{"id":4695,"date":"2015-02-06T15:40:04","date_gmt":"2015-02-06T13:40:04","guid":{"rendered":"http:\/\/skeletor.org.ua\/?p=4695"},"modified":"2015-02-06T15:40:04","modified_gmt":"2015-02-06T13:40:04","slug":"nat-with-multiple-outgoing-ips","status":"publish","type":"post","link":"https:\/\/skeletor.org.ua\/?p=4695","title":{"rendered":"NAT with multiple outgoing IPs"},"content":{"rendered":"<h2><strong><span style=\"color: #0000ff;\">IPFilter<\/span><\/strong><\/h2>\n<p><code>map net0 10.10.10.0\/24 -&gt; 192.168.0.2\/24 round-robin<br \/>\nmap net0 10.10.10.0\/24 -&gt; 192.168.0.3 round-robin<\/code><\/p>\n<h2><strong><span style=\"color: #0000ff;\">Iptables<\/span><\/strong><\/h2>\n<p><code># iptables -t nat -A POSTROUTING -s 192.168.1.0\/24 -o eth1 -j SNAT --to 1.2.3.0\/24<br \/>\n# iptables -t nat -A POSTROUTING -s 192.168.1.0\/24 -o eth1 -j SNAT --to 1.2.3.0-1.2.3.4 --to 1.2.3.6-1.2.3.254<\/code><\/p>\n<p><!--more--><\/p>\n<h2><strong><span style=\"color: #0000ff;\">PF<\/span><\/strong><\/h2>\n<ul>\n<li><tt>bitmask<\/tt> &#8211; grafts the network portion of the pool address over top of the address that is being modified (source address for <tt>nat-to<\/tt> rules, destination address for <tt>rdr-to<\/tt> rules). Example: if the address pool is 192.0.2.1\/24 and the address being modified is 10.0.0.50, then the resulting address will be 192.0.2.50. If the address pool is 192.0.2.1\/25 and the address being modified is 10.0.0.130, then the resulting address will be 192.0.2.2.<\/li>\n<li><tt>random<\/tt> &#8211; randomly selects an address from the pool.<\/li>\n<li><tt>source-hash<\/tt> &#8211; uses a hash of the source address to determine which address to use from the pool. This method ensures that a given source address is always mapped to the same pool address. The key that is fed to the hashing algorithm can optionally be specified after the <tt>source-hash<\/tt> keyword in hex format or as a string. 
By default, <a href=\"http:\/\/www.openbsd.org\/cgi-bin\/man.cgi?query=pfctl&amp;sektion=8&amp;manpath=OpenBSD+5.6\">pfctl(8)<\/a> will generate a random key every time the ruleset is loaded.<\/li>\n<li><tt>round-robin<\/tt> &#8211; loops through the address pool in sequence. This is the default method and also the only method allowed when the address pool is specified using a <a href=\"http:\/\/www.openbsd.org\/faq\/pf\/tables.html\">table<\/a>.<\/li>\n<\/ul>\n<p>Except for the <tt>round-robin<\/tt> method, the address pool must be expressed as a <a href=\"http:\/\/public.swbell.net\/dedicated\/cidr.html\">CIDR<\/a> (Classless Inter-Domain Routing) network block. The <tt>round-robin<\/tt> method will accept multiple individual addresses using a <a href=\"http:\/\/www.openbsd.org\/faq\/pf\/macros.html#lists\">list<\/a> or <a href=\"http:\/\/www.openbsd.org\/faq\/pf\/tables.html\">table<\/a>.<\/p>\n<p>The <tt>sticky-address<\/tt> option can be used with the <tt>random<\/tt> and <tt>round-robin<\/tt> pool types to ensure that a particular source address is always mapped to the same redirection address.<\/p>\n<p><code>match out on $ext_if inet nat-to { 192.0.2.5, 192.0.2.10 }<br \/>\nmatch out on $ext_if inet nat-to 192.0.2.4\/31 source-hash<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"<p>IPFilter map net0 10.10.10.0\/24 -&gt; 192.168.0.2\/24 round-robin map net0 10.10.10.0\/24 -&gt; 192.168.0.3 round-robin Iptables # iptables -t nat -A POSTROUTING -s 192.168.1.0\/24 -o eth1 -j SNAT --to 1.2.3.0\/24 # iptables -t nat -A POSTROUTING -s 192.168.1.0\/24 -o eth1 -j SNAT --to 1.2.3.0-1.2.3.4 --to 
1.2.3.6-1.2.3.254<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,5,25,24],"tags":[],"class_list":["post-4695","post","type-post","status-publish","format-standard","hentry","category-freebsd","category-linux","category-openbsd","category-solaris"],"_links":{"self":[{"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=\/wp\/v2\/posts\/4695","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4695"}],"version-history":[{"count":1,"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=\/wp\/v2\/posts\/4695\/revisions"}],"predecessor-version":[{"id":4696,"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=\/wp\/v2\/posts\/4695\/revisions\/4696"}],"wp:attachment":[{"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4695"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4695"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4695"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}