Morgan Reed wrote:
Not sure if this is the most appropriate place to ask, feel free to
redirect me if it isn't.

I've got an issue with a simple NAT with pf.

I've got two machines;
the first (I will call m1) has 2 ethernet interfaces (I will call them
m1.0 and m1.1)
the second (I will call m2) has 1 ethernet interface (I will call it m2.0)

m1.0 faces my LAN, m1.1 and m2.0 are on a separate, isolated segment.

what I need to be able to do is to access the "outside world" from m2
and be able to get to Ports 80, 443 and 3128 on m2 from my LAN by
connecting to ports 80, 443 and 3128 on m1 and having traffic
forwarded appropriately.

m1.0 - 192.168.0.X/24 (DHCP assigned)
m1.1 - 192.168.1.2/24
m2.0 - 192.168.1.30/24

/etc/pf.conf
=========================================================

ext_if="m1.0"
int_if="m1.1"

nat on $ext_if from !($ext_if) -> ($ext_if:0)

I think traffic coming back is natted a second time ???

I prefer:

nat on $ext_if from $int_if:network to any -> ($ext_if)


rdr pass on $ext_if proto tcp to port 80 -> 192.168.1.30 port 80
rdr pass on $ext_if proto tcp to port 443 -> 192.168.1.30 port 443
rdr pass on $ext_if proto tcp to port 3128 -> 192.168.1.30 port 3128

I would also nat on int_if in this case -- except for m1.

no nat on $int_if proto tcp from $int_if to $int_if:network
nat on $int_if proto tcp from $int_if:network to 192.168.1.30 port {80
443 3128 } -> $int_if

Henri


pass in keep state
pass out keep state

=========================================================

The current status is as follows;
* I can ping m1.0 from m2
* I can't ping any of the other addresses on the 192.168.0.0/24 network from m2

- tcpdump'ing m1.1
* Connecting to one of the forwarded ports on m1.0 I see nothing
* Connecting from m2 to a host on the LAN I see the connections going
out but, not coming back

Your assistance is greatly appreciated.

Morgan
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
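For readers trying to reproduce this setup, here is a complete pf.conf for the topology Morgan describes, written as an added example for this page rather than taken from either message in the thread. It keeps the thread's placeholder interface names (m1.0, m1.1) and addresses, uses the outbound NAT form Henri prefers, and adds the explicit filter rules the thread leaves out. Everything marked "assumption" in the comments is my choice, not something the thread states.

```pf
# Added example, not from the thread. m1.0 and m1.1 are the thread's
# placeholder names; substitute the real FreeBSD interface names.
ext_if    = "m1.0"            # 192.168.0.X/24, DHCP, faces the LAN
int_if    = "m1.1"            # 192.168.1.2/24, isolated segment
m2        = "192.168.1.30"    # the host behind m1
fwd_ports = "{ 80, 443, 3128 }"

# --- Translation rules (in this pf syntax they must precede the filter rules) ---

# Outbound NAT for the isolated segment, in the form Henri suggests: only
# packets sourced from 192.168.1.0/24 are rewritten to m1.0's address.
# ($ext_if) tracks the DHCP-assigned address if it changes.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Redirect the three service ports on m1's LAN address to m2.
# Deliberately no "pass" keyword: "rdr pass" would let the redirected
# traffic skip the filter rules below, so it is filtered explicitly instead.
rdr on $ext_if proto tcp from any to ($ext_if) port $fwd_ports -> $m2

# Assumption: only needed if m2's default route is NOT 192.168.1.2.
# Rewrites the source of the redirected connections to m1.1's address so
# m2's replies return through m1 regardless of m2's routing table.
# Connections m1 itself makes to the segment are exempted first.
no nat on $int_if from ($int_if) to $int_if:network
nat on $int_if proto tcp from any to $m2 port $fwd_ports -> ($int_if)

# --- Filter rules ---
block in log all                  # default deny on every interface, log drops
pass out keep state               # whatever m1 or the segment originates may leave

# m2 (and anything else on the segment) may reach the outside world via m1
pass in on $int_if from $int_if:network to any keep state

# LAN clients may reach the forwarded ports; after rdr the filter sees the
# destination as m2, so the rule matches on 192.168.1.30, not on m1.0
pass in on $ext_if proto tcp from any to $m2 port $fwd_ports keep state
```

Before loading this, check the two things the thread's symptoms point at: m1 must actually forward packets (`sysctl net.inet.ip.forwarding` should read 1, set persistently with `gateway_enable="YES"` in /etc/rc.conf), and m2's default route must be 192.168.1.2, otherwise replies never reach m1.1. `pfctl -nf /etc/pf.conf` checks the syntax without loading it, and after loading, `pfctl -s nat` and `pfctl -s state` show whether the translation rules exist and whether a connection from m2 produced a translated state entry. If no such state appears while `tcpdump -ni m1.1` shows the outbound packets, the NAT rule is not matching and LAN hosts are replying to 192.168.1.30 directly with no route back, which is consistent with the "going out but not coming back" Morgan reports. The default-deny `block in` also drops management traffic to m1 itself (ssh, for example), so add a `pass in` for that on the interface you administer from.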


  • PF Question Morgan Reed
    • Re: PF Question Henri Hennebert