# multiple ip and gateways



## wolffnx (Aug 5, 2021)

Hi, my problem is very simple but I don't know how to solve it.
In my router (FBSD 13) I have 2 network interfaces, 1 is the WAN and the other is the LAN, pretty normal.

But on the WAN interface I have multiple IPs, rdr rules and one gateway.

The traffic from outside enters the firewall just fine, but sometimes it goes back out via the wrong gateway and the connection from outside gets a timeout.

Sorry for the simple post, when I have more time I'll give more info.


Here is the big picture:

2 ranges of public static IPs associated with various services (I changed the IPs for obvious reasons)

```
wan ip1: 200.54.12.11 / gateway 200.54.12.10
wan ip2: 220.11.11.11 / gateway 220.11.11.10
lan ip : 10.1.1.1
```

So, on the interface em0 (external) I have wan ip1 as the principal address and wan ip2 as an alias.
On the internal interface (em1) I have the lan ip.

In the PF rules I have:

```
ext_if="em0"
int_if="em1"

ip1="200.54.12.11"
ip2="220.11.11.11"

nat on $ip2 from 10.1.1.11 to any -> $ip2

rdr pass log(all) on $ext_if proto tcp from any to $ip1 port 3000 -> 10.1.1.10 port 22
rdr pass log(all) on $ext_if proto tcp from any to $ip2 port 3001 -> 10.1.1.11 port 22
```

And in the route table I have 200.54.12.10 as the default gateway,
so the login attempts to ip2 end in a timeout because the traffic enters but does not go out
(I debugged it with tcpdump).


----------



## covacat (Aug 5, 2021)

you need separate nat rules too
and a route-to rule


----------



## wolffnx (Aug 5, 2021)

covacat said:


> you need separate nat rules too
> and a route-to rule


I forgot to paste the nat rule


----------



## covacat (Aug 5, 2021)

after aliasing to ip2 you need to set next hop to the gw for ip2 with a route-to rule


----------



## wolffnx (Aug 5, 2021)

covacat said:


> after aliasing to ip2 you need to set next hop to the gw for ip2 with a route-to rule


I'm not the guy who won't investigate or test new things,
but can you give me an example?
I looked for examples on Google but it seems difficult.


----------



## covacat (Aug 6, 2021)

I suck at pf (and just searched for the equivalent of ipfw fwd).
For ipfw it would be

```
ipfw add 999 fwd $gw2_ip ip from $ext2_ip to any  # this rule should come after aliasing to $ext2_ip
```

Without such a rule the packets will reach $gw1_ip where they would probably be dropped by egress filtering.
Maybe this thread will help: https://forums.freebsd.org/threads/pf-2-nat.21623/


----------



## Jose (Aug 6, 2021)

I think what you need is `reply-to`


> The _reply-to_ option is similar to _route-to_, but routes packets that
> pass in the opposite direction (replies) to the specified interface.
> Opposite direction is only defined in the context of a state entry,
> and _reply-to_ is useful only in rules that create state. It
> ...
>
> (pf.conf(5), www.freebsd.org)

It looks like `reply-to` is only available in pass/block rules, so you'll have to split up your `rdr` and `pass` rules. Maybe something like

```
rdr on $ext_if proto tcp from any to $ip2 port 3001 -> 10.1.1.11 port 22
pass in on $ext_if proto tcp from any to $ip2 port 3001 reply-to 220.11.11.10
```
These are completely untested.


----------
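A pf.conf fragment for the two-gateway setup from the first post, added here as an example (it is not from any reply in this thread and was not tested on the poster's system). It combines covacat's route-to idea with Jose's reply-to idea in the syntax FreeBSD's pf.conf(5) expects: the next hop is written as `(interface gateway)`, and because translation runs before filtering, the pass rules match the post-rdr internal address and port rather than the public IP. Addresses are the ones given in the first post; the `srv1`/`srv2` macro names are my own.

```pf
# Added example for the two-gateway setup above (not the original poster's config).
# Addresses are the ones given in the first post; em0 carries ip1 plus ip2 as an alias.
ext_if = "em0"
int_if = "em1"
ip1 = "200.54.12.11"
gw1 = "200.54.12.10"   # default gateway in the routing table
ip2 = "220.11.11.11"
gw2 = "220.11.11.10"   # second provider's gateway, absent from the routing table
srv1 = "10.1.1.10"     # internal host reached through ip1
srv2 = "10.1.1.11"     # internal host reached through ip2

set skip on lo0

# Translation rules must precede filter rules in FreeBSD pf.
# Outbound: one nat rule per public IP, so each host keeps "its" source address.
nat on $ext_if from $srv1 to any -> $ip1
nat on $ext_if from $srv2 to any -> $ip2

# Inbound: plain rdr (no "pass"), so the state-creating pass rule below
# can carry the reply-to option that rdr itself does not accept.
rdr on $ext_if proto tcp from any to $ip1 port 3000 -> $srv1 port 22
rdr on $ext_if proto tcp from any to $ip2 port 3001 -> $srv2 port 22

block log all

# Filter rules see the translated packet, so match the internal address/port.
# Replies for ip1 follow the default route to gw1; nothing special is needed.
pass in on $ext_if proto tcp from any to $srv1 port 22

# Replies for ip2 must go back through gw2, not the default route: reply-to
# stores that next hop in the state entry when the first SYN arrives.
pass in on $ext_if reply-to ($ext_if $gw2) proto tcp from any to $srv2 port 22

# Connections the ip2 host originates: route-to forces the next hop so the
# packet leaves via gw2 with source $ip2 (applied by nat on $ext_if).
pass in quick on $int_if route-to ($ext_if $gw2) from $srv2 to any

# Everything else from the LAN takes the default route via gw1.
pass in on $int_if from $int_if:network to any
pass out all
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then confirm with `tcpdump -ni em0 host 220.11.11.11` that the SYN-ACKs for ip2 now leave toward gw2 instead of gw1.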



## wolffnx (Aug 12, 2021)

Thanks covacat and Jose. By the way, Jose, the reply-to was in the wrong syntax (PF gives a syntax error), but I used it anyway, and still no luck.
In the end I chose to make 2 firewalls; maybe it is a KISS decision, but it works like a charm.


----------



## sko (Aug 12, 2021)

You could leverage multiple FIBs to simplify that setup, although IMHO FreeBSD's PF syntax with regard to FIBs feels a bit clunky compared to OpenBSD and routing domains, but it also gets the job done.

Each FIB would only know about a single external IP and gateway. Ideally you should also use different prefixes (and vlans) on the internal side to keep traffic separated. E.g. use one public IP only for traffic to/from your client LAN, the other one only for your services which internally run in a separate DMZ network.


----------

