FreeBSD 6.2-STABLE + PF + BINAT problem

Антон Дергачев a.v.dergatcheff at
Mon Oct 1 06:52:05 PDT 2007

Good time of day!

I have two servers with FreeBSD 6.2-STABLE on them, both with pf compiled in.
The first one works fine. It has 5 ISPs registered in world IP
addresses and serves a small LAN with some WEB and FTP servers.
The second one doesn't work at all.
It has over 100 ISP IPs and a list of binat rules in the config. I don't know
what to do, but this pf.conf has worked fine under OpenBSD 3.9 for a year!
pfctl -xm && pfctl -si and reading /var/log/messages doesn't clear the
options gateway_enable="YES" in rc.conf presents.

# cat /etc/pf.conf
set timeout { interval 30, frag 90 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 120, udp.single 60, udp.multiple 120 }
set timeout { icmp.first 80, icmp.error 40 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 1000000, frags 1000000, src-nodes 1000000 }
set loginterface none
set optimization conservative
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

scrub in all fragment reassemble min-ttl 15 max-mss 2500
scrub all reassemble tcp

altq on $ext_if cbq bandwidth 5.0Mb queue { cli }
queue cli bandwidth 4.0Mb { adsl_ext }
queue adsl_ext bandwidth 100% cbq(default red)

altq on $cli_if cbq bandwidth 5.0Mb queue { adsl_int }
queue adsl_int bandwidth 4.0Mb priority 5 cbq(default red)

binat on $ext_if from to any -> a.b.c.1
<... and so on for over 100 IPs....>
nat on $ext_if from em1:network to any -> { z.x.y.1, z.x.y.2, z.x.y.3 } round-robin sticky-address

table <badhosts> persist
block quick on $ext_if from <badhosts> to any

pass out on $ext_if from $adsl_net to any queue adsl_ext

pass out on $cli_if from any to $adsl_net queue adsl_int

As you see, only one rule for filtering, and two rules for shaper.

Where is my error?

Sincerely yours,
Anthony V.
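A first check a reader of this post would want, before comparing pf builds, is whether the configuration that reached the second server still references every macro it uses and whether any translation rule lost its source address (the posted `binat` line reads `from to any`, and `$ext_if`, `$cli_if` and `$adsl_net` appear without definitions in the quoted excerpt). The following Python script is an added example, not the poster's code or part of pf itself: it lints a pf.conf text for macros used before they are defined and for `binat`/`nat`/`rdr` rules with an empty `from` address. The sample config is constructed to mirror the shape of the posted file; a real file is still validated with `pfctl -nf /etc/pf.conf`, which parses without loading.

```python
import re

# Constructed sample modelled on the posted config; not the poster's actual file.
SAMPLE_PF_CONF = """\
ext_if = "em0"
set block-policy drop
altq on $ext_if cbq bandwidth 5.0Mb queue { cli }
altq on $cli_if cbq bandwidth 5.0Mb queue { adsl_int }
binat on $ext_if from to any -> a.b.c.1
binat on $ext_if from 192.0.2.10 to any -> 198.51.100.10
nat on $ext_if from em1:network to any -> { z.x.y.1, z.x.y.2 }
pass out on $ext_if from $adsl_net to any queue adsl_ext
"""

# name = value   (pf macro definition; value is quoted or a single token)
MACRO_DEF = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(".*?"|\S+)\s*$')
# $name         (pf macro reference)
MACRO_REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')
# translation rule whose "from" is immediately followed by "to": the address is gone
EMPTY_FROM = re.compile(r'^\s*(binat|nat|rdr)\b.*\bfrom\s+to\b')


def strip_comment(line):
    """Drop a trailing '#' comment; pf.conf comments run to end of line."""
    return line.split("#", 1)[0]


def lint_pf_conf(text):
    """Return a list of (line_number, message) findings for a pf.conf text.

    pf resolves macros at parse time, so a macro must be defined on an
    earlier line than its first use; references are checked before the
    current line's own definition is recorded.
    """
    defined = set()
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if not line.strip():
            continue
        for ref in MACRO_REF.findall(line):
            if ref not in defined:
                findings.append((lineno, f"undefined macro ${ref}"))
        m = MACRO_DEF.match(line)
        if m:
            defined.add(m.group(1))
            continue  # a definition line is not a rule
        if EMPTY_FROM.search(line):
            findings.append((lineno, "binat/nat rule with empty 'from' address"))
    return findings


def lint_file(path):
    """Lint a pf.conf on disk and return its findings."""
    with open(path, encoding="utf-8") as fh:
        return lint_pf_conf(fh.read())


if __name__ == "__main__":
    for lineno, msg in lint_pf_conf(SAMPLE_PF_CONF):
        print(f"line {lineno}: {msg}")
```

Run as is, the script reports the three defects planted in the sample: `$cli_if` and `$adsl_net` used without a definition, and the `binat` line whose source address is missing. Either class of defect makes `pfctl` reject the whole ruleset, which leaves the box without NAT at all; the lint only narrows the search, and `pfctl -nf` on the real file is the authoritative answer.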