From owner-freebsd-pf@FreeBSD.ORG Sun Aug 21 08:13:17 2011
From: h bagade
Sender: s.khanchi@gmail.com
To: freebsd-pf@freebsd.org
Date: Sun, 21 Aug 2011 12:18:24 +0430
Subject: problem with setting nat
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi all,

I am trying to use pf nat rules with pool support on FreeBSD 8.0, working together with ipfw as the main firewall.
According to the NAT concepts I came across in manuals and docs, the idea of NAT is to map the source address to the NATed address when sending packets from that source, and then to map the destination address of the related reply packets back. But when I define pf nat rules with a pool of IP addresses that are not available on the outside interface, the outgoing traffic is NATed to one of the pool addresses, but the response is not received via that interface, so pf cannot map the destination address back to the real one.

Here is one of the configs I used during my tests:

configurations:

pf.conf:

    nat on eth1 from { 11.11.11.0/24} to any -> {172.16.10.1,172.16.10.2,172.16.10.3,172.16.10.4,172.16.10.5,172.16.10.6,172.16.10.7,172.16.10.8,172.16.10.9,172.16.10.10}

main system configurations:

    eth0: 11.11.11.1
    eth1: 172.16.10.64

system A: directly connected to eth0 - 11.11.11.11
system B: directly connected to eth1 - 172.16.10.65

In this config the default route of system A and system B is the middle system's connected IP address.

As mentioned, when system A pings system B, the ping requests are NATed to 172.16.10.1 and received at system B, but system B doesn't send ICMP replies because it doesn't know to whom it should send them (no answer to system B's ARP requests about who has the NATed IP).

Now my question is: isn't it the pf NAT's responsibility to manage this condition and send the ARP replies to system B? Or are my configs wrong? Or have I misunderstood the NAT concepts?

Any ideas or help are really appreciated, as I have to set up this NAT on my main system ASAP.

Thanks in advance.
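An added check for the situation described in this post (my example, not code from the poster or from pf): pf rewrites the source address to a pool member but never answers ARP for it, and the FreeBSD kernel only replies to ARP for addresses configured on an interface (for example via an ifconfig alias). The script parses the pool of a nat rule and reports members the outside interface does not own, using a constructed rule and constructed ifconfig output; it assumes literal IPv4 pool entries.

```sh
#!/bin/sh
# Added example: report nat-pool addresses the outside interface does not own.
# Assumes literal IPv4 pool entries (no "(eth1)" or table forms).

# Constructed sample: the nat rule from the post, cut to three pool members.
PF_RULE='nat on eth1 from { 11.11.11.0/24 } to any -> { 172.16.10.1, 172.16.10.2, 172.16.10.3 }'

# Constructed sample of `ifconfig eth1` output: the primary address plus one alias.
IFCONFIG_OUT='eth1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 172.16.10.64 netmask 0xffffff00 broadcast 172.16.10.255
	inet 172.16.10.1 netmask 0xffffffff broadcast 172.16.10.1'

# pool_addrs RULE: print the translation addresses after "->", one per line.
pool_addrs() {
    _p=$(printf '%s\n' "$1" | sed -n 's/.*->[[:space:]]*//p')
    case "$_p" in
        \{*) _p=${_p#\{}; _p=${_p%%\}*} ;;   # brace list: keep the inside of the braces
        *)   _p=${_p%% *} ;;                 # single address: keep the first word
    esac
    printf '%s\n' "$_p" | tr ',' '\n' | tr -d ' \t' | sed '/^$/d'
}

# iface_addrs IFCONFIG_TEXT: print the IPv4 addresses the interface owns.
iface_addrs() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2 }'
}

# missing_pool_addrs RULE IFCONFIG_TEXT: pool members with no interface address,
# i.e. the ones nobody on the segment will answer ARP for.
missing_pool_addrs() {
    _have=$(iface_addrs "$2")
    pool_addrs "$1" | while IFS= read -r _a; do
        printf '%s\n' "$_have" | grep -Fxq -- "$_a" || printf '%s\n' "$_a"
    done
}

missing=$(missing_pool_addrs "$PF_RULE" "$IFCONFIG_OUT")
if [ -n "$missing" ]; then
    printf 'pool addresses not configured on the interface:\n%s\n' "$missing"
else
    echo 'every pool address is configured on the interface'
fi
```

On a real box, feed it the output of `pfctl -sn` and `ifconfig <outside-if>` instead of the constructed samples; each reported address needs an alias on that interface before the neighbour can reply.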