From: Peter McAlpine
To: freebsd-pf@freebsd.org
Date: Fri, 16 Nov 2012 09:40:28 -0500
Subject: Routing return NAT traffic based on interface
Hello,

I am having trouble with routing via pf and would appreciate any help that can be provided.

My router has a tunnel interface and an external (internet) interface. I'd like to NAT any traffic that arrives on the tunnel out to the internet via the external interface. Any traffic that arrives on the external interface that is not specifically for the external interface's address should be sent down the tunnel.

Here's my config:

data_if = "tap3"
ext_if = "em0"

set skip on lo0

nat on $ext_if from !$ext_if:network to any -> ($ext_if)

pass in on $ext_if route-to $data_if from any to !$ext_if:network

My motivation is that I am completely unaware of the networks that exist beyond the tunnel and want to be able to add additional interfaces with RFC1918 addresses to my router without worrying about whether my IP is colliding with the IPs past the tunnel. Further, I want the traffic that arrives on the tunnel to remain in its original state until it leaves on the external interface.

The issue I'm having is that the 'pass' rule is not being matched (or even evaluated?). My default gateway on the router is the ext_if, and return traffic is being reverse-translated and then the routing table is sending it back out ext_if instead of down data_if where I want it to go.

I have also tried rebuilding my kernel and using different routing tables, but I can't get any pass rule to be evaluated for returning NAT traffic.

Thanks in advance for any help you can provide.

-Peter
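An added pf.conf fragment, not from the original post or any reply to it, showing one way to attach the reply route to the state itself: pf matches reply packets against an existing state before it evaluates rules, so a 'pass in on $ext_if ... route-to' rule never sees the reverse-translated NAT replies, whereas 'reply-to' (documented in pf.conf(5)) records where replies of a state go when that state is created. The tunnel next-hop address 'data_gw' is an assumed placeholder.

```pf
# Added example, not the poster's configuration. Same interfaces and NAT
# rule as the post; the change is where the return route is attached.
data_if = "tap3"
ext_if  = "em0"
# Assumption/placeholder: the peer address reachable through the tunnel.
# tap is an Ethernet interface, so reply-to needs a next-hop address here.
data_gw = "10.0.0.2"

set skip on lo0

# Outbound NAT for everything that did not originate on the external LAN.
nat on $ext_if from !$ext_if:network to any -> ($ext_if)

# Original rule, kept for connections that are *initiated* from the
# internet side: it only applies to packets that create a new state on
# $ext_if. Replies to NAT'd connections match their existing state first
# and are never evaluated against this rule, which is the observed problem.
pass in on $ext_if route-to $data_if from any to !$ext_if:network

# Create the state on the tunnel side and record, in the state, that its
# replies are to be sent back out the tunnel rather than via the default
# gateway on $ext_if. The reverse NAT translation still happens on the
# state; reply-to only changes the egress routing of those replies.
pass in on $data_if reply-to ($data_if $data_gw) from any to !$ext_if:network keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and confirm with `pfctl -s state` that tunnel-originated connections have states created on tap3 rather than only on em0.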