Date: Fri, 18 Apr 2008 00:59:14 +0100
From: "Jay L. T. Cornwall" <jay@jcornwall.me.uk>
To: freebsd-pf@freebsd.org
Subject: PF + if_bridge + NAT anomaly
Message-ID: <4807E452.4090304@jcornwall.me.uk>
Hi,

I have a bridging FreeBSD machine configured as follows:

    LAN <---> vr0 ---bridge0--- vr1 <--> WAN

With the following PF ruleset:

    int_if = "vr0"
    ext_if = "vr1"
    bridge_if = "bridge0"
    nat_from_ips = "192.168.1.0/24"
    nat_to_ip = "<private>"

    set skip on lo0
    scrub in all

    nat on $ext_if from $nat_from_ips to any -> $nat_to_ip

    block in all
    #block out all                  *commented out*

    antispoof quick for { lo0 }

    pass in quick on $int_if
    pass out quick on $int_if
    pass in quick on $bridge_if
    #pass out quick on $bridge_if   *commented out*
    pass out quick on $ext_if

This configuration works correctly. Machines on the LAN with private IPs are NAT'd to a public IP, and others with their own public IPs are routed correctly.

However, note that I have commented out the 'block out all' rule. Commenting this and the later 'pass out quick on $ext_if' back in works correctly for LAN machines with public IPs. However, doing this disables NAT.

Even without 'block out all', the simple presence of:

    pass out quick on $bridge_if

causes NAT to stop. tcpdump on vr1 shows that packets with private IPs are passing to the WAN (and being filtered upstream).

What is causing NAT to stop functioning by the presence of a loose rule? Does the default 'pass all' have additional flags necessary for NAT to function correctly?

Thanks,

-- 
Jay L. T. Cornwall
http://www.jcornwall.me.uk/
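The symptom described in the post (private source addresses visible on the WAN-side member interface) can be checked mechanically rather than by eyeballing tcpdump. The script below is an added example, not part of the original message or of FreeBSD; it filters `tcpdump -n` style lines for sources in the RFC 1918 ranges (10/8, 172.16/12, 192.168/16), which generalizes the poster's single 192.168.1.0/24 case. The capture lines are constructed sample input, and the interface name vr1 is assumed from the post.

```shell
# Added example: flag packets leaving the WAN-side interface whose source is an
# RFC 1918 address, i.e. traffic that should have been translated by the
# "nat on $ext_if" rule but was not.  Input is tcpdump -n line format.

# Constructed sample of "tcpdump -ni vr1" output (documentation and private ranges only,
# not a real capture).
SAMPLE_CAPTURE='12:00:01.000001 IP 192.168.1.10.51234 > 203.0.113.5.80: Flags [S], seq 1, win 65535, length 0
12:00:01.000002 IP 198.51.100.7.51235 > 203.0.113.5.80: Flags [S], seq 2, win 65535, length 0
12:00:01.000003 IP 10.0.0.3.53 > 203.0.113.5.53: UDP, length 40
12:00:01.000004 IP 172.16.5.9.443 > 203.0.113.5.40000: Flags [.], ack 1, win 1000, length 0
12:00:01.000005 IP 172.32.0.1.443 > 203.0.113.5.40001: Flags [.], ack 1, win 1000, length 0'

# Pass through only lines whose source address (the field before " > ") is in
# 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16.  The trailing "\.[0-9]+" is the port.
untranslated_sources() {
    grep -E '^[0-9:.]+ IP (10\.[0-9]+\.[0-9]+\.[0-9]+|172\.(1[6-9]|2[0-9]|3[01])\.[0-9]+\.[0-9]+|192\.168\.[0-9]+\.[0-9]+)\.[0-9]+ > '
}

# Count such lines in a capture passed as a string.  A non-zero count on the
# WAN-facing interface means the NAT rule is not taking effect for that traffic.
count_untranslated() {
    printf '%s\n' "$1" | untranslated_sources | wc -l | tr -d ' '
}

# On a live system (assumption: vr1 is the WAN-facing bridge member as in the post):
#   tcpdump -nli vr1 -c 200 | untranslated_sources
count_untranslated "$SAMPLE_CAPTURE"   # 3 for the constructed sample above
```

When pf runs on an if_bridge(4) host, `sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge` shows whether the same packet is presented to pf on the member interfaces, on bridge0, or on both; comparing the count above with the state table (`pfctl -ss`) tells you on which interface the state that carries the packet was created.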