Date: Thu, 12 Mar 2009 06:04:08 +0100
From: Gianni <gdoe6545@yahoo.it>
To: freebsd-pf@freebsd.org
Subject: Re: duplicate nat rules listed by pfctl
Message-ID: <7B51D53B-224C-4887-A017-AF136264F4A9@yahoo.it>
In-Reply-To: <20090311195007.GE3436@verio.net>
References: <6BCCA4DE-FD38-494B-A947-4C1D63775A1A@yahoo.it> <20090311195007.GE3436@verio.net>
On 11/mar/09, at 20:50, David DeSimone wrote:

> Gianni <gdoe6545@yahoo.it> wrote:
>>
>> With the following nat rules pfctl lists duplicate entries, can
>> anyone explain why this is?
>>
>> ext_if = "tun0"
>> nat on $ext_if from $localnet to any -> ($ext_if)
>> no nat on $ext_if from $localnet to $vpn_nets
>
> What is the definition of $localnet?

int_if = "vr0"
localnet = $int_if:network

From your question I now see the answer:

vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=280b<RXCSUM,TXCSUM,VLAN_MTU,WOL_UCAST,WOL_MAGIC>
        inet 192.168.200.250 netmask 0xffffff00 broadcast 192.168.200.255
        inet 192.168.200.249 netmask 0xffffff00 broadcast 192.168.200.255

I've got 2 IP addresses on the interface and the :network shortcut does
not take into account that they are part of the same subnet. If I do

localnet = "192.168.200.0/24"

it's fine, I don't get duplicate entries.

>> # pfctl -s nat
>> nat on tun0 inet from 192.168.200.0/24 to any -> (tun0) round-robin
>> nat on tun0 inet from 192.168.200.0/24 to any -> (tun0) round-robin
>> no nat on tun0 inet from 192.168.200.0/24 to 192.168.0.0/24
>> no nat on tun0 inet from 192.168.200.0/24 to 192.168.0.0/24
>
> Also, don't you think you should put the "no nat" rule before the
> "nat" rules?

Yes, probably! Because the first matching nat rule wins, right?

Thanks
-Gianni
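The ordering point David raises is worth checking mechanically: pf evaluates translation rules (nat, no nat, rdr, binat) first match wins, so a "no nat" listed after the general "nat on $ext_if ... to any" rule is shadowed and the VPN traffic it was meant to exclude gets translated anyway. The script below is an added example, not code from the thread or from the pf project: a small awk-based lint that flags any "no nat on <if>" rule that appears after a "nat on <if>" rule for the same interface token. The two pf.conf files it writes are constructed for the demonstration, modelled on the rules quoted above; the value of $vpn_nets is assumed to be 192.168.0.0/24, taken from the pfctl -s nat output in the thread, and the explicit CIDR for $localnet follows Gianni's fix for the duplicate :network expansion.

```shell
#!/bin/sh
# Added example (not from the thread): lint a pf.conf for "no nat" rules that
# are listed after a "nat on" rule for the same interface. pf picks the FIRST
# matching translation rule, so a "no nat" placed after the general "nat" can
# never fire and the traffic it was meant to exclude is translated anyway.
# Exit status: 0 = ordering OK, 1 = a shadowed "no nat" was found (details on stdout).
check_no_nat_order() {
    awk '
        BEGIN { bad = 0 }
        { sub(/#.*/, "") }                   # drop trailing comments
        /^[ \t]*$/ { next }                  # skip blank lines
        # remember the first "nat on <if>" seen per interface token
        $1 == "nat" && $2 == "on" { if (!($3 in nat_line)) nat_line[$3] = NR; next }
        # a later "no nat on <same if>" is shadowed by that nat rule
        $1 == "no" && $2 == "nat" && $3 == "on" && ($4 in nat_line) {
            printf("line %d: \"no nat on %s\" is shadowed by \"nat on %s\" at line %d\n",
                   NR, $4, $4, nat_line[$4])
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample configs, modelled on the rules quoted in the thread.
# $vpn_nets = 192.168.0.0/24 is assumed from the pfctl -s nat output above.
TMP=$(mktemp -d)
BAD_CONF="$TMP/pf.bad.conf"
GOOD_CONF="$TMP/pf.good.conf"

cat > "$BAD_CONF" <<'EOF'
ext_if = "tun0"
localnet = "192.168.200.0/24"   # explicit CIDR avoids the duplicate :network expansion
vpn_nets = "{ 192.168.0.0/24 }"
nat on $ext_if from $localnet to any -> ($ext_if)
no nat on $ext_if from $localnet to $vpn_nets   # never reached: nat above already matched
EOF

cat > "$GOOD_CONF" <<'EOF'
ext_if = "tun0"
localnet = "192.168.200.0/24"
vpn_nets = "{ 192.168.0.0/24 }"
no nat on $ext_if from $localnet to $vpn_nets   # exclusion first, so it wins for VPN traffic
nat on $ext_if from $localnet to any -> ($ext_if)
EOF

check_no_nat_order "$BAD_CONF" || echo "pf.bad.conf: move the no nat rule above the nat rule"
check_no_nat_order "$GOOD_CONF" && echo "pf.good.conf: translation rule order OK"
```

The check only compares the interface token textually, so it understands "$ext_if" and "tun0" as different interfaces; run it on the file you actually load, and confirm the effective order on the box with pfctl -s nat, which prints translation rules in the order pf will evaluate them.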