route-to and nat :-)

Mathieu Arnold mat at FreeBSD.org
Wed Mar 30 02:15:59 PST 2005


Hello,

I have my home network with 2 subnets:
PRIV : 192.168.1.0/24
PUB  : 193.30.224.120/29.
I have a dsl router, and a freebsd gw.

so, it could look like this:


  +-----+
  | DSL +-- internet
  +-----+
     | 192.168.1.1/24
     |
     |               +---------+
     +---------------| freebsd |
     |           dc0 +---------+
     |           192.168.1.3/24, 193.30.224.121/29
     |
     |
other boxes, some in PRIV, some others in PUB. Boxes in PRIV have
192.168.1.1 as their gateway, boxes in PUB have 193.30.224.121.

I have a tun0 on the freebsd box which brings me back the traffic for PUB.

my dsl router is nice enough to only nat the traffic from PRIV, and not for
PUB, so packets coming from PRIV and going out are natted, the others are not;
it works because the packets come back through tun0.

the default gw is on tun0.

Now, I have this:
int_if="dc0"
int_gw="192.168.1.1"
int_addr="192.168.1.3"
ext_if="tun0"

pub="193.30.224.120/29"
priv="192.168.1.0/24"

no nat on $int_if from any to { $pub, $priv }
no nat on $int_if from { $priv } to any
nat on $int_if from any to any -> $int_addr

works nicely; if I:
route add xx.xx.xx.xx 192.168.1.1
the packets get out on dc0 and are natted nicely, and it works.

but, but, I wanted to do some finer-grained routing, so I tried:
pass in quick on $int_if route-to ($int_if $int_gw) proto tcp from $pub to any port 25

The packets are going out via dc0 like I want, but they don't seem to go
through nat.

I also tried:
pass out quick on $ext_if route-to ($int_if $int_gw) proto tcp from $pub to any port 25

The packets are taken out nicely to dc0, are natted, but something strange
happens when they come back, and the originating box never sees the packets.

here is what is seen on the remote smtp server:

12:06:00.738633 i01v-41-206.d4.club-internet.fr.61540 >
plouf.absolight.net.smtp: S 1477496869:1477496869(0) win 64240 <mss
1402,nop,nop,sackOK> (DF)
12:06:00.738678 plouf.absolight.net.smtp >
i01v-41-206.d4.club-internet.fr.61540: S 817947484:817947484(0) ack
1477496870 win 57344 <mss 1460> (DF)
12:06:03.736622 plouf.absolight.net.smtp >
i01v-41-206.d4.club-internet.fr.61540: S 817947484:817947484(0) ack
1477496870 win 57344 <mss 1460> (DF)
12:06:09.736298 plouf.absolight.net.smtp >
i01v-41-206.d4.club-internet.fr.61540: S 817947484:817947484(0) ack
1477496870 win 57344 <mss 1460> (DF)
12:06:21.735650 plouf.absolight.net.smtp >
i01v-41-206.d4.club-internet.fr.61540: S 817947484:817947484(0) ack
1477496870 win 57344 <mss 1460> (DF)

here is what's seen on my freebsd gw:
12:06:00.662626 IP pouet.in.mat.cc.4643 > plouf.absolight.net.smtp: S
1477496869:1477496869(0) win 64240 <mss 1460,nop,nop,sackOK>
12:06:00.663018 IP 192.168.1.3.58512 > plouf.absolight.net.smtp: S
1477496869:1477496869(0) win 64240 <mss 1460,nop,nop,sackOK>
12:06:00.693868 IP plouf.absolight.net.smtp > 192.168.1.3.58512: S
817947484:817947484(0) ack 1477496870 win 57344 <mss 1402>
12:06:00.694097 IP plouf.absolight.net.smtp > pouet.in.mat.cc.4643: S
817947484:817947484(0) ack 1477496870 win 57344 <mss 1402>
12:06:00.694274 IP pouet.in.mat.cc.4643 > plouf.absolight.net.smtp: . ack 1
win 64492
12:06:03.691499 IP plouf.absolight.net.smtp > 192.168.1.3.58512: S
817947484:817947484(0) ack 1477496870 win 57344 <mss 1402>
12:06:03.691771 IP plouf.absolight.net.smtp > pouet.in.mat.cc.4643: S
817947484:817947484(0) ack 1477496870 win 57344 <mss 1402>
12:06:03.694103 IP pouet.in.mat.cc.4643 > plouf.absolight.net.smtp: . ack 1
win 64492
12:06:09.718270 IP plouf.absolight.net.smtp > 192.168.1.3.58512: S
817947484:817947484(0) ack 1477496870 win 57344 <mss 1402>
12:06:09.718987 IP plouf.absolight.net.smtp > pouet.in.mat.cc.4643: S
817947484:817947484(0) ack 1477496870 win 57344 <mss 1402>
12:06:09.719179 IP pouet.in.mat.cc.4643 > plouf.absolight.net.smtp: . ack 1
win 64492
12:06:21.135016 IP pouet.in.mat.cc.4643 > plouf.absolight.net.smtp: F
1:1(0) ack 1 win 64492
12:06:21.690741 IP plouf.absolight.net.smtp > 192.168.1.3.58512: S
817947484:817947484(0) ack 1477496870 win 57344 <mss 1402>
12:06:21.690955 IP plouf.absolight.net.smtp > pouet.in.mat.cc.4643: S
817947484:817947484(0) ack 1477496870 win 57344 <mss 1402>
12:06:21.691106 IP pouet.in.mat.cc.4643 > plouf.absolight.net.smtp: . ack 1
win 64492

If someone understands what this is all about, I'd be glad to know :-)

-- 
Mathieu Arnold
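
An added example (not from the post or from pf) for reading the two captures quoted above: it re-joins the mail-wrapped tcpdump records, then reports, per server-to-client flow, how many SYN-ACKs were sent and whether the client's handshake-completing ACK was seen on the same wire. The embedded sample is an abridged copy of the gateway capture from the post; the parser assumes only the tcpdump text format shown there.

```python
import re
from collections import defaultdict

# Abridged copy of the gateway-side tcpdump output quoted in the post above.
GW_CAPTURE = """\
12:06:00.662626 IP pouet.in.mat.cc.4643 > plouf.absolight.net.smtp: S
1477496869:1477496869(0) win 64240 <mss 1460,nop,nop,sackOK>
12:06:00.663018 IP 192.168.1.3.58512 > plouf.absolight.net.smtp: S
1477496869:1477496869(0) win 64240 <mss 1460,nop,nop,sackOK>
12:06:00.693868 IP plouf.absolight.net.smtp > 192.168.1.3.58512: S
817947484:817947484(0) ack 1477496870 win 57344 <mss 1402>
12:06:00.694097 IP plouf.absolight.net.smtp > pouet.in.mat.cc.4643: S
817947484:817947484(0) ack 1477496870 win 57344 <mss 1402>
12:06:00.694274 IP pouet.in.mat.cc.4643 > plouf.absolight.net.smtp: . ack 1
win 64492
12:06:03.691499 IP plouf.absolight.net.smtp > 192.168.1.3.58512: S
817947484:817947484(0) ack 1477496870 win 57344 <mss 1402>
12:06:03.691771 IP plouf.absolight.net.smtp > pouet.in.mat.cc.4643: S
817947484:817947484(0) ack 1477496870 win 57344 <mss 1402>
"""

TS_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")          # start of a tcpdump record
PKT_RE = re.compile(r"^\S+ (?:IP )?(\S+) > (\S+): (\S+)(.*)$")  # src > dst: flags rest

def records(text):
    """Re-join tcpdump records that the mail client wrapped onto two lines."""
    buf = []
    for line in text.splitlines():
        if TS_RE.match(line) and buf:
            yield " ".join(buf)
            buf = []
        buf.append(line.strip())
    if buf:
        yield " ".join(buf)

def analyze(text):
    """Per (src, dst) sending SYN-ACKs: count them and note if the peer's ACK was seen."""
    synacks = defaultdict(int)
    acks = set()
    for rec in records(text):
        m = PKT_RE.match(rec)
        if not m:
            continue
        src, dst, flags, rest = m.groups()
        if flags == "S" and " ack " in rest:      # SYN-ACK from the server
            synacks[(src, dst)] += 1
        elif flags == "." and " ack " in rest:    # bare ACK, third step of the handshake
            acks.add((src, dst))
    return {(s, d): {"synack": n, "acked": (d, s) in acks}
            for (s, d), n in synacks.items()}
```

On the gateway capture this shows the inner host (pouet) acknowledging every SYN-ACK while no ACK ever appears from the translated address 192.168.1.3.58512, which is why the server keeps retransmitting.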

