Date:      Fri, 18 Apr 2008 00:59:14 +0100
From:      "Jay L. T. Cornwall" <jay@jcornwall.me.uk>
To:        freebsd-pf@freebsd.org
Subject:   PF + if_bridge + NAT anomaly
Message-ID:  <4807E452.4090304@jcornwall.me.uk>

Hi,

I have a bridging FreeBSD machine configured as follows:

LAN <---> vr0 ---bridge0--- vr1 <--> WAN

With the following PF ruleset:

int_if = "vr0"
ext_if = "vr1"
bridge_if = "bridge0"
nat_from_ips = "192.168.1.0/24"
nat_to_ip = "<private>"

set skip on lo0
scrub in all
nat on $ext_if from $nat_from_ips to any -> $nat_to_ip
block in all
#block out all *commented out*
antispoof quick for { lo0 }

pass in quick on $int_if
pass out quick on $int_if
pass in quick on $bridge_if
#pass out quick on $bridge_if *commented out*
pass out quick on $ext_if

This configuration works correctly. Machines on the LAN with private IPs
are NAT'd to a public IP and others with their own public IPs are routed
correctly.

However, note that I have commented out the 'block out all' rule.
Commenting this and the later 'pass out quick on $ext_if' back in works
correctly for LAN machines with public IPs. However, doing this disables
NAT.

Even without 'block out all', the simple presence of:
  pass out quick on $bridge_if

causes NAT to stop. tcpdump on vr1 shows that packets with private IPs
are passing to the WAN (and being filtered upstream). What is causing
NAT to stop functioning by the presence of a loose rule? Does the
default 'pass all' have additional flags necessary for NAT to function
correctly?

Thanks,

-- 
Jay L. T. Cornwall
http://www.jcornwall.me.uk/
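The following pf.conf fragment is an editorial example added here; it is not the ruleset from Jay's message, although the macros mirror it. It places the rule that stops NAT beside two rule forms that keep NAT working, and the comments explain the mechanism in terms of PF's documented state handling: states are floating by default, so a state created by `pass out quick on $bridge_if` (bridge0 is filtered before the member interface on the outbound path of if_bridge) is matched again when the same packet is filtered out on vr1, and translation is only applied when a packet reaches `nat on $ext_if` without an existing state. The `keep state (if-bound)` option and `set state-policy if-bound` are standard pf.conf syntax; the address 203.0.113.10 is a constructed placeholder for the real NAT address, and the pfil_bridge/pfil_member hook order should be confirmed with `sysctl net.link.bridge` on the host in question.

```pf
# Editorial example, not the ruleset posted in the message.
# 203.0.113.10 is a constructed placeholder for the real public NAT address.
int_if       = "vr0"
ext_if       = "vr1"
bridge_if    = "bridge0"
nat_from_ips = "192.168.1.0/24"
nat_to_ip    = "203.0.113.10"

set skip on lo0
scrub in all

# Translation is applied only when a packet is filtered out on vr1 and no
# existing state matches it; a packet that already matches a state is
# passed according to that state and the nat rule is never consulted.
nat on $ext_if from $nat_from_ips to any -> $nat_to_ip

block in all
block out all
antispoof quick for { lo0 }

pass in quick on $int_if
pass out quick on $int_if
pass in quick on $bridge_if

# --- Problem rule (as in the message) --------------------------------
# On the outbound path if_bridge runs pf on bridge0 before the member
# interface, so this rule creates a floating "out" state for
# 192.168.1.x -> WAN.  When the same packet is then filtered out on vr1
# it matches that state, the nat rule is skipped, and the private source
# address leaks to the WAN exactly as seen in the tcpdump on vr1.
#pass out quick on $bridge_if

# --- Option A: bind the bridge0 state to bridge0 only ----------------
# An if-bound state is only consulted on the interface that created it,
# so the packet arrives at vr1 with no matching state, the nat rule is
# evaluated, and the 'pass out quick on $ext_if' rule below creates the
# translated state.
pass out quick on $bridge_if keep state (if-bound)

# --- Option C: make every state if-bound and keep the original rule --
# Global alternative to Option A; use one or the other, not both.
#set state-policy if-bound
#pass out quick on $bridge_if

pass out quick on $ext_if
```

Either option keeps `block out all` in force: bridge0 still needs an explicit pass rule, but that rule no longer produces a state that vr1 can reuse, so NAT is decided on vr1 as intended.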
