NAT Loopback

Cédric Jonas cedric at
Tue Nov 2 05:53:33 PST 2004

Hi freebsd-pf,

  Since 5 days, I try to install PF on my Server, to replace my old
  hardware router... Until now, everything was ok, better als the old
  router - BUT, what I miss is the NAT Loopback functionnality (so
  that IP packets which comes from the LAN and are destined to my WAN
  IP, leaves effectively the WAN interface and come back through the
  WAN interface => the packet is subjected to the filter rulesets for
  incoming packets on my WAN interface = NAT Loopback)
  I found this in the OpenBSD PF FAQ:, but it isn't what I
  search, because the packets don't leave and reentry the WAN

  So I try following: I blocked incoming Telnet connections on my WAN
  interface, and start a telnet to my WAN IP from a host on my LAN,
  telnet was successfull... so that isn't what I want.
  After a tcpdump on my 2 WAN and LAN interface (fxp0 and tun0 on the FreeBSD
  router), I noted that the server accepts already the telnet
  connection at fxp0, so I can see an incoming packet to my WAN IP,
  but nothing more, because it's already accepted here. Why? After
  some researchs, I found out that the TCP/IP stack on the router
  compares the destination address with his own interfaces and aliases
  - if one agrees, he accept the connection.
  Next test: with the same ruleset, I start a telnet on my WAN IP from
  the router, here the connection was blocked, and thanks tcpdump I
  see that the IP packet leaves tun0, come back - and was successfully
  blocked (packet had the WAN IP as source AND destination address).

  So, in conclusion, I try a nat rule on fxp0, the LAN interface:
  nat on fxp0 inet from fxp0:network to (tun0) -> (tun0)
  So that incoming connection on this interface, out the LAN, get the
  WAN IP was source address... but one more time, telnet from the LAN
  was successfull, the packet doesn't leave tun0, and was already
  accepted on fxp0.

  I don't know if it's really possible to realize NAT Loopback with
  PF, if yes, do you have experience with it?
  Or is it possible to oblige FreeBSD/PF to only accept connections
  with the same destination address as the IP address from the
  interface where the packet comes in (so that a comparison with every
  interface IP does not take place)?

  In resume, that's what I want:

  000509 rule 2/0(match): pass out on tun0: IP > S 1094509118:1094509118(0) win 65535 <mss 1452,nop,nop,sackOK,nop,wscale 1,nop,nop,timestamp 13450428 0>
  000249 rule 0/0(match): block in on tun0: IP > S 1094509118:1094509118(0) win 65535 <mss 1452,nop,nop,sackOK,nop,wscale 1,nop,nop,timestamp 13450428 0>
  That's from a tcpdump after a telnet connection to my WAN IP from
  the router... but in case of a telnet from a LAN host to the WAN IP,
  the only thing I was able to log was:
  555257 rule 5/0(match): pass in on fxp0: IP > S 377131760:377131760(0) win 16384 <mss 1460,nop,nop,sackOK>
  ... and the connection was accepted here - I wish to have the same
  "effect" here as above... a NAT Loopback.

  I hope that one will be able to help me here (and that I described
  it understandably), it's my last
  possibility I think.

  Sorry for my bad englisch, but I do what I can ;-)

Best regards,
 Cédric Jonas                       Courriel : cedric at

Post-Joint : <none>.

More information about the freebsd-pf mailing list