From: Peter Jeremy
To: Joe Moog
Cc: freebsd-net@freebsd.org
Date: Sat, 1 Jun 2013 10:37:30 +1000
Subject: Re: Basic NAT server setup
Message-ID: <20130601003730.GE79250@server.rulingia.com>
List-Id: Networking and TCP/IP with FreeBSD
On 2013-May-30 17:54:53 -0500, Joe Moog wrote:
>I'm building a server to handle outbound NAT to the internet using
>FreeBSD 9.1 and its built-in distribution of pf. What I want to be
>able to do is NAT three unique internal (private) VLANs to three
>unique public IPs.
>
>ext_if = "vlan11"
>ext_addr1 = "a.b.c.3"
>ext_addr2 = "a.b.c.4"
>ext_addr3 = "a.b.c.5"
>int_network1 = "10.0.1.0/24"
>int_network2 = "172.16.1.0/24"
>int_network3 = "192.168.1.0/24"
>
>nat on $ext_if from $int_network1 to any -> $ext_addr1
>nat on $ext_if from $int_network2 to any -> $ext_addr2
>nat on $ext_if from $int_network3 to any -> $ext_addr3

I don't see anything obviously wrong with what you've done. My initial
checks would be:
- Do you have the correct routes on the NAT box?
- Do you have a.b.c.{3,4,5} set up as aliases on vlan11 (or faked using
  proxy ARP)?

(My suspicion is the second point - packets are going out successfully but
the response is undeliverable because nothing is responding to the switch's
ARP requests for a.b.c.{3,4,5}).

Next would be to use tcpdump to do some snooping:
- Firstly, make sure the packets are arriving on the NAT box with
  appropriate src & dst IPs by tcpdump'ing the internal interface(s).
- Secondly, tcpdump the external interface and see what is going out and
  returning (tcpdump will see the external addresses).

Finally, add some 'log' keywords and tcpdump pflog0. Unfortunately, the
stock FreeBSD tcpdump can't handle pflog packets. There are some patches in
bin/124825 but you will need to do some work to get them to apply to the
tcpdump in 9.1.

That will hopefully give you some pointers as to where to investigate.
-- 
Peter Jeremy
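As an added illustration, not part of Peter's reply or Joe's original configuration, the rc.conf and pf.conf fragments that cover the second check (the public NAT addresses present as aliases on vlan11) together with the 'log' keywords and a pflog0 capture. The primary address a.b.c.2/24 on vlan11 and the inside interface name vlan1 are assumptions made for this example.

```conf
# /etc/rc.conf (added example; a.b.c.2/24 as the primary address and
# vlan1 as the inside interface are assumptions, not from the thread)
gateway_enable="YES"            # sets net.inet.ip.forwarding=1; nothing is forwarded without it
pf_enable="YES"
pflog_enable="YES"              # creates pflog0, where 'log' rules deliver packets
ifconfig_vlan11="inet a.b.c.2 netmask 255.255.255.0"
# Every NAT address must be owned by vlan11, otherwise the upstream ARP
# request for it goes unanswered and return traffic never arrives:
ifconfig_vlan11_alias0="inet a.b.c.3 netmask 255.255.255.255"
ifconfig_vlan11_alias1="inet a.b.c.4 netmask 255.255.255.255"
ifconfig_vlan11_alias2="inet a.b.c.5 netmask 255.255.255.255"

# /etc/pf.conf (first of the three networks; ext_addr2/3, int_if2/3 and
# int_network2/3 follow the same pattern)
ext_if       = "vlan11"
int_if1      = "vlan1"
ext_addr1    = "a.b.c.3"
int_network1 = "10.0.1.0/24"

nat on $ext_if from $int_network1 to any -> $ext_addr1

# 'log' goes on the filter rules (the nat grammar only takes log after
# pass): the inbound rule on the inside interface logs the private source
# addresses, the outbound rule on vlan11 logs the already-translated ones.
pass in  log on $int_if1 inet from $int_network1 to any keep state
pass out log on $ext_if  inet from $ext_addr1    to any keep state

# Checks to run from a shell on the NAT box:
#   pfctl -nf /etc/pf.conf          parse-only check of the ruleset
#   ifconfig vlan11 | grep inet     a.b.c.3, .4 and .5 must all be listed
#   netstat -rn                     default route must point out vlan11
#   tcpdump -n -e -ttt -i pflog0    logged packets (subject to the tcpdump
#                                   caveat Peter gives for 9.1)
```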