Date:      Wed, 20 Dec 2017 16:02:20 +0100
From:      Olivier Mauras <olivier@mauras.ch>
To:        freebsd-questions@freebsd.org
Subject:   Re: pf NAT: Can't make anything else than ICMP work
Message-ID:  <20171220160220.d8d718563209a8506a8e29aa@mauras.ch>
In-Reply-To: <20171220094321.3400bf74@xel>
References:  <20171220092515.e0a757a560781ddead2d92d1@mauras.ch> <20171220094321.3400bf74@xel>

Hello George,

Thanks for your reply.

The nat rule gives the exact same behaviour.
Logging enabled gives me the same result as a standard tcpdump actually. I see packets going out but replies never come back.

Thanks,
-O.

On Wed, 20 Dec 2017 09:43:21 -0500
George <g.lister@nodeunit.ch> wrote:

> On Wed, 20 Dec 2017 09:25:15 +0100
> Olivier Mauras <olivier@mauras.ch> wrote:
> 
> > Hello,
> > 
> > I can't seem to make this very simple setup work. I have a VM that
> > has 2 interfaces on two different subnets and want to route traffic
> > between them.
> > - 10.60.0.0/24
> > - 192.168.0.0/24
> > 
> > The 10.60.x.x interface gives access to local services and internet.
> > 192.168.x.x is a dedicated local subnet using this VM as their
> > default gateway.
> > 
> > If that matters, the 10.60.x.x interface is a lagg interface between two
> > physical interfaces using KVM PCI passthrough while 192.168.x.x is a
> > virtio interface.
> > 
> > gateway_enable is indeed set and I've added this very simple pf rule:
> > ####
> > ext_if="lagg0"
> > nat log on $ext_if proto { tcp udp icmp } from !($ext_if) to any -> ($ext_if)
> > pass all
> > ####
> 
> I would suggest enabling logging to see what is going on on pflog0;
> plus I think your nat rule is a bit strange, try the standard:
> 
> nat on $ext_if from $local_net to any -> $ext_addr
> 
> HTH,
> George
> 
> > 
> > This lets machines on the 192.168.0.0 subnet using this VM as a
> > gateway ping any resources on 10.60.0.0 or internet. Fine. Problem
> > is that any other protocol doesn't work. Seems like replies are never
> > received correctly by the issuing machine.
> > 
> > This is the state table I get when issuing a DNS connection from a
> > client (192.168.100.2) behind the GW to either 10.60.60.150 or
> > 8.8.8.8 DNS servers. 10.60.60.3 is my GW address on 10.60.0.0 subnet
> > on lagg0 interface.
> > ####
> > # pfctl -ss
> > all udp 10.60.60.150:53 <- 192.168.100.2:53372       NO_TRAFFIC:SINGLE
> > all udp 10.60.60.3:62261 (192.168.100.2:53372) -> 10.60.60.150:53       SINGLE:NO_TRAFFIC
> > all udp 10.60.60.150:53 <- 192.168.100.2:28768       NO_TRAFFIC:SINGLE
> > all udp 10.60.60.3:65271 (192.168.100.2:28768) -> 10.60.60.150:53       SINGLE:NO_TRAFFIC
> > all udp 8.8.8.8:53 <- 192.168.100.2:43155       NO_TRAFFIC:SINGLE
> > all udp 10.60.60.3:50948 (192.168.100.2:43155) -> 8.8.8.8:53       SINGLE:NO_TRAFFIC
> > all udp 8.8.8.8:53 <- 192.168.100.2:47160       NO_TRAFFIC:SINGLE
> > all udp 10.60.60.3:62818 (192.168.100.2:47160) -> 8.8.8.8:53       SINGLE:NO_TRAFFIC
> > 
> > I believe that I'm missing a very simple obvious thing but cannot
> > point it out.
> > 
> > Thanks,
> > -O.
> > 
> 

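An added example, not code from either poster: a small Python parser for `pfctl -ss` lines like the ones quoted above that flags every state whose responder side is still at NO_TRAFFIC, which is the "packets go out, replies never come back" symptom Olivier describes, and groups the pre-NAT and post-NAT halves of each flow under the client's original socket. It assumes pfctl prints the two UDP state words in the same left-to-right order as the two hosts on the line; the sample input is built from the thread's own UDP entries plus one constructed healthy MULTIPLE:MULTIPLE flow for contrast.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the UDP entries from the thread's `pfctl -ss`
# output, one state per line, plus one constructed healthy flow
# (MULTIPLE:MULTIPLE) that must not be flagged.
SAMPLE_STATES = """\
all udp 10.60.60.150:53 <- 192.168.100.2:53372       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:62261 (192.168.100.2:53372) -> 10.60.60.150:53       SINGLE:NO_TRAFFIC
all udp 8.8.8.8:53 <- 192.168.100.2:43155       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:50948 (192.168.100.2:43155) -> 8.8.8.8:53       SINGLE:NO_TRAFFIC
all udp 10.60.60.3:51000 (192.168.100.2:40000) -> 8.8.8.8:53       MULTIPLE:MULTIPLE
"""

# One `pfctl -ss` line: interface, protocol, left host [(pre-NAT host)],
# direction arrow, right host [(pre-NAT host)], then "leftstate:rightstate".
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<left>\S+)(?:\s+\((?P<lorig>[^)]+)\))?\s+"
    r"(?P<dir><-|->)\s+"
    r"(?P<right>\S+)(?:\s+\((?P<rorig>[^)]+)\))?\s+"
    r"(?P<lstate>[A-Z0-9_]+):(?P<rstate>[A-Z0-9_]+)$"
)


@dataclass
class PfState:
    ifname: str
    proto: str
    initiator: str              # host that opened the flow, as pf printed it
    responder: str              # host the flow was sent to
    translated: Optional[str]   # pre-NAT address shown in parentheses, if any
    initiator_state: str
    responder_state: str


def parse_state_line(line: str) -> PfState:
    """Parse one state line, normalising both arrow directions to initiator/responder."""
    m = STATE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised pfctl -ss line: {line!r}")
    # Assumption (see lead-in): pfctl prints the two state words in the same
    # left-to-right order as the two hosts, so for "->" the left host is the
    # initiator and for "<-" the right host is.
    if m["dir"] == "->":
        initiator, responder = m["left"], m["right"]
        istate, rstate = m["lstate"], m["rstate"]
    else:
        initiator, responder = m["right"], m["left"]
        istate, rstate = m["rstate"], m["lstate"]
    return PfState(m["ifname"], m["proto"], initiator, responder,
                   m["lorig"] or m["rorig"], istate, rstate)


def flows_without_reply(text: str) -> List[PfState]:
    """States whose responder is still at NO_TRAFFIC although the initiator has sent.

    For UDP pf tracks NO_TRAFFIC / SINGLE / MULTIPLE per side, so a responder
    stuck at NO_TRAFFIC means no reply packet ever matched this state.
    """
    flagged = []
    for line in text.splitlines():
        if not line.strip():
            continue
        st = parse_state_line(line)
        if st.responder_state == "NO_TRAFFIC" and st.initiator_state != "NO_TRAFFIC":
            flagged.append(st)
    return flagged


def group_by_client(states: List[PfState]) -> Dict[str, List[PfState]]:
    """Group the pre-NAT and post-NAT halves of one flow under the client's original socket."""
    groups: Dict[str, List[PfState]] = {}
    for st in states:
        groups.setdefault(st.translated or st.initiator, []).append(st)
    return groups


def report(text: str) -> List[str]:
    """One summary line per client flow that never saw a reply, listing both hops."""
    lines = []
    for client, states in group_by_client(flows_without_reply(text)).items():
        hops = ", ".join(f"{s.initiator} -> {s.responder}" for s in states)
        lines.append(f"{client}: no reply on {len(states)} state(s) [{hops}]")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_STATES):
        print(line)
```

Run against live output with `pfctl -ss | python3 thisfile.py` after swapping SAMPLE_STATES for `sys.stdin.read()`; a client that appears with both an inbound (pre-NAT) and an outbound (post-NAT) state and no reply on either, as in the thread, tells you the translation happened and the problem is on the return path, not in the nat rule itself.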
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20171220160220.d8d718563209a8506a8e29aa>