On Mon, Nov 25, 2019 at 04:31:45PM +0100, Henry Jensen wrote:
> Hi,
>
> my ISP provides me with a /29 subnet, including 5 usable public IPv4
> addresses.
>
> Until now my router uses only one of these public IPs (11.22.33.40),
> with port forwarding of port 443 to a host in a DMZ (192.168.1.0/24)
> like this:
>
> pass in on egress proto tcp from any to any port 443 rdr-to 192.168.1.2
>
> Now I plan to have a second host in the DMZ which should use another
> public IP from the subnet the ISP gave me.
>
> In other words, I want to do the following:
>
> 192.168.1.2 < rdr-to/nat-to > 11.22.33.40
> 192.168.1.3 < rdr-to/nat-to > 11.22.33.41
>
> I plan to give the outgoing interface the second public IP
> (11.22.33.41) as an alias, so the egress interface holds both public IP
> addresses. Question is, how do I do the routing so that DMZ host
> 192.168.1.3 uses public IP 11.22.33.41 exclusively?
>
> Do I have to use rtables and rdomains or is there a simpler approach?
>
> Thanks in advance,
>
> Henry
I have something similar: a fixed IP address which I use for all
internet-facing services (http, mail, etc.) and a DHCP-assigned address
which is used for all outgoing stuff. Fortunately enough the DHCP address
is pretty much static, which makes things easier, and very similar to
your use case.

Relevant pf excerpts:

ext_if  = "<internet-facing-interface>"
ext_nat = "<dhcp-assigned-but-pretty-much-static-address>"
ext_dmz = "<static ip address>"
dmz     = <dmz_network_segment>
lan     = <lan_network_segment>

(...)

pass out quick on $ext_if inet from { 127.0.0.1, $dmz } to any nat-to $ext_dmz
pass out quick on $ext_if inet from $lan to any nat-to $ext_nat

pass in log on $ext_if inet proto tcp to $ext_dmz port $webports rdr-to $websvr
pass in log on $ext_if inet proto tcp to $ext_dmz port $mailports rdr-to $mailsvr

(etc)
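The same pattern applied to the original question's two DMZ hosts and two public addresses, as an added pf.conf excerpt that is not from either poster. Interface names em0/em1 are assumptions; the addresses are the ones from the question. No rtables or rdomains are needed: the per-host nat-to rule picks the source address on the way out, and the rdr-to rule on the matching public address picks the host on the way in.

```pf
# Constructed /etc/pf.conf excerpt: two DMZ hosts, each bound to its own public IP.
ext_if  = "em0"                 # assumption: egress interface holding both public IPs
dmz_if  = "em1"                 # assumption: DMZ-facing interface
dmz_net = "192.168.1.0/24"

# Public addresses from the /29 and the DMZ host each one is reserved for.
# 11.22.33.41 must already be configured on $ext_if, e.g. with
#   inet alias 11.22.33.41 255.255.255.255
# in /etc/hostname.em0, otherwise the router will not answer ARP for it.
pub1 = "11.22.33.40"
pub2 = "11.22.33.41"
host1 = "192.168.1.2"
host2 = "192.168.1.3"

# Default deny, so only the rules below open anything on the egress side.
block all

# Outbound: the two dedicated hosts leave with their own public address;
# the rest of the DMZ keeps using the primary address. "quick" stops
# evaluation at the first match, so the specific rules must come first.
pass out quick on $ext_if inet from $host1 to any nat-to $pub1
pass out quick on $ext_if inet from $host2 to any nat-to $pub2
pass out quick on $ext_if inet from $dmz_net to any nat-to $pub1

# Inbound: only port 443, and only to the host that owns that public
# address, so traffic to 11.22.33.41 can never reach 192.168.1.2.
# The state created here is floating (pf's default state-policy), so the
# redirected packet is also allowed out on $dmz_if without a separate rule.
pass in log on $ext_if inet proto tcp from any to $pub1 port 443 rdr-to $host1
pass in log on $ext_if inet proto tcp from any to $pub2 port 443 rdr-to $host2

# Let the DMZ hosts talk out through the router (their replies are covered
# by the states above).
pass in on $dmz_if inet from $dmz_net to any
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and confirm the mapping afterwards with `pfctl -ss` while connecting to each public address: the state entry should show the translated pair for only the intended host.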