pf NAT: Can't make anything else than ICMP work

Olivier Mauras olivier at mauras.ch
Wed Dec 20 08:48:59 UTC 2017


Hello,

I can't seem to make this very simple setup work. I have a VM that has 2 interfaces on two different subnets and want to route traffic between them.
- 10.60.0.0/24
- 192.168.0.0/24

The 10.60.x.x interface gives access to local services and internet.
192.168.x.x is a dedicated local subnet using this VM as its default gateway.

If that matters, 10.60.x.x interface is a lagg interface between two physical interfaces using KVM PCI passthrough while 192.168.x.x is a virtio interface.

gateway_enable is indeed set and I've added this very simple pf rule:
####
ext_if="lagg0"
nat log on $ext_if proto { tcp udp icmp } from !($ext_if) to any -> ($ext_if)
pass all 
####

This lets machines on the 192.168.0.0 subnet using this VM as a gateway ping any resources on 10.60.0.0 or the internet. Fine.
The problem is that no other protocol works. It seems like replies are never received correctly by the issuing machine.

This is the state table I get when issuing a DNS connection from a client (192.168.100.2) behind the GW to either the 10.60.60.150 or 8.8.8.8 DNS servers.
10.60.60.3 is my GW address on 10.60.0.0 subnet on lagg0 interface.
####
# pfctl -ss
all udp 10.60.60.150:53 <- 192.168.100.2:53372       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:62261 (192.168.100.2:53372) -> 10.60.60.150:53       SINGLE:NO_TRAFFIC
all udp 10.60.60.150:53 <- 192.168.100.2:28768       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:65271 (192.168.100.2:28768) -> 10.60.60.150:53       SINGLE:NO_TRAFFIC
all udp 8.8.8.8:53 <- 192.168.100.2:43155       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:50948 (192.168.100.2:43155) -> 8.8.8.8:53       SINGLE:NO_TRAFFIC
all udp 8.8.8.8:53 <- 192.168.100.2:47160       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:62818 (192.168.100.2:47160) -> 8.8.8.8:53       SINGLE:NO_TRAFFIC

I believe that I'm missing a very simple obvious thing but cannot point it out.

Thanks,
-O.
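As an added example (not code from the original post), here is a small parser that reads `pfctl -ss` lines like the ones in the table above, pairs the inbound state on the internal side with the outbound NAT state on lagg0 via the real client address shown in parentheses, and lists the flows for which no state on any interface ever saw a packet coming back. It assumes the FreeBSD pfctl state-line layout and the UDP peer-state names NO_TRAFFIC / SINGLE / MULTIPLE; the first eight sample lines are copied from the post, the last two are constructed to show what an answered flow looks like.

```python
"""Group `pfctl -ss` state lines into NAT'd flows and flag those that never got a reply.

Added example, not code from the original post.  Assumed pfctl line layout:
    <iface> <proto> <addr> [(<orig>)] <- <addr>    <peer>:<peer>
    <iface> <proto> <addr> [(<orig>)] -> <addr>    <peer>:<peer>
UDP peer states are NO_TRAFFIC / SINGLE / MULTIPLE (packets that peer has sent);
a TCP peer that has sent nothing shows as CLOSED.  A NAT'd flow appears twice:
inbound ("<-") on the internal side keyed on the client's real address, and
outbound ("->") on the external side with the real client address in parentheses.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<a>\S+)(?:\s+\((?P<a_orig>[^)]+)\))?\s+"
    r"(?P<dir><->|<-|->)\s+"
    r"(?P<b>\S+)(?:\s+\((?P<b_orig>[^)]+)\))?\s+"
    r"(?P<peers>\S+)$"
)

# Peer-state names meaning "this side has not sent anything yet".
SILENT = {"NO_TRAFFIC", "CLOSED"}

# First eight lines copied from the post; the last two are constructed to show
# a healthy, answered flow for contrast.
SAMPLE = """\
all udp 10.60.60.150:53 <- 192.168.100.2:53372       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:62261 (192.168.100.2:53372) -> 10.60.60.150:53       SINGLE:NO_TRAFFIC
all udp 10.60.60.150:53 <- 192.168.100.2:28768       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:65271 (192.168.100.2:28768) -> 10.60.60.150:53       SINGLE:NO_TRAFFIC
all udp 8.8.8.8:53 <- 192.168.100.2:43155       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:50948 (192.168.100.2:43155) -> 8.8.8.8:53       SINGLE:NO_TRAFFIC
all udp 8.8.8.8:53 <- 192.168.100.2:47160       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:62818 (192.168.100.2:47160) -> 8.8.8.8:53       SINGLE:NO_TRAFFIC
all udp 8.8.8.8:53 <- 192.168.100.2:40000       MULTIPLE:MULTIPLE
all udp 10.60.60.3:40000 (192.168.100.2:40000) -> 8.8.8.8:53       MULTIPLE:MULTIPLE
"""

FlowKey = Tuple[str, str, str]  # (proto, real client addr:port, server addr:port)


@dataclass
class PfState:
    iface: str
    proto: str
    direction: str
    client: str                 # real (pre-NAT) initiator address:port
    translated: Optional[str]   # source as it left the gateway after NAT, if any
    server: str
    peers: Tuple[str, str]      # the two peer states as printed, left:right

    @property
    def replied(self) -> bool:
        """True when both peers have sent at least one packet."""
        return not any(p in SILENT for p in self.peers)

    @property
    def key(self) -> FlowKey:
        return (self.proto, self.client, self.server)


def parse_state(line: str) -> Optional[PfState]:
    """Parse one pfctl -ss line; returns None for lines that do not match."""
    m = STATE_RE.match(line.strip())
    if not m or ":" not in m["peers"]:
        return None
    left, right = m["peers"].split(":", 1)
    if m["dir"] == "->":
        # Outbound: "<translated src> (<real src>) -> <server>"
        real = m["a_orig"] or m["a"]
        translated = m["a"] if m["a_orig"] else None
        return PfState(m["iface"], m["proto"], "->", real, translated, m["b"], (left, right))
    # Inbound: "<server> <- <client>" (rdr'd destinations are not modelled here)
    return PfState(m["iface"], m["proto"], m["dir"], m["b"], None, m["a"], (left, right))


def parse_states(text: str) -> List[PfState]:
    parsed = (parse_state(l) for l in text.splitlines() if l.strip())
    return [s for s in parsed if s is not None]


def group_flows(states: List[PfState]) -> Dict[FlowKey, List[PfState]]:
    flows: Dict[FlowKey, List[PfState]] = defaultdict(list)
    for s in states:
        flows[s.key].append(s)
    return dict(flows)


def unanswered_flows(states: List[PfState]) -> List[FlowKey]:
    """Flows the gateway forwarded (an outbound NAT state exists) for which no
    state on any interface has seen a packet from the server side."""
    return [
        key
        for key, ss in group_flows(states).items()
        if any(s.direction == "->" for s in ss) and not any(s.replied for s in ss)
    ]


def report(text: str) -> List[str]:
    """One human-readable line per unanswered flow."""
    states = parse_states(text)
    flows = group_flows(states)
    out = []
    for key in unanswered_flows(states):
        proto, client, server = key
        sent_as = next((s.translated for s in flows[key] if s.translated), client)
        out.append(f"{proto} {client} -> {server}: left the gateway as {sent_as}, "
                   f"no reply seen on any interface")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Run against the post's table this prints four lines, one per query. Reading the states this way makes the symptom precise: every outbound state is SINGLE:NO_TRAFFIC, so pf did translate the query to 10.60.60.3 and forward it on lagg0, and no state on either interface ever matched a packet back, which points the investigation at the return path for the translated address rather than at whether the nat rule matched.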
