From: George
To: Olivier Mauras
Cc: freebsd-questions@freebsd.org
Subject: Re: pf NAT: Can't make anything else than ICMP work
Date: Wed, 20 Dec 2017 09:43:21 -0500
Message-ID: <20171220094321.3400bf74@xel>
In-Reply-To: <20171220092515.e0a757a560781ddead2d92d1@mauras.ch>

On Wed, 20 Dec 2017 09:25:15 +0100 Olivier Mauras wrote:

> Hello,
>
> I can't seem to make this very simple setup work. I have a VM that
> has 2 interfaces on two different subnets and want to route traffic
> between them.
> - 10.60.0.0/24
> - 192.168.0.0/24
>
> The 10.60.x.x interface gives access to local services and internet.
> 192.168.x.x is a dedicated local subnet using this VM as their
> default gateway.
>
> If that matters, the 10.60.x.x interface is a lagg interface between two
> physical interfaces using KVM PCI passthrough, while 192.168.x.x is a
> virtio interface.
>
> gateway_enable is indeed set and I've added this very simple pf rule:
> ####
> ext_if="lagg0"
> nat log on $ext_if proto { tcp udp icmp } from !($ext_if) to any -> ($ext_if)
> pass all
> ####

I would suggest enabling logging to see what is going on on the pflog0,
plus I think your nat rule is a bit strange; try the standard:

nat on $ext_if from $local_net to any -> $ext_addr

HTH,
George

> This lets machines on the 192.168.0.0 subnet using this VM as a
> gateway ping any resources on 10.60.0.0 or the internet. Fine. The problem
> is that any other protocol doesn't work. It seems like replies are never
> received correctly by the issuing machine.
>
> This is the state table I get when issuing a DNS connection from a
> client (192.168.100.2) behind the GW to either the 10.60.60.150 or
> 8.8.8.8 DNS servers. 10.60.60.3 is my GW address on the 10.60.0.0 subnet
> on the lagg0 interface.
> ####
> # pfctl -ss
> all udp 10.60.60.150:53 <- 192.168.100.2:53372       NO_TRAFFIC:SINGLE
> all udp 10.60.60.3:62261 (192.168.100.2:53372) -> 10.60.60.150:53       SINGLE:NO_TRAFFIC
> all udp 10.60.60.150:53 <- 192.168.100.2:28768       NO_TRAFFIC:SINGLE
> all udp 10.60.60.3:65271 (192.168.100.2:28768) -> 10.60.60.150:53       SINGLE:NO_TRAFFIC
> all udp 8.8.8.8:53 <- 192.168.100.2:43155       NO_TRAFFIC:SINGLE
> all udp 10.60.60.3:50948 (192.168.100.2:43155) -> 8.8.8.8:53       SINGLE:NO_TRAFFIC
> all udp 8.8.8.8:53 <- 192.168.100.2:47160       NO_TRAFFIC:SINGLE
> all udp 10.60.60.3:62818 (192.168.100.2:47160) -> 8.8.8.8:53       SINGLE:NO_TRAFFIC
>
> I believe that I'm missing a very simple obvious thing but cannot
> point it out.
>
> Thanks,
> -O.
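As an added example (not part of this thread), a small Python helper for reading the `pfctl -ss` table Olivier posted: it pairs each client's pre-NAT and post-NAT states and flags translated flows where the client has sent packets but the responder side is still NO_TRAFFIC, which is the pattern in every state above. The left:right reading of the trailing state pair is an assumption drawn from that output, and the sample lines are constructed from it.

```python
import re
from collections import defaultdict

# Constructed sample: `pfctl -ss` lines copied from the state table quoted above.
PFCTL_SS_SAMPLE = """\
all udp 10.60.60.150:53 <- 192.168.100.2:53372   NO_TRAFFIC:SINGLE
all udp 10.60.60.3:62261 (192.168.100.2:53372) -> 10.60.60.150:53   SINGLE:NO_TRAFFIC
all udp 8.8.8.8:53 <- 192.168.100.2:43155   NO_TRAFFIC:SINGLE
all udp 10.60.60.3:50948 (192.168.100.2:43155) -> 8.8.8.8:53   SINGLE:NO_TRAFFIC
all udp 8.8.8.8:53 <- 192.168.100.2:47160   NO_TRAFFIC:SINGLE
all udp 10.60.60.3:62818 (192.168.100.2:47160) -> 8.8.8.8:53   SINGLE:NO_TRAFFIC
"""

# iface proto left [(pre-NAT left)] dir right [(pre-NAT right)] left_state:right_state
STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>\S+)\s+"
    r"(?P<left>\S+)(?:\s+\((?P<left_orig>[^)]+)\))?\s+(?P<dir>->|<-)\s+"
    r"(?P<right>\S+)(?:\s+\((?P<right_orig>[^)]+)\))?\s+"
    r"(?P<left_state>[A-Z0-9_]+):(?P<right_state>[A-Z0-9_]+)\s*$"
)

def parse_state(line):
    """Parse one state line into a view keyed on the initiating host. Assumed
    (consistent with the quoted output): `src -> dst` is an outbound state,
    `dst <- src` inbound, and the state pair follows the same left:right order."""
    m = STATE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    out = d["dir"] == "->"
    o, r = ("left", "right") if out else ("right", "left")
    return {"proto": d["proto"], "direction": "out" if out else "in",
            "originator": d[o + "_orig"] or d[o],            # pre-NAT client
            "translated": d[o] if d[o + "_orig"] else None,  # post-NAT address
            "responder": d[r], "orig_state": d[o + "_state"],
            "resp_state": d[r + "_state"]}

def stalled_nat_flows(text):
    """(proto, client, nat_addr, server) for translated outbound flows where the
    client sent packets but the server side is still NO_TRAFFIC (no reply via NAT)."""
    flows = defaultdict(dict)
    for line in text.splitlines():
        if st := parse_state(line):
            flows[(st["proto"], st["originator"], st["responder"])][st["direction"]] = st
    stalled = []
    for (proto, client, server), sides in sorted(flows.items()):
        o = sides.get("out")
        if o and o["translated"] and o["orig_state"] != "NO_TRAFFIC" and o["resp_state"] == "NO_TRAFFIC":
            stalled.append((proto, client, o["translated"], server))
    return stalled
```

Run against the sample it reports all three client flows as translated but unanswered; a healthy flow (for example MULTIPLE:MULTIPLE on the outbound state) is not reported.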