From: Gilberto Villani Brito
To: FreeBSD (PF) <freebsd-pf@freebsd.org>
Date: Mon, 9 Jul 2007 08:58:06 -0300
Subject: Re: Simple NAT question

On 08/07/07, Morgan Reed wrote:
> I've got an issue with a simple NAT with pf.
>
> I've got two machines;
> the first (I will call m1) has 2 ethernet interfaces (I will call them
> m1.0 and m1.1)
> the second (I will call m2) has 1 ethernet interface (I will call it m2.0)
>
> m1.0 faces my LAN, m1.1 and m2.0 are on a separate, isolated segment.
>
> what I need to be able to do is to access the "outside world" from m2
> and be able to get to Ports 80, 443 and 3128 on m2 from my LAN by
> connecting to ports 80, 443 and 3128 on m1 and having traffic
> forwarded appropriately.
>
> m1.0 - 192.168.0.X/24 (DHCP assigned)
> m1.1 - 192.168.1.2/24
> m2.0 - 192.168.1.30/24
>
> /etc/pf.conf
> =========================================================
>
> ext_if="m1.0"
> int_if="m1.1"
>
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
>
> rdr pass on $ext_if proto tcp to port 80 -> 192.168.1.30 port 80
> rdr pass on $ext_if proto tcp to port 443 -> 192.168.1.30 port 443
> rdr pass on $ext_if proto tcp to port 3128 -> 192.168.1.30 port 3128
>
> pass in keep state
> pass out keep state
>
> =========================================================
>
> The current status is as follows;
> * I can ping m1.0 from m2
> * I can't ping any of the other addresses on the 192.168.0.0/24 network from m2
>
> - tcpdump'ing m1.1
> * Connecting to one of the forwarded ports on m1.0 I see nothing
> * Connecting from m2 to a host on the LAN I see the connections going
> out but not coming back
>
> Your assistance is greatly appreciated.
>
> Morgan
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

Hi,

Try using this:

ext_if="m1.0"
int_if="m1.1"

rdr pass on $ext_if proto tcp to port 80 -> 192.168.1.30 port 80
rdr pass on $ext_if proto tcp to port 443 -> 192.168.1.30 port 443
rdr pass on $ext_if proto tcp to port 3128 -> 192.168.1.30 port 3128

nat on $ext_if from !($ext_if) to any -> ($ext_if:0)

pass in keep state
pass out keep state

--
Gilberto Villani Brito
System Administrator
Londrina - PR
Brazil
gilbertovb(a)gmail.com
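As an added example (not code from this thread, and not pf's own parser): a small Python checker that reads a ruleset of the shape exchanged above, expands the macros, and reports what is worth confirming before loading a gateway ruleset with pfctl: that every rdr target really sits on the isolated segment, that the nat rule excludes the gateway's own traffic, and that catch-all pass rules are deliberate. It understands only the old nat/rdr translation syntax used in the mail and only the rule forms that appear there; the first embedded ruleset is the one proposed in the reply, the second is constructed to show the checker reporting problems.

```python
"""Added example: a sanity checker for pf NAT gateway rulesets.

Not pf's parser. It handles only the pre-OpenBSD-4.7 syntax used in the
thread (separate nat and rdr rules) and only these rule shapes: macros,
"rdr [pass] on IF proto P to port N -> HOST port M",
"nat on IF from SRC [to DST] -> TARGET" and "pass in|out ...".
"""
import ipaddress
import re

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')
RDR_RE = re.compile(
    r'^rdr(?:\s+pass)?\s+on\s+(\S+)\s+proto\s+(\w+)\s+to\s+port\s+(\d+)'
    r'\s+->\s+(\S+)\s+port\s+(\d+)\s*$')
NAT_RE = re.compile(
    r'^nat\s+on\s+(\S+)\s+from\s+(\S+)(?:\s+to\s+(\S+))?\s+->\s+(\S+)\s*$')
PASS_RE = re.compile(r'^pass\s+(in|out)\b(.*)$')

# Constructed input: the ruleset proposed in the reply above, verbatim.
LIST_RULESET = """\
ext_if="m1.0"
int_if="m1.1"

rdr pass on $ext_if proto tcp to port 80 -> 192.168.1.30 port 80
rdr pass on $ext_if proto tcp to port 443 -> 192.168.1.30 port 443
rdr pass on $ext_if proto tcp to port 3128 -> 192.168.1.30 port 3128

nat on $ext_if from !($ext_if) to any -> ($ext_if:0)

pass in keep state
pass out keep state
"""

# Constructed input with two mistakes: a redirect to a host that is not on
# the isolated segment, and a nat rule that also rewrites the gateway's own traffic.
BAD_RULESET = """\
ext_if="m1.0"
rdr pass on $ext_if proto tcp to port 80 -> 10.0.0.5 port 80
nat on $ext_if from any -> ($ext_if:0)
pass in keep state
"""


def expand_macros(line, macros):
    """Replace $name with its macro value; unknown macros are left untouched."""
    return re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), line)


def parse_pf_conf(text):
    """Return (macros, rules); each rule is a dict with at least 'kind' and 'raw'."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        line = expand_macros(line, macros)
        m = RDR_RE.match(line)
        if m:
            rules.append({'kind': 'rdr', 'on': m.group(1), 'proto': m.group(2),
                          'port': int(m.group(3)), 'target': m.group(4),
                          'target_port': int(m.group(5)), 'raw': line})
            continue
        m = NAT_RE.match(line)
        if m:
            rules.append({'kind': 'nat', 'on': m.group(1), 'from': m.group(2),
                          'to': m.group(3) or 'any', 'target': m.group(4), 'raw': line})
            continue
        m = PASS_RE.match(line)
        if m:
            rules.append({'kind': 'pass', 'dir': m.group(1),
                          'keep_state': 'keep state' in m.group(2), 'raw': line})
            continue
        rules.append({'kind': 'unknown', 'raw': line})
    return macros, rules


def check_ruleset(rules, internal_net, ext_if):
    """Return (severity, message) findings. internal_net is the isolated
    segment behind the gateway (192.168.1.0/24 in the mail); ext_if is the
    LAN-facing interface (m1.0)."""
    net = ipaddress.ip_network(internal_net)
    findings = []
    for r in rules:
        if r['kind'] == 'rdr':
            if r['on'] != ext_if:
                findings.append(('warn', f"rdr is not on the external interface: {r['raw']}"))
            if ipaddress.ip_address(r['target']) not in net:
                findings.append(('error', f"rdr target is outside {net}: {r['raw']}"))
        elif r['kind'] == 'nat':
            if r['on'] != ext_if:
                findings.append(('warn', f"nat is not on the external interface: {r['raw']}"))
            if not r['from'].startswith('!'):
                findings.append(('warn', f"nat also rewrites the gateway's own traffic: {r['raw']}"))
        elif r['kind'] == 'pass' and r['raw'] in ('pass in keep state', 'pass out keep state'):
            # rdr pass already admits the forwarded ports; a real gateway would
            # scope these catch-alls to interfaces and ports.
            findings.append(('info', f"catch-all rule on every interface: {r['raw']}"))
        elif r['kind'] == 'unknown':
            findings.append(('warn', f"line not understood by this checker: {r['raw']}"))
    if not any(r['kind'] == 'nat' for r in rules):
        findings.append(('error', 'no nat rule: hosts on the internal segment cannot reach out'))
    return findings


if __name__ == '__main__':
    for name, text in (('list ruleset', LIST_RULESET), ('bad ruleset', BAD_RULESET)):
        _, rules = parse_pf_conf(text)
        print(name)
        for sev, msg in check_ruleset(rules, '192.168.1.0/24', 'm1.0'):
            print(f"  [{sev}] {msg}")
```

Run against the reply's ruleset it reports only the two catch-all pass rules as informational; against the constructed bad ruleset it flags the off-segment rdr target as an error and the unrestricted nat source as a warning. It says nothing about IP forwarding or routing on m2, which this file cannot see and which pfctl's own `-n` parse check does not cover either.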