Date: Mon, 3 Jun 2013 12:08:42 -0500 From: Joe Moog <joemoog@ebureau.com> To: Peter Jeremy <peter@rulingia.com> Cc: freebsd-net@freebsd.org Subject: Re: Basic NAT server setup Message-ID: <C7AA8B0B-092E-4A21-98F4-D6053FDA4B03@ebureau.com> In-Reply-To: <20130601003730.GE79250@server.rulingia.com> References: <E27B916A-4825-4352-B92A-08072BDEFB70@ebureau.com> <20130601003730.GE79250@server.rulingia.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On May 31, 2013, at 7:37 PM, Peter Jeremy <peter@rulingia.com> wrote:
> On 2013-May-30 17:54:53 -0500, Joe Moog <joemoog@ebureau.com> wrote:
>> I'm building a server to handle outbound NAT to the internet using
>> FreeBSD 9.1 and its built-in distribution of pf. What I want to be
>> able to do is NAT three unique internal (private) VLANs to three
>> unique public IPs.
>=20
>> ext_if =3D "vlan11"
>> ext_addr1 =3D "a.b.c.3"
>> ext_addr2 =3D "a.b.c.4"
>> ext_addr3 =3D "a.b.c.5"
>> int_network1 =3D "10.0.1.0/24"
>> int_network2 =3D "172.16.1.0/24"=20
>> int_network3 =3D "192.168.1.0/24"
>> nat on $ext_if from $int_network1 to any -> $ext_addr1
>> nat on $ext_if from $int_network2 to any -> $ext_addr2
>> nat on $ext_if from $int_network3 to any -> $ext_addr3
>=20
> I don't see anything obviously wrong with what you've done. My =
initial
> checks would be:
> - Do you have the correct routes on the NAT box.
> - Do you have a.b.c.{3,4,5} setup as aliases on vlan11 (or faked using
> proxy ARP).
>=20
> (My suspicion is the second point - packets are going out successfully
> but the response is undeliverable because nothing is responding to the
> switch's ARP requests for a.b.c.{3,4,5}).
>=20
> Next would be to use tcpdump to do some snooping:
> - Firstly, make sure the packets are are arriving on the NAT box with
> appropriate src & dst IPs by tcpdump'ing the internal interface(s).
> - Secondly, tcpdump the external interface and see what is going out
> and returning (tcpdump will see the external addresses)
>=20
> Finally, add some 'log' keywords and tcpdump pflog0. Unfortunately,
> the stock FreeBSD tcpdump can't handle pflog packets. There are some
> patches in bin/124825 but you will need to do some work to get them
> to apply to the tcpdump in 9.1.
>=20
> That will hopefully give you some pointers as to where to investigate.
>=20
> --=20
> Peter Jeremy
Thanks for the response Peter.=20
Your assessment was spot-on. I added an alias to the vlan11 interface =
and things seem to be functioning as expected now. I think I had =
overlooked the interface alias requirement before because we had been =
testing with the "bitmask" option which placed the entire a.b.c.0/24 =
network on the external interface, but when we tried to scale it back to =
basic single-IP NAT'ting I neglected to create the individual unique IP =
aliases on the interface.
Thank you!
Joe
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?C7AA8B0B-092E-4A21-98F4-D6053FDA4B03>