anton-ny Posted October 25, 2009 Posted October 25, 2009 FREEBSD Как локалку по нат направить через один интерфейс (ext_all), а несколько отдельных клиентов по БИнату через другой (ext_binat)? Привожу свой pf.conf В итоге вся локалка на выход ломится через (ext_all), включая БИнат-ных клиентов. На вход естественно видно и тех и тех. ext_all="ext1" ext_binat="ext0" int="int0" gw_all="333.333.222.1" gw_binat="333.333.333.1" tcp_svc="22" table <lan> { 192.168.0.0/16 } set optimization normal scrub in all set skip on lo0 nat on $ext_all from <lan> to !<lan> -> 333.333.222.0/24 source-hash binat on $ext_binat inet from 192.168.1.5 to any -> 333.333.333.2 block in antispoof quick for $int pass in on $ext_all reply-to ($ext_all $gw_all) inet proto icmp to ($ext_all) tag EXT_IF_A icmp-type echoreq code 0 pass in on $ext_all inet proto icmp from ($ext_all:network) to ($ext_all) icmp-type echoreq code 0 pass in on $ext_binat reply-to ($ext_binat $gw_binat) inet proto icmp to ($ext_binat) tag EXT_IF_B icmp-type echoreq code 0 pass in on $ext_binat inet proto icmp from ($ext_binat:network) to ($ext_binat) icmp-type echoreq code 0 pass in on $ext_all reply-to ($ext_all $gw_all) inet proto tcp to ($ext_all) port { $tcp_svc } pass in on $ext_all inet proto tcp from ($ext_all:network) to ($ext_all) port { $tcp_svc } pass in on $ext_binat reply-to ($ext_binat $gw_binat) inet proto tcp to ($ext_binat) port { $tcp_svc } pass in on $ext_binat inet proto tcp from ($ext_binat:network) to ($ext_binat) port { $tcp_svc } pass in quick from ($ext_all:network) tagged EXT_IF_A keep state pass in quick reply-to ($ext_all $gw_all) tagged EXT_IF_A keep state pass in quick from ($ext_binat:network) tagged EXT_IF_B keep state pass in quick reply-to ($ext_binat $gw_binat) tagged EXT_IF_B keep state pass out inet from (self:network) pass in inet proto icmp to (self:network) pass quick on $int pass out route-to ($ext_all $gw_all) inet from ($ext_all) keep state pass out route-to ($ext_binat $gw_binat) inet from ($ext_binat) keep state pass out inet from { $ext_all $ext_binat } to (self:network) Вставить ник Quote
anton-ny Posted October 26, 2009 Author Posted October 26, 2009 Проблему, может и не корректно, но решил добавлением правил: pass in on $int route-to ($ext_all $gw_all) from <lan> to !<lan> keep state pass in on $int route-to ($ext_binat $gw_binat) from <lan> to !<lan> keep state Вставить ник Quote
.png.5d2afa2996cc6a85d0f2c09b92dd0a28.png)
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.