Date: Sat, 1 Jun 2013 10:37:30 +1000
From: Peter Jeremy <peter@rulingia.com>
To: Joe Moog <joemoog@ebureau.com>
Cc: freebsd-net@freebsd.org
Subject: Re: Basic NAT server setup
Message-ID: <20130601003730.GE79250@server.rulingia.com>
In-Reply-To: <E27B916A-4825-4352-B92A-08072BDEFB70@ebureau.com>
References: <E27B916A-4825-4352-B92A-08072BDEFB70@ebureau.com>
On 2013-May-30 17:54:53 -0500, Joe Moog <joemoog@ebureau.com> wrote:
>I'm building a server to handle outbound NAT to the internet using
>FreeBSD 9.1 and its built-in distribution of pf. What I want to be
>able to do is NAT three unique internal (private) VLANs to three
>unique public IPs.
>ext_if = "vlan11"
>ext_addr1 = "a.b.c.3"
>ext_addr2 = "a.b.c.4"
>ext_addr3 = "a.b.c.5"
>int_network1 = "10.0.1.0/24"
>int_network2 = "172.16.1.0/24"
>int_network3 = "192.168.1.0/24"
>nat on $ext_if from $int_network1 to any -> $ext_addr1
>nat on $ext_if from $int_network2 to any -> $ext_addr2
>nat on $ext_if from $int_network3 to any -> $ext_addr3

I don't see anything obviously wrong with what you've done. My initial
checks would be:
- Do you have the correct routes on the NAT box.
- Do you have a.b.c.{3,4,5} set up as aliases on vlan11 (or faked using
  proxy ARP).
(My suspicion is the second point - packets are going out successfully
but the response is undeliverable because nothing is responding to the
switch's ARP requests for a.b.c.{3,4,5}).

Next would be to use tcpdump to do some snooping:
- Firstly, make sure the packets are arriving on the NAT box with
  appropriate src & dst IPs by tcpdump'ing the internal interface(s).
- Secondly, tcpdump the external interface and see what is going out and
  returning (tcpdump will see the external addresses)
Finally, add some 'log' keywords and tcpdump pflog0. Unfortunately, the
stock FreeBSD tcpdump can't handle pflog packets. There are some patches
in bin/124825 but you will need to do some work to get them to apply to
the tcpdump in 9.1.

That will hopefully give you some pointers as to where to investigate.
-- 
Peter Jeremy
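A way to make the second tcpdump step above mechanical, added here as an example and not part of the original thread: it reads `tcpdump -n` style lines from the external interface and reports private sources that left untranslated (a NAT rule not matching) and outbound flows that never saw a reply (the symptom Peter suspects when nothing answers ARP for the aliases). The public addresses are constructed RFC 5737 stand-ins for a.b.c.{3,4,5}, and the capture lines are constructed, not from the list.

```python
import ipaddress
import re

# Mapping taken from the pf.conf in the original post; the public addresses are
# constructed stand-ins (203.0.113.x) for the anonymised a.b.c.{3,4,5}.
NAT_MAP = {
    ipaddress.ip_network("10.0.1.0/24"): ipaddress.ip_address("203.0.113.3"),
    ipaddress.ip_network("172.16.1.0/24"): ipaddress.ip_address("203.0.113.4"),
    ipaddress.ip_network("192.168.1.0/24"): ipaddress.ip_address("203.0.113.5"),
}
PUBLIC = set(NAT_MAP.values())

# Matches the "IP src.port > dst.port:" fragment of a tcpdump -n line.
PKT = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+:")


def check_external_capture(lines):
    """Classify packets captured on the external (vlan11) interface.

    Returns (untranslated, unanswered): capture lines whose source is still an
    internal private address, and outbound (src, dst) pairs for which no packet
    ever came back from dst to src."""
    outbound, inbound, untranslated = set(), set(), []
    for line in lines:
        m = PKT.search(line)
        if not m:
            continue
        src, dst = map(ipaddress.ip_address, m.groups())
        if src in PUBLIC:
            outbound.add((src, dst))
        elif dst in PUBLIC:
            inbound.add((dst, src))  # store as (our address, remote) for matching
        elif any(src in net for net in NAT_MAP):
            untranslated.append(line.strip())  # private address leaked out unchanged
    return untranslated, sorted(outbound - inbound, key=str)


# Constructed capture: 10.0.1.x translated and answered; 172.16.1.x translated but
# retransmitting with no reply (missing alias / ARP); 192.168.1.x not translated.
SAMPLE = """\
00:01.000 IP 203.0.113.3.40001 > 198.51.100.10.80: Flags [S], seq 1
00:01.020 IP 198.51.100.10.80 > 203.0.113.3.40001: Flags [S.], seq 2, ack 2
00:02.000 IP 203.0.113.4.40002 > 198.51.100.10.80: Flags [S], seq 3
00:03.000 IP 203.0.113.4.40002 > 198.51.100.10.80: Flags [S], seq 3
00:04.000 IP 192.168.1.7.40003 > 198.51.100.10.80: Flags [S], seq 4
"""

if __name__ == "__main__":
    leaked, silent = check_external_capture(SAMPLE.splitlines())
    print("untranslated:", leaked)
    print("no reply seen:", [(str(s), str(d)) for s, d in silent])
```

On a live box, feed it `tcpdump -n -i vlan11 -l` output instead of `SAMPLE`; a flow listed under "no reply seen" for every connection from one internal network points at that network's alias rather than at the nat rule.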