That was from the output of pfctl -vf /etc/pf.conf so it expands the rules and adds all that is implied, like keep state for example.
2011/10/10 pavel pocheptsov <[email protected]>:
> match out on vic2 inet from 10.221.181.0/24 to any nat-to (vic2) round-robin
> For what reason did you paste "round-robin"?
> Also you need
> pass in on $local_if from $localnet to any
> pass out on $ext_if from $localnet to any
>
>
> On 10 October 2011 at 19:42, Stefan Midjich <[email protected]> wrote:
> > Simplest of things but I'm failing miserably.
> >
> > $ sudo cat /etc/hostname.vic2 # External NIC with static public IPv4 address
> > inet 50.50.50.59 255.255.255.0 50.50.50.255
> >
> > $ sudo cat /etc/hostname.vic3 # Internal NIC used as gateway by two
> > machines on same network
> > inet 10.221.181.10 255.255.255.0 10.221.181.255
> >
> > For troubleshooting I have removed the block all rule, to confirm that
> > it is in fact my NAT-related rules that don't work.
> >
> > These are my first and only NAT rules. The other rules work fine and
> > are just to allow SSH to my management interface and ICMP response
> > from the external IP and from the internal gateway IP. Besides, I've
> > removed the block all so the other rules don't matter much now.
> >
> > match out on vic2 inet from 10.221.181.0/24 to any nat-to (vic2) round-robin
> > pass inet from 10.221.181.0/24 to any flags S/SA keep state
> >
> > With tcpdump I can see packets going to vic3, but no further.
> >
> > With block all commented out I can fully test the network around and
> > everything is working just fine; I can nc -kl 50.50.50.59 65535 and
> > connect to that port from anywhere on the internet. I just can't
> > connect out from the private network through the gateway. The systems
> > in the private network have 10.221.181.10 as their default gateway.
> >
> > I even have the Book of PF 2nd edition here but it's of no use; the
> > rules are mostly from there. Just for troubleshooting I can also nc
> > -kl 10.221.181.10 65535 on the gateway and connect to that port from
> > the private network machines without issues.
> >
> > So please tell me, what am I missing in this nat-to rule?
> >
> > --
> > Med vänliga hälsningar / With kind regards
> > Stefan Midjich
>

--
Med vänliga hälsningar / With kind regards
Stefan Midjich
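Pulling the interface details from the original post and the pass rules Pavel suggested into one complete pf.conf, as an added example that is not part of the mailing-list thread. The interface names, addresses, LAN prefix and the nat-to rule come from the post; the macro names ext_if, int_if and localnet, the SSH rule, and the choice to keep the default-deny rule in place (logged, rather than commented out for troubleshooting) are assumptions.

```pf
# Added example, not from the thread: minimal OpenBSD NAT gateway pf.conf.
# Macro names are assumed; interface names and addresses are from the post.
ext_if   = "vic2"            # external NIC with the public address
int_if   = "vic3"            # internal NIC, default gateway for the LAN
localnet = "10.221.181.0/24"

set skip on lo

# Keep the default deny instead of commenting it out while debugging; with
# "log", dropped packets show up on pflog0 (tcpdump -n -e -ttt -i pflog0).
block log all

# Translate LAN traffic leaving the external interface to that interface's
# address. "(vic2)" in parentheses tracks the address dynamically. Plain
# nat-to is enough here: round-robin only selects between several
# translation addresses, which a single interface does not provide.
match out on $ext_if inet from $localnet to any nat-to ($ext_if)

# "match" only sets up the translation; it passes nothing. Without these
# two rules the forwarded packets still hit "block log all" (in the post,
# that is hidden by block all being commented out).
pass in  on $int_if inet from $localnet to any
pass out on $ext_if inet from $localnet to any

# Assumed management access (the post mentions SSH to a management interface
# but does not show the rule) and ICMP replies on the gateway's own addresses.
pass in on $ext_if inet proto tcp to ($ext_if) port 22
pass in on $ext_if inet proto icmp to ($ext_if)
pass in on $int_if inet proto icmp to ($int_if)

# Not a pf rule, but the usual cause of "tcpdump sees packets on the inside
# interface and they go no further": the kernel must be forwarding at all.
# Put net.inet.ip.forwarding=1 in /etc/sysctl.conf (or set it with sysctl).
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -ss` then shows the translated states as LAN hosts connect out, and `sysctl net.inet.ip.forwarding` confirms forwarding is enabled. Since the first line of the reply above shows the round-robin keyword came from `pfctl -vf` expanding the rule set, compare the expanded output with this file rather than with the rule as typed.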

