From: David Cornejo
To: h bagade
Cc: freebsd-net@freebsd.org
Date: Sun, 21 Aug 2011 09:24:27 -1000
Subject: Re: problem with setting nat using pf
List-Id: Networking and TCP/IP with FreeBSD

On Sat, Aug 20, 2011 at 9:47 PM, h bagade wrote:
> Hi all,
>
> I am trying to use pf nat rules with pool support on FreeBSD 8.0, working
> together with ipfw as the main firewall. According to the natting concepts I
> faced in manuals and docs, the nat concept is to map the source address to the
> natted address when sending the packets from that source and then map the
> destination address of the related reply packets.
>
> But when I define pf nat rules with a pool of IP addresses not available on
> the outside interface's IP addresses, the outgoing traffic is natted to one of
> the pool addresses but the response is not received via that interface so
> pf can map the destination address to the real one. Here is one of my
> configs I used during my tests:
>
> *configurations:*
> *pf.conf:*
> nat on eth1 from { 11.11.11.0/24 } to any -> { 172.16.10.1, 172.16.10.2, 172.16.10.3, 172.16.10.4, 172.16.10.5, 172.16.10.6, 172.16.10.7, 172.16.10.8, 172.16.10.9, 172.16.10.10 }
>
> main system configurations:
> eth0: 11.11.11.1
> eth1: 172.16.10.64
>
> system A: directly connected to eth0 - 11.11.11.11
> system B: directly connected to eth1 - 172.16.10.65
>
> In this config the default route of system A and system B is the middle
> system's connected IP address.
>
> As mentioned, when system A pings system B, the ping requests are natted to
> 172.16.10.1 and received at system B, but system B doesn't send ICMP replies
> because it doesn't know to whom it should send the replies (no answer to
> system B's ARP requests about who has the natted IP).
>
> Now my question is, isn't it the pf nat responsibility to manage this
> condition and send the ARP replies to system B?
> Or are my configs wrong?
> Or did I misunderstand the nat concepts?
>
> Any ideas or help are really appreciated as I have to set this nat on my
> main system, asap.
> Thanks in advance.
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

ARP is not handled by pf. You need to get the interface to respond to that IP address by creating an alias for the address using ifconfig - if you need more help please post your rc.conf.
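As an added example (not code from either poster), the shell below generates the rc.conf alias entries that make the outside interface own the NAT pool addresses, so the kernel answers ARP for them, and reports which pool addresses an ifconfig listing is still missing. The interface name eth1 and the 172.16.10.1 to 172.16.10.10 pool are taken from the post; the sample ifconfig output is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): give the outside interface the NAT
# pool addresses so the kernel, not pf, replies to ARP requests for them.
# "eth1" and the pool 172.16.10.1-172.16.10.10 come from the original post;
# the rc.conf(5) key format is FreeBSD's standard ifconfig_<ifname>_alias<N>.

# Emit one rc.conf alias line per pool address. The aliases sit in the same
# /24 as the interface's primary address (172.16.10.64), so each one must use
# netmask 255.255.255.255; a second address carrying the subnet's real
# netmask is rejected by ifconfig.
rc_conf_aliases() {
    ifname="$1"; first="$2"; last="$3"
    n=0; host="$first"
    while [ "$host" -le "$last" ]; do
        printf 'ifconfig_%s_alias%d="inet 172.16.10.%d netmask 255.255.255.255"\n' \
            "$ifname" "$n" "$host"
        n=$((n + 1)); host=$((host + 1))
    done
}

# Given the text of "ifconfig <if>" output, print each pool address
# 172.16.10.<first>..<last> that the interface does not yet own, i.e. the
# ones system B's ARP requests will still go unanswered for.
# Prints nothing when every pool address is configured.
missing_pool_addrs() {
    ifconfig_out="$1"; first="$2"; last="$3"
    host="$first"
    while [ "$host" -le "$last" ]; do
        # trailing space keeps 172.16.10.1 from matching 172.16.10.10
        printf '%s\n' "$ifconfig_out" | grep -q "inet 172.16.10.$host " \
            || printf '172.16.10.%d\n' "$host"
        host=$((host + 1))
    done
}

# Constructed ifconfig output: primary address plus only the first two aliases.
SAMPLE_IFCONFIG='eth1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 172.16.10.64 netmask 0xffffff00 broadcast 172.16.10.255
        inet 172.16.10.1 netmask 0xffffffff broadcast 172.16.10.1
        inet 172.16.10.2 netmask 0xffffffff broadcast 172.16.10.2'

# Usage on the NAT box: append the alias lines, apply them, then re-check.
#   rc_conf_aliases eth1 1 10 >> /etc/rc.conf
#   service netif restart eth1
#   missing_pool_addrs "$(ifconfig eth1)" 1 10    # should print nothing
```

Once every pool address is answered by the interface, system B's replies reach eth1 and pf's state table rewrites the destination back to 11.11.11.11.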