Date: Tue, 3 Nov 2015 09:45:36 +0330
From: s m
To: Matthew Seaman
Cc: freebsd-questions
In-Reply-To: <5635FB7B.1070901@FreeBSD.org>
Subject: Re: why pf nat two different ip address to one ip address with different port number?

Thank you Matt for your comprehensive answer. I have read the man page for pf.conf, but I think neither rdr nor binat solves my problem. This is my scenario:

    C1-----> switch-------->FreeBSD -------> C3
    C2----->

c1 and c2 want to ping c3. In the FreeBSD system I have put these lines in pf.conf:

    table <1> { 20.3.3.10 }
    nat on 'gbeth2' from { 10.3.3.0/24 } to any -> <1> round-robin sticky-address

I have assigned just one IP address to my table, so I expect that when c1 pings c3 it is NATed to 20.3.3.10. After that, when c2 pings c3, it should be dropped, since there is no free IP address in my table to assign to c2; but c2 is NATed to 20.3.3.10 too, with a different port number.

I said static NAT, but it is not static NAT; that was my mistake. The direction for my NAT is inside.

I hope this clears up my scenario and what I want to do :) I'm not familiar with pf, so I would appreciate it if you could help me solve it.

Thanks in advance,
SAM

On Sun, Nov 1, 2015 at 3:16 PM, Matthew Seaman wrote:
> On 01/11/2015 06:26, s m wrote:
> > hello everybody
> >
> > I want to NAT my local addresses with pf, but I have a strange problem. This is my pf.conf file:
> >
> > table <1> { 20.3.3.10 }
> > nat on 'gbeth2' from { 10.3.3.0/24 } to any -> <1> round-robin sticky-address
> >
> > I want to have static NAT with just one IP address (20.3.3.10). With these rules I expect the first system which sends a packet to my FreeBSD system to be NATed to 20.3.3.10, and the second system not to be NATed, since we have no free IP address. But what happens is totally different! The second one is NATed to the same IP address but with a different port number, like this:
> >
> > all icmp 20.3.3.10:48401 (10.3.3.2:27943) -> 20.3.3.1:48401    0:0
> > all icmp 20.3.3.10:58435 (10.3.3.1:3706) -> 20.3.3.1:58435    0:0
> >
> > Would you please tell me what is wrong with my pf.conf rules? How can I prevent this? I want to NAT just the first system which requests it and ignore the request from the second system. It should be possible, isn't it??
> >
> > Any comments or hints are appreciated.
>
> It's not clear from your description exactly what you are trying to achieve.
>
> Is the traffic you are trying to manage incoming or outgoing or both? By which I mean, in what direction is the initial connection made? Obviously it's useless to only handle packets going one way without dealing with the response packets that come back, but pf(4) deals with traffic very differently depending on the direction of the initial connection.
>
> NAT generally works with outgoing traffic -- from your LAN with a private address range out to the internet in general. It can hide a whole internal network behind a single IP address, and to do this it may use varying ephemeral port numbers on the NAT address to distinguish different traffic streams. This behaviour appears to be not what you are expecting.
>
> Now, you mention 'static NAT' -- that terminology usually refers to a facility to allow connections across a NAT gateway in the reverse direction. pf(4) certainly can do this, but uses a different keyword: 'rdr' (from ReDiRect) -- where people can connect to your public NAT address and have the traffic redirected to a server or servers inside your private address space. Usually this is done for specific network ports, and you can have several different rdr's at once (so e.g. you can send web traffic and e-mail to distinct internal servers.)
>
> (Then there's 'binat' (Bi-directional Network Address Translation), which I mention only for completeness -- this is a symmetric form of NAT between internal and external address blocks. It has the property of never modifying port numbers (which NAT may do, and RDR always does.) binat is relatively uncommon: if you want to handle both incoming and outgoing traffic on a NAT gateway, it is more usual to have both 'nat' and 'rdr' rules in your pf.conf.)
>
> All of these are suitable for relatively simple mappings -- no failover, no server healthchecks, no traffic weighting, no sticky sessions etc. etc. If you need something more sophisticated, then look at the net/relayd port. This can give pf(4) the capabilities of a fully featured load balancer.
>
> Cheers,
>
> Matthew
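As an added example (written for this page, not by either poster), the pf.conf fragment below puts the three keywords Matt describes side by side, using the addresses from this thread. The interface name gbeth2, the 10.3.3.0/24 network and the 20.3.3.10 address come from the thread; the inside host 10.3.3.5 and the TCP ports are assumed purely for illustration. The comments on the nat rule explain why a one-address pool still translates both c1 and c2.

```pf
# Added example, not from the thread. 'gbeth2', 10.3.3.0/24 and 20.3.3.10 are
# taken from the thread; 10.3.3.5 and the port numbers are assumed.
ext_if   = "gbeth2"
lan_net  = "10.3.3.0/24"
nat_addr = "20.3.3.10"
web_srv  = "10.3.3.5"        # assumed inside server

# 1. Outbound NAT (what the original rule does).
# A pool with one address still translates EVERY matching source to that
# address: round-robin and sticky-address only decide WHICH pool address a
# given source gets, they never limit how many sources may share one.
# pf tells the flows apart by rewriting the source port (the ICMP id for
# ping), which is why c1 and c2 both appear as 20.3.3.10 with different
# port numbers in the 'pfctl -ss' output quoted above.
nat on $ext_if from $lan_net to any -> $nat_addr

# To translate only one inside host, narrow the 'from' part instead of
# shrinking the pool; packets from other hosts are then left untranslated
# (and can be blocked by the filter rules below).
# nat on $ext_if from 10.3.3.1 to any -> $nat_addr

# 2. Inbound redirection ('rdr'): connections arriving at the public address
# on port 80 are sent to the inside web server. The port may be rewritten too.
rdr on $ext_if proto tcp from any to $nat_addr port 80 -> $web_srv port 8080

# 3. One-to-one bidirectional mapping ('binat'): symmetric and never rewrites
# ports. Shown commented out because it would overlap the nat rule above.
# binat on $ext_if from $web_srv to any -> $nat_addr

# Filter rules. Translation happens before filtering, so the filter sees the
# translated packet: outbound traffic already carries $nat_addr as its source
# and redirected traffic already carries $web_srv:8080 as its destination.
block in on $ext_if
pass out on $ext_if from $nat_addr keep state
pass in on $ext_if proto tcp from any to $web_srv port 8080 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` (parse only, nothing is loaded) before enabling it, and compare the resulting mappings with `pfctl -ss`, the command whose output format is quoted in the original question.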