On my FreeBSD system I want to use port forwarding to distribute incoming traffic, based on the last digit of the source IP.
The following works on Linux with iptables:
iptables -t nat -A PREROUTING -p tcp -s 0.0.0.0/0.0.0.7 -d w.x.y.z --dport 443 -j DNAT --to-destination :4431
iptables -t nat -A PREROUTING -p tcp -s 0.0.0.1/0.0.0.7 -d w.x.y.z --dport 443 -j DNAT --to-destination :4432
iptables -t nat -A PREROUTING -p tcp -s 0.0.0.2/0.0.0.7 -d w.x.y.z --dport 443 -j DNAT --to-destination :4433
iptables -t nat -A PREROUTING -p tcp -s 0.0.0.3/0.0.0.7 -d w.x.y.z --dport 443 -j DNAT --to-destination :4434
iptables -t nat -A PREROUTING -p tcp -s 0.0.0.4/0.0.0.7 -d w.x.y.z --dport 443 -j DNAT --to-destination :4435
iptables -t nat -A PREROUTING -p tcp -s 0.0.0.5/0.0.0.7 -d w.x.y.z --dport 443 -j DNAT --to-destination :4436
iptables -t nat -A PREROUTING -p tcp -s 0.0.0.6/0.0.0.7 -d w.x.y.z --dport 443 -j DNAT --to-destination :4437
iptables -t nat -A PREROUTING -p tcp -s 0.0.0.7/0.0.0.7 -d w.x.y.z --dport 443 -j DNAT --to-destination :4438
What it does is apply the subnet mask to the last digit of the IP address, calculating the modulo value.
Now, how do I do this on FreeBSD with packet filter? I tried the following:
rdr log on vmx1 inet proto tcp from 0.0.0.1/7 to w.x.y.z port = https -> w.x.y.z port 4432 round-robin
rdr log on vmx1 inet proto tcp from 0.0.0.2/7 to w.x.y.z port = https -> w.x.y.z port 4433 round-robin
Unfortunately the 0.0.0.1/7 and 0.0.0.2/7 values get translated to 0.0.0.0/7. Therefore my conditional port forwarding does not work.
Any advice on how to do this?
PF can't do that. Since it's FreeBSD you could get away with IPFilter instead. Yes, it's perfectly fine to use a set of firewalls at the same time, although one should clearly understand their possible interference. Just in case — typically you can change the order of traffic processing by those firewalls changing their modules load order.
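As an added illustration (not part of the question or the answer above), the following Python models the two matching semantics involved: the bit-wise host mask 0.0.0.7 that the iptables rules rely on to compute source-IP mod 8, and pf's reading of "/7" as a prefix length, which is why 0.0.0.1/7 and 0.0.0.2/7 both collapse to 0.0.0.0/7. The rule table mirrors the question's iptables rules; the sample source addresses are constructed.

```python
import ipaddress

# Constructed rule table mirroring the eight iptables rules in the question:
# source host bits 0..7 (after masking with 0.0.0.7) map to ports 4431..4438.
LINUX_RULES = [(f"0.0.0.{n}", 4431 + n) for n in range(8)]
HOST_MASK = "0.0.0.7"  # the non-contiguous mask used by the iptables rules


def ip_to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def iptables_match(src: str, rules=LINUX_RULES, mask: str = HOST_MASK):
    """Return the port iptables would DNAT traffic from src to, or None.

    iptables compares (src & mask) == (rule_addr & mask) bit by bit, so the
    mask does not have to be a contiguous prefix; 0.0.0.7 keeps only the low
    three bits of the address, i.e. src mod 8.
    """
    m = ip_to_int(mask)
    for addr, port in rules:
        if ip_to_int(src) & m == ip_to_int(addr) & m:
            return port
    return None


def pf_normalize(cidr: str) -> str:
    """How pf reads 'a.b.c.d/7': /7 is a prefix length (mask 254.0.0.0).

    The host bits are discarded, so 0.0.0.1/7 and 0.0.0.2/7 both become
    0.0.0.0/7, exactly the collapse the question observed.
    """
    return str(ipaddress.ip_network(cidr, strict=False))


def pf_match(src: str, cidr: str) -> bool:
    """Whether a pf rule written with prefix-length notation matches src.

    0.0.0.0/7 covers only 0.0.0.0-1.255.255.255, so ordinary source
    addresses never hit the attempted rdr rules at all.
    """
    return ipaddress.ip_address(src) in ipaddress.ip_network(cidr, strict=False)


if __name__ == "__main__":
    for src in ("203.0.113.10", "198.51.100.7"):  # constructed sample sources
        print(src, "-> iptables port", iptables_match(src),
              "| pf 0.0.0.1/7 matches:", pf_match(src, "0.0.0.1/7"))
    print("pf sees 0.0.0.1/7 as", pf_normalize("0.0.0.1/7"))
```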