From: George
To: Olivier Mauras
Cc: freebsd-questions@freebsd.org
Subject: Re: pf NAT: Can't make anything else than ICMP work
Date: Wed, 20 Dec 2017 14:46:47 -0500
Message-ID: <20171220144647.0b547dd9@xel>
In-Reply-To: <20171220160220.d8d718563209a8506a8e29aa@mauras.ch>

On Wed, 20 Dec 2017 16:02:20 +0100
Olivier Mauras wrote:

> Hello George,
>
> Thanks for your reply.
>
> The nat rule gives the exact same behaviour.
> Logging enabled gives me the same result as a standard tcpdump
> actually. I see packets going out but replies never come back.
>
> Thanks,
> -O.

Yeah, it was a long shot ... I am not sure what to suggest from this point on
except take things piece by piece.

You are saying that packets are going out, on lagg0 I assume, but nothing is
coming back. I would check the receiving end of those packets or your
configuration for the interface and make sure that works without the NAT etc.
before looking further into the NAT. I mean, if traffic is going out and is
being received then traffic should be coming back; check that end and make sure
it is taking the right route and the other end is seeing your data stream and
responding before digging into NAT, as it sounds like the problem may be
elsewhere. It is always best to break things down to their simplest form and
then start building up, if it even works there.

HTH,
George

> On Wed, 20 Dec 2017 09:43:21 -0500
> George wrote:
>
> > On Wed, 20 Dec 2017 09:25:15 +0100
> > Olivier Mauras wrote:
> >
> > > Hello,
> > >
> > > I can't seem to make this very simple setup work. I have a VM that
> > > has 2 interfaces on two different subnets and want to route
> > > traffic between them.
> > > - 10.60.0.0/24
> > > - 192.168.0.0/24
> > >
> > > The 10.60.x.x interface gives access to local services and
> > > internet. 192.168.x.x is a dedicated local subnet using this VM
> > > as their default gateway.
> > >
> > > If that matters, the 10.60.x.x interface is a lagg interface between
> > > two physical interfaces using KVM PCI passthrough while
> > > 192.168.x.x is a virtio interface.
> > >
> > > gateway_enable is indeed set and I've added this very simple pf
> > > rule:
> > > ####
> > > ext_if="lagg0"
> > > nat log on $ext_if proto { tcp udp icmp } from !($ext_if) to any -> ($ext_if)
> > > pass all
> > > ####
> >
> > I would suggest enabling logging to see what is going on on
> > pflog0; plus I think your nat rule is a bit strange, try the
> > standard:
> >
> > nat on $ext_if from $local_net to any -> $ext_addr
> >
> > HTH,
> > George
> >
> > > This lets machines on the 192.168.0.0 subnet using this VM as a
> > > gateway ping any resources on 10.60.0.0 or internet. Fine.
> > > Problem is that any other protocol doesn't work. Seems like
> > > replies are never received correctly by the issuing machine.
> > >
> > > This is the state table I get when issuing a DNS connection from a
> > > client (192.168.100.2) behind the GW to either 10.60.60.150 or
> > > 8.8.8.8 DNS servers. 10.60.60.3 is my GW address on the 10.60.0.0
> > > subnet on the lagg0 interface.
> > > ####
> > > # pfctl -ss
> > > all udp 10.60.60.150:53 <- 192.168.100.2:53372       NO_TRAFFIC:SINGLE
> > > all udp 10.60.60.3:62261 (192.168.100.2:53372) -> 10.60.60.150:53       SINGLE:NO_TRAFFIC
> > > all udp 10.60.60.150:53 <- 192.168.100.2:28768       NO_TRAFFIC:SINGLE
> > > all udp 10.60.60.3:65271 (192.168.100.2:28768) -> 10.60.60.150:53       SINGLE:NO_TRAFFIC
> > > all udp 8.8.8.8:53 <- 192.168.100.2:43155       NO_TRAFFIC:SINGLE
> > > all udp 10.60.60.3:50948 (192.168.100.2:43155) -> 8.8.8.8:53       SINGLE:NO_TRAFFIC
> > > all udp 8.8.8.8:53 <- 192.168.100.2:47160       NO_TRAFFIC:SINGLE
> > > all udp 10.60.60.3:62818 (192.168.100.2:47160) -> 8.8.8.8:53       SINGLE:NO_TRAFFIC
> > >
> > > I believe that I'm missing a very simple obvious thing but cannot
> > > point it out.
> > >
> > > Thanks,
> > > -O.
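An added helper for reading that state table, not from the thread and not part of pf: it filters `pfctl -ss` output down to the translated outbound states whose peer side is still NO_TRAFFIC, the pattern every line of Olivier's table shows (pf forwarded the packet, never saw a reply). The sample table is constructed from the lines quoted above; the function names are my own.

```sh
#!/bin/sh
# Constructed sample in the shape of the pfctl -ss table quoted in the thread
# (same hosts, ports and state words as Olivier reported).
SAMPLE_STATES='all udp 10.60.60.150:53 <- 192.168.100.2:53372       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:62261 (192.168.100.2:53372) -> 10.60.60.150:53       SINGLE:NO_TRAFFIC
all udp 10.60.60.150:53 <- 192.168.100.2:28768       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:65271 (192.168.100.2:28768) -> 10.60.60.150:53       SINGLE:NO_TRAFFIC
all udp 8.8.8.8:53 <- 192.168.100.2:43155       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:50948 (192.168.100.2:43155) -> 8.8.8.8:53       SINGLE:NO_TRAFFIC
all udp 8.8.8.8:53 <- 192.168.100.2:47160       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:62818 (192.168.100.2:47160) -> 8.8.8.8:53       SINGLE:NO_TRAFFIC'

# Read pfctl -ss output on stdin and print one line per translated outbound
# state whose peer side is still NO_TRAFFIC, i.e. pf sent the packet out
# through the NAT but has never seen anything come back for that flow.
# Output format: "<proto> <orig src> -> <nat src> -> <dst>"
unanswered_nat_states() {
    awk '
        # The outbound half of a NAT pair shows the pre-NAT source in
        # parentheses followed by "->"; the two state words are printed in
        # the same order as the two endpoints (local:peer).
        $4 ~ /^\(/ && $5 == "->" {
            orig = $4
            gsub(/[()]/, "", orig)
            split($NF, st, ":")
            if (st[2] == "NO_TRAFFIC")
                printf "%s %s -> %s -> %s\n", $2, orig, $3, $6
        }'
}

# Aggregate per destination: "<dst> <count of unanswered flows>".
# Unanswered flows towards every destination, as in the thread, argue for
# checking the return path (route, interface) rather than one peer, which
# is what George suggests.
unanswered_per_destination() {
    unanswered_nat_states | awk '{ n[$NF]++ }
        END { for (d in n) printf "%s %d\n", d, n[d] }' | sort
}

# On the gateway itself:  pfctl -ss | unanswered_per_destination
printf '%s\n' "$SAMPLE_STATES" | unanswered_per_destination
```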