NAT with multiple outgoing IPs

IPFilter

map net0 10.10.10.0/24 -> 192.168.0.2/24 round-robin
map net0 10.10.10.0/24 -> 192.168.0.3 round-robin

Iptables

# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j SNAT --to 1.2.3.0/24
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j SNAT --to 1.2.3.0-1.2.3.4 --to 1.2.3.6-1.2.3.254

PF

  • bitmask — grafts the network portion of the pool address over top of the address that is being modified (source address for nat-to rules, destination address for rdr-to rules). Example: if the address pool is 192.0.2.1/24 and the address being modified is 10.0.0.50, then the resulting address will be 192.0.2.50. If the address pool is 192.0.2.1/25 and the address being modified is 10.0.0.130, then the resulting address will be 192.0.2.2.
  • random — randomly selects an address from the pool.
  • source-hash — uses a hash of the source address to determine which address to use from the pool. This method ensures that a given source address is always mapped to the same pool address. The key that is fed to the hashing algorithm can optionally be specified after the source-hash keyword in hex format or as a string. By default, pfctl(8) will generate a random key every time the ruleset is loaded.
  • round-robin — loops through the address pool in sequence. This is the default method and also the only method allowed when the address pool is specified using a table.

Except for the round-robin method, the address pool must be expressed as a CIDR (Classless Inter-Domain Routing) network block. The round-robin method will accept multiple individual addresses using a list or table.

The sticky-address option can be used with the random and round-robin pool types to ensure that a particular source address is always mapped to the same redirection address.

match out on $ext_if inet nat-to { 192.0.2.5, 192.0.2.10 }
match out on $ext_if inet nat-to 192.0.2.4/31 source-hash

Добавить комментарий

Ваш e-mail не будет опубликован. Обязательные поля помечены *