problem with setting nat using pf

h bagade bagadeh at gmail.com
Tue Aug 23 05:45:16 UTC 2011


Thanks for your reply. Defining an alias on interfaces has its drawbacks.
Only NATted addresses should be accessible via the interface, not the remaining
addresses in the pool to which no session is NATted yet. Is there a way
to make pf do the task, or to get help from other utilities which accept the
responsibility for pool address ARP requests?

On Sun, Aug 21, 2011 at 11:54 PM, David Cornejo <dave at dogwood.com> wrote:

>
>
> On Sat, Aug 20, 2011 at 9:47 PM, h bagade <bagadeh at gmail.com> wrote:
>
>> Hi all,
>>
>> I am trying to use pf nat rules with pool support on FreeBSD 8.0, working
>> together with ipfw as the main firewall. According to the NAT concepts I
>> encountered in manuals and docs, the idea of NAT is to map the source address
>> to the NATted address when sending the packets from that source, and then to
>> map the destination address of the related reply packets.
>>
>> But when I define pf nat rules with a pool of IP addresses that are not
>> among the outside interface's IP addresses, the outgoing traffic is NATted to
>> one of the pool addresses, but the response is not received via that
>> interface, so pf cannot map the destination address to the real one. Here is
>> one of the configs I used during my tests:
>>
>> *configurations:*
>> *pf.conf:*
>> nat on eth1 from { 11.11.11.0/24 } to any -> { 172.16.10.1, 172.16.10.2, 172.16.10.3, 172.16.10.4, 172.16.10.5, 172.16.10.6, 172.16.10.7, 172.16.10.8, 172.16.10.9, 172.16.10.10 }
>>
>> main system configurations:
>> eth0: 11.11.11.1
>> eth1: 172.16.10.64
>>
>> system A: directly connected to eth0 - 11.11.11.11
>> system B: directly connected to eth1 - 172.16.10.65
>>
>> In this config, the default route of system A and of system B is the IP
>> address of the middle system to which each is connected.
>>
>> As mentioned, when system A pings system B, the ping requests are NATted to
>> 172.16.10.1 and received at system B, but system B doesn't send ICMP replies
>> because it doesn't know to whom it should send the replies (no answer to
>> system B's ARP requests about who has the NATted IP).
>>
>> Now my question is: isn't it pf nat's responsibility to manage this
>> condition and send the ARP replies to system B?
>> Or are my configs wrong?
>> Or did I misunderstand the NAT concepts?
>>
>> Any ideas or help are really appreciated, as I have to set up this NAT on my
>> main system ASAP.
>> Thanks in advance.
>> _______________________________________________
>> freebsd-net at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>>
>
> ARP is not handled by pf. You need to get the interface to respond to that
> IP address by creating an alias for the address using ifconfig; if you need
> more help, please post your rc.conf.

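The following is an added example and not code from the thread. It generates the FreeBSD configuration that David Cornejo's reply describes: an ifconfig alias on eth1 for every pool address so the interface answers system B's ARP requests, plus the pf.conf nat rule over the same pool. The interface names, the inside network and the pool are taken from the original post; the `<natpool>` table name and the trailing `block in` rule are my additions, added to address the concern in the reply above that aliasing would make every pool address reachable. The script only prints the configuration, it does not touch the running system.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints the rc.conf aliases, the
# equivalent ifconfig commands, and a pf.conf fragment for the setup in the
# original post. Nothing here modifies the system; redirect the output into
# the files yourself after reading it.

EXT_IF="eth1"               # outside interface, 172.16.10.64 in the post
INT_NET="11.11.11.0/24"     # inside network behind eth0
POOL_PREFIX="172.16.10"     # pool 172.16.10.1 .. 172.16.10.10
POOL_FIRST=1
POOL_LAST=10

# Comma-separated pool: "172.16.10.1, 172.16.10.2, ..."
pool_list() {
    list=""
    i=$POOL_FIRST
    while [ "$i" -le "$POOL_LAST" ]; do
        if [ -z "$list" ]; then
            list="$POOL_PREFIX.$i"
        else
            list="$list, $POOL_PREFIX.$i"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$list"
}

# rc.conf lines, one ifconfig_<if>_alias<n> entry per pool address. An alias
# in the same subnet as the interface's primary address must use a host
# netmask (0xffffffff); ifconfig rejects a second /24 on the same interface.
rc_conf_aliases() {
    n=0
    i=$POOL_FIRST
    while [ "$i" -le "$POOL_LAST" ]; do
        printf 'ifconfig_%s_alias%d="inet %s.%d netmask 0xffffffff"\n' \
            "$EXT_IF" "$n" "$POOL_PREFIX" "$i"
        n=$((n + 1))
        i=$((i + 1))
    done
}

# The same aliases as ifconfig commands for the running system (printed, not
# executed), so the change can be tested before editing rc.conf.
ifconfig_aliases() {
    i=$POOL_FIRST
    while [ "$i" -le "$POOL_LAST" ]; do
        printf 'ifconfig %s inet %s.%d netmask 0xffffffff alias\n' \
            "$EXT_IF" "$POOL_PREFIX" "$i"
        i=$((i + 1))
    done
}

# pf.conf fragment. The pool lives in a table so the nat rule and the block
# rule refer to the same addresses; round-robin is the only pool type pf
# permits for a table. The block rule (my addition) drops unsolicited inbound
# traffic to the aliased pool addresses: pf consults its state table before
# evaluating rules, so replies that belong to an existing NAT state are still
# translated back and passed, while anything else aimed at a pool address
# is dropped at the IP layer. ARP for the aliases is still answered.
pf_conf() {
    printf 'table <natpool> const { %s }\n' "$(pool_list)"
    printf 'nat on %s from %s to any -> <natpool> round-robin\n' \
        "$EXT_IF" "$INT_NET"
    printf 'block in on %s to <natpool>\n' "$EXT_IF"
}

echo "# /etc/rc.conf";   rc_conf_aliases
echo "# apply now";      ifconfig_aliases
echo "# /etc/pf.conf";   pf_conf
```

After loading the rules with `pfctl -f /etc/pf.conf` and adding the aliases, `arp -an` on system B should show eth1's MAC address for 172.16.10.1 once system A's ping has gone through, and `pfctl -ss` on the middle system should list the translated state. Note that with the `block in` rule in place, a ping from system B to a pool address itself is dropped (its ARP request is still answered), which is the intended "only NATted addresses are reachable" behaviour, but only for IP traffic; the aliases still respond to ARP for every pool address.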