Multicast over NAT

Jany sebosik at demax.sk
Tue Nov 15 14:35:06 PST 2005


Hello

in our network it is possible to watch TV and listen to radio over the net
(they are multicast). I've got a simple NAT on my FreeBSD 6 (pf.conf) box:

## PF config for my test box
#
## macros
ext_if = "fxp0"
int_if = "ex0"

## tables
table <lan_net>    const { 192.168.1.0/24 }

## packet normalization
scrub in all

## NAT
nat on $ext_if from $int_if:network to any -> $ext_if

# FTP workaround
rdr pass on $int_if proto tcp from any to !($ext_if) port 21 -> \
    127.0.0.1 port 8021

# DC++ redir -port 19670
rdr pass on $ext_if proto {tcp,udp} from any to 195.62.17.204 port 19670 \
    -> 192.168.1.2

# torrent to local LAN on port 41800:41810
rdr pass on $ext_if proto {tcp,udp} from any to $ext_if port 41800:41810 \
    -> 192.168.1.2 port 41800:*

## packet filtering
#######################################################################
## default blocking policy
block in log on $ext_if all

## antispoof-ing :)
antispoof quick for $int_if inet

## lo0 all traffic passing
pass on lo0 all

## allowing traffic to the LAN
pass on $int_if from any to any flags S/SA keep state

## allow traffic to remote hosts from $ext_if
pass out on $ext_if proto {tcp, udp} from $ext_if to any flags S/SA \
     modulate state
pass in log on $ext_if proto {tcp, udp} from any to $ext_if port {123, 53} \
     keep state flags S/SA

## allow DNS resolving from local to 195.62.17.204
pass out on $int_if proto {tcp, udp} from $int_if:network to $int_if \
     port 53 flags S/SA keep state
pass out on lo0 proto {tcp, udp} from $ext_if to $ext_if port 53 keep state

## allowing ICMP from internet, 8-echo 0-echoreply 3-destination unreachable
pass inet proto { icmp } icmp-type { 0, 3, 8 } keep state

## allowing torrent traffic
pass in on $ext_if proto {tcp,udp} from any to 195.62.17.204 port \
     { 6880 >< 6890, 40800 >< 40810, 41800 >< 41810 } flags S/SA keep state

## allow DC++ traffic
pass in on $ext_if proto { tcp, udp } from any to 195.62.17.204 port 19670 \
     flags S/SA keep state

## allow accessing FTP server from internet
pass in log on $ext_if proto { tcp, udp } from any to 195.62.17.204 port 21 \
     flags S/SA keep state
pass in log on $ext_if proto { tcp, udp } from any to 195.62.17.204 port >= 49152 \
     flags S/SA keep state

## FTP from local net
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) \
     user proxy flags S/SA keep state


I found that I need to allow packets with allow-opts (IGMP), which I
also tried, but it doesn't help... If I try to fetch a playlist in VLC
via SAP announcements, it sends some IGMP packets to $int_if, but they won't
pass out on $ext_if. Is it possible to configure Packet Filter to support
multicast traffic?
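The rules below are an added example, not part of the original post or its pf.conf. pf on its own cannot do what the question asks for: IGMP membership reports are link-local (TTL 1) and no router forwards them, so the behaviour described above (reports arriving on $int_if and never leaving on $ext_if) is expected. What has to cross the box is the group membership itself, re-issued upstream from the box's own address by a multicast routing daemon or IGMP proxy. That daemon is an assumption of this example (net/igmpproxy or net/mrouted from ports, with multicast forwarding enabled in the kernel via `options MROUTING` or the ip_mroute module). Once it runs, pf only has to (a) keep multicast destinations out of NAT, (b) pass IGMP with allow-opts on both interfaces, because IGMP carries the IP Router Alert option and pf drops packets with IP options unless a rule says allow-opts, and (c) pass the UDP streams in on the outside and out on the inside. The SAP group and port (224.2.127.254, UDP 9875) are the RFC 2974 defaults that VLC's SAP playlist discovery listens on; the interface macros repeat the poster's values.

```pf
## Multicast additions (added example; assumes an IGMP proxy or mrouted
## is running on this box, since pf cannot relay IGMP joins by itself)
ext_if    = "fxp0"            # same values as the original pf.conf; drop
int_if    = "ex0"             # these two lines when appending to it
mcast_net = "224.0.0.0/4"

## NAT: multicast destinations are never rewritten. Translation rules are
## first-match, so this must be listed before the existing "nat on $ext_if"
## rule or it has no effect.
no nat on $ext_if from $int_if:network to $mcast_net

## IGMP carries the IP Router Alert option, so these rules need allow-opts.
## Keep allow-opts on "proto igmp" only: on a general pass rule it would
## also admit source-routed and other option-bearing packets. IGMP has no
## reply traffic to track, so no "keep state". Reports from LAN hosts only
## have to reach this box; the daemon re-issues them upstream from the
## $ext_if address, which is what the "pass out on $ext_if" rule covers.
pass in  quick on $int_if proto igmp from $int_if:network to $mcast_net allow-opts
pass out quick on $int_if proto igmp from ($int_if) to $mcast_net allow-opts
pass in  quick on $ext_if proto igmp from any to $mcast_net allow-opts
pass out quick on $ext_if proto igmp from ($ext_if) to $mcast_net allow-opts

## The streams themselves are UDP to a group address: in on the outside,
## out on the inside. This also covers the SAP announcements VLC needs
## (224.2.127.254 udp 9875). "from any" is the weakest part of this block:
## if the provider's source network is known, put it in place of "any" so
## that only that segment can inject traffic into the groups.
pass in  quick on $ext_if proto udp from any to $mcast_net
pass out quick on $int_if proto udp from any to $mcast_net
```

Check the merged file with `pfctl -nf /etc/pf.conf` (parse only) before loading it, then watch `tcpdump -ni fxp0 'igmp or dst net 224.0.0.0/4'` while a LAN host joins a group: the box's own membership report should leave on fxp0 and the group traffic should come back on it. `netstat -g` shows the kernel's multicast forwarding table once the daemon is active; if it is empty, the problem is the daemon or the kernel option, not pf.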


More information about the freebsd-pf mailing list