From owner-freebsd-net@FreeBSD.ORG Mon Jun 3 17:08:53 2013
From: Joe Moog <joemoog@ebureau.com>
To: Peter Jeremy
Cc: freebsd-net@freebsd.org
Subject: Re: Basic NAT server setup
Date: Mon, 3 Jun 2013 12:08:42 -0500
In-Reply-To: <20130601003730.GE79250@server.rulingia.com>
References: <20130601003730.GE79250@server.rulingia.com>
List-Id: Networking and TCP/IP with FreeBSD

On May 31, 2013, at 7:37 PM, Peter Jeremy wrote:

> On 2013-May-30 17:54:53 -0500, Joe Moog wrote:
>> I'm building a server to handle outbound NAT to the internet using
>> FreeBSD 9.1 and its built-in distribution of pf. What I want to be
>> able to do is NAT three unique internal (private) VLANs to three
>> unique public IPs.
>
>> ext_if = "vlan11"
>> ext_addr1 = "a.b.c.3"
>> ext_addr2 = "a.b.c.4"
>> ext_addr3 = "a.b.c.5"
>> int_network1 = "10.0.1.0/24"
>> int_network2 = "172.16.1.0/24"
>> int_network3 = "192.168.1.0/24"
>> nat on $ext_if from $int_network1 to any -> $ext_addr1
>> nat on $ext_if from $int_network2 to any -> $ext_addr2
>> nat on $ext_if from $int_network3 to any -> $ext_addr3
>
> I don't see anything obviously wrong with what you've done. My initial
> checks would be:
> - Do you have the correct routes on the NAT box?
> - Do you have a.b.c.{3,4,5} set up as aliases on vlan11 (or faked using
>   proxy ARP)?
>
> (My suspicion is the second point - packets are going out successfully
> but the response is undeliverable because nothing is responding to the
> switch's ARP requests for a.b.c.{3,4,5}).
>
> Next would be to use tcpdump to do some snooping:
> - Firstly, make sure the packets are arriving on the NAT box with
>   appropriate src & dst IPs by tcpdump'ing the internal interface(s).
> - Secondly, tcpdump the external interface and see what is going out
>   and returning (tcpdump will see the external addresses).
>
> Finally, add some 'log' keywords and tcpdump pflog0. Unfortunately,
> the stock FreeBSD tcpdump can't handle pflog packets. There are some
> patches in bin/124825 but you will need to do some work to get them
> to apply to the tcpdump in 9.1.
>
> That will hopefully give you some pointers as to where to investigate.
>
> --
> Peter Jeremy

Thanks for the response, Peter.

Your assessment was spot-on. I added an alias to the vlan11 interface
and things seem to be functioning as expected now.

I think I had overlooked the interface alias requirement before because
we had been testing with the "bitmask" option, which placed the entire
a.b.c.0/24 network on the external interface, but when we tried to scale
it back to basic single-IP NAT'ting I neglected to create the individual
unique IP aliases on the interface.

Thank you!

Joe
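The failure in this thread (NAT rules translating to addresses that nothing on the external interface actually answers ARP for) is easy to catch before traffic is sent. The script below is an added example, not part of the thread or of pf itself: it reads a pf.conf, expands the simple `name = "value"` macros, collects the translation address of every `nat on` rule, and checks that each one is configured on the named interface in ifconfig(8) output. Both inputs are constructed samples embedded inline, with documentation addresses 203.0.113.x standing in for the thread's a.b.c.x; the function names (`nat_targets`, `iface_addrs`, `missing_nat_aliases`, `report_missing`) are this example's own, and it only understands the single-address macro form of rule shown in the thread, not tables, address ranges or the `($ext_if)` form. On a real box you would feed it `cat /etc/pf.conf` and `ifconfig` instead of the sample strings.

```shell
#!/bin/sh
# Constructed sample pf.conf, same shape as the rules in the thread
# (documentation addresses in place of a.b.c.x). Single quotes keep the
# pf macros ($ext_if, ...) from being expanded by the shell.
PF_CONF='ext_if = "vlan11"
ext_addr1 = "203.0.113.3"
ext_addr2 = "203.0.113.4"
ext_addr3 = "203.0.113.5"
int_network1 = "10.0.1.0/24"
int_network2 = "172.16.1.0/24"
int_network3 = "192.168.1.0/24"
nat on $ext_if from $int_network1 to any -> $ext_addr1
nat on $ext_if from $int_network2 to any -> $ext_addr2
nat on $ext_if from $int_network3 to any -> $ext_addr3'

# Constructed ifconfig(8) output: the primary /24 address plus two of the
# three aliases. 203.0.113.5 is deliberately missing, reproducing the
# misconfiguration the thread describes.
IFCONFIG_OUT='vlan11: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 203.0.113.2 netmask 0xffffff00 broadcast 203.0.113.255
        inet 203.0.113.3 netmask 0xffffffff broadcast 203.0.113.3
        inet 203.0.113.4 netmask 0xffffffff broadcast 203.0.113.4
        vlan: 11 vlanpcp: 0 parent interface: em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500'

# nat_targets PFCONF
# Prints "<interface> <translation address>" for every "nat on" rule,
# with $macro references resolved from the name = "value" definitions.
nat_targets() {
    printf '%s\n' "$1" | awk '
        /^[A-Za-z_][A-Za-z0-9_]* *= */ {      # macro definition
            name = $0; sub(/ *=.*$/, "", name)
            val = $0; sub(/^[^=]*= */, "", val); gsub(/"/, "", val)
            macro[name] = val
            next
        }
        /^nat on / {                           # translation rule
            iface = $3; tgt = ""
            for (i = 1; i <= NF; i++) if ($i == "->") tgt = $(i + 1)
            sub(/^\$/, "", iface); if (iface in macro) iface = macro[iface]
            sub(/^\$/, "", tgt);   if (tgt in macro)   tgt = macro[tgt]
            if (tgt != "") print iface, tgt
        }'
}

# iface_addrs IFCONFIG_OUTPUT IFACE
# Prints every IPv4 address (primary and aliases) configured on IFACE.
iface_addrs() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[a-z0-9]+:/ { cur = $1; sub(/:$/, "", cur) }   # new interface block
        cur == want && $1 == "inet" { print $2 }'
}

# missing_nat_aliases PFCONF IFCONFIG_OUTPUT
# Prints "<interface> <address>" for each NAT target that the interface
# does not carry; nothing on the wire will answer ARP for those.
missing_nat_aliases() {
    nat_targets "$1" | while read -r iface tgt; do
        if ! iface_addrs "$2" "$iface" | grep -qxF "$tgt"; then
            printf '%s %s\n' "$iface" "$tgt"
        fi
    done
}

# report_missing PFCONF IFCONFIG_OUTPUT
# Human-readable report with the ifconfig(8) alias command and the
# matching /etc/rc.conf line (N is the next free alias index on the box).
report_missing() {
    missing_nat_aliases "$1" "$2" | while read -r iface tgt; do
        echo "MISSING: $tgt is a NAT target but is not configured on $iface"
        echo "  now:     ifconfig $iface inet $tgt netmask 255.255.255.255 alias"
        echo "  persist: ifconfig_${iface}_aliasN=\"inet $tgt netmask 255.255.255.255\"  (in /etc/rc.conf)"
    done
}

report_missing "$PF_CONF" "$IFCONFIG_OUT"
```

The 255.255.255.255 netmask is the usual choice for an alias that lies in the same subnet as the interface's primary address, which is the situation in the thread once the /24 "bitmask" setup is replaced by individual addresses. Peter's other suggested check, proxy ARP, is not covered: an address served by proxy ARP on another host would still be reported as missing here.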