NAT possible with single interface box?

Paul Webster paul.g.webster at googlemail.com
Tue Mar 13 18:17:34 UTC 2018


Depending on what you need it for, an easy hack would be running an OpenVPN or
other VPN server; then you can just NAT out from that.

On 12 March 2018 at 22:50, Rick van der Zwet <info at rickvanderzwet.nl> wrote:

> On 2018-03-12 15:32, Ultima wrote:
>
>> Please provide netstat -nr. If you have more in pf.conf, please provide
>> this too.
>>
>
> Thanks for the suggestion, it made me think again.
>
> I recreated the setup with different network settings for easier
> testing:
>  - em0 instead of sis0
>  - 192.168.178.181/24 instead of 192.168.1.10/24
>  - gateway 192.168.178.1 instead of 192.168.1.1
>
>
> root at vbsd11:~ # uname -a
> FreeBSD vbsd11.vanderzwet.net 11.0-RELEASE-p9 FreeBSD 11.0-RELEASE-p9 #0:
> Tue Apr 11 08:42:58 UTC 2017     root at amd64-builder.daemonology.net:
> /usr/obj/usr/src/sys/GENERIC  i386
>
>
> root at vbsd11:~ # netstat -nr -f inet
> Routing tables
>
> Internet:
> Destination        Gateway            Flags     Netif Expire
> default            192.168.178.1      UGS         em0
> 127.0.0.1          link#2             UH          lo0
> 172.16.0.0/24      link#1             U           em0
> 172.16.0.1         link#1             UHS         lo0
> 192.168.178.0/24   link#1             U           em0
> 192.168.178.181    link#1             UHS         lo0
>
>
> root at vbsd11:~ # cat /etc/pf.conf
> nat on em0 inet from 172.16.0.0/24 to !172.16.0.0/24 -> 192.168.178.181
>
>
> root at vbsd11:~ # cat /etc/rc.conf
> hostname="vbsd11.vanderzwet.net"
> sshd_enable="YES"
> ntpd_enable="YES"
>
> ifconfig_em0="192.168.178.181/24"
> ifconfig_em0_alias0="172.16.0.1/24"
>
> defaultrouter="192.168.178.1"
> gateway_enable="YES"
>
> pf_enable="YES"
> pf_rules="/etc/pf.conf"
>
>
> Looking at tcpdump on the router, I now see packets being translated:
> root at vbsd11:~ # tcpdump -ni em0 icmp
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 00:11:25.758323 IP 172.16.0.10 > 192.168.178.1: ICMP echo request, id
> 6976, seq 96, length 64
> 00:11:25.758435 IP 192.168.178.181 > 192.168.178.1: ICMP echo request, id
> 57418, seq 96, length 64
> 00:11:25.758880 IP 192.168.178.1 > 192.168.178.181: ICMP echo reply, id
> 57418, seq 96, length 64
> 00:11:25.758950 IP 192.168.178.1 > 172.16.0.10: ICMP echo reply, id 6976,
> seq 96, length 64
>
>
> In hindsight, the simplified example was actually working; the
> problem was caused by blocking firewall rules further down the script.
>
> Best regards,
> -Rick
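The tcpdump capture in Rick's message is the real check for whether the nat rule is rewriting the source address. As an added example (not from the thread), here is a POSIX shell/awk helper that pairs each echo request from the internal net with its translated copy and with both replies by ICMP seq, run over a constructed sample in the format of that capture (one record per line; the mail client wrapped the originals). The internal prefix and NAT address are passed as arguments, so the same check works for other addressing.

```shell
#!/bin/sh
# Constructed sample, same format as the capture quoted in the thread.
SAMPLE='00:11:25.758323 IP 172.16.0.10 > 192.168.178.1: ICMP echo request, id 6976, seq 96, length 64
00:11:25.758435 IP 192.168.178.181 > 192.168.178.1: ICMP echo request, id 57418, seq 96, length 64
00:11:25.758880 IP 192.168.178.1 > 192.168.178.181: ICMP echo reply, id 57418, seq 96, length 64
00:11:25.758950 IP 192.168.178.1 > 172.16.0.10: ICMP echo reply, id 6976, seq 96, length 64'

# nat_check INTERNAL_PREFIX NAT_ADDR  < "tcpdump -ni em0 icmp" output
# Prints one status line per seq; returns 0 only when every internal
# request was translated and its reply came back and was untranslated.
nat_check() {
    prefix=$1; nat=$2
    awk -v p="$prefix" -v n="$nat" '
    function seqof(line) { sub(/.*seq /, "", line); sub(/,.*/, "", line); return line }
    /ICMP echo request/ {
        src = $3; s = seqof($0)
        if (index(src, p) == 1) inner[s] = 1   # request from an internal host
        else if (src == n)      outer[s] = 1   # same request after nat on em0
    }
    /ICMP echo reply/ {
        dst = $5; sub(/:$/, "", dst); s = seqof($0)
        if (dst == n)              rin[s] = 1   # reply arrived at the NAT address
        else if (index(dst, p) == 1) rout[s] = 1 # reply handed back to internal host
    }
    END {
        bad = 0
        for (s in inner) {
            if (!(s in outer))     st = "request-not-translated"
            else if (!(s in rin))  st = "no-reply"
            else if (!(s in rout)) st = "reply-not-untranslated"
            else                   st = "ok"
            print "seq " s ": " st
            if (st != "ok") bad = 1
        }
        exit bad
    }'
}

# Run the check on the constructed sample (expected: "seq 96: ok").
printf '%s\n' "$SAMPLE" | nat_check 172.16.0. 192.168.178.181
```

A request that never shows up translated points at the nat rule not matching or, as in this thread, at a block rule further down the ruleset; `pfctl -sn` and `pfctl -sr` show the loaded nat and filter rules in evaluation order.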

