I need some help on setting up IP aliasing with NAT. The need is to create static NAT entries for some users due to a limit of 4 sessions per Public IP Address for a VPN server. I have 5 addresses from my ISP and wanted to use these to get around this 4 sessions per WAN IP. Any examples would be greatly appreciated.
On Mon, May 01, 2006 at 05:55:42AM -0700, Gnat wrote:
> I need some help on setting up IP aliasing with NAT. The need is to
> create static NAT entries for some users due to a limit of 4 sessions
> per Public IP Address for a VPN server. I have 5 addresses from my ISP
> and wanted to use these to get around this 4 sessions per WAN IP. Any
> examples would be greatly appreciated.

> I've never dealt personally with multiple egress IPs, but that
> syntax passes the parser
Yes, that should work. pf will automatically cycle through those addresses when you establish multiple non-TCP/UDP/ICMP connections to the same external host. You don't need special syntax to enable that.
When you already have an ongoing VPN connection from, say, 10.1.2.3 to 62.65.145.30 NATed to 1.2.0.1, and then open another one (from any other 10/8 to 62.65.145.30), it will also try to use 1.2.0.1 as the replacement address, note the conflict with the existing state entry, then try the next one (1.2.0.2). Only when you exhaust all four addresses (try to establish a fifth concurrent VPN connection to 62.65.145.30) will there be a state insertion failure.
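The ruleset below is an added example written for this thread, not the syntax the quoted poster tested and not code from the OpenBSD project. It uses the pre-4.7 `nat on` syntax that was current in 2006, and it assumes an external interface named `em0`, the 10/8 internal range and the 62.65.145.30 VPN server from the reply, and a four-address pool in the reply's 1.2.0.x example range (placeholders; substitute the ISP-assigned addresses):

```pf
# /etc/pf.conf fragment (added example; interface name and addresses are assumed)
ext_if  = "em0"            # external interface carrying the public addresses
int_net = "10.0.0.0/8"     # internal range the reply refers to as 10/8
vpn_srv = "62.65.145.30"   # the VPN server enforcing 4 sessions per public IP

# Pool of public addresses used as NAT sources. Each one must also be
# configured as an alias on $ext_if (see the note below the ruleset).
nat_pool = "{ 1.2.0.1, 1.2.0.2, 1.2.0.3, 1.2.0.4 }"

# Translation rules are first-match, so the VPN-specific rule comes first.
# With a list of addresses pf uses round-robin; for non-TCP/UDP/ICMP traffic
# (ESP, GRE, ...) it skips any address that already has a state to the same
# destination, so concurrent tunnels to $vpn_srv land on distinct public IPs.
# A fifth concurrent tunnel to $vpn_srv finds no free address and its state
# insertion fails, exactly as described in the reply.
nat on $ext_if from $int_net to $vpn_srv -> $nat_pool round-robin

# Everything else keeps leaving from the primary address.
nat on $ext_if from $int_net to any -> 1.2.0.1

# Filter rules: allow the translated traffic out and keep state for it.
pass out on $ext_if from $int_net to $vpn_srv keep state
pass out on $ext_if from $int_net to any keep state
```

The pool addresses only work as NAT sources if the host answers for them, so each extra address goes on the external interface as an alias (for example a line such as `inet alias 1.2.0.2 255.255.255.255` in `/etc/hostname.em0`). Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and use `pfctl -ss` to confirm which pool address each VPN state was assigned; if the fifth tunnel is refused, that is the expected state insertion failure rather than a misconfiguration.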