NAT using 3 Interfaces

Hey guys,

Let me first apologize if this has already been posted but I am not sure how to make this work... here we go...

I have DSL with a static IP and a block of 8 (a /29) going into one NIC (em0) via PPPoE; from that I route my block on fxp0. I have now run into the problem where I need more IPs, but they do not need to be WAN IPs, so I would like to just NAT on the third NIC (xl0). My question is: can I NAT ONLY the xl0 interface, leaving the ISP /29 block as is with no NAT? The way I understand it right now, it will NAT everything, because I haven't seen a way to specify NAT between em0 and xl0.

I hope I explained this well enough for you to understand what I want to do..

Thanks!

Matt
 
If you're using e.g. PF, you can NAT between interfaces by name, e.g.

Code:
ext_if="em0"
int_if="xl0"
nat on $ext_if from $int_if to any -> $ext_if:0

This will not affect traffic between fxp0 and em0. The $ext_if:0 notation will make sure NAT'ing happens on the primary IP address on em0.
 
Thanks for the reply DutchDaemon. Do these go into natd.conf? I've never had to set up NAT on BSD, and of course the first time that I do need to do it, I have to make it extra complicated with a second LAN interface and no NAT on one of them :P
 
Indeed.. Thanks.. So I had to recompile my kernel again, but that's done. I took your config and put it in pf.conf, and when I do a pfctl -vnf /etc/pf.conf I get:

Code:
ext_if = "tun0"
int_if = "xl0"
nat on tun0 inet from 192.168.0.1 to any -> 111.222.23.24 <-(My WAN IP)

So it looks good, but there is no connection to the web, although I am able to ping the gateway. So this is likely a firewall issue, or it's not doing the NAT. If so, what firewall rules do you need for ipfw?
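A complete pf.conf for the three-interface layout described in this thread, as an added example that is not from any of the posters: PPPoE on tun0 (the pfctl output above shows the PPPoE session on em0 appears as tun0, so NAT has to happen there), the routed /29 on fxp0 left untouched, and only the private LAN behind xl0 translated. Note that a bare interface name used as an address, such as `from $int_if`, expands to that interface's own address (192.168.0.1 in the output above), not to the network behind it, so the nat rule below uses `$int_if:network`. The private network 192.168.0.0/24, the placeholder /29 203.0.113.0/29 and the filter rules are assumptions for illustration.

```pf
# Added example pf.conf (not from the thread). Layout assumed:
#   tun0 - PPPoE session to the ISP; NAT is done here
#   fxp0 - the routed public /29; passed through with no translation
#   xl0  - private LAN that needs NAT
ext_if  = "tun0"
dmz_if  = "fxp0"
int_if  = "xl0"
lan_net = "192.168.0.0/24"      # assumed private network behind xl0
dmz_net = "203.0.113.0/29"      # placeholder for the ISP-routed /29

# Options must come before translation and filter rules.
set skip on lo0

# Translate only the private LAN. "$int_if:network" is the network on
# xl0; a plain "$int_if" would expand to xl0's own address only.
# "($ext_if)" tracks the tun0 address even if PPPoE re-establishes.
nat on $ext_if inet from $int_if:network to any -> ($ext_if)

# Nothing sourced from the routed /29 matches the nat rule, so that
# traffic leaves tun0 with its public source address unchanged.

# Filter rules: default deny inbound on the PPPoE link, stateful out.
block in on $ext_if all
pass out on $ext_if inet keep state
# Inbound traffic for the routed /29 must be allowed through tun0.
pass in on $ext_if inet to $dmz_net keep state
# The private LAN may initiate connections; replies return via state.
pass in on $int_if inet from $lan_net to any keep state
pass out on $int_if all keep state
pass on $dmz_if all keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`. Forwarding between the interfaces also has to be on (`gateway_enable="YES"` in rc.conf, i.e. `net.inet.ip.forwarding=1`), and an ipfw ruleset still loaded alongside pf can block traffic that pf has already passed, so translate the existing ipfw rules rather than running both.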
 
You will have to translate your existing IPFW rules to PF. It's not that hard. PF is a lot easier to configure in my opinion.
 
If you'd told us you were already using a firewall I might have suggested a different solution. Anyway: ipfw(8) now has built-in NAT as well, so you can probably adjust your rules to do in-kernel NAT instead of calling a daemon.

Code:
man ipfw | less +/"^NETWORK ADDRESS"

But as SirDice said, migrating to PF shouldn't prove too difficult.
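The in-kernel ipfw NAT alternative mentioned above, as an added example rather than code from any poster: one NAT instance bound to the PPPoE interface, with the nat rules matching only packets from the private LAN (and their replies addressed to the router), so the routed /29 from fxp0 passes through untranslated. The interface names follow the thread; the private network 192.168.0.0/24 and the rule numbers are assumptions, and the trailing allow-all rule stands in for the existing ruleset.

```shell
#!/bin/sh
# Added example: in-kernel ipfw NAT limited to one interface, for the
# layout in this thread (PPPoE on tun0, routed /29 on fxp0, private LAN
# on xl0). Not code from any poster; addresses are assumptions.
# Needs a kernel with options IPFIREWALL and IPFIREWALL_NAT (libalias).
# Set IPFW=/sbin/ipfw to apply the rules; the default only prints them.

IPFW=${IPFW:-echo}
ext_if=tun0
lan_net=192.168.0.0/24      # assumed private network behind xl0

ipfw_nat_rules() {
    # One NAT instance bound to the PPPoE interface. "reset" clears the
    # translation table whenever the interface address changes.
    $IPFW nat 1 config if $ext_if reset

    # Only packets leaving tun0 from the private LAN are translated.
    # Packets from the routed /29 (arriving on fxp0) never match.
    $IPFW add 100 nat 1 ip4 from $lan_net to any out via $ext_if

    # Replies come back addressed to the tun0 address ("me"); hand them
    # to the same NAT instance so they are untranslated before routing.
    # Packets for the /29 are not addressed to "me" and pass untouched.
    $IPFW add 110 nat 1 ip4 from any to me in via $ext_if

    # Placeholder for the existing ruleset; replace with stateful
    # deny-by-default rules in a real configuration.
    $IPFW add 200 allow ip from any to any
}

ipfw_nat_rules
```

With the default `net.inet.ip.fw.one_pass=1`, a packet accepted by a nat rule is not re-evaluated against later rules, so the nat rules must sit before any rule that would otherwise drop LAN traffic.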
 