# PF NAT with multiple public IP addresses



## mlager (May 10, 2012)

I've got a FreeBSD NAT router using PF. It looks like this:


```
bge0 (Public Interface)
  A.A.A.1
  A.A.A.2
  A.A.A.3

bge1 (Internal Interface)
  172.16.10.1
  172.16.10.10
```

My NAT line in /etc/pf.conf looks like this:


```
nat on bge0 from 172.16.10.0/24 to any -> (bge0)
```
Everything works well, hosts behind this router get the Internet just fine. I also have a jail on the same system that is bound to 172.16.10.10. The problem I am having is the jail's traffic randomly goes out different public addresses on bge0. How do I tell PF to just translate internal traffic out through A.A.A.1 on bge0? A.A.A.2 and A.A.A.3 are bound to jails so outbound traffic from the jail 172.16.10.10 should never show from A.A.A.2 and A.A.A.3.

Any advice would be great!


----------



## bbzz (May 10, 2012)

```
nat on bge0 from 172.16.10.0/24 to any -> (bge0[B]:0[/B])
```


----------



## mlager (May 11, 2012)

When I reload that rule I get:



```
/etc/pf.conf:59: interface bge0*:0* has bad modifier
```

*** IGNORE THIS... That's how it appeared on the ipad in my E-mail. Sheesh.


----------



## reddy (Jun 23, 2019)

I am exactly in the same situation however I do not understand the command posted, can anyone please help?

I have multiple public IP addresses attached to my NIC (and listed by ifconfig). I have nat configured for incoming traffic redirection however outbound traffic is randomly assigned to any IP address. What I want to do is assign a jail a certain public IP address.


----------



## Vallenhack (Jun 23, 2019)

```
ext_if="re0"
int_if="ue0"

#set skip on lo
#nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)

#LAN

rdr pass on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 9050
rdr pass on $int_if proto tcp from any to any port 443 -> 127.0.0.1 port 9050

rdr pass on $int_if proto tcp from any to any port 53 -> 127.0.0.1 port 9053
rdr pass on $int_if proto udp from any to any port 53 -> 127.0.0.1 port 9053
```

`rdr pass on bge1 proto all from any to any  -> bge0` - Now?


----------



## reddy (Jun 23, 2019)

It did work, however because I already had a nat rule and only nat rules are evaluated for outbound traffic as per the man page, I had to replace replace rdr pass with nat.

So the rule I am using is:
 nat on $external_interface inet proto tcp from $my_jail_internal_ip to any -> $external_ip_i_want_to_associate_to_the_jail_outbound_traffic

I initially got burned because I used $internal_interface instead of $external_interface however it makes sense that the interface on which the translation will occur be specified, I was confused. It may by the way be the real reason rdr pass didn't work for me.

Thank you


----------



## Vallenhack (Jun 23, 2019)

on the rdr rule is possible Round-Robined.


```
# RDR ROUND ROBIN
     # Translate incoming web server connections to a group of web servers on
     # the internal network.
     rdr on $ext_if proto tcp from any to any port 80 -> {    10.1.2.155, 10.1.2.160,    10.1.2.161 } round-robin
```

therefore I use it, but probably port must be exacly the same, and it no work for TOR, is need two steps, rdr from 80 to 9050, 443 to 9050, and then round-robined. Port 443 is basically lock for opening from _tor user. This is uncheck solution. And it no sense for attack some site from 1000 TOR adress  



_View: https://www.youtube.com/watch?v=Uiiy8YuWHcY_


----------

