Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 21 Aug 2011 11:09:12 +0200
From:      "Bartek W. aka Mastier" <mistrzipan@gmail.com>
To:        freebsd-pf@freebsd.org
Subject:   Re: problem with setting nat
Message-ID:  <4E50CB38.1050204@gmail.com>
In-Reply-To: <CAARSjE09vm3yvevBhhdK_6XrRpnKD5cwgnZJPVjVTsH=03JCsg@mail.gmail.com>
References:  <CAARSjE09vm3yvevBhhdK_6XrRpnKD5cwgnZJPVjVTsH=03JCsg@mail.gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help
W dniu 21.08.2011 09:48, h bagade pisze:
> Hi all,
>
> I am trying to use pf nat rules with pool support on FreeBsd 8.0, working
> together with ipfw as the main firewall. According to the natting concepts i
> faced in manuals and docs, nat concept is to map the source address to the
> natted address when sending the packets from that source and then map the
> destination address of the related reply packets.
>
> but when I define pf nat rules with a pool of IP addresses not available on
> the outside interface ip addresses, the outgoing traffic is natted to one of
> the pool addresses but the response is not received via that interface so
> the pf can map the destination address to the real one. here is one of my
> configs i used during my tests:
>
> *configurations:*
> *pf.conf:*
> nat on eth1 from { 11.11.11.0/24} to any ->
> {172.16.10.1,172.16.10.2,172.
> 16.10.3,172.16.10.4,172.16.10.5,172.16.10.6,172.16.10.7,172.16.10.8,172.16.10.9,172.16.10.10}
>
> main system configurations:
> eth0: 11.11.11.1
> eth1: 172.16.10.64
>
> system A: directly connected to eth0- 11.11.11.11
> system B: directly connected to eth1- 172.16.10.65
>
> in this configs the dafult route of system A and system B are the middle
> systems connected ip address.
>
> as mentioned, when systemA pings systemB, the ping requests are natted to
> 172.16.10.1 and received at systemB but systemB doesn't send icmp replies
> because it doesn't know to whom it should send the replies (no answer to
> system B 's ARP requests about who has the natted IP).

Man, ok, let's start from the beginning: these are your nat adresses

{172.16.10.1,172.16.10.2,172.
16.10.3,172.16.10.4,172.16.10.5,172.16.10.6,172.16.10.7,172.16.10.8,172.16.10.9,172.16.10.10}

But none of them is set on your routing/natting system interface, come 
on :-D How can it receive response over link layer (L2) if doesn't have 
IP which is substited to make packets get back to. If you are doing nat 
to 172.16.10.1, you should have 172.16.10.1 on your auxiliary interface 
, not 172.16.10.64. Or propably you could make nat like i.e.  .... -> 
{172.16.10.0/24, ... } , but I have never tried it like that.
>
> now my question is, isn't it the pf nat responsibilty to manage this
> condition and send the ARP replies to SystemB?

Hell no, ARP replies ? man this is link layer, ARP is from link layer. 
To have ARP response (NOT PING, ping is layer 3, IP layer) both side 
must share the same network, natting can see the ARP from both sides , 
but systemA and SystemB between each other can't.

> or, are my configs wrong?
> or i misunderstood the nat concepts?

You should have some reading, there are more than one, so called NAT 
techniques. In PF , in your situation, when packet is going out from 
systemA to systemB, the source address in switched to NAT machine's and 
, in case of port-enabled protocol, like TCP and UDP the random port is 
choosen and waiting for response on that port. When it comes from system 
B is rightaway redirected to systemA. I don't know how it works in ICMP 
(i.e. ping), it's in some way "remembered", who is waiting for response.

> any ideas or helps are really appreciated as i have to set this nat on my
> main system, asap.
> Thanks in advance.
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4E50CB38.1050204>