Date: Wed, 30 Mar 2005 12:15:52 +0200
From: Mathieu Arnold
To: pf@freebsd.org
Subject: route-to and nat :-)

Hello,

I have my home network with 2 subnets:

  PRIV: 192.168.1.0/24
  PUB:  193.30.224.120/29

I have a dsl router, and a freebsd gw. so, it could look like that:

  +-----+
  | DSL +-- internet
  +-----+
     | 192.168.1.1/24
     |
     |               +---------+
     +---------------| freebsd |
     |           dc0 +---------+
     |               192.168.1.3/24, 193.30.224.121/29
     |
  other boxes, some in PRIV, some other in PUB.

boxes in PRIV have 192.168.1.1 as their gateway, boxes in PUB have
193.30.224.121. I have a tun0 on the freebsd box which brings me back the
traffic for PUB.
my dsl router is nice enough to only nat the traffic from PRIV, and not for
PUB, so, packets coming from PRIV and going out are natted, the others are
not; it works because the packets come back through tun0. The default gw is
on tun0.

Now, I have that:

  int_if="dc0"
  int_gw="192.168.1.1"
  int_addr="192.168.1.3"
  ext_if="tun0"
  pub="193.30.224.120/29"
  priv="192.168.1.0/24"

  no nat on $int_if from any to { $pub, $priv }
  no nat on $int_if from { $priv } to any
  nat on $int_if from any to any -> $int_addr

works nice, if I:

  route add xx.xx.xx.xx 192.168.1.1

the packets get out on dc0 and are natted nicely and it works.

but, but, I wanted to do some finer grained routing, so I tried:

  pass in quick on $int_if route-to ($int_if $int_gw) proto tcp from $pub to any port 25

The packets are going out via dc0 like I want, but they don't seem to go
through nat. I tried also:

  pass out quick on $ext_if route-to ($int_if $int_gw) proto tcp from $pub to any port 25

The packets are taken out nicely to dc0, are natted, but something strange
happens when they come back, and the originating box never sees the packets.
here is what is seen on the remote smtp server:

  12:06:00.738633 i01v-41-206.d4.club-internet.fr.61540 > plouf.absolight.net.smtp: S 1477496869:1477496869(0) win 64240 (DF)
  12:06:00.738678 plouf.absolight.net.smtp > i01v-41-206.d4.club-internet.fr.61540: S 817947484:817947484(0) ack 1477496870 win 57344 (DF)
  12:06:03.736622 plouf.absolight.net.smtp > i01v-41-206.d4.club-internet.fr.61540: S 817947484:817947484(0) ack 1477496870 win 57344 (DF)
  12:06:09.736298 plouf.absolight.net.smtp > i01v-41-206.d4.club-internet.fr.61540: S 817947484:817947484(0) ack 1477496870 win 57344 (DF)
  12:06:21.735650 plouf.absolight.net.smtp > i01v-41-206.d4.club-internet.fr.61540: S 817947484:817947484(0) ack 1477496870 win 57344 (DF)

here is what's seen on my freebsd gw:

  12:06:00.662626 IP pouet.in.mat.cc.4643 > plouf.absolight.net.smtp: S 1477496869:1477496869(0) win 64240
  12:06:00.663018 IP 192.168.1.3.58512 > plouf.absolight.net.smtp: S 1477496869:1477496869(0) win 64240
  12:06:00.693868 IP plouf.absolight.net.smtp > 192.168.1.3.58512: S 817947484:817947484(0) ack 1477496870 win 57344
  12:06:00.694097 IP plouf.absolight.net.smtp > pouet.in.mat.cc.4643: S 817947484:817947484(0) ack 1477496870 win 57344
  12:06:00.694274 IP pouet.in.mat.cc.4643 > plouf.absolight.net.smtp: . ack 1 win 64492
  12:06:03.691499 IP plouf.absolight.net.smtp > 192.168.1.3.58512: S 817947484:817947484(0) ack 1477496870 win 57344
  12:06:03.691771 IP plouf.absolight.net.smtp > pouet.in.mat.cc.4643: S 817947484:817947484(0) ack 1477496870 win 57344
  12:06:03.694103 IP pouet.in.mat.cc.4643 > plouf.absolight.net.smtp: . ack 1 win 64492
  12:06:09.718270 IP plouf.absolight.net.smtp > 192.168.1.3.58512: S 817947484:817947484(0) ack 1477496870 win 57344
  12:06:09.718987 IP plouf.absolight.net.smtp > pouet.in.mat.cc.4643: S 817947484:817947484(0) ack 1477496870 win 57344
  12:06:09.719179 IP pouet.in.mat.cc.4643 > plouf.absolight.net.smtp: . ack 1 win 64492
  12:06:21.135016 IP pouet.in.mat.cc.4643 > plouf.absolight.net.smtp: F 1:1(0) ack 1 win 64492
  12:06:21.690741 IP plouf.absolight.net.smtp > 192.168.1.3.58512: S 817947484:817947484(0) ack 1477496870 win 57344
  12:06:21.690955 IP plouf.absolight.net.smtp > pouet.in.mat.cc.4643: S 817947484:817947484(0) ack 1477496870 win 57344
  12:06:21.691106 IP pouet.in.mat.cc.4643 > plouf.absolight.net.smtp: . ack 1 win 64492

If someone understands what this is all about, I'd be glad to know :-)

-- 
Mathieu Arnold
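As an added illustration (not part of Mathieu's mail or of pf), a small Python checker that reads gateway-side tcpdump lines like the ones quoted above and lists the packets sent by the PUB host for which no NAT-translated twin (same destination and same TCP description, but with the nat address as source) was captured. On a subset of the quoted trace it reports the ACK and the FIN, which have no 192.168.1.3 copy, while the SYN does; the host names and the 192.168.1.3 nat address are taken from the mail and the sample is re-typed as constructed input.

```python
import re

# Constructed sample: a subset of the gateway-side tcpdump lines quoted in
# the mail, re-typed here as test input (not a live capture).
GATEWAY_CAPTURE = """\
12:06:00.662626 IP pouet.in.mat.cc.4643 > plouf.absolight.net.smtp: S 1477496869:1477496869(0) win 64240
12:06:00.663018 IP 192.168.1.3.58512 > plouf.absolight.net.smtp: S 1477496869:1477496869(0) win 64240
12:06:00.693868 IP plouf.absolight.net.smtp > 192.168.1.3.58512: S 817947484:817947484(0) ack 1477496870 win 57344
12:06:00.694097 IP plouf.absolight.net.smtp > pouet.in.mat.cc.4643: S 817947484:817947484(0) ack 1477496870 win 57344
12:06:00.694274 IP pouet.in.mat.cc.4643 > plouf.absolight.net.smtp: . ack 1 win 64492
12:06:21.135016 IP pouet.in.mat.cc.4643 > plouf.absolight.net.smtp: F 1:1(0) ack 1 win 64492
"""

# tcpdump line shape: "<ts> IP <host>.<port> > <host>.<port>: <tcp description>"
LINE_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): (.*)$")


def parse_line(line):
    """Split one tcpdump line into (ts, src_host, src_port, dst_host, dst_port, desc)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, desc = m.groups()
    src_host, src_port = src.rsplit(".", 1)   # last dotted component is the port
    dst_host, dst_port = dst.rsplit(".", 1)
    return ts, src_host, src_port, dst_host, dst_port, desc


def untranslated_packets(capture, inside_host, nat_addr):
    """Return (ts, desc) for packets sent by inside_host that never reappear
    with nat_addr as source, i.e. that left the gateway without passing the
    nat rule.  NAT rewrites only addresses and ports, so the destination plus
    the TCP description (flags, seq/ack, window) identifies a packet's twin."""
    pkts = [p for p in map(parse_line, capture.splitlines()) if p]
    translated = {(dh, dp, desc) for _, sh, _, dh, dp, desc in pkts if sh == nat_addr}
    return [(ts, desc) for ts, sh, _, dh, dp, desc in pkts
            if sh == inside_host and (dh, dp, desc) not in translated]


if __name__ == "__main__":
    for ts, desc in untranslated_packets(GATEWAY_CAPTURE, "pouet.in.mat.cc", "192.168.1.3"):
        print(f"{ts}  no NAT twin for: {desc}")
```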