168.1.1 to any -> $ip1
nat on $ip2 from 192.168.1.2 to any -> $ip2
nat on $ip3 from 192.168.1.3 to any -> $ip3

rdr  log(all)  on $ext_if  proto tcp from any to $ip1  port 80 -> 192.168.1.1  port 80
rdr  log(all)  on $ext_if  proto tcp from any to $ip2  port 22 -> 192.168.1.2  port 22
rdr  log(all)  on $ext_if  proto tcp from any to $ip3  port 25 -> 192.168.1.3  port 25


table <servers> persist file "/conf/servers"

block log  all
    
antispoof  for $ext_if
antispoof  for $int_if
block in from no-route to any
block in from urpf-failed to any
block in quick on $int_if from any to 255.255.255.255
    


pass in on $int_if inet proto tcp from any to any  flags S/SA keep state
pass in on $int_if inet proto udp from any to any   
pass out on $int_if inet proto tcp from any to any flags S/SA keep state
pass out on $int_if inet proto udp from any to any

pass in on $int_if inet proto {tcp,udp} from any to <servers>  flags S/SA keep state
pass out on $int_if inet proto {tcp,udp} from any to <servers>  flags S/SA keep state



####outside->in
pass in on  $ext_if inet proto tcp from any to any port $in_External flags S/SA keep state

##################################################


I'm a semi-newbie to FreeBSD PF and its routing options, so guys, is there any way to do this?
Thanks in advance
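As an added example (not the poster's config and not an answer from the thread), this is how per-host outbound source NAT is normally expressed in the old FreeBSD `nat`/`rdr` syntax the post uses: the `on` keyword of a `nat` rule names the interface the packet leaves through, so the rule that pins 192.168.1.3 to `$ip3` has to sit on `$ext_if`, and it has to come before the catch-all because translation rules are first-match. The interface names, the three aliases, the host macros and the placeholder addresses are assumed from the post; the filter rules at the end are only the minimum needed to let the translated traffic through.

```conf
# Added example, not the poster's pf.conf. Assumes em0 carries
# 200.xxx.xxx.10/.11/.12 as aliases (placeholders from the post) and em1 is the LAN.
ext_if="em0"
int_if="em1"

ip1="200.xxx.xxx.10"
ip2="200.xxx.xxx.11"
ip3="200.xxx.xxx.12"

web="192.168.1.1"      # hypothetical host macros, one per public alias
sshhost="192.168.1.2"
mta="192.168.1.3"

# Outbound: translation rules are evaluated first-match, so the host-specific
# rules must precede the catch-all. Each rule is "on" the interface the packet
# leaves through (em0), never on an address and never on the LAN side.
nat on $ext_if inet from $web     to any -> $ip1
nat on $ext_if inet from $sshhost to any -> $ip2
nat on $ext_if inet from $mta     to any -> $ip3
# Every other LAN host keeps using the interface address, as in the post.
nat on $ext_if inet from $int_if:network to any -> ($ext_if)

# Inbound: each public alias is redirected to its LAN host (same as the post).
rdr on $ext_if inet proto tcp from any to $ip1 port 80 -> $web     port 80
rdr on $ext_if inet proto tcp from any to $ip2 port 22 -> $sshhost port 22
rdr on $ext_if inet proto tcp from any to $ip3 port 25 -> $mta     port 25

# Filter rules see the translated addresses: the NATed public sources going
# out, the redirected private destinations coming in. Replies match state.
block log all
pass out on $ext_if inet from { $ip1, $ip2, $ip3 } to any keep state
pass in  on $ext_if inet proto tcp from any to $web     port 80 flags S/SA keep state
pass in  on $ext_if inet proto tcp from any to $sshhost port 22 flags S/SA keep state
pass in  on $ext_if inet proto tcp from any to $mta     port 25 flags S/SA keep state
pass in  on $int_if inet from $int_if:network to any keep state
pass out on $int_if inet from any to $int_if:network keep state
```

Two checks worth doing after loading this with `pfctl -nf` and then `pfctl -f`: `pfctl -s nat` should list the three host-specific `nat` rules above the catch-all, and an outbound connection from 192.168.1.3 should show up in `pfctl -s state` with its source rewritten to `$ip3`. For an MTA this matters beyond routing: mail leaving from the same address that the port 25 `rdr`, the MX record and the reverse DNS point at is what receiving servers check, so a catch-all that sends it out as the primary address is a deliverability and reputation problem, not just a cosmetic one.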