On 2018-03-12 15:32, Ultima wrote:
Please provide netstat -nr. If you have more in pf.conf, please provide this too.

Thanks for the suggestion, it made me think again.

I recreated the setup with different network settings for easier testing:
 - em0 instead of sis0
 - 192.168.178.181/24 instead of 192.168.1.10/24
 - gateway 192.168.178.1 instead of 192.168.1.1


root@vbsd11:~ # uname -a
FreeBSD vbsd11.vanderzwet.net 11.0-RELEASE-p9 FreeBSD 11.0-RELEASE-p9 #0: Tue Apr 11 08:42:58 UTC 2017 r...@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386


root@vbsd11:~ # netstat -nr -f inet
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.178.1      UGS         em0
127.0.0.1          link#2             UH          lo0
172.16.0.0/24      link#1             U           em0
172.16.0.1         link#1             UHS         lo0
192.168.178.0/24   link#1             U           em0
192.168.178.181    link#1             UHS         lo0


root@vbsd11:~ # cat /etc/pf.conf
nat on em0 inet from 172.16.0.0/24 to !172.16.0.0/24 -> 192.168.178.181


root@vbsd11:~ # cat /etc/rc.conf
hostname="vbsd11.vanderzwet.net"
sshd_enable="YES"
ntpd_enable="YES"

ifconfig_em0="192.168.178.181/24"
ifconfig_em0_alias0="172.16.0.1/24"

defaultrouter="192.168.178.1"
gateway_enable="YES"

pf_enable="YES"
pf_rules="/etc/pf.conf"


Looking at tcpdump on the router I now see packets being translated:
root@vbsd11:~ # tcpdump -ni em0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes
00:11:25.758323 IP 172.16.0.10 > 192.168.178.1: ICMP echo request, id 6976, seq 96, length 64
00:11:25.758435 IP 192.168.178.181 > 192.168.178.1: ICMP echo request, id 57418, seq 96, length 64
00:11:25.758880 IP 192.168.178.1 > 192.168.178.181: ICMP echo reply, id 57418, seq 96, length 64
00:11:25.758950 IP 192.168.178.1 > 172.16.0.10: ICMP echo reply, id 6976, seq 96, length 64


Looking at it in hindsight, the simplified example was in fact working; the problem was caused by blocking firewall rules further down the script.

Best regards,
-Rick
_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
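
Added example, not part of the original message: a small Python check that traces each ICMP echo from the inside network through the capture above and reports where it stops (not translated, no reply from the target, or reply not passed back to the client). The function names and the `stage` labels are made up for this example; the default network and NAT address are taken from the pf.conf rule in the message, and the sample input is the four tcpdump lines it quotes. Both the untranslated and the translated packet show up on em0 because both subnets are configured on that one interface.

```python
import ipaddress
import re

# Sample input: the four tcpdump lines from the message above, one per line.
CAPTURE = """\
00:11:25.758323 IP 172.16.0.10 > 192.168.178.1: ICMP echo request, id 6976, seq 96, length 64
00:11:25.758435 IP 192.168.178.181 > 192.168.178.1: ICMP echo request, id 57418, seq 96, length 64
00:11:25.758880 IP 192.168.178.1 > 192.168.178.181: ICMP echo reply, id 57418, seq 96, length 64
00:11:25.758950 IP 192.168.178.1 > 172.16.0.10: ICMP echo reply, id 6976, seq 96, length 64
"""

LINE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo "
    r"(?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)")

def parse(text):
    """Return one dict per ICMP echo line; other lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            p = m.groupdict()
            p["id"], p["seq"] = int(p["id"]), int(p["seq"])
            pkts.append(p)
    return pkts

def find(pkts, kind, seq, **fields):
    """First packet of the given kind and seq whose fields all match, else None."""
    for p in pkts:
        if p["kind"] == kind and p["seq"] == seq and all(p[k] == v for k, v in fields.items()):
            return p
    return None

def nat_report(text, inside="172.16.0.0/24", nat_ip="192.168.178.181"):
    """Trace each echo request from the inside net through the NAT rule."""
    net = ipaddress.ip_network(inside)
    pkts = parse(text)
    report = []
    for i, p in enumerate(pkts):
        if p["kind"] != "request" or ipaddress.ip_address(p["src"]) not in net:
            continue
        rest = pkts[i + 1:]  # only look at packets seen after this request
        xlat = find(rest, "request", p["seq"], src=nat_ip, dst=p["dst"])
        back = xlat and find(rest, "reply", p["seq"], dst=nat_ip, id=xlat["id"])
        done = find(rest, "reply", p["seq"], dst=p["src"], id=p["id"])
        stage = ("not translated" if not xlat else
                 "no reply from target" if not back else
                 "reply not passed back" if not done else "ok")
        report.append({"client": p["src"], "seq": p["seq"],
                       "nat_id": xlat["id"] if xlat else None, "stage": stage})
    return report
```

A result of "not translated" points at the nat rule or at a filter rule dropping the packet before it leaves; "reply not passed back" points at the return path through the firewall.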
