Complicated NAT setup

Paul Webster paul.g.webster at googlemail.com
Wed Apr 5 02:18:03 UTC 2017


Hey all, I am having trouble with freebsd/pf and the attached config

my main issue is with the second nat; 'nat on $int_if from any to
($josh_if) -> $josh_xbox'

it seems to work for TCP inbound but not for UDP or ICMP. I cannot see the
reason why; perhaps a binat rule would be better, but I could never get it
quite working (in either direction).

# Macros
ext_if=igb0
int_if=igb1
localnet = "{ 172.31.33.2/32, ... lots of ips }"

josh_xbox="172.31.33.254"
josh_if="gre0"
josh_gateway="10.0.0.2"
josh_vpnhost="185.157.232.30"

tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s, 5901 }"
udp_services = "{ domain }"

# Global rules
set skip on lo0
scrub in all

# NAT and redirection
nat on $ext_if from $localnet to any -> ($ext_if)

# xBox redirection
nat on $josh_if from $josh_xbox to any -> ($josh_if)
nat on $int_if from any to ($josh_if) -> $josh_xbox

rdr-anchor "miniupnpd"

# Tables and sets
table <bruteforce> persist
table <blocked> persist

# Filtering rules (Quick first)

# Release GRE and QUICK release the protocol
pass in quick on $ext_if inet proto 47 from $josh_vpnhost to any no state flags any
pass out quick on $ext_if inet proto 47 from any to $josh_vpnhost no state flags any

# SSH, DNS, DHCP
block quick on $ext_if proto udp from any to any port 67
pass in quick on $int_if proto tcp from 172.31.33.1/24 to 172.31.33.1/32 port 22
pass in quick on $int_if proto {tcp,udp} from 172.31.33.1/24 to 172.31.33.1/32 port 53
pass in quick on $int_if proto udp from any to 172.31.33.1/32 port 63   # note: a DHCP server listens on udp/67, not 63

# Pass out/in the xbox traffic (THIS MUST GO AFTER THE DNS RULES)
pass in quick on $int_if from $josh_xbox rtable 1   # Swap packets from the xbox to fib1 routing table
pass in quick on $josh_if rtable 0
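An added illustration, not part of the original post, of the binat form the author mentions, written with the post's own macros. It assumes the intent is a symmetric 1:1 mapping between the xbox and gre0's local tunnel address, and that the existing stateful pass rules admit the translated traffic:

```pf
# Added example, not the poster's config: the two "xBox redirection" rules
# expressed as a single binat rule.  In pf, "nat" rewrites only the SOURCE
# of packets leaving an interface and "rdr" only the DESTINATION of packets
# entering one; "binat" installs one 1:1 mapping that covers both directions,
# so it replaces both of the original nat rules.  Macros are from the post.
josh_xbox="172.31.33.254"
josh_if="gre0"
int_if=igb1

# Outbound on gre0: src 172.31.33.254 -> gre0's local address.
# Inbound  on gre0: dst gre0's local address -> 172.31.33.254.
# The parentheses make pf re-resolve the address if gre0 renumbers.
binat on $josh_if from $josh_xbox to any -> ($josh_if)

# Translation alone passes nothing; the filter rules from the post still
# have to admit the traffic in each direction (shown here unchanged).
pass in quick on $int_if from $josh_xbox rtable 1   # xbox -> fib1 (tunnel)
pass in quick on $josh_if rtable 0                  # tunnel -> main fib
```

Check the loaded mapping with `pfctl -s nat` and the resulting entries with `pfctl -s state`; a UDP or ICMP flow that is translated will show up there with the gre0 address on the tunnel side.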


More information about the freebsd-pf mailing list