Solved Dynamic NAT

This?

http://www.firewall.cx/networking-topics/network-address-translation-nat/231-nat-dynamic-part-1.html

This can be achieved with PF by using one or more of the following options for the nat operation; source-hash and round-robin are probably the most useful:

Code:
POOL OPTIONS
     For nat and rdr rules, (as well as for the route-to, reply-to and dup-to
     rule options) for which there is a single redirection address which has a
     subnet mask smaller than 32 for IPv4 or 128 for IPv6 (more than one IP
     address), a variety of different methods for assigning this address can
     be used:

     bitmask
           The bitmask option applies the network portion of the redirection
           address to the address to be modified (source with nat, destination
           with rdr).

     random
           The random option selects an address at random within the defined
           block of addresses.

     source-hash
           The source-hash option uses a hash of the source address to
           determine the redirection address, ensuring that the redirection
           address is always the same for a given source.  An optional key
           can be specified after this keyword either in hex or as a string;
           by default pfctl(8) randomly generates a key for source-hash every
           time the ruleset is reloaded.

     round-robin
           The round-robin option loops through the redirection address(es).

           When more than one redirection address is specified, round-robin is
           the only permitted pool type.

     static-port
           With nat rules, the static-port option prevents pf(4) from
           modifying the source port on TCP and UDP packets.

Let's say you have three public addresses, 1.2.3.4, 1.2.3.5 and 1.2.3.6. The nat rule that uses the round-robin method could be:

Code:
nat on $ext_if inet from ! $ext_if to any -> { 1.2.3.4, 1.2.3.5, 1.2.3.6 } round-robin
 
Yes, I mean exactly this, but it didn't work for me.
I use FreeBSD version 10.1.
Any suggestion?
 
Do I need arp publish etc.? I cannot NAT on a public IP other than my interface IP.
What could cause this?
 
Not that I've done dynamic NAT, but I would expect so. Otherwise, when packets come back, the upstream router is going to ARP for one of those additional IP addresses but get no response, as nothing is configured to use it.

/etc/rc.conf
Code:
ifconfig_xyz0="inet 1.1.1.1 netmask real-netmask"
ifconfig_xyz0_alias0="inet 1.1.1.2 netmask 255.255.255.255"
ifconfig_xyz0_alias1="inet 1.1.1.3 netmask 255.255.255.255"
(Edit: Changed example IP addresses to show they're all in same network)
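A complete configuration that combines the two answers above (the pool rule and the interface aliases), added here as an example rather than taken from the thread: the rc.conf aliases make the host answer ARP for every pool address, and the pf.conf rule spreads outbound connections across them. The interface names em0/em1, the 1.1.1.0/24 public subnet and the 192.168.1.0/24 LAN are assumptions.

```conf
# /etc/rc.conf  (em0 and the 1.1.1.0/24 subnet are assumed values)
ifconfig_em0="inet 1.1.1.1 netmask 255.255.255.0"
ifconfig_em0_alias0="inet 1.1.1.2 netmask 255.255.255.255"   # aliases in the same subnet use /32
ifconfig_em0_alias1="inet 1.1.1.3 netmask 255.255.255.255"
gateway_enable="YES"        # forward between the LAN and em0
pf_enable="YES"
pf_rules="/etc/pf.conf"

# /etc/pf.conf  (em1 and the LAN prefix are assumed values)
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"
table <natpool> const { 1.1.1.1, 1.1.1.2, 1.1.1.3 }

# Every address in <natpool> is configured on $ext_if above, so the upstream
# router's ARP requests for the translated source addresses get answered.
# Tables are only accepted as a nat target with the round-robin pool type;
# source-hash needs a single address/mask such as 1.1.1.0/30 instead.
nat on $ext_if inet from $lan to any -> <natpool> round-robin

# Variant for protocols that need one internal host to keep the same public
# address across connections:
# nat on $ext_if inet from $lan to any -> <natpool> round-robin sticky-address

pass in on $int_if from $lan
pass out on $ext_if keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it with `service pf reload`, and confirm the translations with `pfctl -ss` once traffic flows.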
 