On 11 January 2017 at 01:58, Harry Duncan <usr.src.li...@gmail.com> wrote:
> Hi Guys,
>
> I get my net connection to my freebsd box by pppoe. I have a /29
> allocation, so I have to add my additional IPs at the public interface on
> my bsd box, so I add them with
>
> ifconfig tun0 alias 121.171.163.226 netmask 255.255.255.255 181.191.100.212
>
> and I end up with a tun0 looking like:
>
> tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
>         options=80000<LINKSTATE>
>         inet 121.171.163.225 --> 181.191.100.212 netmask 0xffffffff
>         inet 121.171.163.226 --> 181.191.100.212 netmask 0xffffffff
>         inet 121.171.163.227 --> 181.191.100.212 netmask 0xffffffff
>         inet 121.171.163.228 --> 181.191.100.212 netmask 0xffffffff
>         inet 121.171.163.229 --> 181.191.100.212 netmask 0xffffffff
>         inet 121.171.163.230 --> 181.191.100.212 netmask 0xffffffff
>         nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
>         groups: tun
>         Opened by PID 4207
>
> In the normal course of events, with a single wan ip, I just declare
> ext_if = "tun0" in pf.conf and it resolves to the wan ip.
>
> What I want to be able to do here is reference specific aliases in rules,
> so for example, port forward port 22 on .225 to one lan host, port forward
> the same port on .226 to another lan host.
>
> I also want to direct all traffic out from specific lan hosts to go out on
> specific ip addresses and not randomly across the range.
>
> I have accomplished this before with interface aliases where pppoe has not
> been used, but am stuck conceptually on how to implement this where the ip
> aliases are all on the same interface.
>
> Anyone got any thoughts if this is going to be possible?
>
> My alternate course of action will be to try and bring up a tun device for
> each of the aliases with a different ppp dialer, just not sure routing wise
> if that is going to work so I'm just curious to know if you guys think it
> can be accomplished with the above?
Heya Harry,

You could always create macros in your pf.conf, like so:

    ip1="1.2.3.4"
    ip2="2.3.4.5"
    ip3="3.4.5.6"

You can then reference them in your rules:

    pass in quick on $tun0 inet proto tcp from <trust> to $tun0:0 port 10 $tcpflags   # this references only your primary IP on $tun0
    pass in quick on $tun0 inet proto tcp from <trust> to $ip1 port 11 $tcpflags      # and these apply to your macros
    pass in quick on $tun0 inet proto tcp from <trust> to $ip2 port 12 $tcpflags      # ditto
    pass in quick on $tun0 inet proto tcp from <trust> to $ip3 port 13 $tcpflags      # ditto

Once you've set up your macros, you're free to do whatever you like.

    # Redirect SSH to public IP 1 to an internal host:
    rdr pass on $tun0 inet proto tcp from <trust> to $ip1 port 22 -> 192.168.0.1

    # NAT outgoing from internal host to a specific tun0 IP:
    nat pass on $tun0 inet from 192.168.0.1 to any -> $ip3

I hope I did not misunderstand your question and that is what you were looking for.

_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
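Putting the reply's macro, rdr and nat pieces together for the /29 from the original question, as an added pf.conf example that is not from either poster. It assumes a LAN on em0 (192.168.0.0/24), two constructed LAN hosts (.10 and .20) and a constructed admin source range in the <trust> table; the tun0 addresses are the ones from Harry's ifconfig output.

```pf
# Added example (not from the thread): one pf.conf for the /29 aliased onto tun0.
# Assumed: LAN on em0 is 192.168.0.0/24; host addresses and <trust> are constructed.
ext_if  = "tun0"
int_if  = "em0"
lan_net = "192.168.0.0/24"

# Usable addresses of the /29, all aliased onto tun0 (from the question)
ip225 = "121.171.163.225"   # primary PPPoE address
ip226 = "121.171.163.226"
ip227 = "121.171.163.227"

host_a = "192.168.0.10"     # constructed
host_b = "192.168.0.20"     # constructed

# Admin networks allowed to reach SSH from the WAN (constructed range)
table <trust> { 203.0.113.0/24 }

set skip on lo0
scrub in all

# Translation is evaluated before filtering and the first matching nat/rdr
# wins, so the per-host nat entries must come before the catch-all.
nat on $ext_if inet from $host_a  to any -> $ip226
nat on $ext_if inet from $host_b  to any -> $ip227
nat on $ext_if inet from $lan_net to any -> $ip225

# Port 22 on .225 goes to host A, the same port on .226 goes to host B.
# Plain rdr (not "rdr pass") so the filter rules below are still consulted.
rdr on $ext_if inet proto tcp from <trust> to $ip225 port 22 -> $host_a port 22
rdr on $ext_if inet proto tcp from <trust> to $ip226 port 22 -> $host_b port 22

block in log on $ext_if
pass out on $ext_if keep state

# After rdr the packet's destination is already the LAN host, so filter on that.
pass in on $ext_if inet proto tcp from <trust> to $host_a port 22 flags S/SA keep state
pass in on $ext_if inet proto tcp from <trust> to $host_b port 22 flags S/SA keep state

pass in on $int_if inet from $lan_net to any keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and after loading `pfctl -sn` lists the translation rules in the order pf will evaluate them, which is the quickest way to confirm that the per-host nat rules sit above the catch-all.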