From: Joe Moog
Subject: Basic NAT server setup
Date: Thu, 30 May 2013 17:54:53 -0500
To: freebsd-net@freebsd.org
List-Id: Networking and TCP/IP with FreeBSD

I'm building a server to handle outbound NAT to the internet using FreeBSD 9.1 and its built-in distribution of pf.
What I want to be able to do is NAT three unique internal (private) VLANs to three unique public IPs. Our current setup utilizes a single external IP address for all three internal networks and seems to work well when our internal hosts use the BSD box as their gateway. pf.conf is as follows:

    ext_if = "vlan11"
    ext_addr = "a.b.c.2"
    int_network1 = "10.0.1.0/24"
    int_network2 = "172.16.1.0/24"
    int_network3 = "192.168.1.0/24"
    nat on $ext_if from $int_network1 to any -> $ext_addr
    nat on $ext_if from $int_network2 to any -> $ext_addr
    nat on $ext_if from $int_network3 to any -> $ext_addr

However, when we introduce two additional external IPs the system fails to establish external connections. pf.conf again:

    ext_if = "vlan11"
    ext_addr1 = "a.b.c.3"
    ext_addr2 = "a.b.c.4"
    ext_addr3 = "a.b.c.5"
    int_network1 = "10.0.1.0/24"
    int_network2 = "172.16.1.0/24"
    int_network3 = "192.168.1.0/24"
    nat on $ext_if from $int_network1 to any -> $ext_addr1
    nat on $ext_if from $int_network2 to any -> $ext_addr2
    nat on $ext_if from $int_network3 to any -> $ext_addr3

On our border router we have a route to send all traffic belonging to the a.b.c.0/24 network to the public side of the NAT host, and as mentioned before, single-IP NAT works fine. "pfctl -s nat" indicates that the host knows how to translate the connections, but the connections somehow do not succeed. We are not leveraging the packet filtering capabilities of pf at this time -- all we need the host to do right now is NAT.

I might also note that on the host we have a dot1q trunk carrying our three internal VLANs to the host, and we are routing all private traffic through another dedicated private VLAN. Default gateway on the NAT host is the router address for its public-facing IP. I realize some of this may be more specific to pf, but since there are (obviously) many moving parts here I thought it best to start with the freebsd-net list and see if I can get some direction.
Thank you
Joe
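The following is an added example for readers of this thread; it is not code from the post, from FreeBSD or from pf. It parses a pf.conf NAT section of the shape shown above (macros plus `nat on ... from ... to any -> ...` rules), resolves which public address pf would pick for a given internal source using pf's first-match semantics for translation rules, and runs one sanity check that `pfctl -s nat` does not perform: whether every address the rules translate to is actually configured on the external interface. On FreeBSD the extra addresses would be added as aliases (`ifconfig vlan11 inet a.b.c.3 netmask 255.255.255.255 alias`, or `ifconfig_vlan11_alias0` in rc.conf), and a host does not answer ARP for an address it does not carry; whether that matters in a given topology depends on how the upstream delivers traffic for those addresses, so treat the check as a cheap thing to rule out, not as the diagnosis for this thread. The pf.conf text is modelled on the second configuration in the post with the documentation range 203.0.113.0/24 standing in for a.b.c.0/24, and the interface address lists are constructed rather than taken from a real host.

```python
"""Lint a pf.conf NAT section: expand macros, resolve which public address
each internal source would be translated to, and flag translation
addresses that are not configured on the external interface.

Added example. The pf.conf text is modelled on the post, with the
RFC 5737 range 203.0.113.0/24 standing in for the author's a.b.c.0/24.
The interface address lists are constructed, not read from a real host.
"""
import ipaddress
import re
from dataclasses import dataclass

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\s]+)"?\s*$')
# Only the rule shape used in the post is handled: "to any" destinations.
NAT_RE = re.compile(
    r'^\s*nat\s+on\s+(\S+)\s+from\s+(\S+)\s+to\s+(\S+)\s*->\s*(\S+)\s*$')


@dataclass(frozen=True)
class NatRule:
    iface: str
    src: ipaddress.IPv4Network
    dst_addr: ipaddress.IPv4Address


def expand(token, macros):
    """Replace a $macro reference with its value (pf macro syntax)."""
    if token.startswith('$'):
        name = token[1:]
        if name not in macros:
            raise ValueError(f"undefined macro ${name}")
        return macros[name]
    return token


def parse_pf_conf(text):
    """Return the nat rules of a pf.conf fragment, macros expanded."""
    macros = {}
    rules = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        m = NAT_RE.match(line)
        if m:
            iface, src, _dst, to = (expand(t, macros) for t in m.groups())
            rules.append(NatRule(iface, ipaddress.ip_network(src),
                                 ipaddress.ip_address(to)))
            continue
        raise ValueError(f"unrecognised line: {line!r}")
    return rules


def translate(rules, iface, src_ip):
    """pf translation rules are first-match: the first nat rule whose
    interface and source network match decides the public address.
    Returns None when no rule matches (the packet would leave untranslated)."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.iface == iface and src in r.src:
            return str(r.dst_addr)
    return None


def unconfigured_translation_addrs(rules, iface_addrs):
    """Translation addresses used by the nat rules that are not configured
    on the interface the rule is applied to, in rule order."""
    missing = []
    for r in rules:
        configured = {ipaddress.ip_address(a)
                      for a in iface_addrs.get(r.iface, [])}
        if r.dst_addr not in configured and r.dst_addr not in missing:
            missing.append(r.dst_addr)
    return [str(a) for a in missing]


# Constructed: the post's second pf.conf, 203.0.113.0/24 in place of a.b.c.0/24.
PF_CONF = '''
ext_if = "vlan11"
ext_addr1 = "203.0.113.3"
ext_addr2 = "203.0.113.4"
ext_addr3 = "203.0.113.5"
int_network1 = "10.0.1.0/24"
int_network2 = "172.16.1.0/24"
int_network3 = "192.168.1.0/24"
nat on $ext_if from $int_network1 to any -> $ext_addr1
nat on $ext_if from $int_network2 to any -> $ext_addr2
nat on $ext_if from $int_network3 to any -> $ext_addr3
'''

# Constructed: addresses `ifconfig vlan11` would show with only the primary
# address configured, and after adding .3/.4/.5 as aliases.
IFACE_ADDRS_BEFORE = {"vlan11": ["203.0.113.2"]}
IFACE_ADDRS_AFTER = {"vlan11": ["203.0.113.2", "203.0.113.3",
                                "203.0.113.4", "203.0.113.5"]}

RULES = parse_pf_conf(PF_CONF)

if __name__ == "__main__":
    for host in ("10.0.1.7", "172.16.1.9", "192.168.1.20", "10.0.2.1"):
        print(host, "->", translate(RULES, "vlan11", host))
    print("not on vlan11 (before aliases):",
          unconfigured_translation_addrs(RULES, IFACE_ADDRS_BEFORE))
    print("not on vlan11 (after aliases): ",
          unconfigured_translation_addrs(RULES, IFACE_ADDRS_AFTER))
```

Run it as a script to see the per-host translation and the two lint results; to apply it to a real box, replace `PF_CONF` with the NAT section of the loaded ruleset and `IFACE_ADDRS_BEFORE` with the inet addresses `ifconfig vlan11` reports. The translate() function deliberately returns None for a source outside every internal network, which is the case a practitioner should watch for when a fourth VLAN is added later without a matching nat rule.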