On Tue, Apr 21, 2009 at 08:42:44PM +0300, Lars Nooden wrote:
> Alexander Hall wrote:
> > Lars Nooden wrote:
> >> Sometimes I have to set up a LAN inside a pre-existing NAT'd LAN and
> >> traffic from the inner LAN (B) does not make it to the Internet or even
> >> to final, external interface (4).
> >>
> >>          +-------+         +--------+
> >> LAN B ---+ 1     +         + Box2   +
> >>          + NAT   +         +       4+---> Internet
> >>          +      2+--LAN A--+3 NAT   +
> >>          + Box1  +         +        +
> >>          +-------+         +--------+
> >>
> >> What kind of generic change is needed in PF to get from LAN B through to
> >> the outside?
> >
> > If the subnets are different, say 192.168.10.0/24 and 192.168.11.0/24,
> > and each box does its NAT and 'net.inet.ip.forwarding=1' I cannot see
> > anything that would prevent this from working.
> >
> > Start by tracing how far the package makes it and what src address it has.
>
> I can ping from LAN B to interface 3 and get a response, but not to 4.
> I can ping (and everything else) from LAN A to interface 4 and the Internet.
>
> I've searched around a bit and see there is something wrong (in general)
> with "double NAT"
It's a simple matter of:

* does the route exist
* does the firewall allow it

Verify that both are true.  Monitor your traffic with tcpdump as needed.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
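A worked version of the advice in this thread, added here by the editor and not posted by anyone on the list: the pf.conf fragments each box in the quoted diagram would carry, and a small helper that applies Alexander's "what src address does it have" check to a tcpdump line captured on Box2's inner interface (3). Interface names (em0/em1), the two subnets (192.168.10.0/24 for LAN A, 192.168.11.0/24 for LAN B) and the documentation addresses in the sample capture lines are all assumptions; the rules use the `nat on` syntax of 2009-era OpenBSD PF.

```shell
#!/bin/sh
# Added example (not from the thread): the double-NAT topology in the
# quoted diagram, with the checks Alexander and Jason describe.
# Interface names and subnets are assumptions:
#   Box1: iface 1 = em1 on LAN B (192.168.11.0/24), iface 2 = em0 on LAN A
#   Box2: iface 3 = em1 on LAN A (192.168.10.0/24), iface 4 = em0 external
LAN_A=192.168.10
LAN_B=192.168.11

# pf.conf fragment for the inner box: translate LAN B onto its LAN A address.
box1_rules() {
  cat <<'EOF'
ext_if="em0"
int_if="em1"
nat on $ext_if from $int_if:network to any -> ($ext_if)
pass in on $int_if keep state
pass out on $ext_if keep state
EOF
}

# pf.conf fragment for the outer box.  LAN B is listed as well, so that if
# Box1 forwards without translating, those packets are still NATed out of
# interface 4 instead of leaving with a private source address.
box2_rules() {
  cat <<EOF
ext_if="em0"
int_if="em1"
nat on \$ext_if from { $LAN_A.0/24, $LAN_B.0/24 } to any -> (\$ext_if)
pass in on \$int_if keep state
pass out on \$ext_if keep state
EOF
}

# Classify the source address of one tcpdump line seen on interface 3.
#   box1-nat     : Box1 rewrote the source; Box2's LAN A rule and routes suffice.
#   untranslated : a LAN B address reached Box2, so Box2 needs a nat rule that
#                  covers LAN B and a return route to LAN B via Box1's LAN A side.
#   other        : no IP source found (e.g. an ARP line).
classify_src() {
  printf '%s\n' "$1" | awk -v a="$LAN_A" -v b="$LAN_B" '
    {
      src = ""
      for (i = 1; i < NF; i++) if ($i == "IP") src = $(i + 1)
      if (src == "") { print "other"; next }
      split(src, o, ".")            # 5 pieces when tcpdump appends a port
      pfx = o[1] "." o[2] "." o[3]
      if (pfx == a) print "box1-nat"
      else if (pfx == b) print "untranslated"
      else print "other"
    }'
}

# The checks to run on Box2, in order, when LAN B cannot reach interface 4.
# They are printed rather than executed so this script is safe to run anywhere.
diagnose() {
  cat <<EOF
sysctl net.inet.ip.forwarding     # must be 1 on both boxes
route -n get $LAN_B.0/24          # can Box2 reply to an untranslated LAN B source?
pfctl -sn                         # which source networks do the nat rules cover?
tcpdump -ni em1 icmp              # iface 3: what src address does LAN B arrive with?
tcpdump -ni em0 icmp              # iface 4: did it leave with iface 4's address?
EOF
}

# Demonstration on constructed tcpdump lines (not real captures).
classify_src 'IP 192.168.10.5 > 198.51.100.1: ICMP echo request, id 1, seq 1, length 64'
classify_src 'IP 192.168.11.20.51234 > 198.51.100.1.53: 1234+ A? example.com. (29)'
diagnose
```

If `classify_src` reports `box1-nat`, Box1 is translating and the problem is on Box2's side of Jason's two questions (a route out of interface 4 and a nat/pass rule that matches LAN A traffic). If it reports `untranslated`, Box1 is only forwarding, and Box2 must both translate the LAN B source and know a route back to 192.168.11.0/24 through Box1's LAN A address, otherwise replies never reach LAN B even though the ping to interface 3 works.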

