NAT possible with single interface box?

Rick van der Zwet info at rickvanderzwet.nl
Mon Mar 12 22:50:51 UTC 2018


On 2018-03-12 15:32, Ultima wrote:
> Please provide netstat -nr. If you have more in pf.conf, please provide 
> this too.

Thanks for the suggestion, it made me think again.

I recreated the setup with different network settings for easier
testing:
  - em0 instead of sis0
  - 192.168.178.181/24 instead of 192.168.1.10/24
  - gateway 192.168.178.1 instead of 192.168.1.1


root at vbsd11:~ # uname -a
FreeBSD vbsd11.vanderzwet.net 11.0-RELEASE-p9 FreeBSD 11.0-RELEASE-p9 #0: Tue Apr 11 08:42:58 UTC 2017     root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386


root at vbsd11:~ # netstat -nr -f inet
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.178.1      UGS         em0
127.0.0.1          link#2             UH          lo0
172.16.0.0/24      link#1             U           em0
172.16.0.1         link#1             UHS         lo0
192.168.178.0/24   link#1             U           em0
192.168.178.181    link#1             UHS         lo0


root at vbsd11:~ # cat /etc/pf.conf
nat on em0 inet from 172.16.0.0/24 to !172.16.0.0/24 -> 192.168.178.181


root at vbsd11:~ # cat /etc/rc.conf
hostname="vbsd11.vanderzwet.net"
sshd_enable="YES"
ntpd_enable="YES"

ifconfig_em0="192.168.178.181/24"
ifconfig_em0_alias0="172.16.0.1/24"

defaultrouter="192.168.178.1"
gateway_enable="YES"

pf_enable="YES"
pf_rules="/etc/pf.conf"


Looking at tcpdump on the router I now see packets being translated:
root at vbsd11:~ # tcpdump -ni em0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes
00:11:25.758323 IP 172.16.0.10 > 192.168.178.1: ICMP echo request, id 6976, seq 96, length 64
00:11:25.758435 IP 192.168.178.181 > 192.168.178.1: ICMP echo request, id 57418, seq 96, length 64
00:11:25.758880 IP 192.168.178.1 > 192.168.178.181: ICMP echo reply, id 57418, seq 96, length 64
00:11:25.758950 IP 192.168.178.1 > 172.16.0.10: ICMP echo reply, id 6976, seq 96, length 64


In hindsight, the simplified example was actually working; the
problem was caused by blocking firewall rules further down the script.

Best regards,
-Rick
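The cause Rick identifies, filter rules further down the file blocking the forwarded traffic, is the classic pf ordering trap: filter rules are evaluated last-match-wins unless a rule carries "quick", so a "block" placed after the "pass" rules silently overrides them. Below is an added example of a complete pf.conf for this single-interface NAT box; it is not the original poster's configuration. The addresses and interface name are taken from the post above; the macro names, the "set skip on lo0" line, the SSH admin rule and the choice of which hosts may use the NAT are this example's assumptions.

```pf
# Added example, not the configuration from the mailing-list post.
# Addresses and interface match the post; macro names are assumptions.
ext_if  = "em0"                 # the only physical interface
int_net = "172.16.0.0/24"       # alias subnet the clients live in
nat_ip  = "192.168.178.181"     # primary address, used as the NAT source

# Loopback traffic never needs filtering or translation.
set skip on lo0

# Translation is applied before filtering, so the "pass out" rules further
# down see the already-translated source address ($nat_ip), not 172.16.0.x.
nat on $ext_if inet from $int_net to !$int_net -> $nat_ip

# Default deny FIRST. pf is last-match-wins (without "quick"), so a
# "block all" placed after the pass rules would win and drop the forwarded
# packets even though the NAT rule shows them as translated in tcpdump.
block log all

# Traffic originated by the router itself (ntpd, pkg, etc.).
pass out on $ext_if inet from $nat_ip keep state

# Admin SSH to the router from either directly connected subnet.
# Assumption: only these two subnets should ever reach sshd.
pass in on $ext_if inet proto tcp \
    from { $int_net, 192.168.178.0/24 } to $nat_ip port 22 keep state

# Forwarded client traffic. On a single-interface box the packet arrives on
# em0 from 172.16.0.x and, after NAT, leaves on em0 again as $nat_ip, so
# both directions have to be passed on the same interface.
pass in  on $ext_if inet from $int_net to !$int_net keep state
pass out on $ext_if inet from $nat_ip  to !$int_net keep state
```

To check a ruleset like this without loading it, run "pfctl -nf /etc/pf.conf" (parse only), then after loading compare "pfctl -sn" (translation rules) with "pfctl -vvsr" (filter rules with per-rule packet counters); a forwarded ping whose counter increments on the "block" rule rather than on the two forwarding "pass" rules is the ordering problem described above, and "pfctl -ss" will show no state entry for it. The "log" keyword on the block rule makes those drops visible on pflog0 ("tcpdump -ni pflog0"), which is the quickest way to tell a filter drop from a NAT problem on a single-interface box where tcpdump on em0 shows both the pre- and post-translation packets.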

