Hi all, I'm trying to accomplish something that I think should be pretty simple, but cannot figure out how to do... Here is my scenario:

I am building a remote access server which will accept ssh connections on three private IP addresses in the same subnet. The users coming in will need to have their IP sourced from the same IP as they arrived on because current infrastructure is in place to firewall and segment those connections to prevent unauthorized access to assets. Incoming access will be controlled by RADIUS based on IP address. Outbound traffic will be controlled via an external firewall based on IP address (thus the need to lock users to the IP address they arrive on).

The server has four interfaces configured, the physical interface (bce0) and three virtual (tap0, tap1, tap2). I have rebuilt my kernel to allow NAT in PF as well as multiple routing tables. I found a good article which describes source based routing with multiple routing tables, but I think my problem stems from having all the IP addresses on the same network subnet.

I have successfully been able to have the outbound NAT to a single IP, but I'm still unclear on how PF works, so I'm basically mucking around trying to find something that works (please forgive my ignorance).

My current pf.conf:

    nat on ! tap0 from any to any port ssh -> 10.1.9.59
    nat on ! tap1 from any to any port ssh -> 10.1.9.60
    nat on ! tap2 from any to any port ssh -> 10.1.9.61

All outbound traffic now translates to 10.1.9.59 regardless of which IP I arrived on. I need to basically match the incoming IP and NAT outbound TCP 22 traffic across the same IP.

Anyone have any ideas or suggestions as to how to accomplish this? Many thanks in advance for any guidance.

James

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
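The behaviour James describes (everything translating to 10.1.9.59) is what pf's first-match evaluation of nat rules produces for the three rules above: a packet leaving through bce0 satisfies "on ! tap0", so the first rule wins before the others are consulted. The following added example is not code from the post or from pf itself; it is a small Python model of that first-match evaluation, restricted to the subset of pf.conf grammar the post uses (interface negation, "from any to any", and an optional destination port), that replays the three posted rules against each interface named in the post and reports which rules can never be reached. The service table, packet sample and rule evaluator are constructed for the example.

```python
"""Model of pf's first-match evaluation for nat rules (pre-4.7 syntax).

Added example, not code from the original mailing-list post. The rule
text, interface names and addresses are the ones the post quotes; the
evaluator, the service table and the sample packets are constructed here.
"""
from dataclasses import dataclass
from typing import List, Optional

# pf resolves service names via /etc/services; only the one the post uses.
SERVICES = {"ssh": 22}


@dataclass(frozen=True)
class NatRule:
    iface: str              # interface named after "on"
    negate: bool            # True when written "on ! iface"
    dport: Optional[int]    # destination port, None for "any"
    target: str             # translation address after "->"
    text: str               # original rule text, kept for reporting

    def matches(self, out_if: str, dport: int) -> bool:
        """Does a packet leaving out_if towards dport match this rule?"""
        if self.negate:
            iface_ok = out_if != self.iface
        else:
            iface_ok = out_if == self.iface
        port_ok = self.dport is None or self.dport == dport
        return iface_ok and port_ok


def parse_nat_rule(line: str) -> NatRule:
    """Parse 'nat on [!] IF from any to any [port P] -> ADDR'.

    Only the grammar subset appearing in the post is handled; anything
    else raises ValueError rather than being silently accepted.
    """
    toks = line.split()
    if toks[:2] != ["nat", "on"]:
        raise ValueError(f"not a nat rule: {line!r}")
    i = 2
    negate = toks[i] == "!"
    if negate:
        i += 1
    iface = toks[i]
    i += 1
    if toks[i] != "from" or toks[i + 2] != "to":
        raise ValueError(f"unsupported host spec: {line!r}")
    i += 4  # skip "from X to Y"; source/destination are "any" in the post
    dport = None
    if toks[i] == "port":
        p = toks[i + 1]
        dport = int(p) if p.isdigit() else SERVICES.get(p)
        if dport is None:
            raise ValueError(f"unknown service {p!r}")
        i += 2
    if toks[i] != "->":
        raise ValueError(f"missing translation: {line!r}")
    return NatRule(iface, negate, dport, toks[i + 1], line)


def first_match(rules: List[NatRule], out_if: str, dport: int) -> Optional[str]:
    """pf applies the FIRST matching nat rule (unlike filter rules)."""
    for rule in rules:
        if rule.matches(out_if, dport):
            return rule.target
    return None


def shadowed_rules(rules: List[NatRule], interfaces: List[str], ports: List[int]) -> List[int]:
    """Indexes of rules that never win first-match for any (iface, port) pair."""
    winners = set()
    for out_if in interfaces:
        for dport in ports:
            for idx, rule in enumerate(rules):
                if rule.matches(out_if, dport):
                    winners.add(idx)
                    break
    return [i for i in range(len(rules)) if i not in winners]


# The three rules quoted in the post, verbatim.
POSTED_RULES = [parse_nat_rule(line) for line in (
    "nat on ! tap0 from any to any port ssh -> 10.1.9.59",
    "nat on ! tap1 from any to any port ssh -> 10.1.9.60",
    "nat on ! tap2 from any to any port ssh -> 10.1.9.61",
)]
# Interfaces named in the post; bce0 is the physical egress interface.
INTERFACES = ["bce0", "tap0", "tap1", "tap2"]


if __name__ == "__main__":
    for out_if in INTERFACES:
        print(f"ssh out via {out_if}: -> {first_match(POSTED_RULES, out_if, 22)}")
    for idx in shadowed_rules(POSTED_RULES, INTERFACES, [22]):
        print("never reached:", POSTED_RULES[idx].text)
```

Run as a script, the model shows ssh leaving via bce0 (the physical interface, which is where outbound connections actually egress) being translated to 10.1.9.59 by the first rule, and reports the third rule as unreachable for every interface on the box. That is the check to run before adding further "on ! ifname" rules: any rule whose interface test is true for the real egress interface captures all traffic ahead of the rules after it.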
I am building a remote access server which will accept ssh connections on three private IP addresses in the same subnet. The users coming in will need to have their IP sourced from the same IP as they arrived on because current infrastructure is in place to firewall and segment those connections to prevent unauthorized access to assets. Incoming access will be controlled by radius based on IP address. Outbound traffic will be controlled via an external firewall based on IP address (thus the need to lock users to the IP address they arrive on). The server has four interfaces configured, the physical interface (bce0) and three virtual (tap0, tap1, tap2). I have rebuilt my kernel to allow NAT in PF as well as multiple routing tables. I found a good article which describes source based routing with multiple routing tables but I think my problem stems from having all the IP addresses on the same network subnet. I have successfully been able to have the outbound NAT to a single IP but I'm still unclear on how PF works so I'm basically mucking around trying to find something that works (please forgive my ignorance): My current pf.conf: nat on ! tap0 from any to any port ssh -> 10.1.9.59 nat on ! tap1 from any to any port ssh -> 10.1.9.60 nat on ! tap2 from any to any port ssh -> 10.1.9.61 All outbound traffic now translates to 10.1.9.59 regardless of which IP I arrived on. I need to basically match the incoming IP and nat outbound TCP 22 traffic across the same IP. Anyone have any ideas or suggestions as to how to accomplish this? Many thanks in advance for any guidance. James _______________________________________________ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"