Mitja wrote:

Andreas Bihlmaier wrote:

On Thu, Dec 07, 2006 at 11:27:11PM +0100, Mitja wrote:

Hello,

I am trying to configure nat from internal network 192.168.1.0/24 to
external nat gateway address 193.189.180.193. The problem is that
packets are not passing from nat gateway to the interface 193.77.12.154
to the internet.

ISP <-> 193.77.12.154 -- hostA -- 192.168.1.1
                          |
                    193.189.180.193 (em1)
                          |
                      /27 network


More testing:
I changed my pf.conf to:

# pfctl -s all
TRANSLATION RULES:
nat on bge0 inet from 192.168.1.0/24 to any -> (bge0:0)
rdr pass on em1 inet proto tcp from any to any port = 5900 -> 192.168.1.111 port 5900

If bge0 is your external interface that nat line now looks correct.
If your internal hosts on the 192.168.1.0/24 net have default gateway 192.168.1.1 it should be nating properly.

Sounds like you want traffic to traverse:
192.168.1.0/24 -> 192.168.1.1 -> 193.189.180.193 -> 193.77.12.154 -> 0/0

I don't yet fully get what you're trying to accomplish.

# pfctl -s all
TRANSLATION RULES:
nat on em1 inet from 192.168.1.0/24 to any -> (em1:0)
rdr pass on em1 inet proto tcp from any to any port = 5900 -> 192.168.1.111 port 5900

FILTER RULES:
pass in all keep state
pass out all keep state
No queue in use

The same test, with tcpdump on the last interface (bge0;193.77.12.154).

# ping -I 192.168.1.95 209.85.129.147
PING 209.85.129.147 (209.85.129.147): 56 data bytes
--- 209.85.129.147 ping statistics ---
15 packets transmitted, 0 packets received, 100.0% packet loss

# tcpdump -i bge0 icmp
tcpdump: listening on bge0, link-type EN10MB
14:49:16.377482 192.168.1.95 > 209.85.129.147: icmp: echo request
14:49:17.387437 192.168.1.95 > 209.85.129.147: icmp: echo request
14:49:18.397398 192.168.1.95 > 209.85.129.147: icmp: echo request

icmp packets are going out, but it looks like NAT is not working (it
should change my source IP address).

That's because now you are dumping traffic on the "internal" interface where the packets haven't traversed the NAT yet. The nat rule you made above has the internal interface where it should have the external:
nat on em1:0 from int_net to -> em1:0.

# This is a proper simple nat example (that works):
ext_if="rl0" # (or whatever is your external interface)
nat on $ext_if inet from ! ($ext_if) -> ($ext_if:0)

--
Fridh
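The two checks in this thread (is the nat rule bound to the external interface, and do packets leave that interface with their private source address intact) can be automated over `pfctl -s nat` and `tcpdump` output. The following script is an added example and is not part of the mailing-list thread or of pf itself; the interface names and the sample rule and capture lines are constructed from what the thread shows, and the `diagnose` helper is a hypothetical name.

```python
import ipaddress
import re

# Constructed sample input modelled on the thread: the nat rule as printed by
# `pfctl -s nat`, and ICMP lines in the format tcpdump printed on the page.
SAMPLE_NAT_RULE = "nat on em1 inet from 192.168.1.0/24 to any -> (em1:0)"
SAMPLE_EXT_CAPTURE = """\
14:49:16.377482 192.168.1.95 > 209.85.129.147: icmp: echo request
14:49:17.387437 192.168.1.95 > 209.85.129.147: icmp: echo request
14:49:18.397398 192.168.1.95 > 209.85.129.147: icmp: echo request
"""

# "nat on <ifname> ..." as pfctl prints it; a modifier such as "em1:0" is
# stripped so the result compares against a plain interface name.
NAT_RULE_RE = re.compile(r"^nat on (\S+?)(?::\S+)? ")
# "<timestamp> <src>[.<port>] > <dst>[.<port>]:" as tcpdump prints IPv4 traffic.
TCPDUMP_RE = re.compile(
    r"^\S+ (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)


def nat_interface(rule: str):
    """Return the interface a nat rule is bound to, or None if not a nat rule."""
    m = NAT_RULE_RE.match(rule)
    return m.group(1) if m else None


def untranslated_sources(capture: str) -> list:
    """Source addresses in a tcpdump capture that are still RFC 1918 private.

    Run this against a capture taken on the EXTERNAL interface: any such
    address means the packet left the box without being translated.
    """
    seen = []
    for line in capture.splitlines():
        m = TCPDUMP_RE.match(line)
        if not m:
            continue
        src = ipaddress.ip_address(m.group(1))
        if src.is_private and src not in seen:
            seen.append(src)
    return [str(a) for a in seen]


def diagnose(ext_if: str, nat_rules: list, ext_capture: str) -> list:
    """Cross-check the nat rule set against a capture on the external interface.

    Returns human-readable findings; an empty list means every nat rule is
    bound to the external interface and nothing private leaked out of it.
    """
    findings = []
    for rule in nat_rules:
        ifname = nat_interface(rule)
        if ifname is not None and ifname != ext_if:
            findings.append(
                f"nat rule is bound to {ifname}, but the external interface is "
                f"{ext_if}; translation happens on the interface the packet leaves through"
            )
    leaked = untranslated_sources(ext_capture)
    if leaked:
        findings.append(
            f"private source addresses seen on {ext_if}: {', '.join(leaked)}; "
            "these packets were not translated"
        )
    return findings


if __name__ == "__main__":
    # With the thread's misconfigured rule this reports both problems.
    for finding in diagnose("bge0", [SAMPLE_NAT_RULE], SAMPLE_EXT_CAPTURE):
        print("FINDING:", finding)
```

In practice you would feed `diagnose` the real output of `pfctl -s nat` and of `tcpdump -n -i <ext_if>` taken while a host on the internal net pings outward; once the nat rule is moved to the external interface, the capture should show the gateway's address as the source and the function should return nothing.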
