From: Olivier Mauras <olivier@mauras.ch>
To: freebsd-questions@freebsd.org
Subject: Re: pf NAT: Can't make anything else than ICMP work
Date: Wed, 20 Dec 2017 16:02:20 +0100
Message-Id: <20171220160220.d8d718563209a8506a8e29aa@mauras.ch>
In-Reply-To: <20171220094321.3400bf74@xel>
References: <20171220092515.e0a757a560781ddead2d92d1@mauras.ch> <20171220094321.3400bf74@xel>
Hello George,

Thanks for your reply.
The nat rule gives the exact same behaviour.
Logging enabled gives me the same result as a standard tcpdump actually. I see packets going out but replies never come back.

Thanks,
-O.

On Wed, 20 Dec 2017 09:43:21 -0500 George wrote:
> On Wed, 20 Dec 2017 09:25:15 +0100
> Olivier Mauras wrote:
>
> > Hello,
> >
> > I can't seem to make this very simple setup work. I have a VM that
> > has 2 interfaces on two different subnets and want to route traffic
> > between them.
> > - 10.60.0.0/24
> > - 192.168.0.0/24
> >
> > The 10.60.x.x interface gives access to local services and the internet.
> > 192.168.x.x is a dedicated local subnet using this VM as its
> > default gateway.
> >
> > If that matters, the 10.60.x.x interface is a lagg interface between two
> > physical interfaces using KVM PCI passthrough, while 192.168.x.x is a
> > virtio interface.
> >
> > gateway_enable is indeed set and I've added this very simple pf rule:
> > ####
> > ext_if="lagg0"
> > nat log on $ext_if proto { tcp udp icmp } from !($ext_if) to any -> ($ext_if)
> > pass all
> > ####
>
> I would suggest enabling logging to see what is going on on pflog0,
> plus I think your nat rule is a bit strange; try the standard:
>
> nat on $ext_if from $local_net to any -> $ext_addr
>
> HTH,
> George
>
> > This lets machines on the 192.168.0.0 subnet using this VM as a
> > gateway ping any resources on 10.60.0.0 or the internet. Fine. The problem
> > is that any other protocol doesn't work. It seems like replies are never
> > received correctly by the issuing machine.
> >
> > This is the state table I get when issuing a DNS connection from a
> > client (192.168.100.2) behind the GW to either the 10.60.60.150 or
> > 8.8.8.8 DNS servers. 10.60.60.3 is my GW address on the 10.60.0.0 subnet
> > on the lagg0 interface.
> > ####
> > # pfctl -ss
> > all udp 10.60.60.150:53 <- 192.168.100.2:53372       NO_TRAFFIC:SINGLE
> > all udp 10.60.60.3:62261 (192.168.100.2:53372) -> 10.60.60.150:53       SINGLE:NO_TRAFFIC
> > all udp 10.60.60.150:53 <- 192.168.100.2:28768       NO_TRAFFIC:SINGLE
> > all udp 10.60.60.3:65271 (192.168.100.2:28768) -> 10.60.60.150:53       SINGLE:NO_TRAFFIC
> > all udp 8.8.8.8:53 <- 192.168.100.2:43155       NO_TRAFFIC:SINGLE
> > all udp 10.60.60.3:50948 (192.168.100.2:43155) -> 8.8.8.8:53       SINGLE:NO_TRAFFIC
> > all udp 8.8.8.8:53 <- 192.168.100.2:47160       NO_TRAFFIC:SINGLE
> > all udp 10.60.60.3:62818 (192.168.100.2:47160) -> 8.8.8.8:53       SINGLE:NO_TRAFFIC
> >
> > I believe that I'm missing a very simple obvious thing but cannot
> > point it out.
> >
> > Thanks,
> > -O.
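An added example (not from the thread or any of its posters) of reading the `pfctl -ss` listing quoted above programmatically: it parses each state line, pairs the pre-NAT (`<-`) and post-NAT (`->`) halves of a flow by the internal client's address:port, and flags outbound NAT'd states whose far side never left NO_TRAFFIC, which is exactly the "request goes out, reply never matches" pattern shown in the thread. The sample states are constructed from the thread's listing plus one made-up healthy TCP state for contrast.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in `pfctl -ss` layout: the UDP pairs quoted in the thread plus
# one constructed healthy TCP state, to show what a replied-to flow looks like.
SAMPLE_STATES = """\
all udp 10.60.60.150:53 <- 192.168.100.2:53372       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:62261 (192.168.100.2:53372) -> 10.60.60.150:53       SINGLE:NO_TRAFFIC
all udp 8.8.8.8:53 <- 192.168.100.2:43155       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:50948 (192.168.100.2:43155) -> 8.8.8.8:53       SINGLE:NO_TRAFFIC
all tcp 10.60.60.3:40000 (192.168.100.2:51000) -> 10.60.60.150:443       ESTABLISHED:ESTABLISHED
"""
# Line layout: ifname proto left [(original)] <-|-> right   leftstate:rightstate
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\w+)\s+(?P<left>[\d.]+:\d+)"
    r"(?:\s+\((?P<orig>[\d.]+:\d+)\))?\s+(?P<dir><-|->)\s+(?P<right>[\d.]+:\d+)"
    r"\s+(?P<lstate>\w+):(?P<rstate>\w+)\s*$")

@dataclass
class PfState:
    proto: str
    left: str            # endpoint printed first; for '->' this is the NAT'd source
    orig: Optional[str]  # pre-translation source when pf applied NAT, else None
    direction: str       # '->' packet left via this state, '<-' packet arrived
    right: str
    lstate: str          # pf's per-side state, e.g. SINGLE, MULTIPLE, NO_TRAFFIC
    rstate: str

    def client_key(self) -> str:
        # The internal host's real address:port, which the pre-NAT ('<-') and
        # post-NAT ('->') halves of one flow share, so they can be paired up.
        return self.orig or (self.right if self.direction == "<-" else self.left)

def parse_states(text: str) -> List[PfState]:
    matches = (STATE_RE.match(line) for line in text.splitlines())
    return [PfState(m["proto"], m["left"], m["orig"], m["dir"], m["right"],
                    m["lstate"], m["rstate"]) for m in matches if m]

def pair_by_client(states: List[PfState]) -> Dict[str, List[PfState]]:
    pairs: Dict[str, List[PfState]] = {}
    for s in states:
        pairs.setdefault(s.client_key(), []).append(s)
    return pairs

def unanswered(states: List[PfState]) -> List[str]:
    # An outbound NAT'd state whose far side is still NO_TRAFFIC means the request
    # left the box but no reply ever matched the state: the symptom in the thread.
    return [s.client_key() for s in states
            if s.direction == "->" and s.orig and s.rstate == "NO_TRAFFIC"]
```

Run against a live `pfctl -ss` capture, a growing list from `unanswered()` while `pair_by_client()` still shows both halves tells you the NAT rule is creating states correctly and the loss is on the return path, not in the translation.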