From owner-freebsd-net@FreeBSD.ORG Tue Aug 23 05:45:16 2011
From: h bagade
Date: Tue, 23 Aug 2011 10:14:55 +0430
To: David Cornejo
Cc: freebsd-net@freebsd.org
Subject: Re: problem with setting nat using pf
List-Id: Networking and TCP/IP with FreeBSD

Thanks for your reply. Defining an alias on interfaces has its drawbacks.
Only natted addresses should be accessible via the interface, not the
remaining addresses in the pool to which no session has been natted yet. Is
there a way to make pf do the task? Or to get help from other utilities which
accept the responsibility for the pool addresses' ARP requests?

On Sun, Aug 21, 2011 at 11:54 PM, David Cornejo wrote:
>
> On Sat, Aug 20, 2011 at 9:47 PM, h bagade wrote:
>
>> Hi all,
>>
>> I am trying to use pf nat rules with pool support on FreeBSD 8.0, working
>> together with ipfw as the main firewall. According to the natting concepts
>> I faced in manuals and docs, the nat concept is to map the source address
>> to the natted address when sending the packets from that source and then
>> map the destination address of the related reply packets.
>>
>> But when I define pf nat rules with a pool of IP addresses not available
>> among the outside interface's IP addresses, the outgoing traffic is natted
>> to one of the pool addresses, but the response is not received via that
>> interface so pf can map the destination address to the real one. Here is
>> one of the configs I used during my tests:
>>
>> configurations:
>> pf.conf:
>> nat on eth1 from { 11.11.11.0/24 } to any -> { 172.16.10.1, 172.16.10.2, 172.16.10.3, 172.16.10.4, 172.16.10.5, 172.16.10.6, 172.16.10.7, 172.16.10.8, 172.16.10.9, 172.16.10.10 }
>>
>> main system configurations:
>> eth0: 11.11.11.1
>> eth1: 172.16.10.64
>>
>> system A: directly connected to eth0 - 11.11.11.11
>> system B: directly connected to eth1 - 172.16.10.65
>>
>> In this config the default route of system A and system B is the middle
>> system's connected IP address.
>>
>> As mentioned, when system A pings system B, the ping requests are natted
>> to 172.16.10.1 and received at system B, but system B doesn't send ICMP
>> replies because it doesn't know to whom it should send the replies (no
>> answer to system B's ARP requests about who has the natted IP).
>>
>> Now my question is, isn't it the pf nat responsibility to manage this
>> condition and send the ARP replies to system B?
>> Or are my configs wrong?
>> Or did I misunderstand the nat concepts?
>>
>> Any ideas or help are really appreciated, as I have to set this nat on my
>> main system asap.
>> Thanks in advance.
>> _______________________________________________
>> freebsd-net@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>>
>
> ARP is not handled by pf. You need to get the interface to respond to that
> IP address by creating an alias for the address using ifconfig - if you need
> more help please post your rc.conf
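As an added example for the thread (not code from either poster or from the pf project), the POSIX shell script below does the two things the exchange turns on: it derives the ifconfig alias commands that make the outside interface answer ARP for every pool address in a pf nat rule, and it checks a captured "ifconfig" listing for pool addresses that still have no alias, which is exactly the state that leaves system B's ARP requests unanswered. The interface name eth1 and the addresses are taken from the quoted configuration; the ifconfig output embedded in the script is constructed for the example, and the rule is shortened to three pool members.

```shell
#!/bin/sh
# Added example, not from the thread: generate the ifconfig aliases that make
# the outside interface answer ARP for every address in a pf nat pool, and
# check a captured "ifconfig" listing for pool addresses that have no alias.
# Interface name and addresses follow the quoted configuration; the ifconfig
# output further down is constructed for the example, not taken from a host.

# Print the pool addresses of a pf nat rule, one per line: everything after
# "->" with braces and commas turned into separators.
pool_from_rule() {
    printf '%s\n' "$1" | sed -e 's/.*->//' -e 's/[{},]/ /g' \
        | tr -s ' ' '\n' | sed '/^$/d'
}

# Print one ifconfig alias command per pool address. FreeBSD requires a
# 0xffffffff (/32) netmask for additional addresses in a subnet the interface
# already has; it also keeps the alias from adding a second connected route.
alias_cmds() {
    ifc=$1
    shift
    for a in "$@"; do
        printf 'ifconfig %s alias %s netmask 255.255.255.255\n' "$ifc" "$a"
    done
}

# List the IPv4 addresses present in "ifconfig <if>" output.
configured_addrs() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2 }'
}

# Print every pool address ($1, whitespace separated) that the ifconfig
# output ($2) does not show; return 1 if any is missing, 0 otherwise.
missing_aliases() {
    have=" $(configured_addrs "$2" | tr '\n' ' ')"
    rc=0
    for a in $1; do
        case "$have" in
            *" $a "*) ;;
            *) printf '%s\n' "$a"; rc=1 ;;
        esac
    done
    return "$rc"
}

# The nat rule from the thread, shortened to three pool members.
RULE='nat on eth1 from { 11.11.11.0/24 } to any -> { 172.16.10.1, 172.16.10.2, 172.16.10.3 }'
POOL=$(pool_from_rule "$RULE")

# Constructed listing: eth1 carries its primary address and one pool alias.
IFCONFIG_OUT='eth1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 172.16.10.64 netmask 0xffffff00 broadcast 172.16.10.255
        inet 172.16.10.1 netmask 0xffffffff broadcast 172.16.10.1'

alias_cmds eth1 $POOL
missing_aliases "$POOL" "$IFCONFIG_OUT" \
    || echo "pool addresses above have no alias: system B cannot resolve them"
```

On a real host the generated lines would go into rc.conf as ifconfig_<if>_aliasN entries so they survive a reboot, and the missing_aliases check can be run against "ifconfig eth1" after each pf.conf change to catch a pool member that was added to the rule but never aliased.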