Date: Tue, 13 Jun 2006 23:23:07 -0700
From: Jaye Mathisen <mrcpu@mathisen.org>
To: freebsd-pf@freebsd.org
Subject: Couple minor sniglets with pf...
Message-ID: <20060614062307.GB92024@main.mathisen.org>
I have a soekris, running a fairly recent release of 6.x with PF support. Until now, it had been purely used for binat, which worked just fine, but didn't use any other features. Finally decided to get rid of my other gear, and just "drop down" to the basics, so wanted to start using PF for NAT. And it works fine, except for one problem I'm having, which I think is related to binat and nat.

There are 3 interfaces: sis0, which is my private network; sis1, which connects to the internet; and sis2, which connects to a separate "privatish" network, which is where the end hosts for the binat stuff reside.

So, my home PC, on sis0, goes through NAT out to the world, and that all works fine, with 2 exceptions (which I'll get to in a moment). The problem is if I need to get from a device on my home network, 192.168.0.x, to a server that is one of the binat'd ones, that get xlat'd from public IPs to 192.168.2.x... If I connect to the 192.168.2.x IP directly, it works fine, so it's not route problems; I think just something with the combination of NAT and binat is not working.

The 2nd issue is that I cannot get any AIM clients to log in. They worked fine before pf, and now they don't. They get partway through the login process, and then always error out with "A connect error occurred". Just to make sure I'm not smoking dope, I replaced the soekris with my old linksys router I was using, and it works fine, logs in instantly. I have not tested regular natd to see.

The symptom of the public IP connection issue is that, for example, if I log in to 70.68.179.172, which is binat'd to 192.168.2.100, via ssh, I *get* a login prompt and password. But when I enter it, I'm logged in to the soekris router, *not* the .100 box.
I include my minimal pf config cobbled from an example:

    rtr# cat /etc/pf.conf.local | grep -v '^#' | cat -s

    ext_if="sis1"   # replace with actual external interface name i.e., dc0
    int_if="sis0"   # replace with actual internal interface name i.e., dc1
    tcp_services = "{ 22, 113 }"
    icmp_types = "echoreq"
    priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

    set loginterface $int_if

    scrub in all

    # translation rules: applied to packets on the named interface only,
    # and evaluated before the filter rules below
    nat on $ext_if from $int_if:network to any -> ($ext_if)
    binat on sis1 from 192.168.2.100 to any -> 70.58.179.172
    binat on sis1 from 192.168.2.103 to any -> 70.58.179.171
    binat on sis1 from 192.168.2.104 to any -> 70.58.179.170

    # filter rules: the last matching rule wins unless it says "quick"
    pass in all
    pass out all
    pass quick on lo0 all
    block drop in quick on $ext_if from $priv_nets to any
    block drop out quick on $ext_if from any to $priv_nets
    pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
    pass in inet proto icmp all icmp-type $icmp_types keep state
    pass in on $int_if from $int_if:network to any keep state
    pass out on $int_if from any to $int_if:network keep state
    pass out on $ext_if proto tcp all modulate state flags S/SA
    pass out on $ext_if proto { udp, icmp } all keep state

Thanks for any help.
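The binat/NAT interaction the post describes follows from how pf scopes translation rules: a `binat on sis1` rule only rewrites packets that cross sis1. A packet from the home LAN addressed to the public 70.58.179.x address arrives on sis0, is never translated, and is delivered to the router itself, which holds that public address, so the ssh session lands on the soekris rather than on the .100 box. The usual remedy is NAT reflection: an `rdr` rule on the internal interface that maps the public address back to the server. The fragment below is an added example and not part of the original post or of FreeBSD's own documentation; the macro names, the 192.168.2.0/24 server subnet on sis2, and the single server pair are assumptions taken from the post, and the rule must sit with the other translation rules, before the filter rules.

```pf
# Added example (not from the original post): NAT reflection so hosts on
# the home LAN (sis0) reach a binat'd server by its public address.
# Macro names and the 192.168.2.0/24 server subnet are assumptions.
ext_if = "sis1"
int_if = "sis0"
srv_if = "sis2"

# Existing translation for the Internet side (unchanged from the post).
nat on $ext_if from $int_if:network to any -> ($ext_if)
binat on $ext_if from 192.168.2.100 to any -> 70.58.179.172

# Reflection: packets entering on sis0 for the public address are
# rewritten to the server's real address before the filter sees them.
# Without this the router, which owns 70.58.179.172, answers itself.
rdr on $int_if proto { tcp, udp } from $int_if:network to 70.58.179.172 -> 192.168.2.100

# Only needed if the server on sis2 has no route back to 192.168.0.0/24
# through this router: hide the LAN client behind the sis2 address so
# replies always return via the router and hit the same state entry.
# nat on $srv_if from $int_if:network to 192.168.2.100 -> ($srv_if)

# Filter rules match on the post-translation address (192.168.2.100),
# so the reflected connection needs a pass in on sis0 and out on sis2.
pass in on $int_if from $int_if:network to 192.168.2.100 keep state
pass out on $srv_if from $int_if:network to 192.168.2.100 keep state
```

After loading the rules, `pfctl -s nat` should list the rdr line alongside the binat entries, and `pfctl -s state` during an ssh attempt from the LAN should show a state whose destination is 192.168.2.100 rather than the public address; if the state still shows 70.58.179.172, the rdr was placed after the filter rules or is not matching the inbound interface.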
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060614062307.GB92024>