From owner-freebsd-pf@FreeBSD.ORG Tue Aug 23 05:10:49 2011
From: Sara Khanchi
To: olli hauer
Cc: freebsd-pf@freebsd.org
Date: Tue, 23 Aug 2011 09:40:48 +0430
In-Reply-To: <4E510AF8.9090009@gmx.de>
Subject: Re: problem with setting nat

On Sun, Aug 21, 2011 at 6:11 PM, olli hauer wrote:
> On 2011-08-21 09:48, h bagade wrote:
> > Hi all,
> >
> > I am trying to use pf nat rules with pool support on FreeBSD 8.0, working
> > together with ipfw as the main firewall. According to the natting concepts
> > I faced in manuals and docs, the nat concept is to map the source address
> > to the natted address when sending the packets from that source and then
> > map the destination address of the related reply packets.
> >
> > But when I define pf nat rules with a pool of IP addresses not available
> > on the outside interface IP addresses, the outgoing traffic is natted to
> > one of the pool addresses but the response is not received via that
> > interface so the pf can map the destination address to the real one. Here
> > is one of my configs I used during my tests:
> >
> > configurations:
> > pf.conf:
> > nat on eth1 from { 11.11.11.0/24} to any -> {172.16.10.1,172.16.10.2,172.16.10.3,172.16.10.4,172.16.10.5,172.16.10.6,172.16.10.7,172.16.10.8,172.16.10.9,172.16.10.10}
> >
> > main system configurations:
> > eth0: 11.11.11.1
> > eth1: 172.16.10.64
> >
> > system A: directly connected to eth0 - 11.11.11.11
> > system B: directly connected to eth1 - 172.16.10.65
> >
> > In this config the default route of system A and system B is the middle
> > system's connected IP address.
> >
> > As mentioned, when system A pings system B, the ping requests are natted
> > to 172.16.10.1 and received at system B, but system B doesn't send ICMP
> > replies because it doesn't know to whom it should send the replies (no
> > answer to system B's ARP requests about who has the natted IP).
> >
> > Now my question is, isn't it the pf nat responsibility to manage this
> > condition and send the ARP replies to system B?
> > Or, are my configs wrong?
> > Or did I misunderstand the nat concepts?
> >
> > Any ideas or help are really appreciated, as I have to set this nat on my
> > main system asap.
> > Thanks in advance.
>
> Nothing magic.
>
> Professional firewall products do offer mostly to create an automatic
> proxy arp or do this without your notice.
>
> The better way is to create a route on the upstream router; this way
> you get all the traffic without silly arp broadcasts.
>
> The following route on the peer should solve your problem:
> route add -net 172.16.10.1 gw 172.16.10.65 netmask 255.255.255.192

Defining a route is not a proper way to handle this situation. I want to set up a nat router which everyone works with without needing to adjust additional configurations on their system, and which works the way Cisco does. What should be done exactly to simulate Cisco? Is there any way to proxy arp? Does ipfw support proxy arp?
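Both fixes named in the thread (a static route on the peer, or proxy ARP on the NAT box) close the same gap: nothing on the outside segment answers ARP for pool addresses that are not configured on the outside interface, so the peer's reply traffic has nowhere to go. The POSIX sh script below is an added example, not code from this thread or from the pf, ipfw or FreeBSD projects. It lints a pf `nat` rule's pool against the addresses the outside interface owns and against static ARP entries already published on the NAT box, lists the pool addresses nobody will answer for, and prints the FreeBSD `arp -s ADDR MAC pub` commands that would publish them as proxy-ARP entries. The `ifconfig` and `arp -an` text it parses is constructed sample input in the thread's addressing; the interface name, the MAC address and the exact line formats it expects are assumptions.

```shell
#!/bin/sh
# Added example: check a pf nat pool against what the outside segment can
# actually reach. Inputs are passed as text so the script runs offline; on
# a live FreeBSD box the second and third arguments would be the output of
# "ifconfig eth1" and "arp -an". The line formats are assumptions.

# Print the pool addresses of a pf nat rule, one per line.
pool_addrs() {
    printf '%s\n' "$1" \
        | sed -n 's/.*->[[:space:]]*{\(.*\)}.*/\1/p' \
        | tr ',' '\n' | tr -d ' \t'
}

# Print every address the NAT box answers ARP for on the outside segment:
# addresses configured on the interface ("inet A.B.C.D ...") plus static
# entries published with "arp -s ADDR MAC pub" (shown as "published").
answered_addrs() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2 }'
    printf '%s\n' "$2" | awk '/published/ { gsub(/[()]/, "", $2); print $2 }'
}

# Print pool addresses that no one on the outside segment answers for.
# These are exactly the addresses whose ARP requests from the peer go
# unanswered, so reply packets never come back through the NAT box.
unanswered_pool_addrs() {
    answered=$(answered_addrs "$2" "$3")
    for a in $(pool_addrs "$1"); do
        printf '%s\n' "$answered" | grep -qxF "$a" || printf '%s\n' "$a"
    done
}

# Emit the arp(8) commands that would publish the missing addresses as
# proxy-ARP entries, using the outside interface's MAC address ($4).
# They are printed rather than executed so the script can be reviewed first.
proxy_arp_cmds() {
    for a in $(unanswered_pool_addrs "$1" "$2" "$3"); do
        printf 'arp -s %s %s pub\n' "$a" "$4"
    done
}

# Constructed sample input in the thread's addressing (three pool addresses
# instead of ten to keep it short). 172.16.10.1 is an interface alias,
# 172.16.10.2 is already published, 172.16.10.3 is covered by nothing.
RULE='nat on eth1 from { 11.11.11.0/24 } to any -> {172.16.10.1,172.16.10.2,172.16.10.3}'
IFCONFIG='eth1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:11:22:33:44:55
    inet 172.16.10.64 netmask 0xffffffc0 broadcast 172.16.10.127
    inet 172.16.10.1 netmask 0xffffffff broadcast 172.16.10.1'
ARP='? (172.16.10.2) at 00:11:22:33:44:55 on eth1 permanent published [ethernet]
? (172.16.10.65) at 00:aa:bb:cc:dd:ee on eth1 expires in 1200 seconds [ethernet]'
OUT_MAC=$(printf '%s\n' "$IFCONFIG" | awk '$1 == "ether" { print $2 }')

echo "pool addresses nobody answers ARP for:"
unanswered_pool_addrs "$RULE" "$IFCONFIG" "$ARP"
echo "commands that would publish them:"
proxy_arp_cmds "$RULE" "$IFCONFIG" "$ARP" "$OUT_MAC"
```

Publishing each pool address this way (or adding it as an alias on the outside interface with `ifconfig eth1 alias ADDR netmask 255.255.255.255`) makes the NAT box itself answer the peer's ARP requests, which is the behaviour the reply asks for; a static route on the peer instead removes the ARP lookup by sending the whole pool prefix to the NAT box. Either way, the check above is worth running after every change to the pool, since a pool address that is neither owned, published nor routed silently drops the return traffic of every connection mapped to it.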