IP alias with OpenBSD
From: dan...@benzedrine.cx (Daniel Hartmeier)
Newsgroups: bit.listserv.openbsd-pf
Subject: Re: IP alias with OpenBSD
Date: 2 May 2006 00:21:36 -0700
Message-ID: <20060502071250.GW19449@insomnia.benzedrine.cx>
References: <1146488142.235661.246680@i40g2000cwc.googlegroups.com> <20060502002637.GB27930@ice-nine.org>
On Mon, May 01, 2006 at 08:26:37PM -0400, jared r r spiegel wrote:
> my5addrs="1.2.0.1 1.2.0.2 1.2.0.3 1.2.0.4 1.2.0.5"
>
> nat on $ext -> { $my5addrs }
>
> I've never dealt personally with multiple egress IPs, but that
> syntax passes the parser.
Yes, that should work. pf will automatically cycle through those
addresses when you establish multiple non-TCP/UDP/ICMP connections to
the same external host. You don't need special syntax to enable that.
When you already have an ongoing VPN connection from, say, 10.1.2.3
to 62.65.145.30 NATed to 1.2.0.1, and then open another one (from
any other 10/8 to 62.65.145.30), it will also try to use 1.2.0.1 as
replacement address, note the conflict with the existing state entry,
then try the next one (1.2.0.2). Only when you exhaust all four
addresses (try to establish a fifth concurrent VPN connection to
62.65.145.30) will there be a state insertion failure.
Daniel
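The walk-through above (pick a pool address, check the translated state key against the existing states, move to the next address on a conflict, fail once the pool is used up) can be modelled in a few lines. The following is an added illustration and is not pf's code or anything from the original thread: it models only the behaviour Daniel describes, ignores pf's pool options (round-robin, source-hash, sticky-address) and port randomisation, and the protocol set, the 50001-65535 port range and the 10/8 client addresses are assumptions for the sake of the example.

```python
"""Toy model of pf NAT pool selection as described in the post.

Added illustration, not pf's implementation. A state is keyed on the
translated side as (proto, nat_src, nat_sport, dst, dport); inserting a
duplicate key is a conflict, and for protocols without ports the only thing
pf can vary to avoid the conflict is the replacement source address.
"""

# Protocols with no port field: only the address can change on conflict.
# Assumption: illustrative set; pf treats any non-TCP/UDP protocol this way.
PORTLESS_PROTOS = {"esp", "gre", "ah", "ipip"}

# Assumption: pf.conf(5)'s default NAT source-port range.
NAT_PORT_LO, NAT_PORT_HI = 50001, 65535


class StateInsertionFailure(Exception):
    """Raised when every pool address already has a colliding state entry."""


class NatPool:
    def __init__(self, addrs):
        self.pool = list(addrs)          # replacement source addresses, in order
        self.states = set()              # translated state keys currently live

    def translate(self, proto, src, dst, dport=None):
        """Pick (nat_src, nat_sport) for a new outbound flow src -> dst.

        Walks the pool in order, exactly as the post describes: an address
        whose translated key already exists is skipped in favour of the next.
        """
        for cand in self.pool:
            if proto in PORTLESS_PROTOS:
                key = (proto, cand, None, dst, None)
                if key in self.states:
                    continue                 # conflict: try the next address
                self.states.add(key)
                return cand, None
            # TCP/UDP: the source port is rewritable too, so one address can
            # carry many flows to the same peer and the pool is rarely exhausted.
            for port in range(NAT_PORT_LO, NAT_PORT_HI + 1):
                key = (proto, cand, port, dst, dport)
                if key not in self.states:
                    self.states.add(key)
                    return cand, port
        raise StateInsertionFailure(f"{proto} {src} -> {dst}: pool exhausted")

    def close(self, proto, nat_src, dst, nat_sport=None, dport=None):
        """Remove a state (flow ended), freeing its key for reuse."""
        self.states.discard((proto, nat_src, nat_sport, dst, dport))


def esp_walkthrough(pool, n_clients, peer="62.65.145.30"):
    """Open n_clients concurrent ESP flows from distinct (constructed) 10/8
    hosts to the same peer. Returns the replacement address chosen for each
    flow, or "fail" where the state insertion failed."""
    nat = NatPool(pool)
    results = []
    for i in range(n_clients):
        src = f"10.1.2.{i + 1}"
        try:
            results.append(nat.translate("esp", src, peer)[0])
        except StateInsertionFailure:
            results.append("fail")
    return results


if __name__ == "__main__":
    five = ["1.2.0.1", "1.2.0.2", "1.2.0.3", "1.2.0.4", "1.2.0.5"]
    print(esp_walkthrough(five, 6))
```

With five pool addresses the sixth concurrent ESP flow to the same peer is the one that fails; a flow to a different peer, or a UDP flow (IKE on 500/udp, for example), does not consume a pool address in the same way because its key differs or its port can be rewritten.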