On Tue, Oct 01, 2002 at 11:40:52AM -0700, Adam Getchell wrote:

> binat on $ext_if from $bdc_private_ip to any -> $bdc_public_ip
>
> This client (an NT4 BDC/WINS/DHCP server) loses network connectivity
> outside. Even browsing without DNS (the errors below show DNS queries
> failing). Setting pfctl -x m and looking at pfctl -sss yields:

I see nothing obviously wrong, so you have to provide some more information.

Are you running a bridge or just plain IP forwarding on the pf machine?

Is $NAT_public_ip != $bdc_public_ip? Is $bdc_public_ip an address/alias on the external interface of the pf box? Can you ping $bdc_public_ip successfully from the outside when the binat rule is removed?

Are $private_ip_range and $bdc_private_ip completely non-overlapping, so that no packet could possibly match both? If not, the order of the nat and binat rules matters. Translation rules are used on a first-match basis: only the first matching translation rule is used.

> udp $bdc_private_ip:1077 -> $bdc_public_ip:1077 -> 169.237.1.250:53 1:0

This is an outgoing connection; the initial packet successfully matched the binat rule, got translated and created state. Can you verify that the reply from 169.237.1.250 to $bdc_public_ip actually arrives on $ext_if (using tcpdump)? If it doesn't arrive, make sure destination $bdc_public_ip gets routed to the pf box. If it does arrive, does it go out through any other interface again (and what parts were translated, if any)? tcpdump again.

Are you filtering on other interfaces than $ext_if, too? The state created on $ext_if doesn't automatically allow packets (including replies) to pass on other interfaces; maybe you're blocking the replies on the internal interface?

Daniel
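The two points Daniel raises (first-match ordering of translation rules, and state on $ext_if not covering the internal interface) can be shown in a single pf.conf fragment. This is an added illustration written for this archive page, not configuration from the thread: the macro values are constructed, and the internal-interface macro `$int_if` is an assumed name that does not appear in the original messages.

```pf
# Added example, not from the thread. Interface names and addresses are
# constructed; $int_if is an assumed macro for the internal interface.
ext_if           = "xl0"
int_if           = "xl1"
private_ip_range = "192.168.1.0/24"
bdc_private_ip   = "192.168.1.10"
NAT_public_ip    = "203.0.113.1"
bdc_public_ip    = "203.0.113.10"

# --- translation rules -------------------------------------------------
# $bdc_private_ip lies inside $private_ip_range, so packets from the BDC
# match BOTH rules below. pf applies only the first matching translation
# rule, so the binat line must precede the general nat line; reversed,
# the BDC would be masqueraded behind $NAT_public_ip instead of mapped
# to $bdc_public_ip, and the state table would show $NAT_public_ip.
binat on $ext_if from $bdc_private_ip   to any -> $bdc_public_ip
nat   on $ext_if from $private_ip_range to any -> $NAT_public_ip

# $bdc_public_ip must also terminate at the pf box (alias on $ext_if, or a
# route pointing to this host), otherwise replies never reach $ext_if.
# Check with:  tcpdump -n -i xl0 host 203.0.113.10

# --- filter rules ------------------------------------------------------
# Filtering on $ext_if sees the already-translated source address.
block all
pass out on $ext_if proto udp from $bdc_public_ip to any port 53 keep state
pass out on $ext_if proto tcp from $bdc_public_ip to any keep state

# State created by the rules above lives on $ext_if only. If $int_if is
# filtered as well, the reply needs its own path back to the BDC; the
# "keep state" on the inbound rule here creates that state on $int_if.
pass in  on $int_if from $bdc_private_ip to any keep state
pass out on $int_if from any to $bdc_private_ip
```

Load it with `pfctl -f /etc/pf.conf`, then repeat the DNS lookup from the BDC and compare `pfctl -s state` on the pf box with a `tcpdump` on each interface: the $ext_if state should show $bdc_public_ip, and the reply should appear once on $ext_if and once, re-translated to $bdc_private_ip, on $int_if.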
