From: olli hauer
Date: Sun, 21 Aug 2011 15:41:12 +0200
To: h bagade
Cc: freebsd-pf@freebsd.org
Subject: Re: problem with setting nat
Message-ID: <4E510AF8.9090009@gmx.de>

On 2011-08-21 09:48, h bagade wrote:
> Hi all,
>
> I am trying to use pf nat rules with pool support on FreeBSD 8.0, working
> together with ipfw as the main firewall. According to the natting concepts I
> faced in manuals and docs, the nat concept is to map the source address to the
> natted address when sending the packets from that source and then map the
> destination address of the related reply packets.
>
> But when I define pf nat rules with a pool of IP addresses not available on
> the outside interface ip addresses, the outgoing traffic is natted to one of
> the pool addresses but the response is not received via that interface so
> that pf can map the destination address to the real one. Here is one of my
> configs I used during my tests:
>
> *configurations:*
> *pf.conf:*
> nat on eth1 from { 11.11.11.0/24 } to any -> { 172.16.10.1, 172.16.10.2,
>   172.16.10.3, 172.16.10.4, 172.16.10.5, 172.16.10.6, 172.16.10.7,
>   172.16.10.8, 172.16.10.9, 172.16.10.10 }
>
> main system configurations:
> eth0: 11.11.11.1
> eth1: 172.16.10.64
>
> system A: directly connected to eth0 - 11.11.11.11
> system B: directly connected to eth1 - 172.16.10.65
>
> In these configs the default route of system A and system B is the middle
> system's connected ip address.
>
> As mentioned, when system A pings system B, the ping requests are natted to
> 172.16.10.1 and received at system B, but system B doesn't send icmp replies
> because it doesn't know to whom it should send the replies (no answer to
> system B's ARP requests about who has the natted IP).
>
> Now my question is, isn't it the pf nat responsibility to manage this
> condition and send the ARP replies to system B?
> or, are my configs wrong?
> or did I misunderstand the nat concepts?
>
> Any ideas or help are really appreciated as I have to set this nat on my
> main system, asap.
> Thanks in advance.

Nothing magic. Professional firewall products mostly offer to create an
automatic proxy ARP, or do this without your notice.

The better way is to create a route on the upstream router; this way you get
all the traffic without silly ARP broadcasts.

The following route on the peer should solve your problem:

route add -net 172.16.10.0 gw 172.16.10.64 netmask 255.255.255.192
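A small check added here, not part of either message in the thread: given the pool from the pf.conf rule above and constructed snapshots of ifconfig eth1 and arp -an output from the NAT box, it lists the pool addresses that nothing on the eth1 segment will answer ARP for (the cause of the dropped replies) and prints the proxy-ARP entries the NAT box would need as the alternative to the route on the peer. The interface name, the MAC address and the ARP table contents are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Given the NAT pool from the
# poster's pf.conf rule and constructed snapshots of `ifconfig eth1` and
# `arp -an` from the NAT box, report pool addresses nobody on the segment
# answers ARP for, and print the proxy-ARP entries that would fix that.

# The pool from: nat on eth1 from { 11.11.11.0/24 } to any -> { ... }
POOL="172.16.10.1 172.16.10.2 172.16.10.3 172.16.10.4 172.16.10.5
172.16.10.6 172.16.10.7 172.16.10.8 172.16.10.9 172.16.10.10"

# Constructed `ifconfig eth1` snapshot: only 172.16.10.64 is assigned;
# the MAC address is made up.
IFCONFIG_OUT='eth1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 00:11:22:33:44:55
        inet 172.16.10.64 netmask 0xffffff00 broadcast 172.16.10.255'

# Constructed `arp -an` snapshot: system B is a normal neighbour, and one
# pool address (.3) already has a published (proxy-ARP) entry.
ARP_OUT='? (172.16.10.65) at 00:aa:bb:cc:dd:ee on eth1 expires in 1170 seconds [ethernet]
? (172.16.10.3) at 00:11:22:33:44:55 on eth1 permanent published [ethernet]'

# Succeeds if $1 is assigned to the NAT box itself or has a published
# ARP entry, i.e. something on the segment will answer ARP for it.
is_answered() {
    printf '%s\n' "$IFCONFIG_OUT" | grep -qF "inet $1 " && return 0
    printf '%s\n' "$ARP_OUT" | grep -F "($1) " | grep -q published && return 0
    return 1
}

# Pool addresses for which replies from system B would be dropped
# because its ARP requests go unanswered, one per line.
unanswered_pool() {
    for ip in $POOL; do
        is_answered "$ip" || printf '%s\n' "$ip"
    done
}

# The proxy-ARP entries the NAT box would need for those addresses,
# answering with its own eth1 MAC so system B sends the replies to it.
proxy_arp_fix() {
    mac=$(printf '%s\n' "$IFCONFIG_OUT" | awk '/ether/ { print $2 }')
    for ip in $(unanswered_pool); do
        printf 'arp -s %s %s pub\n' "$ip" "$mac"
    done
}

# Stand-alone run: show what is missing and the commands to add it.
echo "Pool addresses nobody answers ARP for:"
unanswered_pool
echo "Proxy-ARP entries to add on the NAT box:"
proxy_arp_fix
```

Run it on real output by replacing the two snapshots with the actual command output; the published entries are the ones that make the pool addresses reachable without the route.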