From: "Michael K. Smith - Adhost"
To: "shinny knight", "Erik Norgaard"
Cc: questions@freebsd.org
Subject: RE: Problem with NAT/RDR in PF
Date: Mon, 10 Dec 2007 09:11:08 -0800

Hello Catalin:

> Michael Smith wrote:
>
> On Dec 9, 2007, at 3:34 PM, Erik Norgaard wrote:
>
> > Michael Smith wrote:
> >> Hello All:
> >> I am trying to configure a round-robin group of Name Servers that
> >> respond on to and from a single address.
> >> I want the following to occur:
> >> 1) DNS query from 10.211.128.1 to 10.212.1.1 is redirected to a
> >> pool of name servers
> >> 2) One of the name servers responds to the query
> >> 3) The response shows a source address of 10.212.1.1, not the
> >> actual name server
> >
>
> Hello Mike,
>
> If I understand correctly your environment I think you should change
> the NAT rule from:
>
> nat on $vlan821_if from $nr_net to $mail_net -> 10.212.1.1
>
> to:
>
> nat on $vlan6_if from $nr_net to $mail_net -> 10.212.1.1
>
> Let us know if this is solving the issue.
>

I'm still seeing the same issue. Here's the output from pfctl -sa | grep 10.212.1.1

nat on vlan6 inet from 10.212.1.0/24 to 10.211.0.0/16 -> 10.212.1.1
rdr on vlan6 inet proto udp from any to 10.212.1.1 port = domain -> round-robin
rdr on vlan6 inet proto tcp from any to 10.212.1.1 port = domain -> round-robin
vlan6 udp 10.212.1.11:53 <- 10.212.1.1:53 <- 10.211.128.146:54108 NO_TRAFFIC:SINGLE

It looks like the redirect is happening correctly, but the NAT isn't working in reverse. The 10.212.1.1 address is in the subnet on $vlan821. Will this break NAT? That is, does NAT have to have an address on $vlan6?

Regards,
Mike