From: Olivier Mauras <olivier@mauras.ch>
To: freebsd-questions@freebsd.org
Date: Wed, 20 Dec 2017 09:25:15 +0100
Subject: pf NAT: Can't make anything else than ICMP work
Message-Id: <20171220092515.e0a757a560781ddead2d92d1@mauras.ch>
Hello,

I can't seem to make this very simple setup work.

I have a VM that has 2 interfaces on two different subnets and want to route traffic between them.

- 10.60.0.0/24
- 192.168.0.0/24

The 10.60.x.x interface gives access to local services and internet. 192.168.x.x is a dedicated local subnet using this VM as their default gateway.

If that matters, the 10.60.x.x interface is a lagg interface between two physical interfaces using KVM PCI passthrough while 192.168.x.x is a virtio interface.

gateway_enable is indeed set and I've added this very simple pf rule:

####
ext_if="lagg0"
nat log on $ext_if proto { tcp udp icmp } from !($ext_if) to any -> ($ext_if)
pass all
####

This lets machines on the 192.168.0.0 subnet using this VM as a gateway ping any resources on 10.60.0.0 or internet. Fine.

Problem is that any other protocol doesn't work. Seems like replies are never received correctly by the issuing machine.

This is the state table I get when issuing a DNS connection from a client (192.168.100.2) behind the GW to either 10.60.60.150 or 8.8.8.8 DNS servers.
10.60.60.3 is my GW address on the 10.60.0.0 subnet on the lagg0 interface.
####
# pfctl -ss
all udp 10.60.60.150:53 <- 192.168.100.2:53372       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:62261 (192.168.100.2:53372) -> 10.60.60.150:53       SINGLE:NO_TRAFFIC
all udp 10.60.60.150:53 <- 192.168.100.2:28768       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:65271 (192.168.100.2:28768) -> 10.60.60.150:53       SINGLE:NO_TRAFFIC
all udp 8.8.8.8:53 <- 192.168.100.2:43155       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:50948 (192.168.100.2:43155) -> 8.8.8.8:53       SINGLE:NO_TRAFFIC
all udp 8.8.8.8:53 <- 192.168.100.2:47160       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:62818 (192.168.100.2:47160) -> 8.8.8.8:53       SINGLE:NO_TRAFFIC
####

I believe that I'm missing a very simple obvious thing but cannot point it out.

Thanks,
-O.
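An added example, not part of the original post, for reading a state table like the one above: it parses plain `pfctl -ss` lines and reports, for every NATed flow, whether pf has seen a single packet back from the responder. It assumes the non-verbose FreeBSD `pfctl -ss` layout shown in the post (`<if> <proto> <host> [(<alias>)] <-|-> <host> <state>:<state>`, with the two state words printed in the same order as the two hosts, and `NO_TRAFFIC` / TCP `CLOSED` meaning "no packet seen from that side yet"). The input is the post's own eight state lines plus two constructed lines for contrast: a healthy UDP flow and a TCP connection whose SYN was never answered.

```python
"""Read `pfctl -ss` output and show which NATed flows never got a reply.

Added example; parsing assumes the plain (non-verbose) FreeBSD pf layout
    <if> <proto> <host> [(<alias>)] <-|-> <host>   <state>:<state>
where the two state words follow the order of the two hosts on the line.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)"
    r"(?:\s+\((?P<alias>[^)]+)\))?\s+(?P<dir>->|<-)\s+(?P<right>\S+)"
    r"\s+(?P<lstate>[^:\s]+):(?P<rstate>\S+)\s*$"
)

# pf state words meaning "no packet seen from this side yet":
# NO_TRAFFIC for UDP/ICMP/other, CLOSED for a TCP peer that has not answered the SYN.
NO_PACKETS = {"NO_TRAFFIC", "CLOSED"}


@dataclass
class Flow:
    ifname: str
    proto: str
    direction: str            # "->" outbound state, "<-" inbound state
    initiator: str            # side that sent the first packet, as pf keys the state
    responder: str
    initiator_state: str
    responder_state: str
    alias: Optional[str]      # parenthesised host printed for the left-hand side:
                              # its pre-NAT source on "->" lines, its rdr target on "<-" lines

    @property
    def reply_seen(self) -> bool:
        return self.responder_state not in NO_PACKETS


def parse_state_line(line: str) -> Optional[Flow]:
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    if m["dir"] == "->":   # printed as source -> destination
        return Flow(m["ifname"], m["proto"], "->", m["left"], m["right"],
                    m["lstate"], m["rstate"], m["alias"])
    # inbound states are printed as destination <- source, so swap sides
    return Flow(m["ifname"], m["proto"], "<-", m["right"], m["left"],
                m["rstate"], m["lstate"], m["alias"])


def parse_states(text: str) -> List[Flow]:
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_state_line(line)
        if flow is None:
            raise ValueError(f"unrecognised pfctl -ss line: {line!r}")
        flows.append(flow)
    return flows


def pair_nat_states(flows: List[Flow]) -> List[Tuple[Flow, Flow]]:
    """Match each inbound (pre-NAT) state with the outbound state pf created for it.
    The outbound line carries the original source in parentheses, so the key is
    (proto, original source, destination)."""
    outbound = {(f.proto, f.alias, f.responder): f
                for f in flows if f.direction == "->" and f.alias}
    pairs = []
    for f in flows:
        if f.direction == "<-":
            mate = outbound.get((f.proto, f.initiator, f.responder))
            if mate is not None:
                pairs.append((f, mate))
    return pairs


def nat_report(text: str) -> List[Tuple[str, str, str, bool]]:
    """(original source, NATed source, destination, reply seen) per NATed flow.
    A reply has to update both states: the outbound one (reply arrives on the
    external interface) and the inbound one (un-NATed reply leaves internally)."""
    return [(inb.initiator, outb.initiator, outb.responder,
             inb.reply_seen and outb.reply_seen)
            for inb, outb in pair_nat_states(parse_states(text))]


# The eight lines copied from the post above, followed by two constructed
# flows for contrast: a UDP exchange that worked and a TCP SYN with no SYN-ACK.
SAMPLE = """\
all udp 10.60.60.150:53 <- 192.168.100.2:53372       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:62261 (192.168.100.2:53372) -> 10.60.60.150:53       SINGLE:NO_TRAFFIC
all udp 10.60.60.150:53 <- 192.168.100.2:28768       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:65271 (192.168.100.2:28768) -> 10.60.60.150:53       SINGLE:NO_TRAFFIC
all udp 8.8.8.8:53 <- 192.168.100.2:43155       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:50948 (192.168.100.2:43155) -> 8.8.8.8:53       SINGLE:NO_TRAFFIC
all udp 8.8.8.8:53 <- 192.168.100.2:47160       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:62818 (192.168.100.2:47160) -> 8.8.8.8:53       SINGLE:NO_TRAFFIC
all udp 8.8.8.8:53 <- 192.168.100.2:40000       MULTIPLE:MULTIPLE
all udp 10.60.60.3:51000 (192.168.100.2:40000) -> 8.8.8.8:53       MULTIPLE:MULTIPLE
all tcp 10.60.60.150:80 <- 192.168.100.2:50001       CLOSED:SYN_SENT
all tcp 10.60.60.3:40001 (192.168.100.2:50001) -> 10.60.60.150:80       SYN_SENT:CLOSED
"""

if __name__ == "__main__":
    for orig, natted, dst, ok in nat_report(SAMPLE):
        print(f"{orig:>22} -> {natted:>18} -> {dst:>18}  "
              f"{'reply seen' if ok else 'NO REPLY'}")
```

Run on the post's table, every flow comes out as NO REPLY: the client's packet created both states and was translated to 10.60.60.3 with a fresh source port, but no packet ever matched either state in the reverse direction. The script does not say why; it only narrows the next question to whether a reply ever arrives on the external interface, which is what `tcpdump -ni lagg0 udp port 53` run during the same test would show.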