{"id":90,"date":"2011-02-22T15:58:14","date_gmt":"2011-02-22T13:58:14","guid":{"rendered":"http:\/\/www.melen.org\/u\/jan\/wp\/?p=90"},"modified":"2011-02-22T16:00:07","modified_gmt":"2011-02-22T14:00:07","slug":"packet-filter-nat-that-uses-ng_eiface-addreses","status":"publish","type":"post","link":"https:\/\/www.melen.org\/u\/jan\/wp\/?p=90","title":{"rendered":"packet filter NAT that uses ng_eiface addresses"},"content":{"rendered":"<p>In the previous <a href=\"https:\/\/www.melen.org\/u\/jan\/wp\/?p=82\">post<\/a> I described how you can create virtual interfaces which can be used to fetch a unique address for each interface using dhclient(8). To use the addresses assigned to these virtual interfaces in your packet filter NAT, you can use the following pf.conf. It is important to note that the last filter rule must keep floating state (the state policy set here is if-bound), as the packets will flow out from the physical interface and the return packets will arrive on the virtual interface.<\/p>\n<pre>\r\n#\r\n# Macros\r\n#\r\nINT_IF = \"em0\"\r\nEXT_IF = \"bge0\"\r\nVIRT_IF1 = \"ngeth0\"\r\nVIRT_IF2 = \"ngeth1\"\r\nVIRT_IF3 = \"ngeth2\"\r\n\r\ntable &lt;private_nets&gt; persist { 127\/8, 10\/8, 172.16\/12, 192.168\/16, 169.254\/16 }\r\n\r\n#\r\n# Options and default policy\r\n#\r\nset block-policy drop\r\nset state-policy if-bound\r\n\r\n#\r\n# Packet normalization\r\n#\r\nscrub in                          all\r\nscrub out on $EXT_IF all random-id\r\nscrub        on $EXT_IF all reassemble tcp\r\n\r\n#\r\n# NAT\/redirects\r\n#\r\n\r\n# NAT\r\nnat on $EXT_IF from &lt;private_nets&gt; to any -&gt; \\\r\n    { ($EXT_IF), ($VIRT_IF1), ($VIRT_IF2), ($VIRT_IF3) }\r\n\r\n#\r\n# Filter rules\r\n#\r\nblock log all\r\npass on $INT_IF all\r\npass out all\r\npass out on $EXT_IF from { ($VIRT_IF1), ($VIRT_IF2), ($VIRT_IF3) } to \\\r\n    any keep state (floating)\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>In the previous post I described how you can create virtual interfaces which can be used 
to fetch a unique address for each interface using dhclient(8). To use the addresses assigned to these virtual interfaces in your packet filter NAT, you can use the following pf.conf. It is important to note that the last filter rule [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[2],"tags":[],"_links":{"self":[{"href":"https:\/\/www.melen.org\/u\/jan\/wp\/index.php?rest_route=\/wp\/v2\/posts\/90"}],"collection":[{"href":"https:\/\/www.melen.org\/u\/jan\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.melen.org\/u\/jan\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.melen.org\/u\/jan\/wp\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.melen.org\/u\/jan\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=90"}],"version-history":[{"count":4,"href":"https:\/\/www.melen.org\/u\/jan\/wp\/index.php?rest_route=\/wp\/v2\/posts\/90\/revisions"}],"predecessor-version":[{"id":94,"href":"https:\/\/www.melen.org\/u\/jan\/wp\/index.php?rest_route=\/wp\/v2\/posts\/90\/revisions\/94"}],"wp:attachment":[{"href":"https:\/\/www.melen.org\/u\/jan\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=90"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.melen.org\/u\/jan\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=90"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.melen.org\/u\/jan\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=90"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}