i try using binat :

###   interface  ######
## wan interface ( ip public-01 )##
ext_if="fxp0"

#### LAN Interface ( 192.168.0.0/24) ####
prv_if="fxp1"

#### DMZ Interface ( 192.168.2.0/24) ####
dmz_if="xl0"

#### ip public  & LAN ######
ext_ad01="ipublic-01"
ext_ad02="ipublic-02"
prv_ad="192.168.1.0/24"
dmz_ad="192.168.2.0/24"


##### DMZ server ip ########
dmz_www_ad ="192.168.0.2/32"
dmz_mail_ad ="192.168.0.3/32"
#############################
##### NAT section ############
nat log on $ext_if  from $prv_ad  to any  -> $ext_if
nat log on $ext_if  from $dmz_ad  to any  -> $ext_if

binat on $ext_if from $dmz_www_ad to any -> $ext_ad01
binat on $ext_if from $dmz_mail_ad to any -> $ext_ad02

---cut--

I made some test :

1. NAT from ipublic01 to 192.168.0.2/32 succsess .
2. NAT from ipublic02 to 192.168.0.3/32 not succses event no respond ?

so i made change make ip alias( ipublic02) in interface fxp0  and
made tes againt  :

1. NAT from ipublic01 to 192.168.0.2/32 succsess .
2. NAT from ipublic02 to 192.168.0.3/32 succsess.

so i have some question :
- In PIX FW cisco i just make translate ipublic to  ip dmz , so how do
it in pf without ip alias in wan interface?

thank's ...


On Fri, May 9, 2008 at 5:27 PM, Mikel Lindsaar <raasdnil@gmail.com> wrote:
quoted text
> On Fri, May 9, 2008 at 6:46 PM, sonjaya <sonjaya@gmail.com> wrote:
>> i have old pix firewall ( End Of Lifetime ) and now i want replacement
>> with openbsd .
>> bellow my network layout :
>>                     |-----------lan[192.168.1.0/24]
>> internet--------pix-fw
>>                     |-------------DMZ[192.168.0.0/24]
>>
>> Bassicly nat from interface ip public  to server (dmz zone)
>>
>> what should i use nat,binat or rdr .
>> i have 5 ip public for 5 server with 1 obsd server. any exsample and
>> good start point .
>
> The FAQ?
>
> http://www.openbsd.org/faq/pf/index.html
>
> Mikel
>



-- 
sonjaya
http://sicute.blogspot.com