ManagementIF = "vic0"
PFsyncIF = "vic1"
LocalIF = "lo0"
ManagementPorts = "{ 1022, 22 }"
UDPManagementPorts = "{ domain }"
ICMPTypes = "{ echorep, echoreq, unreach }"
set skip on { lo0 vic1 }
OutIF = "vic2"
InIF = "vic3"
pass quick on vic0 inet proto tcp from any to any port = 1022 flags S/SA keep state label "PassMGMTSSH"
pass quick on vic0 inet proto tcp from any to any port = ssh flags S/SA keep state label "PassMGMTSSH"
pass on vic0 proto udp from any to any port = domain keep state label "PassMGMTDNS"
pass on vic0 inet proto icmp all icmp-type echorep keep state label "PassMGMTICMP"
pass on vic0 inet proto icmp all icmp-type echoreq keep state label "PassMGMTICMP"
pass on vic0 inet proto icmp all icmp-type unreach keep state label "PassMGMTICMP"
pass quick on vic2 proto carp all keep state label "PassCarp"
pass quick on vic3 proto carp all keep state label "PassCarp"
pass quick inet proto icmp from any to 50.50.50.0/24 icmp-type echoreq keep state label "PingOut"
pass quick inet proto icmp from any to 50.50.50.0/24 icmp-type echorep keep state label "PingOut"
pass quick inet proto icmp from any to 50.50.50.0/24 icmp-type unreach keep state label "PingOut"
pass quick inet proto icmp from 10.221.181.0/24 to 10.221.181.10 icmp-type echoreq keep state label "PingIn"
pass quick inet proto icmp from 10.221.181.0/24 to 10.221.181.10 icmp-type echorep keep state label "PingIn"
pass quick inet proto icmp from 10.221.181.0/24 to 10.221.181.10 icmp-type unreach keep state label "PingIn"
match in on vic3 inet from 10.221.181.0/24 to any label "NATOut" nat-to (vic2) round-robin
pass inet from 10.221.181.0/24 to any flags S/SA keep state
vic2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:50XXXXX
        priority: 0
        groups: egress
        media: Ethernet autoselect
        status: active
        inet 50.50.50.59 netmask 0xffffff00 broadcast 50.50.50.255
        inet6 fe80::250:56ff:fe8e:63%vic2 prefixlen 64 scopeid 0x3
vic3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:50:XXXXX
        priority: 0
        media: Ethernet autoselect
        status: active
        inet 10.221.181.10 netmask 0xffffff00 broadcast 10.221.181.255
        inet6 fe80::250:56ff:fe8e:64%vic3 prefixlen 64 scopeid 0x4
Routing tables
Internet:
Destination        Gateway            Flags  Refs   Use    Mtu  Prio  Iface
default            50.50.50.1         UGS       0    80      -     8  vic2
10/8               10.220.100.1       UGS       2  2869      -     8  vic0
10.90.100/24       link#2             UC        1     0      -     4  vic1
10.90.100.10       XXXXX:00:62        UHLc      0     2      -     4  lo0
10.220.100/24      link#1             UC        3     0      -     4  vic0
10.220.100.1       XXXXX07:ac:00      UHLc      1     0      -     4  vic0
10.220.100.10      XXXXX:49:16        UHLc      0   489      -     4  vic0
10.220.100.209     XXXXX:26:05        UHLc      1  5010      -     4  vic0
10.221.181/24      link#4             UC        0     0      -     4  vic3
127/8              127.0.0.1          UGRS      0     0  33160     8  lo0
127.0.0.1          127.0.0.1          UH        1     0  33160     4  lo0
50.50.50/24        link#3             UC        3     0      -     4  vic2
50.50.50.1         XXXXXf:d4:20       UHLc      1     0      -     4  vic2
50.50.50.6         XXXXX81:86:b6      UHLc      0     0      -     4  vic2
50.50.50.7         XXXXXX:50:87:14    UHLc      0     0      -     4  vic2
224/4              127.0.0.1          URS       0     0  33160     8  lo0
Please note that I have removed the public IP address and other private details.
2011/10/10 Christiano F. Haesbaert <[email protected]>:
> On 10 October 2011 12:38, Stefan Midjich <[email protected]> wrote:
>> Simplest of things but I'm failing miserably.
>>
>> $ sudo cat /etc/hostname.vic2 # External NIC with static public IPv4 address
>> inet 50.50.50.59 255.255.255.0 50.50.50.255
>>
>> $ sudo cat /etc/hostname.vic3 # Internal NIC used as gateway by two
>> machines on same network
>> inet 10.221.181.10 255.255.255.0 10.221.181.255
>>
>> For troubleshooting I have removed the block all rule, to confirm that
>> it is in fact my NAT related rules that don't work.
>>
>> These are my first and only NAT rules. The other rules work fine and
>> are just to allow SSH to my management interface and ICMP response
>> from the external IP and from the internal gateway IP. Besides I've
>> removed the block all so the other rules don't matter much now.
>>
>> match out on vic2 inet from 10.221.181.0/24 to any nat-to (vic2) round-robin
>> pass inet from 10.221.181.0/24 to any flags S/SA keep state
>>
>> With tcpdump I can see packets going to vic3, but no further.
>>
>> With block all commented out I can fully test the network around and
>> everything is working just fine, I can nc -kl 50.50.50.59 65535 and
>> connect to that port from anywhere on the internet. I just can't
>> connect out from the private network through the gateway. The systems
>> in the private network have 10.221.181.10 as their default gateway.
>>
>> I even have the Book of PF 2nd edition here, but it's of no use; the
>> rules are mostly from there. Just for troubleshooting I can also nc
>> -kl 10.221.181.10 65535 on the gateway and connect to that port from
>> the private network machines without issues.
>>
>> So please tell me, what am I missing in this nat-to rule?
>>
>
> Hi, can you paste your pf.conf?
> The output of ifconfig would be good too.
>
--
Med vänliga hälsningar / With kind regards
Stefan Midjich
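As an added example (not code from this thread), a small Python check over a ruleset written out in full as in the listing above: it re-joins mail-wrapped rule lines, then reports two things that silently stop a nat-to rule from translating anything: the nat-to interface being excluded by set skip, and the absence of a stateful pass rule covering the source network the match rule translates. The rule fields are pulled out with a regex sketch, not pf's real grammar, and the sample ruleset is constructed from the rules pasted above.

```python
import re

# Constructed sample: the NAT rules from the ruleset above, still mail-wrapped.
RULESET = """\
set skip on { lo0 vic1 }
match in on vic3 inet from 10.221.181.0/24 to any label "NATOut"
nat-to (vic2) round-robin
pass inet from 10.221.181.0/24 to any flags S/SA keep state
"""
KEYWORDS = ("pass", "block", "match", "set", "anchor")

def unwrap(text):
    # A line that does not start with a pf keyword continues the previous rule.
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        if line and (line.split()[0] in KEYWORDS or not rules):
            rules.append(line)
        elif line:
            rules[-1] += " " + line
    return rules

def parse_rule(rule):
    # Regex sketch of the fields a NAT review needs, not pf's real grammar.
    def grab(pattern):
        m = re.search(pattern, rule)
        return m.group(1) if m else None
    return {"text": rule, "action": rule.split()[0],
            "direction": grab(r"\b(in|out)\b"), "src": grab(r"\bfrom (\S+)"),
            "nat_to": grab(r"nat-to \(?([^) ]+)\)?"),
            "keep_state": "keep state" in rule}

def check_nat(text):
    # Findings: nat-to names an interface pf skips, or no stateful pass rule
    # covers the source network the match rule translates.
    rules = [parse_rule(r) for r in unwrap(text)]
    skipped = set()
    for r in rules:
        m = re.search(r"set skip on \{([^}]*)\}", r["text"])
        if m:
            skipped.update(m.group(1).split())
    nat_rules = [r for r in rules if r["action"] == "match" and r["nat_to"]]
    findings = []
    for n in nat_rules:
        if n["nat_to"] in skipped:
            findings.append(f"nat-to ({n['nat_to']}) is in 'set skip'")
        # match only marks the packet; a pass rule must still allow it and
        # keep state so the reply is translated back.
        if not any(r["action"] == "pass" and r["keep_state"]
                   and r["src"] in (n["src"], "any") for r in rules):
            findings.append(f"no stateful pass rule covers {n['src']}")
    return {"nat_rules": len(nat_rules), "skipped": sorted(skipped), "findings": findings}
```

For the ruleset above the check returns no findings, so the rule pair itself is consistent; the remaining places to look are outside pf (forwarding and routing on the gateway), which this check does not cover.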