From: Frank Leonhardt
To: freebsd-questions@freebsd.org
Subject: Re: pf or ipfw for NAT
Date: Sun, 11 Apr 2021 19:21:21 +0100
Message-ID: <3c99a18b-a8c6-acb6-bf4c-03e4783cab88@fjl.co.uk>
In-Reply-To: <20210403092058.97c46ba70579026e9bd929a1@sohara.org>
On 03/04/2021 09:20, Steve O'Hara-Smith wrote:
>> Thanks Steve. Any idea whether I need to enable the gateway when using
>> pf instead?
>>
>> e.g. sysctl net.inet.ip.forwarding=1
>
>     I'm pretty sure you do - TBH I've never tried not setting it on
> anything that routes.

I think so too. I set it and it works perfectly. I'm really wondering why I've bothered with natd - just using pf works a treat.
For the sake of anyone reading this thread in the future, this script starts the whole thing off (xxx is the external address):

    sysctl net.inet.ip.forwarding=1
    ifconfig bge0 inet 192.168.1.210 netmask 0xffffffff alias
    ifconfig re0 inet xxx.xxx.xxx.xxx netmask 0xffffffff alias
    service dhcpd onestart
    service pf onestart

-----------------------------------------------------

This is what I'd put in rc.conf to make it permanent (but not a cut/paste job so may be errors):

    gateway_enable="YES"
    # if bge0 already has a primary address set in rc.conf, use
    # ifconfig_bge0_alias0="inet 192.168.1.210 netmask 0xffffffff" instead
    ifconfig_bge0="inet 192.168.1.210 netmask 0xffffffff alias"
    ifconfig_re0="inet xxx.xxx.xxx.xxx netmask 255.255.255.248"
    dhcpd_enable="YES"
    pf_enable="YES"

-----------------------------------------------------

/usr/local/etc/dhcpd.conf (important part):

    subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.128 192.168.1.192;
        option routers 192.168.1.210;
        authoritative;
    }

-----------------------------------------------------

/etc/pf.conf

    scrub in all

    # NAT bit
    nat pass on re0 from 192.168.1.0/24 to any -> xxx.xxx.xxx.xxx

    # Pass port 25 to mail server on LAN
    rdr pass on re0 proto tcp from any to xxx.xxx.xxx.xxx port 25 -> 192.168.1.203
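Added example for readers of the archive (this is not part of Frank's message or his configuration): a fuller /etc/pf.conf that does the same NAT and SMTP redirect but also filters. The ruleset quoted above contains no filter rules, so pf's default is to pass everything in both directions, and the `pass` modifier on the nat/rdr lines additionally exempts translated packets from any filter rules added later. The interface names re0/bge0, the LAN 192.168.1.0/24, the mail server 192.168.1.203 and the xxx.xxx.xxx.xxx placeholder are taken from the thread; the macro names, the DHCP, ICMP and SSH rules and the default-deny policy are assumptions for illustration.

```pf
# Added example /etc/pf.conf: NAT + SMTP redirect as in the thread, plus filter rules.
# Interface names, LAN and mail-server address come from the thread; xxx.xxx.xxx.xxx
# is the public-address placeholder the original post uses. Everything else is assumed.
ext_if   = "re0"
int_if   = "bge0"
lan_net  = "192.168.1.0/24"
ext_addr = "xxx.xxx.xxx.xxx"
mail_srv = "192.168.1.203"

set skip on lo0
scrub in all

# Translation. No "pass" modifier here, so translated packets are still
# checked against the filter rules below (with the translated addresses).
nat on $ext_if from $lan_net to any -> $ext_addr
rdr on $ext_if inet proto tcp from any to $ext_addr port 25 -> $mail_srv

# Drop packets carrying LAN source addresses that arrive on the wrong interface.
antispoof quick for $int_if

# Default policy: nothing in unless a later rule allows it. pass rules are
# stateful by default, so replies to allowed traffic come back automatically.
block in log all

# DHCP from clients that do not have an address yet (source 0.0.0.0).
pass in quick on $int_if inet proto udp from any port 68 to any port 67

# LAN hosts may go anywhere; these packets are NATed on the way out of $ext_if.
pass in on $int_if inet from $lan_net to any
pass out on $int_if
pass out quick on $ext_if

# Inbound SMTP: by the time the filter runs, rdr has rewritten the destination.
pass in on $ext_if inet proto tcp from any to $mail_srv port 25

# Let the outside ping the gateway; remove if you would rather not answer.
pass in on $ext_if inet proto icmp icmp-type echoreq

# Manage the gateway over SSH from the LAN only.
pass in on $int_if inet proto tcp from $lan_net to ($int_if) port 22
```

Check it with `pfctl -nf /etc/pf.conf` (parse only) before `pfctl -f /etc/pf.conf`, then `pfctl -sn` and `pfctl -sr` to see the translation and filter rules actually loaded, and `pfctl -ss` to watch state entries appear for the NATed LAN flows. `sysctl net.inet.ip.forwarding` should print 1 once `gateway_enable="YES"` has been applied at boot; if it reads 0, pf will translate but the kernel will not forward.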