Date: Thu, 30 May 2013 17:54:53 -0500
From: Joe Moog <joemoog@ebureau.com>
To: freebsd-net@freebsd.org
Subject: Basic NAT server setup
Message-ID: <E27B916A-4825-4352-B92A-08072BDEFB70@ebureau.com>
I'm building a server to handle outbound NAT to the internet using FreeBSD 9.1 and its built-in distribution of pf. What I want to be able to do is NAT three unique internal (private) VLANs to three unique public IPs. Our current setup utilizes a single external IP address for all three internal networks and seems to work well when our internal hosts use the BSD box as their gateway. pf.conf is as follows:

    ext_if = "vlan11"
    ext_addr = "a.b.c.2"
    int_network1 = "10.0.1.0/24"
    int_network2 = "172.16.1.0/24"
    int_network3 = "192.168.1.0/24"

    nat on $ext_if from $int_network1 to any -> $ext_addr
    nat on $ext_if from $int_network2 to any -> $ext_addr
    nat on $ext_if from $int_network3 to any -> $ext_addr

However, when we introduce two additional external IPs the system fails to establish external connections. pf.conf again:

    ext_if = "vlan11"
    ext_addr1 = "a.b.c.3"
    ext_addr2 = "a.b.c.4"
    ext_addr3 = "a.b.c.5"
    int_network1 = "10.0.1.0/24"
    int_network2 = "172.16.1.0/24"
    int_network3 = "192.168.1.0/24"

    nat on $ext_if from $int_network1 to any -> $ext_addr1
    nat on $ext_if from $int_network2 to any -> $ext_addr2
    nat on $ext_if from $int_network3 to any -> $ext_addr3

On our border router we have a route to send all traffic belonging to the a.b.c.0/24 network to the public side of the NAT host, and as mentioned before, single-IP NAT works fine. "pfctl -s nat" indicates that the host knows how to translate the connections, but the connections somehow do not succeed. We are not leveraging the packet filtering capabilities of pf at this time -- all we need the host to do right now is NAT.

I might also note that on the host we have a dot1q trunk carrying our three internal VLANs to the host, and we are routing all private traffic through another dedicated private VLAN. Default gateway on the NAT host is the router address for its public-facing IP.

I realize some of this may be more specific to pf, but since there are (obviously) many moving parts here I thought it best to start with the freebsd-net list and see if I can get some direction.

Thank you
Joe
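The setup Joe describes, carried through as an added example (this is not code from Joe's post nor from the pf or FreeBSD projects). It generates a pf.conf of the same shape as his second one, one nat rule per private network to its own public address, emits the rc.conf lines that put those public addresses on the external interface, and checks an ifconfig listing for any translation target the interface does not carry. That last check is the one a practitioner wants before reading pfctl output: pf will rewrite the source to a.b.c.3, but the host only answers ARP for addresses it owns, so replies to a.b.c.3 can only reach it if the interface carries that address or the upstream routes the whole block at it. Assumptions made here and not in the post: 203.0.113.0/24 (TEST-NET-3) stands in for a.b.c.0/24, the VLAN parent is em0, the rc.conf lines follow the FreeBSD 9.x cloned_interfaces/alias convention, and the two ifconfig listings are constructed sample text.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a pf.conf of the
# kind in the thread (three private networks, each translated to its own
# public address), the rc.conf aliases that give the host those addresses,
# and a check of an ifconfig listing for translation targets the interface
# lacks. Assumptions: 203.0.113.0/24 (TEST-NET-3) stands in for the poster's
# a.b.c.0/24, the dot1q parent is em0, and the rc.conf lines follow the
# FreeBSD 9.x cloned_interfaces / ifconfig_<if>_aliasN convention.

EXT_IF="vlan11"
EXT_PARENT="em0"            # assumed parent of the public VLAN
EXT_PRIMARY="203.0.113.2"   # address already configured on $EXT_IF

# internal network -> public address pf should translate it to
NAT_MAP="10.0.1.0/24:203.0.113.3
172.16.1.0/24:203.0.113.4
192.168.1.0/24:203.0.113.5"

# Public addresses used as translation targets, derived from NAT_MAP.
nat_targets() {
    printf '%s\n' "$NAT_MAP" | cut -d: -f2 | tr '\n' ' ' | sed 's/ $//'
}

# Emit a pf.conf for FreeBSD 9.1's pf (pre-OpenBSD-4.7 syntax): nat rules
# live in their own section, so translation alone needs no pass rules.
gen_pf_conf() {
    printf 'ext_if = "%s"\n\n' "$EXT_IF"
    printf '%s\n' "$NAT_MAP" | while IFS=: read -r net addr; do
        printf 'nat on $ext_if from %s to any -> %s\n' "$net" "$addr"
    done
}

# Emit rc.conf lines that put the translation targets on the interface as
# aliases in the primary's subnet (hence netmask 255.255.255.255).
gen_rc_conf() {
    printf 'cloned_interfaces="%s"\n' "$EXT_IF"
    printf 'ifconfig_%s="inet %s netmask 255.255.255.0 vlan 11 vlandev %s"\n' \
        "$EXT_IF" "$EXT_PRIMARY" "$EXT_PARENT"
    i=0
    for addr in $(nat_targets); do
        printf 'ifconfig_%s_alias%d="inet %s netmask 255.255.255.255"\n' \
            "$EXT_IF" "$i" "$addr"
        i=$((i + 1))
    done
}

# Given the text of `ifconfig $EXT_IF`, print the translation targets the
# interface does NOT carry. A host answers ARP only for addresses it owns,
# so on a shared upstream subnet an empty result is the first thing to
# confirm before looking at pf state.
missing_targets() {
    ifc="$1"
    missing=""
    for addr in $(nat_targets); do
        if ! printf '%s\n' "$ifc" | grep -qF "inet $addr "; then
            missing="${missing}${missing:+ }${addr}"
        fi
    done
    printf '%s\n' "$missing"
}

# Constructed ifconfig output: the interface with only its primary address,
# as the thread's first (single-IP) pf.conf would use it.
SAMPLE_BEFORE='vlan11: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:11:22:33:44:55
        inet 203.0.113.2 netmask 0xffffff00 broadcast 203.0.113.255
        vlan: 11 parent interface: em0'

# Constructed ifconfig output after the aliases from gen_rc_conf are up.
SAMPLE_AFTER="$SAMPLE_BEFORE
        inet 203.0.113.3 netmask 0xffffffff broadcast 203.0.113.3
        inet 203.0.113.4 netmask 0xffffffff broadcast 203.0.113.4
        inet 203.0.113.5 netmask 0xffffffff broadcast 203.0.113.5"

# Commands to run on the NAT host itself (not executed here): syntax-check
# the rules, confirm the interface owns the targets, then watch a translated
# connection's state and the replies on the wire.
live_checks() {
    pfctl -nf /etc/pf.conf
    missing_targets "$(ifconfig "$EXT_IF")"
    pfctl -s nat
    pfctl -s state
    tcpdump -ni "$EXT_IF" host "$(printf '%s\n' "$NAT_MAP" | head -n 1 | cut -d: -f2)"
}

gen_pf_conf
gen_rc_conf
echo "missing before aliases: $(missing_targets "$SAMPLE_BEFORE")"
echo "missing after aliases:  $(missing_targets "$SAMPLE_AFTER")"
```

Run as-is to see the generated pf.conf and rc.conf lines plus the two sample checks; on the NAT host, call live_checks to run the real pfctl, ifconfig and tcpdump steps. If `pfctl -s state` shows the translated state but tcpdump on the external VLAN never shows reply packets addressed to the alias, the problem is on the upstream side (who delivers traffic for that address), not in the nat rule.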