Basic NAT server setup

Joe Moog joemoog at ebureau.com
Mon Jun 3 17:08:53 UTC 2013


On May 31, 2013, at 7:37 PM, Peter Jeremy <peter at rulingia.com> wrote:

> On 2013-May-30 17:54:53 -0500, Joe Moog <joemoog at ebureau.com> wrote:
>> I'm building a server to handle outbound NAT to the internet using
>> FreeBSD 9.1 and its built-in distribution of pf. What I want to be
>> able to do is NAT three unique internal (private) VLANs to three
>> unique public IPs.
> 
>> ext_if = "vlan11"
>> ext_addr1 = "a.b.c.3"
>> ext_addr2 = "a.b.c.4"
>> ext_addr3 = "a.b.c.5"
>> int_network1 = "10.0.1.0/24"
>> int_network2 = "172.16.1.0/24" 
>> int_network3 = "192.168.1.0/24"
>> nat on $ext_if from $int_network1 to any -> $ext_addr1
>> nat on $ext_if from $int_network2 to any -> $ext_addr2
>> nat on $ext_if from $int_network3 to any -> $ext_addr3
> 
> I don't see anything obviously wrong with what you've done.  My initial
> checks would be:
> - Do you have the correct routes on the NAT box.
> - Do you have a.b.c.{3,4,5} setup as aliases on vlan11 (or faked using
>  proxy ARP).
> 
> (My suspicion is the second point - packets are going out successfully
> but the response is undeliverable because nothing is responding to the
> switch's ARP requests for a.b.c.{3,4,5}).
> 
> Next would be to use tcpdump to do some snooping:
> - Firstly, make sure the packets are arriving on the NAT box with
>  appropriate src & dst IPs by tcpdump'ing the internal interface(s).
> - Secondly, tcpdump the external interface and see what is going out
>  and returning (tcpdump will see the external addresses)
> 
> Finally, add some 'log' keywords and tcpdump pflog0.  Unfortunately,
> the stock FreeBSD tcpdump can't handle pflog packets.  There are some
> patches in bin/124825 but you will need to do some work to get them
> to apply to the tcpdump in 9.1.
> 
> That will hopefully give you some pointers as to where to investigate.
> 
> -- 
> Peter Jeremy

Thanks for the response, Peter.

Your assessment was spot-on. I added an alias to the vlan11 interface and things seem to be functioning as expected now. I think I had overlooked the interface alias requirement before because we had been testing with the "bitmask" option which placed the entire a.b.c.0/24 network on the external interface, but when we tried to scale it back to basic single-IP NAT'ting I neglected to create the individual unique IP aliases on the interface.

Thank you!

Joe
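A configuration check in the spirit of Peter's second point, added here as an example and not code from either poster: it reads the thread's macros and nat rules together with an `ifconfig -a` excerpt (both constructed; 203.0.113.x stands in for the a.b.c.x public block) and lists translation addresses that have no inet alias on the external interface, i.e. the addresses nothing will answer ARP for. Macro expansion is assumed to cover plain quoted macros only, not tables or `($ext_if)` targets.

```python
import re

# Constructed sample pf.conf: the thread's macros and nat rules, 203.0.113.x in place of a.b.c.x.
PF_CONF = """\
ext_if = "vlan11"
ext_addr1 = "203.0.113.3"
ext_addr2 = "203.0.113.4"
ext_addr3 = "203.0.113.5"
int_network1 = "10.0.1.0/24"
int_network2 = "172.16.1.0/24"
int_network3 = "192.168.1.0/24"
nat on $ext_if from $int_network1 to any -> $ext_addr1
nat on $ext_if from $int_network2 to any -> $ext_addr2
nat on $ext_if from $int_network3 to any -> $ext_addr3
"""
# Constructed `ifconfig -a` excerpt: only the first public address has been added as an alias.
IFCONFIG_OUT = """\
vlan11: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 203.0.113.2 netmask 0xffffff00 broadcast 203.0.113.255
	inet 203.0.113.3 netmask 0xffffffff broadcast 203.0.113.3
"""
MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')     # name = "value"
NAT_RE = re.compile(r'^\s*nat\s+on\s+(\S+)\s+.*->\s+(\S+)\s*$')  # nat on IF ... -> ADDR
IFACE_RE = re.compile(r'^(\S+):\s+flags=')                  # start of an interface block
INET_RE = re.compile(r'^\s+inet\s+(\S+)')                   # IPv4 address line (not inet6)

def parse_pf_nat(pf_conf):
    # Return (interface, translation address) per nat rule, with $macros expanded.
    macros, rules = {}, []
    ref = lambda t: macros[t[1:]] if t.startswith("$") else t  # assumed: simple macros only
    for line in pf_conf.splitlines():
        if m := MACRO_RE.match(line):
            macros[m.group(1)] = m.group(2)
        elif m := NAT_RE.match(line):
            rules.append((ref(m.group(1)), ref(m.group(2))))
    return rules

def parse_ifconfig(output):
    # Map each interface name to the set of inet addresses configured on it.
    addrs, cur = {}, None
    for line in output.splitlines():
        if m := IFACE_RE.match(line):
            cur = m.group(1)
            addrs.setdefault(cur, set())
        elif cur and (m := INET_RE.match(line)):
            addrs[cur].add(m.group(1))
    return addrs

def missing_aliases(pf_conf, ifconfig_out):
    # Translation addresses that no inet alias on their nat interface will answer for.
    have = parse_ifconfig(ifconfig_out)
    return sorted({a for iface, a in parse_pf_nat(pf_conf) if a not in have.get(iface, set())})
```

Run against the live box with `missing_aliases(open("/etc/pf.conf").read(), subprocess.check_output(["ifconfig", "-a"], text=True))`; an empty list means every nat target has an alias.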



More information about the freebsd-net mailing list