setting up source natting

Hi, I have a situation where I am connecting 2 networks via a fibre connection and need to perform some source NATting to allow ssh connections to the destination WAN, but have the requests appear to come from a different subnet than the WAN interface. To add further complexity, one side of the network will be listening for requests on a network that has been imposed on the other.

I have foolishly tried to do this on a SnapGear 310 and had no success with the source NATting.

host a 10.79.30.17 |c 10.79.30.49/30 |(em1)d.10.79.30.49/30|(em0)e.192.168.1.45/24 h.192.168.1.25
b 10.79.30.25 |-------------------------------|--------------- g.10.79.30.210
| i.10.79.30.209/29
a, b, c are their side of the fence and e, f are ours, with i and g being the network imposed on us to allow communication between us and them.

c to d is the WAN interface.
In a nutshell, a & b are the hosts that need to communicate with g; as this is a printer, it needs to still be accessible on the existing subnet of 192.168.1.0/24. The LAN needs to be able to ssh into a & b.
i is supposed to be the NAT gateway that a & b will be listening for connections on from 192.168.1.0/24.
em0, the LAN interface, has the IP address 192.168.1.45.

The other party has imposed the subnet 10.79.30.209 for devices on our network.

I am thinking a pf ruleset of the following should at least get the basics running.

Code:
wan="em1"
lan="em0"
ssh_dest="{10.79.30.17,10.79.30.25}"
nat_gw="10.79.30.209"
# same address as $nat_gw; the diagram labels the printer g (10.79.30.210)
printer="10.79.30.209"
lanprinter="192.168.1.25"
# renamed from "lan", which silently overrode lan="em0" above
lan_net="192.168.1.0/24"

Code:
# rule to allow ssh connections to them and have the source as 10.79.30.209
# (af/proto come before from/to in pf grammar; "-> $nat_gw" is the rewritten source)
nat on $wan inet proto tcp from $lan_net to $ssh_dest port 22 -> $nat_gw

# redirect their printer traffic to the printer's real LAN address
rdr on $wan inet proto tcp from $ssh_dest to $printer port 9100 -> $lanprinter


I am aware that a stock FreeBSD 8 kernel won't do this out of the box. Do I only need to add device pf and device pflog to make this happen, or are there other devices/options to add?

Thanks in advance for any suggestions or constructive criticisms.
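For reference, the following is an added example pf.conf (not the poster's ruleset) that implements the two requirements described above with a default-deny filter. It assumes the addresses in the diagram: a and b are the ssh targets, i (10.79.30.209) is the source address the other side expects to see, the printer's address on the imposed subnet is taken to be g (10.79.30.210), and its real LAN address is h (192.168.1.25). The macro names are my own.

```pf
# Added example ruleset; addresses follow the poster's diagram,
# with the printer's imposed address assumed to be g (10.79.30.210).
wan        = "em1"
lan        = "em0"
lan_net    = "192.168.1.0/24"
ssh_dest   = "{ 10.79.30.17, 10.79.30.25 }"   # hosts a and b
nat_gw     = "10.79.30.209"                   # i: source address we must present to them
printer    = "10.79.30.210"                   # g: printer's address on the imposed subnet (assumed)
lanprinter = "192.168.1.25"                   # h: the printer's real LAN address

set skip on lo0
scrub in all

# Translation rules. On FreeBSD 8, pf applies nat/rdr before the filter
# rules, so the pass rules below match on the translated addresses.
nat on $wan inet proto tcp from $lan_net to $ssh_dest port 22 -> $nat_gw
rdr on $wan inet proto tcp from $ssh_dest to $printer port 9100 -> $lanprinter

# Default deny; open only the two flows the requirements call for.
block log all

# LAN -> a/b over ssh: enters untranslated on em0, leaves em1 with source $nat_gw
pass in  on $lan inet proto tcp from $lan_net to $ssh_dest port 22 keep state
pass out on $wan inet proto tcp from $nat_gw  to $ssh_dest port 22 keep state

# a/b -> printer on 9100: arrives on em1 already redirected to the LAN address
pass in  on $wan inet proto tcp from $ssh_dest to $lanprinter port 9100 keep state
pass out on $lan inet proto tcp from $ssh_dest to $lanprinter port 9100 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it. On the kernel question: the FreeBSD 8 GENERIC kernel omits pf but ships it as the pf.ko and pflog.ko modules, so `pf_enable="YES"` and `pflog_enable="YES"` in /etc/rc.conf are enough; a custom kernel only needs `device pf`, `device pflog` and optionally `device pfsync`. Two routing caveats matter more than the rules themselves: the other side's router must have a route for the imposed 10.79.30.208/29 pointing at em1, or replies to the NATted source never come back, and the printer (192.168.1.25) must use 192.168.1.45 as its gateway (or have a route to 10.79.30.0/24 via it) so its replies pass back through pf to be un-redirected.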
 
Please use the proper tags for posting system output. I can't make heads or tails of your ASCII art, so I suggest you make a new one using code tags (and use the Advanced/Preview button to see what it actually turns out to be).
 