Basic NAT server setup

Joe Moog joemoog at ebureau.com
Thu May 30 23:00:12 UTC 2013


I'm building a server to handle outbound NAT to the internet using FreeBSD 9.1 and its built-in distribution of pf. What I want to be able to do is NAT three unique internal (private) VLANs to three unique public IPs. Our current setup utilizes a single external IP address for all three internal networks and seems to work well when our internal hosts use the BSD box as their gateway. pf.conf is as follows:

ext_if = "vlan11"
ext_addr = "a.b.c.2"
int_network1 = "10.0.1.0/24"
int_network2 = "172.16.1.0/24"
int_network3 = "192.168.1.0/24"
nat on $ext_if from $int_network1 to any -> $ext_addr
nat on $ext_if from $int_network2 to any -> $ext_addr
nat on $ext_if from $int_network3 to any -> $ext_addr

However, when we introduce two additional external IPs the system fails to establish external connections. pf.conf again:

ext_if = "vlan11"
ext_addr1 = "a.b.c.3"
ext_addr2 = "a.b.c.4"
ext_addr3 = "a.b.c.5"
int_network1 = "10.0.1.0/24"
int_network2 = "172.16.1.0/24"
int_network3 = "192.168.1.0/24"
nat on $ext_if from $int_network1 to any -> $ext_addr1
nat on $ext_if from $int_network2 to any -> $ext_addr2
nat on $ext_if from $int_network3 to any -> $ext_addr3

On our border router we have a route to send all traffic belonging to the a.b.c.0/24 network to the public side of the NAT host, and as mentioned before, single-IP NAT works fine. "pfctl -s nat" indicates that the host knows how to translate the connections, but the connections somehow do not succeed. We are not leveraging the packet filtering capabilities of pf at this time -- all we need the host to do right now is NAT.

I might also note that on the host we have a dot1q trunk carrying our three internal VLANs to the host, and we are routing all private traffic through another dedicated private VLAN. Default gateway on the NAT host is the router address for its public-facing IP. I realize some of this may be more specific to pf, but since there are (obviously) many moving parts here I thought it best to start with the freebsd-net list and see if I can get some direction.

Thank you

Joe
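One check worth running before touching the ruleset: every address a pf nat rule translates to must be an address the NAT host itself owns on the external interface, otherwise it cannot answer for the return traffic arriving at that address. The script below is an added example, not part of the post and not FreeBSD or pf project code. It parses the macro and nat lines of a pf.conf in the form used above, expands the $macros, parses ifconfig output into per-interface inet addresses, and reports every nat target that is absent from the rule's interface. The pf.conf text and the ifconfig output are constructed; 203.0.113.0/24 stands in for the post's a.b.c.0/24 placeholder, and the ifconfig output deliberately shows only 203.0.113.2 configured on vlan11, the situation the three-address ruleset would run into if the extra addresses were never added to the interface.

```python
"""Check that every pf nat translation address is configured on the rule's
interface.  Added example; the pf.conf and ifconfig text are constructed."""
import re

# Constructed: the three-address ruleset from the post, with 203.0.113.0/24
# standing in for a.b.c.0/24.
PF_CONF_THREE = """\
ext_if = "vlan11"
ext_addr1 = "203.0.113.3"
ext_addr2 = "203.0.113.4"
ext_addr3 = "203.0.113.5"
int_network1 = "10.0.1.0/24"
int_network2 = "172.16.1.0/24"
int_network3 = "192.168.1.0/24"
nat on $ext_if from $int_network1 to any -> $ext_addr1
nat on $ext_if from $int_network2 to any -> $ext_addr2
nat on $ext_if from $int_network3 to any -> $ext_addr3
"""

# Constructed: the working single-address ruleset from the post.
PF_CONF_SINGLE = """\
ext_if = "vlan11"
ext_addr = "203.0.113.2"
int_network1 = "10.0.1.0/24"
nat on $ext_if from $int_network1 to any -> $ext_addr
"""

# Constructed `ifconfig` output: only the primary address is on vlan11.
IFCONFIG_OUT = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
\tinet 127.0.0.1 netmask 0xff000000
vlan11: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:00:5e:00:53:01
\tinet 203.0.113.2 netmask 0xffffff00 broadcast 203.0.113.255
\tvlan: 11 parent interface: em0
"""

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\s]+)"?')
NAT_RE = re.compile(r'^\s*nat\s+on\s+(\S+)\s+from\s+(\S+)\s+to\s+(\S+)\s+->\s+(\S+)')
IFACE_RE = re.compile(r'^(\w+):\s+flags=')
INET_RE = re.compile(r'^\s+inet\s+(\d+\.\d+\.\d+\.\d+)')


def parse_macros(conf):
    """Collect `name = "value"` macro definitions from a pf.conf text."""
    macros = {}
    for line in conf.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def expand(token, macros):
    """Resolve a $macro reference; macro values may themselves be $macros."""
    seen = set()
    while token.startswith("$"):
        name = token[1:]
        if name in seen or name not in macros:
            raise ValueError(f"undefined or cyclic macro: {token}")
        seen.add(name)
        token = macros[name]
    return token


def parse_nat_rules(conf):
    """Return nat rules as dicts with iface, src, dst and target expanded."""
    macros = parse_macros(conf)
    rules = []
    for line in conf.splitlines():
        m = NAT_RE.match(line)
        if m:
            iface, src, dst, target = (expand(t, macros) for t in m.groups())
            rules.append({"iface": iface, "src": src, "dst": dst, "target": target})
    return rules


def parse_inet_addrs(ifconfig_out):
    """Map each interface name in ifconfig output to its set of IPv4 addresses."""
    addrs, iface = {}, None
    for line in ifconfig_out.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            addrs.setdefault(iface, set())
            continue
        m = INET_RE.match(line)
        if m and iface:
            addrs[iface].add(m.group(1))
    return addrs


def missing_nat_targets(conf, ifconfig_out):
    """List (iface, target, src) for nat targets not configured on the iface."""
    addrs = parse_inet_addrs(ifconfig_out)
    return [(r["iface"], r["target"], r["src"])
            for r in parse_nat_rules(conf)
            if r["target"] not in addrs.get(r["iface"], set())]


if __name__ == "__main__":
    for label, conf in (("single", PF_CONF_SINGLE), ("three", PF_CONF_THREE)):
        missing = missing_nat_targets(conf, IFCONFIG_OUT)
        print(f"{label}: {'ok' if not missing else 'nat targets not on interface'}")
        for iface, target, src in missing:
            print(f"  {target} (used for {src}) is not configured on {iface}")
```

Run against real files with `pfctl -s nat` output or the pf.conf itself and `ifconfig` output on the NAT host. A target flagged here means the box is being told to rewrite sources to an address it does not own; on FreeBSD the extra addresses are normally added as aliases on the external interface (`ifconfig vlan11 alias ...`, or an `ifconfig_vlan11_aliasN` line in rc.conf) so the host answers ARP for them and accepts the replies. The check is necessary but not sufficient: routing on the border router and `net.inet.ip.forwarding` on the host still have to be right for the translated connections to complete.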

