Subject: ipfilter, multiple default routes, and NAT
To: None <>
From: David Brownlee <>
List: tech-net
Date: 07/04/2004 23:51:48
 	I have a gateway box with four interfaces.
 	Internal, DMZ, and two external.

 	The box has one visible IP address on each external interface,
 	and both the Internal and DMZ networks are all NATted (with
 	some rdr rules).

 	The problem is trying to make use of both external gateways.
 	There is a nice primer on policy based routing at:
 	but it doesn't cover combining with NAT.

 	What I need to be able to do:

 	    - Various incoming ports need to redirect through to hosts
 	      on the DMZ and internal networks.  eg:
 		  # Incoming SMTP
 		  rdr ex0 0/0 port 25 -> $mailhost port 25 tcp
 		  rdr vr0 0/0 port 25 -> $mailhost port 25 tcp
 	      This is all working without problems for a single gateway
 	      in use

 	    - Some traffic split across the two external interfaces.
 	      Outgoing port 80 switched to the 'non default' gateway
 	      would be fine.

 	The two obvious options were:

 	pass out quick on ex0 to vr0: from any to any port = 80
 	    This will send the port 80 traffic out vr0 instead of
 	    ex0, but with the ex0 source address, so return traffic
 	    comes back down ex0 and is rejected by the ipfilter
 	    rules (as well as consuming the ex0 bandwidth)

 	pass in quick on tlp0 to vr0: from any to any port = 80
 	    This sends everything out vr0, but bypasses NAT so all
 	    packets have the internal source IPs (and replies fail)

 			   David Brownlee --