Date: Mon, 3 Jun 2013 12:08:42 -0500
From: Joe Moog <joemoog@ebureau.com>
To: Peter Jeremy <peter@rulingia.com>
Cc: freebsd-net@freebsd.org
Subject: Re: Basic NAT server setup
Message-ID: <C7AA8B0B-092E-4A21-98F4-D6053FDA4B03@ebureau.com>
In-Reply-To: <20130601003730.GE79250@server.rulingia.com>
References: <E27B916A-4825-4352-B92A-08072BDEFB70@ebureau.com> <20130601003730.GE79250@server.rulingia.com>
On May 31, 2013, at 7:37 PM, Peter Jeremy <peter@rulingia.com> wrote:

> On 2013-May-30 17:54:53 -0500, Joe Moog <joemoog@ebureau.com> wrote:
>> I'm building a server to handle outbound NAT to the internet using
>> FreeBSD 9.1 and its built-in distribution of pf. What I want to be
>> able to do is NAT three unique internal (private) VLANs to three
>> unique public IPs.
>
>> ext_if = "vlan11"
>> ext_addr1 = "a.b.c.3"
>> ext_addr2 = "a.b.c.4"
>> ext_addr3 = "a.b.c.5"
>> int_network1 = "10.0.1.0/24"
>> int_network2 = "172.16.1.0/24"
>> int_network3 = "192.168.1.0/24"
>> nat on $ext_if from $int_network1 to any -> $ext_addr1
>> nat on $ext_if from $int_network2 to any -> $ext_addr2
>> nat on $ext_if from $int_network3 to any -> $ext_addr3
>
> I don't see anything obviously wrong with what you've done. My initial
> checks would be:
> - Do you have the correct routes on the NAT box.
> - Do you have a.b.c.{3,4,5} set up as aliases on vlan11 (or faked using
> proxy ARP).
>
> (My suspicion is the second point - packets are going out successfully
> but the response is undeliverable because nothing is responding to the
> switch's ARP requests for a.b.c.{3,4,5}).
>
> Next would be to use tcpdump to do some snooping:
> - Firstly, make sure the packets are arriving on the NAT box with
> appropriate src & dst IPs by tcpdump'ing the internal interface(s).
> - Secondly, tcpdump the external interface and see what is going out
> and returning (tcpdump will see the external addresses)
>
> Finally, add some 'log' keywords and tcpdump pflog0. Unfortunately,
> the stock FreeBSD tcpdump can't handle pflog packets. There are some
> patches in bin/124825 but you will need to do some work to get them
> to apply to the tcpdump in 9.1.
>
> That will hopefully give you some pointers as to where to investigate.
>
> --
> Peter Jeremy

Thanks for the response Peter. Your assessment was spot-on.

I added an alias to the vlan11 interface and things seem to be functioning as expected now. I think I had overlooked the interface alias requirement before because we had been testing with the "bitmask" option which placed the entire a.b.c.0/24 network on the external interface, but when we tried to scale it back to basic single-IP NAT'ting I neglected to create the individual unique IP aliases on the interface.

Thank you!

Joe
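The failure mode in this thread (a pf nat rule translating to an address that is not actually configured on the external interface, so nothing answers the upstream switch's ARP for it) can be caught before traffic is sent. The script below is an added example, not code from either poster: it pulls the translation address out of every `nat ... -> $macro` rule in a pf.conf fragment, resolves the macros, lists the `inet` addresses that `ifconfig` reports on the external interface, and prints any translation address that has no matching alias. The pf.conf text and the ifconfig output are constructed stand-ins (203.0.113.x in place of the thread's a.b.c.x, with the third alias deliberately left out); on a live box you would feed it `$(cat /etc/pf.conf)` and `$(ifconfig)` instead.

```shell
#!/bin/sh
# Added example (not from the thread): verify that every pf NAT
# translation address exists as an alias on the external interface.

# Constructed pf.conf fragment mirroring the thread's rules;
# 203.0.113.x (TEST-NET-3) stands in for the real a.b.c.x addresses.
PF_CONF='ext_if = "vlan11"
ext_addr1 = "203.0.113.3"
ext_addr2 = "203.0.113.4"
ext_addr3 = "203.0.113.5"
int_network1 = "10.0.1.0/24"
int_network2 = "172.16.1.0/24"
int_network3 = "192.168.1.0/24"
nat on $ext_if from $int_network1 to any -> $ext_addr1
nat on $ext_if from $int_network2 to any -> $ext_addr2
nat on $ext_if from $int_network3 to any -> $ext_addr3'

# Constructed FreeBSD-style ifconfig output: the primary address plus
# two /32 aliases are present, the third NAT address is missing.
IFCONFIG_OUT='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:00:00:00:01
        inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255
vlan11: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:00:00:00:01
        inet 203.0.113.2 netmask 0xffffff00 broadcast 203.0.113.255
        inet 203.0.113.3 netmask 0xffffffff broadcast 203.0.113.3
        inet 203.0.113.4 netmask 0xffffffff broadcast 203.0.113.4
        vlan: 11 vlanpcp: 0 parent interface: em0'

# nat_targets PFCONF_TEXT
# Print the translation address of each "nat ... -> target" rule, one
# per line, resolving macros defined earlier as  name = "value".
nat_targets() {
    printf '%s\n' "$1" | awk '
        /^[A-Za-z_][A-Za-z0-9_]* *= *"[^"]*"/ {
            name = $0; sub(/ *=.*/, "", name)
            val = $0; sub(/^[^"]*"/, "", val); sub(/".*$/, "", val)
            macro[name] = val; next
        }
        /^nat / && /->/ {
            t = $0; sub(/.*-> */, "", t); sub(/[ \t].*$/, "", t)
            if (substr(t, 1, 1) == "$") t = macro[substr(t, 2)]
            print t
        }'
}

# iface_addrs IFNAME IFCONFIG_TEXT
# Print every IPv4 address configured on IFNAME, one per line.
iface_addrs() {
    printf '%s\n' "$2" | awk -v ifn="$1" '
        /^[A-Za-z0-9]+:/ { cur = $1; sub(/:$/, "", cur) }
        cur == ifn && $1 == "inet" { print $2 }'
}

# missing_aliases IFNAME PFCONF_TEXT IFCONFIG_TEXT
# Print each NAT translation address that is not an alias on IFNAME.
missing_aliases() {
    have=$(iface_addrs "$1" "$3")
    for a in $(nat_targets "$2"); do
        found=0
        for h in $have; do
            [ "$h" = "$a" ] && found=1
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$a"
    done
    return 0
}

# Usage: report what would fail exactly as in the thread.
for m in $(missing_aliases vlan11 "$PF_CONF" "$IFCONFIG_OUT"); do
    echo "NAT address $m has no alias on vlan11;" \
         "upstream ARP for it will go unanswered"
    echo "  fix: ifconfig vlan11 inet $m netmask 255.255.255.255 alias"
done
```

The `ifconfig ... alias` line echoed in the report is the standard FreeBSD way to add a single-address alias, which is the fix Joe describes; adding it to `ifconfig_vlan11_alias0` style entries in rc.conf makes it survive a reboot. If the check passes but traffic still fails, Peter's next step (tcpdump on the internal and external interfaces) is the right one, since an address that is present but unrouted looks identical from pf's point of view.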