Dear all,
I need to configure my firewall in a way that 4 servers are binatted (including traffic originating from them), and the outbound traffic from all other hosts (quite a large network, 8 subnets) is natted.
Thought it would be easy like this:
Code:
match on $ext_if inet from $srv1_int to any binat-to $srv1_ext
match on $ext_if inet from $srv2_int to any binat-to $srv2_ext
match on $ext_if inet from $srv3_int to any binat-to $srv3_ext
match on $ext_if inet from $srv4_int to any binat-to $srv4_ext
match out on $ext_if inet from any to any received-on $int_if nat-to $nat_ext
Unfortunately, outbound traffic is always natted to $nat_ext, no matter where it originates from. Inbound traffic is binatted fine.
I thought it might be "last matching rule" which does the trouble so I put general nat above binats:
Code:
match out on $ext_if inet from any to any received-on $int_if nat-to $nat_ext
match on $ext_if inet from $srv1_int to any binat-to $srv1_ext
match on $ext_if inet from $srv2_int to any binat-to $srv2_ext
match on $ext_if inet from $srv3_int to any binat-to $srv3_ext
match on $ext_if inet from $srv4_int to any binat-to $srv4_ext
but it made no difference.
I know I could create a table like this (not exactly, but you get the point):
Code:
table <generalnat> { subnet1 subnet2 subnetX !$srv1 !$srv2 etc }
and modify the rule to
Code:
match out on $ext_if inet from <generalnat> to any received-on $int_if nat-to $nat_ext
but I hope someone can point me to a more elegant solution, because in the future I expect to have even more subnets and binatted hosts, so maintaining such a table would be a major pain.
Thank you in advance,
PS: This is actually on OpenBSD 5.0 i386, but I guess that should make no difference.