More NAT and Zones Tricks
By ford on Oct 25, 2005
Some people have been trying out the technique I posted to use IPFilter to provide NAT service for non-global zones. Here are a few new tidbits based on their feedback.
I had an error in my instructions (now corrected): I said to use the "down" argument on the ifconfig addif command for the global zone's imaginary address. I would have sworn that this worked for me but people reported that it didn't, so I tried it again and sure enough, it doesn't work. So the right thing is to use "up," not "down," on the "addif" step.
I didn't have time to try inbound port redirection but some other people tried it and it works. This is very useful if you want to run inbound network services (say, a web server) in different zones but you don't want to give each service its own IP address. You can use IPFilter's rdr ipnat rule to direct incoming requests to particular zones. The rule must use the destination port number to distinguish the incoming requests (naturally, since the destination addresses will all be identical) and redirect the packets to a new destination address (the private address for the appropriate zone). This does require that you assign each service a unique port number on your external, public, address: If you want to run two web servers, each in its own zone, they can't both use TCP port 80 on your public address.
An rdr rule might look like this:
rdr bge0 0/0 port 80 -> 10.10.10.2 port 80 tcp
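As an added example (not from the original post), here is what a complete ipnat.conf might look like when two zones each run a web server on their own private address and both must be reachable through the single public address on bge0. The interface name bge0 and the 10.10.10.0/24 private range follow the rule above; the zone addresses 10.10.10.2 and 10.10.10.3, the external port 8080 and the map rules for outbound traffic are assumptions for illustration.

```conf
# /etc/ipf/ipnat.conf (assumed path; added example, not the post's own file)
#
# Outbound: let the non-global zones on the private 10.10.10.0/24 range
# reach the network through the global zone's public address on bge0.
# "0/32" tells IPFilter to use the address currently on the interface.
map bge0 10.10.10.0/24 -> 0/32 portmap tcp/udp 40000:60000
map bge0 10.10.10.0/24 -> 0/32

# Inbound: one rdr rule per service, distinguished only by the public
# destination port, because every inbound packet carries the same
# public destination address.
#
# Zone "web1" (10.10.10.2) owns public TCP port 80.
rdr bge0 0/0 port 80 -> 10.10.10.2 port 80 tcp
#
# Zone "web2" (10.10.10.3) also listens on port 80 inside its zone, but
# it cannot share public port 80, so it is published on 8080 and the
# rule rewrites the destination port on the way in.
rdr bge0 0/0 port 8080 -> 10.10.10.3 port 80 tcp

# Reload the table after editing (flush the old rules, then load):
#   ipnat -CF -f /etc/ipf/ipnat.conf
# Verify what is active:
#   ipnat -l
```

The second rdr rule is the case the text warns about: two web servers, two zones, one public address. Giving the second service its own public port (8080) and translating it back to 80 inside the zone keeps both reachable, and the map rules above it keep the zones' own outbound connections working as in the earlier post.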