From: "Jay L. T. Cornwall" <jay@jcornwall.me.uk>
Date: Fri, 18 Apr 2008 00:59:14 +0100
To: freebsd-pf@freebsd.org
Subject: PF + if_bridge + NAT anomaly
Message-ID: <4807E452.4090304@jcornwall.me.uk>

Hi,

I have a bridging FreeBSD machine configured as follows:

  LAN <---> vr0 ---bridge0--- vr1 <--> WAN

With the following PF ruleset:

  int_if = "vr0"
  ext_if = "vr1"
  bridge_if = "bridge0"
  nat_from_ips = "192.168.1.0/24"
  nat_to_ip = ""

  set skip on lo0
  scrub in all

  nat on $ext_if from $nat_from_ips to any -> $nat_to_ip

  block in all
  #block out all                  *commented out*

  antispoof quick for { lo0 }

  pass in quick on $int_if
  pass out quick on $int_if
  pass in quick on $bridge_if
  #pass out quick on $bridge_if   *commented out*
  pass out quick on $ext_if

This configuration works correctly. Machines on the LAN with private IPs are NAT'd to a public IP, and others with their own public IPs are routed correctly.

However, note that I have commented out the 'block out all' rule. Commenting this and the later 'pass out quick on $ext_if' back in works correctly for LAN machines with public IPs. However, doing this disables NAT.

Even without 'block out all', the simple presence of:

  pass out quick on $bridge_if

causes NAT to stop. tcpdump on vr1 shows that packets with private IPs are passing to the WAN (and being filtered upstream).

What is causing NAT to stop functioning by the presence of a loose rule? Does the default 'pass all' have additional flags necessary for NAT to function correctly?

Thanks,

-- 
Jay L. T. Cornwall
http://www.jcornwall.me.uk/
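Added example, not part of Jay's message: a small check for the symptom he describes, which is that tcpdump on the external interface shows packets leaving with private source addresses. It reads `tcpdump -n` output from the WAN-side interface and reports every IPv4 packet whose source is still an RFC 1918 address, i.e. traffic that reached the WAN without being translated. The capture lines are constructed for the example, and the function names are my own; the script only reads text, it does not touch pf or the interfaces.

```python
import ipaddress
import re

# RFC 1918 private ranges. NAT on the external interface should rewrite
# these sources before a packet leaves, so seeing one on the WAN side
# means that packet bypassed translation.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Matches "tcpdump -n" IPv4 lines: "<ts> IP <src>[.port] > <dst>[.port]: ..."
# ARP and "IP6" lines deliberately do not match.
TCPDUMP_IPV4 = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^:\s]+):")


def split_host_port(token):
    """Split tcpdump's 'a.b.c.d.port' into ('a.b.c.d', port); port is None if absent."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def is_rfc1918(addr):
    """True if the dotted-quad address falls in one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def find_private_leaks(lines):
    """Return (timestamp, src, dst) for each IPv4 packet with an RFC 1918 source."""
    leaks = []
    for line in lines:
        m = TCPDUMP_IPV4.match(line)
        if not m:
            continue  # ARP, IPv6 and other non-IPv4 lines are not of interest here
        src, _ = split_host_port(m.group("src"))
        dst, _ = split_host_port(m.group("dst"))
        try:
            if is_rfc1918(src):
                leaks.append((m.group("ts"), src, dst))
        except ValueError:
            continue  # hostnames (tcpdump run without -n) cannot be classified
    return leaks


# Constructed sample capture from the external interface (not a real trace).
# Line 1 and line 4 are the leak: private sources heading for the WAN.
SAMPLE_CAPTURE = """\
00:59:01.000001 IP 192.168.1.10.51234 > 203.0.113.5.80: Flags [S], seq 1, win 65535, length 0
00:59:01.000002 IP 198.51.100.20.51235 > 203.0.113.5.80: Flags [S], seq 2, win 65535, length 0
00:59:01.000003 IP 203.0.113.5.80 > 198.51.100.20.51235: Flags [S.], seq 9, ack 3, win 65535, length 0
00:59:01.000004 IP 10.0.0.7 > 203.0.113.9: ICMP echo request, id 1, seq 1, length 64
00:59:01.000005 ARP, Request who-has 198.51.100.1 tell 198.51.100.20, length 28
00:59:01.000006 IP6 fe80::1 > ff02::1: ICMP6, router advertisement, length 56
""".splitlines()

if __name__ == "__main__":
    for ts, src, dst in find_private_leaks(SAMPLE_CAPTURE):
        print(f"{ts} untranslated source {src} -> {dst}")
```

On a live box the same function can be fed `tcpdump -ni vr1` output line by line; an empty result over a period of normal LAN-to-WAN traffic is the quick confirmation that the nat rule is being applied, and any hit pinpoints the flow (and its timestamp) that slipped past it.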