From owner-freebsd-pf@freebsd.org Sun Apr 2 21:01:05 2017
From: bugzilla-noreply@FreeBSD.org
To: freebsd-pf@FreeBSD.org
Subject: Problem reports for freebsd-pf@FreeBSD.org that need special attention
Date: Sun, 02 Apr 2017 21:01:04 +0000
List-Id: "Technical discussion and general questions about packet filter (pf)"

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering all
versions including experimental development code and obsolete releases.

Status      | Bug Id    | Description
------------+-----------+---------------------------------------------------
Open        | 203735    | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.
From owner-freebsd-pf@freebsd.org Wed Apr 5 02:18:02 2017
From: Paul Webster
Date: Wed, 5 Apr 2017 03:18:01 +0100
Subject: Complicated NAT setup
To: freebsd-pf@freebsd.org

Hey all,

I am having trouble with freebsd/pf and the attached config. My main issue is
with the second nat:

  'nat on $int_if from any to ($josh_if) -> $josh_xbox'

It seems to work for TCP inbound but not for UDP or ICMP. I cannot see the
reason why; perhaps a binat rule would be better, but I could never get it
quite working (in either direction).

# Macros
ext_if=igb0
int_if=igb1
localnet = "{ 172.31.33.2/32, ...
lots of ips }"

josh_xbox="172.31.33.254"
josh_if="gre0"
josh_gateway="10.0.0.2"
josh_vpnhost="185.157.232.30"

tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s, 5901 }"
udp_services = "{ domain }"

# Global rules
set skip on lo0
scrub in all

# NAT and redirection
nat on $ext_if from $localnet to any -> ($ext_if)

# xBox redirection
nat on $josh_if from $josh_xbox to any -> ($josh_if)
nat on $int_if from any to ($josh_if) -> $josh_xbox

rdr-anchor "miniupnpd"

# Tables and sets
table persist
table persist

# Filtering rules (Quick first)

# Release GRE and QUICK release the protocol
pass in quick on $ext_if inet proto 47 from $josh_vpnhost to any no state flags any
pass out quick on $ext_if inet proto 47 from any to $josh_vpnhost no state flags any

# SSH, DNS, DHCP
block quick on $ext_if proto udp from any to any port 67
pass in quick on $int_if proto tcp from 172.31.33.1/24 to 172.31.33.1/32 port 22
pass in quick on $int_if proto {tcp,udp} from 172.31.33.1/24 to 172.31.33.1/32 port 53
pass in quick on $int_if proto udp from any to 172.31.33.1/32 port 63

# Pass out/in the xbox traffic (THIS MUST GO AFTER THE DNS RULES)
pass in quick on $int_if from $josh_xbox rtable 1  # Swap packets from the xbox to fib1 routing table
pass in quick on $josh_if rtable 0

From owner-freebsd-pf@freebsd.org Wed Apr 5 06:01:17 2017
Subject: Re: Complicated NAT setup
From: Max
Date: Wed, 5 Apr 2017 08:37:25 +0300
To: freebsd-pf@freebsd.org

Hello, Paul.

> # xBox redirection
> nat on $josh_if from $josh_xbox to any -> ($josh_if)
> nat on $int_if from any to ($josh_if) -> $josh_xbox

Something is wrong with these rules. It seems that $josh_xbox is a host (xbox)
in your local network, but the second rule changes the source address to
$josh_xbox. Probably it should be:

  # out
  nat on $josh_if from $josh_xbox to any -> ($josh_if)
  # in
  rdr on $josh_if from any to ($josh_if) -> $josh_xbox
  nat on $int_if from any to $josh_xbox -> $int_if

Can you describe in detail your network setup and the direction of the xbox
connections?
From owner-freebsd-pf@freebsd.org Wed Apr 5 09:34:51 2017
From: Paul Webster
Date: Wed, 5 Apr 2017 10:34:50 +0100
Subject: Re: Complicated NAT setup
To: freebsd-pf@freebsd.org

Thank you for the fast reply mark, here is a list of interfaces with their
relative ips:

GW1 (local lan gateway):
  lo0: 127.0.0.1 ::1
  igb0: 86.5.192.180 (public_ip)
  igb1: 172.31.33.1/24 (private lan)
  msk0: unused/192.168.0.1
  tun0: 172.19.20.2
  gre0: 10.0.0.1 (via igb0)

GW2 (vps remote gateway):
  lo0: 127.0.0.1 ::1
  vio0: 185.157.232.30
  gre0: 10.0.0.2 (via vio0)

Xbox1 ( GW1[igb1->gre0] -> GW2[gre0->vio0] ):
  lo0: 127.0.0.1 ::1
  vtnet0: 172.31.33.254

NOTE: xbox1 in this case is really freebsd 12-current with the forced ip
172.31.33.254, because the xbox really is too restrictive for debug purposes;
all it requires is that I set the correct dhcp-host on GW1 to make the xbox1
172.31.33.254 though.
Also the $localnet is really { 172.31.33.2-200 }, so when the XBOX is
172.31.33.254 it is not going out via the primary NAT rule; it is instead
getting caught by

  pass in quick on $int_if from $josh_xbox rtable 1  # Swap packets from the xbox to fib1 routing table

and the corresponding NAT further up the ruleset. The 'default route' of
'fib 1' is 10.0.0.2.

From owner-freebsd-pf@freebsd.org Wed Apr 5 10:10:33 2017
From: Paul Webster
Date: Wed, 5 Apr 2017 11:10:31 +0100
Subject: Re: Complicated NAT setup
To: freebsd-pf@freebsd.org

I just read over my first post; a note would be that it does work perfectly
outbound. The only thing not working is ICMP and UDP inbound.
From owner-freebsd-pf@freebsd.org Wed Apr 5 11:47:53 2017
From: Paul Webster
Date: Wed, 5 Apr 2017 12:47:51 +0100
Subject: Re: Complicated NAT setup
To: freebsd-pf@freebsd.org

Thought I would post in case someone ends up in a similar situation. I changed
the nat rules to be:

  # xBox redirection
  nat on $josh_if from $josh_xbox to any -> ($josh_if)   # Nat the Xbox out via gre0 (outbound)
  rdr on $josh_if from any to ($josh_if) -> $josh_xbox   # Redirect everything received on gre0 to the xbox (inbound)

and it is working :) Thank you for the hand out max
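The point Max made, as an added illustration that is not part of the thread: a small Python model of how pf selects translation rules (nat is consulted only for packets leaving an interface and rewrites the source; rdr only for packets entering one and rewrites the destination; first match wins), run against Paul's original pair of rules and the corrected pair. Addresses come from Paul's interface listing; the peer address 198.51.100.7 is constructed for the demonstration.

```python
# Added example: a model of pf's direction-dependent translation lookup.
# nat rules apply to packets going OUT of the named interface and change
# the source address; rdr rules apply to packets coming IN on it and change
# the destination. Addresses follow the thread (gre0 = 10.0.0.1 on GW1,
# igb1 = 172.31.33.1, xbox = 172.31.33.254); PEER is constructed.
from dataclasses import dataclass, replace

IFACE_ADDR = {"gre0": "10.0.0.1", "igb1": "172.31.33.1", "igb0": "86.5.192.180"}
XBOX = "172.31.33.254"
PEER = "198.51.100.7"  # constructed: a host the xbox talks to through the VPN

@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str  # "in" (entering iface) or "out" (leaving iface)
    src: str
    dst: str

@dataclass(frozen=True)
class Rule:
    kind: str    # "nat" or "rdr"
    iface: str
    src: str     # "any" or an address
    dst: str     # "any", an address, or "(ifname)" for that interface's address
    target: str  # replacement address, may also be "(ifname)"

def resolve(addr: str) -> str:
    """Expand pf's '(ifname)' form to the interface's current address."""
    if addr.startswith("(") and addr.endswith(")"):
        return IFACE_ADDR[addr[1:-1]]
    return addr

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iface != pkt.iface:
        return False
    # nat is only evaluated for outbound packets, rdr only for inbound ones
    if (rule.kind, pkt.direction) not in (("nat", "out"), ("rdr", "in")):
        return False
    src_ok = rule.src == "any" or resolve(rule.src) == pkt.src
    dst_ok = rule.dst == "any" or resolve(rule.dst) == pkt.dst
    return src_ok and dst_ok

def translate(rules, pkt: Packet) -> Packet:
    """Apply the first matching translation rule (pf: first match wins)."""
    for rule in rules:
        if matches(rule, pkt):
            if rule.kind == "nat":
                return replace(pkt, src=resolve(rule.target))
            return replace(pkt, dst=resolve(rule.target))
    return pkt

# Paul's original "xBox redirection" rules
OLD_RULES = [
    Rule("nat", "gre0", XBOX, "any", "(gre0)"),
    Rule("nat", "igb1", "any", "(gre0)", XBOX),
]
# The rules from Paul's follow-up (the shape Max suggested)
NEW_RULES = [
    Rule("nat", "gre0", XBOX, "any", "(gre0)"),
    Rule("rdr", "gre0", "any", "(gre0)", XBOX),
]

def outbound_from_xbox(rules) -> Packet:
    """Packet from the xbox leaving GW1 through gre0."""
    return translate(rules, Packet("gre0", "out", XBOX, PEER))

def inbound_from_vpn(rules) -> Packet:
    """Reply from the peer arriving on gre0, addressed to the tunnel endpoint."""
    return translate(rules, Packet("gre0", "in", PEER, IFACE_ADDR["gre0"]))

def old_second_rule_effect() -> Packet:
    """The only packet the old second rule can hit: one leaving igb1 towards
    gre0's address. It rewrites the SOURCE to the xbox, never the destination."""
    return translate(OLD_RULES, Packet("igb1", "out", PEER, IFACE_ADDR["gre0"]))

if __name__ == "__main__":
    for name, rules in (("old", OLD_RULES), ("new", NEW_RULES)):
        print(name, "out:", outbound_from_xbox(rules))
        print(name, "in: ", inbound_from_vpn(rules))
    print("old rule 2 effect:", old_second_rule_effect())
```

With the old rules an inbound packet on gre0 is never redirected (its destination stays at the GW1 tunnel address), which is why only traffic with a matching outbound state could reach the xbox; the rdr rule is what changes the destination for everything arriving on gre0.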
From owner-freebsd-pf@freebsd.org Sat Apr 8 09:48:56 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 217997] [pf] orphaned entries in src-track
Date: Sat, 08 Apr 2017 09:48:56 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 10.3-RELEASE
X-Bugzilla-Status: New

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217997

--- Comment #16 from commit-hook@freebsd.org ---
A commit references this bug:

Author: kp
Date: Sat Apr 8 09:48:21 UTC 2017
New revision: 316640
URL: https://svnweb.freebsd.org/changeset/base/316640

Log:
  MFC r316355

  pf: Fix leak of pf_state_keys

  If we hit the state limit we returned from pf_create_state() without cleaning up.
  PR:           217997
  Submitted by: Max

Changes:
  _U  stable/11/
  stable/11/sys/netpfil/pf/pf.c

--
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-pf@freebsd.org Sat Apr 8 09:50:01 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 217997] [pf] orphaned entries in src-track
Date: Sat, 08 Apr 2017 09:50:01 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217997

--- Comment #17 from commit-hook@freebsd.org ---
A commit references this bug:

Author: kp
Date: Sat Apr 8 09:49:21 UTC 2017
New revision: 316641
URL: https://svnweb.freebsd.org/changeset/base/316641

Log:
  MFC r316355

  pf: Fix leak of pf_state_keys

  If we hit the state limit we returned from pf_create_state() without cleaning up.

  PR:           217997
  Submitted by: Max

Changes:
  _U  stable/10/
  stable/10/sys/netpfil/pf/pf.c

--
You are receiving this mail because:
You are the assignee for the bug.