NAT possible with single interface box?
Paul Webster
paul.g.webster at googlemail.com
Tue Mar 13 18:17:34 UTC 2018
Depending on what you need, an easy hack for it would be running an OpenVPN or
other VPN server; then you can just NAT out from that.
On 12 March 2018 at 22:50, Rick van der Zwet <info at rickvanderzwet.nl> wrote:
> On 2018-03-12 15:32, Ultima wrote:
>
>> Please provide netstat -nr. If you have more in pf.conf, please provide
>> this too.
>>
>
> Thanks for the suggestion, it made me think again.
>
> I recreated the setup with different network settings for easier
> testing:
> - em0 instead of sis0
> - 192.168.178.181/24 instead of 192.168.1.10/24
> - gateway 192.168.178.1 instead of 192.168.1.1
>
>
> root@vbsd11:~ # uname -a
> FreeBSD vbsd11.vanderzwet.net 11.0-RELEASE-p9 FreeBSD 11.0-RELEASE-p9 #0: Tue Apr 11 08:42:58 UTC 2017 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
>
>
> root@vbsd11:~ # netstat -nr -f inet
> Routing tables
>
> Internet:
> Destination        Gateway            Flags     Netif Expire
> default            192.168.178.1      UGS         em0
> 127.0.0.1          link#2             UH          lo0
> 172.16.0.0/24      link#1             U           em0
> 172.16.0.1         link#1             UHS         lo0
> 192.168.178.0/24   link#1             U           em0
> 192.168.178.181    link#1             UHS         lo0
>
>
> root@vbsd11:~ # cat /etc/pf.conf
> nat on em0 inet from 172.16.0.0/24 to !172.16.0.0/24 -> 192.168.178.181
>
>
> root@vbsd11:~ # cat /etc/rc.conf
> hostname="vbsd11.vanderzwet.net"
> sshd_enable="YES"
> ntpd_enable="YES"
>
> ifconfig_em0="192.168.178.181/24"
> ifconfig_em0_alias0="172.16.0.1/24"
>
> defaultrouter="192.168.178.1"
> gateway_enable="YES"
>
> pf_enable="YES"
> pf_rules="/etc/pf.conf"
>
>
> Looking at tcpdump of the router I now see packages being translated:
> root@vbsd11:~ # tcpdump -ni em0 icmp
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 00:11:25.758323 IP 172.16.0.10 > 192.168.178.1: ICMP echo request, id 6976, seq 96, length 64
> 00:11:25.758435 IP 192.168.178.181 > 192.168.178.1: ICMP echo request, id 57418, seq 96, length 64
> 00:11:25.758880 IP 192.168.178.1 > 192.168.178.181: ICMP echo reply, id 57418, seq 96, length 64
> 00:11:25.758950 IP 192.168.178.1 > 172.16.0.10: ICMP echo reply, id 6976, seq 96, length 64
>
>
> In hindsight, the simplified example was indeed working; the
> problem was caused by blocking firewall rules further down the script.
>
> Best regards,
> -Rick
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>
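
An added example, not part of the thread: a pf.conf in FreeBSD's pf syntax that combines the NAT rule from Rick's message with a default-deny filter set, the situation in which filter rules further down can silently break a working NAT rule. The macro names and every filter rule are assumptions, since the blocking rules Rick mentions are not shown on the page.

```pf
# Example pf.conf for single-interface NAT (added illustration, not Rick's file).
# Addresses are taken from the thread; macro names and filter rules are assumed.

ext_if  = "em0"                 # the only NIC; carries both subnets
int_net = "172.16.0.0/24"       # alias network being translated
nat_ip  = "192.168.178.181"     # primary address used as NAT source

set skip on lo0

# Translation rule as posted in the thread, written with macros.
nat on $ext_if inet from $int_net to ! $int_net -> $nat_ip

# Default deny. "log" sends every dropped packet to pflog0, so a rule that
# breaks the NAT path is visible with: tcpdump -n -e -ttt -i pflog0
block log all

# Management access to the box itself (assumed requirement).
pass in on $ext_if inet proto tcp from any to $nat_ip port 22 keep state

# Leg 1: the client's packet arrives on em0 with its original source.
pass in on $ext_if inet from $int_net to ! $int_net keep state

# Leg 2: the same packet leaves on em0 again. Translation happens before
# filtering, so the filter sees the NAT address here, not 172.16.0.0/24.
# A pass out rule written against $int_net never matches and the packet
# falls through to "block log all".
pass out on $ext_if inet from $nat_ip to any keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and use `pfctl -vsr` to see which rule's packet counters increase while a client behind the alias network sends traffic.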