On 10.11.2021 at 22:39, Thomas Schweikle wrote:
Hi!

I have to set up a BiNAT address translation for some stupid hardware not able to change IP addresses. I've tried with:

Two interfaces:
bge0: 192.168.111.2/24
bge1: 10.160.15.2/24

The default gateway is at 10.160.15.254.

The stupid device with fixed, non-configurable IP addresses is at
- 192.168.111.{221..225}

The addresses I'd like to map it to: 10.160.15.{11..25}

I've set up rules:
set skip on lo
block return
pass
#
tcp_services = "{ ssh }"
sdv_if = bge0
myn_if = bge1
#
sdv_a = 192.168.111.221
sdv_b = 192.168.111.222
sdv_c = 192.168.111.223
sdv_d = 192.168.111.224
sdv_e = 192.168.111.225
#
myn_a = 10.160.15.11
myn_b = 10.160.15.12
myn_c = 10.160.15.13
myn_d = 10.160.15.14
myn_e = 10.160.15.15
#
pass in on egress proto tcp from any to egress \
   port $tcp_services keep state
pass out on egress proto { tcp udp icmp } all keep state
#
match out on $myn_if from $sdv_a to any binat-to $myn_a
match out on $myn_if from $sdv_b to any binat-to $myn_b
match out on $myn_if from $sdv_c to any binat-to $myn_c
match out on $myn_if from $sdv_d to any binat-to $myn_d
match out on $myn_if from $sdv_e to any binat-to $myn_e
#
pass on $myn_if from $sdv_a to any binat-to $myn_a
pass on $myn_if from $sdv_b to any binat-to $myn_b
pass on $myn_if from $sdv_c to any binat-to $myn_c
pass on $myn_if from $sdv_d to any binat-to $myn_d
pass on $myn_if from $sdv_e to any binat-to $myn_e


Then I reloaded the configuration by issuing "sh /etc/netstart", but without any effect. I can connect to this box using ssh, but trying to connect to the stupid box behind it with "ssh 10.160.15.12" fails.

- Any ideas why? Is the ruleset correct for what I want to achieve?
- Do I have to define address aliases on this box for $myn_{a..e}
   to make it work?


Hi,

I have not used binat, but I think that you need to add
10.160.15.{11..25} as IP aliases on bge1, so try adding

inet alias 10.160.15.11 255.255.255.255
inet alias 10.160.15.12 255.255.255.255
inet alias 10.160.15.13 255.255.255.255
inet alias 10.160.15.14 255.255.255.255
inet alias 10.160.15.15 255.255.255.255

to hostname.bge1

Don't forget to enable forwarding:
sysctl net.inet.ip.forwarding=1

Also, the "stupid devices" have to have default gateway pointed at 192.168.111.2, or you have to do SNAT on traffic leaving bge0, since otherwise "stupid devices" will not know the packet's return path.


Kind regards,
--
Łukasz Moskała
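Putting the reply's suggestions together as a staged configuration (an added example, written for this thread and not code from either poster): a POSIX sh function that writes hostname.bge1, sysctl.conf and pf.conf into a review directory so they can be checked with "pfctl -nf" before being copied to /etc. It assumes the interface names and addresses from the question; the direction-less "match on" form follows the binat-to example in pf.conf(5), and the final nat-to rule is only the fallback for devices whose default gateway cannot be pointed at 192.168.111.2.

```shell
# Added example (not from the thread): stage the files the reply
# suggests into a directory so they can be reviewed (pfctl -nf) before
# being copied to /etc on the OpenBSD router. Interface names and
# addresses are the ones given in the question.
set -eu

write_binat_config() {
    dir="$1"
    mkdir -p "$dir"

    # hostname.bge1: the router must own the mapped addresses so it
    # answers ARP for them on the 10.160.15.0/24 side.
    cat > "$dir/hostname.bge1" <<'EOF'
inet 10.160.15.2 255.255.255.0
inet alias 10.160.15.11 255.255.255.255
inet alias 10.160.15.12 255.255.255.255
inet alias 10.160.15.13 255.255.255.255
inet alias 10.160.15.14 255.255.255.255
inet alias 10.160.15.15 255.255.255.255
EOF

    # sysctl.conf: forwarding between bge0 and bge1 must be on.
    echo 'net.inet.ip.forwarding=1' > "$dir/sysctl.conf"

    # pf.conf: one binat-to per device. binat-to is bidirectional, so a
    # direction-less "match on" (the form used in pf.conf(5)) covers both
    # the outbound nat-to and the inbound rdr-to it expands to.
    cat > "$dir/pf.conf" <<'EOF'
sdv_if = bge0
myn_if = bge1
set skip on lo
block return
pass
match on $myn_if from 192.168.111.221 to any binat-to 10.160.15.11
match on $myn_if from 192.168.111.222 to any binat-to 10.160.15.12
match on $myn_if from 192.168.111.223 to any binat-to 10.160.15.13
match on $myn_if from 192.168.111.224 to any binat-to 10.160.15.14
match on $myn_if from 192.168.111.225 to any binat-to 10.160.15.15
# Fallback only if the devices cannot use 192.168.111.2 as default
# gateway: source-NAT traffic leaving bge0 so replies come back here.
match out on $sdv_if from 10.160.15.0/24 to 192.168.111.0/24 nat-to $sdv_if
EOF
    echo "$dir"
}
```

Run as `write_binat_config /tmp/binat-review` and then `pfctl -nf /tmp/binat-review/pf.conf` on the router to syntax-check the ruleset before installing it.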
