Date: Mon, 12 Mar 2018 23:50:49 +0100
From: Rick van der Zwet <info@rickvanderzwet.nl>
To: Ultima <ultima1252@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: NAT possible with single interface box?
Message-ID: <03f0b2ceb5197171f20500982ad18a40@rickvanderzwet.nl>
In-Reply-To: <CANJ8om4kYPUQVDZw9PndyHf7Skhz=wdPfL%2BybyNujmZKD5A_FQ@mail.gmail.com>
References: <f6c9dffed567fdf0218ae34fc3097062@rickvanderzwet.nl> <CANJ8om4kYPUQVDZw9PndyHf7Skhz=wdPfL%2BybyNujmZKD5A_FQ@mail.gmail.com>
On 2018-03-12 15:32, Ultima wrote:
> Please provide netstat -nr. If you have more in pf.conf, please provide
> this too.

Thanks for the suggestion, it made me think again. I recreated the setup
with different network settings for easier testing:
- em0 instead of sis0
- 192.168.178.181/24 instead of 192.168.1.10/24
- gateway 192.168.178.1 instead of 192.168.1.1

root@vbsd11:~ # uname -a
FreeBSD vbsd11.vanderzwet.net 11.0-RELEASE-p9 FreeBSD 11.0-RELEASE-p9 #0: Tue Apr 11 08:42:58 UTC 2017     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386

root@vbsd11:~ # netstat -nr -f inet
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.178.1      UGS         em0
127.0.0.1          link#2             UH          lo0
172.16.0.0/24      link#1             U           em0
172.16.0.1         link#1             UHS         lo0
192.168.178.0/24   link#1             U           em0
192.168.178.181    link#1             UHS         lo0

root@vbsd11:~ # cat /etc/pf.conf
nat on em0 inet from 172.16.0.0/24 to !172.16.0.0/24 -> 192.168.178.181

root@vbsd11:~ # cat /etc/rc.conf
hostname="vbsd11.vanderzwet.net"
sshd_enable="YES"
ntpd_enable="YES"
ifconfig_em0="192.168.178.181/24"
ifconfig_em0_alias0="172.16.0.1/24"
defaultrouter="192.168.178.1"
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"

Looking at tcpdump on the router I now see packets being translated:

root@vbsd11:~ # tcpdump -ni em0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes
00:11:25.758323 IP 172.16.0.10 > 192.168.178.1: ICMP echo request, id 6976, seq 96, length 64
00:11:25.758435 IP 192.168.178.181 > 192.168.178.1: ICMP echo request, id 57418, seq 96, length 64
00:11:25.758880 IP 192.168.178.1 > 192.168.178.181: ICMP echo reply, id 57418, seq 96, length 64
00:11:25.758950 IP 192.168.178.1 > 172.16.0.10: ICMP echo reply, id 6976, seq 96, length 64

In hindsight, the simplified example was working; the problem was caused
by blocking firewall rules further down the script.

Best regards,
-Rick
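As an added example (not part of Rick's message and not pf or FreeBSD code), a small Python check that reads the text of "tcpdump -ni em0 icmp" on the NAT box, such as the capture quoted above, and confirms that each ICMP echo request from the 172.16.0.0/24 side appears a second time with its source rewritten to the NAT address and a new ICMP id, and that the reply is translated back to the inside host. The function names and the pairing rule (same seq, translated copy follows the original) are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample input: the four tcpdump lines quoted in the message above.
CAPTURE = """\
00:11:25.758323 IP 172.16.0.10 > 192.168.178.1: ICMP echo request, id 6976, seq 96, length 64
00:11:25.758435 IP 192.168.178.181 > 192.168.178.1: ICMP echo request, id 57418, seq 96, length 64
00:11:25.758880 IP 192.168.178.1 > 192.168.178.181: ICMP echo reply, id 57418, seq 96, length 64
00:11:25.758950 IP 192.168.178.1 > 172.16.0.10: ICMP echo reply, id 6976, seq 96, length 64
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)

def parse_icmp(capture):
    """Turn 'tcpdump -ni em0 icmp' text into dicts; lines that do not match are skipped."""
    pkts = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["id"], d["seq"] = int(d["id"]), int(d["seq"])
            pkts.append(d)
    return pkts

def check_nat(capture, inside_net, nat_addr):
    """Pair each echo request from inside_net with its translated copy (same seq,
    source rewritten to nat_addr, ICMP id rewritten by pf) and record whether the
    reply came back to nat_addr and was then un-translated to the inside host."""
    inside = ipaddress.ip_network(inside_net)
    pending, by_nat_id, flows = None, {}, []
    for p in parse_icmp(capture):
        src, dst = ipaddress.ip_address(p["src"]), ipaddress.ip_address(p["dst"])
        if p["kind"] == "request":
            if src in inside:                       # untranslated packet from the LAN host
                pending = p
            elif p["src"] == nat_addr and pending and pending["seq"] == p["seq"]:
                by_nat_id[p["id"]] = pending        # translated copy: new id, same seq
                pending = None
        elif p["dst"] == nat_addr and p["id"] in by_nat_id:
            orig = by_nat_id[p["id"]]               # reply to the NAT address
            flows.append({"inside_src": orig["src"], "inside_id": orig["id"],
                          "nat_id": p["id"], "seq": p["seq"], "reply_to_inside": False})
        elif dst in inside:                         # reply after reverse translation
            for f in flows:
                if (f["inside_src"], f["inside_id"], f["seq"]) == (p["dst"], p["id"], p["seq"]):
                    f["reply_to_inside"] = True
    return flows

if __name__ == "__main__":
    for f in check_nat(CAPTURE, "172.16.0.0/24", "192.168.178.181"):
        print(f)
```

A request from the inside network that never shows up as a translated copy (the failure Rick first reported) yields no flow at all, which is the case to look for when a NAT rule seems to do nothing.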