Project

General

Profile

Actions
Copy link

Feature #820

closed

Expose interface for PF address pools on outbound NAT rules

Added by Erik Fonnesbeck over 13 years ago. Updated over 13 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Rules / NAT
Target version:
2.0
Start date:
08/11/2010
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:

Description

There are various scenarios where it would be useful to expose an interface on outbound NAT rules to use subnets or aliases as the translation address and also access the address pool options available in PF.

For example, if you have less public IP addresses than client systems and want to balance IP addresses between them, you could specify the subnet if you have the whole subnet and select source-hash as the address selection method. This would automatically decide which clients will use each IP and keep the assignments static until the next time the ruleset is reloaded. Another option available is bitmask, which does assignments similar to binat but without forwarding inbound connections.

There are also random and round-robin selection methods that pick a different IP each time, but you can use the sticky-address option to make sure it uses the same IP address mapping for a given client system on every connection.

All of these options could be made available when using a subnet, and round-robin would be the method used when you use a multi-IP alias.

Documented at http://www.openbsd.org/faq/pf/pools.html

Actions
Copy link
 #1

Updated by Erik Fonnesbeck over 13 years ago

I just wanted to note that the linked documentation is for the newer pf syntax, but the applicable section is still relevant (the address pool options are unchanged).

Actions
Copy link
 #2

Updated by Jim Pingle over 13 years ago

  • Status changed from New to Feedback
  • Target version changed from Future to 2.0
  • % Done changed from 0 to 100

You can now use address pools for outbound NAT in three different ways after commits I made today:

  • By picking a subnet of proxy ARP VIPs from the drop-down list
  • By picking a host-type alias from the drop-down list
  • By picking "Other Subnet" from the drop-down list and specifying an arbitrary IP/CIDR format subnet.

The subnet choices can use any of pf's pool option types (round robin, random, source hash, and bitmask, details here: http://www.openbsd.org/faq/pf/pools.html ) and the 'sticky address' option can be used with round-robin and random types to ensure an internal-external host relationship as long as there are open states between the two.

Actions
Copy link
 #3

Updated by Chris Buechler over 13 years ago

  • Status changed from Feedback to Resolved

looks like this is all good.

Actions
Copy link

Also available in: Atom PDF