# question about pf settings



## wonslung (Dec 11, 2009)

I've set up pf a couple different ways for different things....but now i want to do something and i can't figure out the exact way to do it.

I know it's probably easy, but let me explain my system for now.

This is a single interface server with 4 public ip's.  When i originally set it up, i set it up to have a single public ip and to use NAT for different jails.


One of the jails is running rtorrent, one is running SABnzbd and another is sftp/ftp

i originally set it up with each jail using an ip in the 10.0.0.0/24 range, using NAT.

What i'd like to do now is keep the jails the way they are, but instead of using only one public ip i'd like to have a different incomming public ip for each user.  The reason i want to do this is so i can monitor the bandwidth use for each user easier.  I'd also like to get ALTQ working eventually but i'm not exactly sure how to make it work the way i need.

Anyways, i'm sure i could do this with some fancy redirect rules....but i'm not sure...

would it just be as asy as something like this:

```
rdr on $ext_if proto tcp $public1 any to any port $rt_port1 -> $rtorrent_jail
```

and would changing my nat rule to this work?

```
nat on $ext_if from 10.0.0.0/24 to any -> ($ext_if)
```

this is what i would THINK should work...but i don't know


----------



## Orum (Dec 14, 2009)

I actually just had this exact issue not 24 hours ago.  If you have the jail on an aliased IP on an internal interface (I'll call it $int_if) and you are natting to an external interface, you need to be very careful with how you write the rule.

Aliased IP addresses should always use a /32 mask.  So, taking your example, if you were to write the rule as you suggested, the aliased IP addresses would *NOT* get natted.  In order for nat to work for an aliased IP address on an interface, you need to be explicit.  i.e.

```
[I][U]Won't work for aliased IPs (your example):[/U][/I]
nat on $ext_if from 10.0.0.0/24 to any -> ($ext_if)

[I][U]Will work for aliased IP $public1:[/U][/I]
nat on $ext_if from { 10.0.0.0/24, $public1 } to any -> ($ext_if)

[I][U]...or, if using a macro or the internal interface name[/U][/I]
nat on $ext_if from $int_if:network to any -> ($ext_if)
```

This is because the $int_if:network expands to include individual nat rules for each aliased IP address on the internal interface, which is needed for nat to work correctly on them.


----------



## wonslung (Dec 14, 2009)

Orum said:
			
		

> I actually just had this exact issue not 24 hours ago.  If you have the jail on an aliased IP on an internal interface (I'll call it $int_if) and you are natting to an external interface, you need to be very careful with how you write the rule.
> 
> Aliased IP addresses should always use a /32 mask.  So, taking your example, if you were to write the rule as you suggested, the aliased IP addresses would *NOT* get natted.  In order for nat to work for an aliased IP address on an interface, you need to be explicit.  i.e.
> 
> ...



actually, nat works fine.

i have created a new loopback interface called lo1 and all the 10.0.0.0/24 ip's work fine.  This is how i've always done it.

heres an example pf.conf

```
ext_if="sis0"
tcp_services="{ ssh, smtp, smtps, ftp, www, pop3, imap, auth, imaps, https, pop3s, 3306, 8080, 9090, 10000 }"
udp_services="{ domain, ftp }"
scgi_ports="{ 5001:5002 }"
dht_ports="{ 10001:10002 }"
rt_ports="{ 51001:51002 }"
icmp_types = "{ echoreq, unreach }"
ext_ip= "xx.xxx.xxxx.xxxx"
seed_j = "10.0.0.1"
news_j = "10.0.0.2"
#_j = "10.0.0.3"
#_j = "10.0.0.4"
#_j = "10.0.0.5"
#_j = "10.0.0.6"

#options
set loginterface $ext_if
set skip on lo0

# scrub
scrub in

# nat
nat on $ext_if from 10.0.0.0/24 to any -> $ext_ip
rdr on $ext_if proto tcp from any to any port http -> $seed_j port http
rdr on $ext_if proto tcp from any to any port https -> $seed_j port https
rdr on $ext_if proto tcp from any to any port 22222 -> $seed_j port ssh
rdr on $ext_if proto tcp from any to any port 22223 -> $news_j port ssh
#rdr on $ext_if proto tcp from any to any port 22224 -> $_j port ssh
#rdr on $ext_if proto tcp from any to any port 22225 -> $_j port ssh
#rdr on $ext_if proto tcp from any to any port 22226 -> $_j port ssh
#rdr on $ext_if proto tcp from any to any port 22227 -> $_j port ssh
rdr on $ext_if proto tcp from any to any port 8080 -> $news_j port 8080
rdr on $ext_if proto tcp from any to any port 9090 -> $seed_j port 9090
rdr on $ext_if proto tcp from any to any port 51001 -> $seed_j
rdr on $ext_if proto tcp from any to any port 51002 -> $seed_j
rdr on $ext_if proto {tcp, udp} from any to any port $dht_ports -> $seed_j

block log all
pass in log on lo1 proto tcp from any to any port $tcp_services keep state
pass in log on lo1 proto udp from any to any port $udp_services keep state
pass in     on lo1 proto tcp from any to any port $scgi_ports keep state
pass in log on lo1 proto {tcp, udp} from any to any port $dht_ports keep state
pass in log on lo1 proto tcp from any to any port $rt_ports keep state
pass in log on $ext_if proto tcp from any to any port $tcp_services keep state
pass in log on $ext_if proto udp from any to any port $udp_services keep state
pass in log on $ext_if proto {tcp, udp} from any to any port $rt_ports keep state
pass in log on $ext_if proto {tcp, udp} from any to any port $dht_ports keep state
pass inet proto icmp all icmp-type $icmp_types keep state

pass out on lo1 proto tcp from any to any keep state
pass out on lo1 proto udp from any to any keep state
pass out on $ext_if proto tcp from any to any keep state
pass out on $ext_if proto udp from any to any keep state
```

but what i was currious about is this:

what i'd like to do is set up 3 or 4 public ip's  and set each rtorrent users traffic over each ip, while still continuing to use the jail system i have now.

The easiest way to do this would have been to set all 4 public ip's on the jail and not even WORRY about nat but i have other reasons for not doing this.

Rtorrent has settings to bind to an ip while reporting a different ip to the trackers, so i thought i could do set it up where all outgoing rtorrent traffic for one user would use one ip, and all outgoing traffic for another would use a different ip.

I know theres a way to do this with pf but i can't figure it out.


----------



## Orum (Dec 15, 2009)

Nat is working?  What are the masks on your aliased IPs?

I think the easiest way to set it up would just be creating a different rtorrent jail for each user, and having each jail have a different IP address.  That way, you don't have to do anything special with PF at all.


----------



## wonslung (Dec 15, 2009)

Orum said:
			
		

> Nat is working?  What are the masks on your aliased IPs?
> 
> I think the easiest way to set it up would just be creating a different rtorrent jail for each user, and having each jail have a different IP address.  That way, you don't have to do anything special with PF at all.



yes, nat is working.
here is the relevant part of /etc/rc.conf regarding the ip's

```
ifconfig_vr0="inet xxx.xxx.xxx.xx netmask 255.255.255.0 broadcast xxx.xxx.xxx.255"
ifconfig_vr0_alias0="inet xx.xx.xxx.xxx netmask 255.255.255.0"
ifconfig_vr0_alias1="inet xx.xx.xxx.xxx netmask 255.255.255.0"
ifconfig_vr0_alias2="inet xx.xx.xxx.xxx netmask 255.255.255.0"
defaultrouter="2xx.xxx.xxx.xxx"
hostname="xxxxxx.xxxx.xxxxx"
cloned_interfaces="lo1"
ifconfig_lo1="inet 10.0.0.254 netmask 255.255.255.0"
ifconfig_lo1_alias0="inet 10.0.0.1 netmask 255.255.255.0"
ifconfig_lo1_alias1="inet 10.0.0.2 netmask 255.255.255.0"
ifconfig_lo1_alias2="inet 10.0.0.3 netmask 255.255.255.0"
ifconfig_lo1_alias3="inet 10.0.0.4 netmask 255.255.255.0"
ifconfig_lo1_alias4="inet 10.0.0.5 netmask 255.255.255.0"
ifconfig_lo1_alias5="inet 10.0.0.6 netmask 255.255.255.0"
#ifconfig_lo1_alias6="inet 10.0.0.7 netmask 255.255.255.0"
```

as you can see, i have the public ip's set up and the jails run on clone interface lo1

this works exactly as it would if i had an int_if which is why i knew nat would work in this way.  Nat has never been the issue.  I know it would be easier to set up a jail for each public ip (or, actually, the easiest thing to do would be to create a single jail mapped to the 4 ip's) but i have other reasons for having it set up this way.


----------



## DutchDaemon (Dec 15, 2009)

Use a 255.255.255.255 netmask for aliases that are in the same network as the general IP address on a given interface.

ifconfig(8)


```
alias   Establish an additional network address for this interface.  This
             is sometimes useful when changing network numbers, and one wishes
             to accept packets addressed to the old interface.  If the address
             is on the same subnet as the first network address for this
             interface, a non-conflicting netmask must be given.  Usually
             0xffffffff is most appropriate.
```


----------



## wonslung (Dec 15, 2009)

DutchDaemon said:
			
		

> Use a 255.255.255.255 netmask for aliases that are in the same network as the general IP address on a given interface.
> 
> ifconfig(8)
> 
> ...



oh wow...man do i feel stupid.  I don't know why i set them all to 255.255.255.0

i totally screwed up.  Thanks.

so just out of curiousity...let's say i had used a bunch of 255.255.255.0 aliases on a local net like...
192.168.1.14
192.168.1.15
192.168.1.16

and so on, all with 255.255.255.0

how would other machines see these ip? because it's BEEN working..

i mean, i've been able to connect to these ip's

i imagine this is probably due to me not using other subnets on this network ATM....but now i feel like i totally misunderstood how i was supposed to set this up


----------

