pf NAT: Can't make anything else than ICMP work

George g.lister at nodeunit.ch
Wed Dec 20 14:51:36 UTC 2017


On Wed, 20 Dec 2017 09:25:15 +0100
Olivier Mauras <olivier at mauras.ch> wrote:

> Hello,
> 
> I can't seem to make this very simple setup work. I have a VM that
> has 2 interfaces on two different subnets and want to route traffic
> between them.
> - 10.60.0.0/24
> - 192.168.0.0/24
> 
> The 10.60.x.x interface gives access to local services and internet.
> 192.168.x.x is a dedicated local subnet using this VM as their
> default gateway
> 
> If that matters, 10.60.x.x interface is a lagg interface between two
> physical interfaces using KVM PCI passthrough while 192.168.x.x is a
> virtio interface.
> 
> gateway_enable is indeed set and I've added this very simple pf rule:
> ####
> ext_if="lagg0"
> nat log on $ext_if proto { tcp udp icmp } from !($ext_if) to any -> ($ext_if)
> pass all
> ####

I would suggest enabling logging to see what is going on on pflog0;
also, I think your nat rule is a bit strange. Try the standard:

nat on $ext_if from $local_net to any -> $ext_addr

HTH,
George



> 
> This lets machines on the 192.168.0.0 subnet using this VM as a
> gateway ping any resources on 10.60.0.0 or the internet. Fine. The problem
> is that any other protocol doesn't work. It seems like replies are never
> received correctly by the issuing machine.
> 
> This is the state table I get when issuing a DNS connection from a
> client (192.168.100.2) behind the GW to either 10.60.60.150 or
> 8.8.8.8 DNS servers. 10.60.60.3 is my GW address on 10.60.0.0 subnet
> on lagg0 interface.
> ####
> # pfctl -ss
> all udp 10.60.60.150:53 <- 192.168.100.2:53372       NO_TRAFFIC:SINGLE
> all udp 10.60.60.3:62261 (192.168.100.2:53372) -> 10.60.60.150:53       SINGLE:NO_TRAFFIC
> all udp 10.60.60.150:53 <- 192.168.100.2:28768       NO_TRAFFIC:SINGLE
> all udp 10.60.60.3:65271 (192.168.100.2:28768) -> 10.60.60.150:53       SINGLE:NO_TRAFFIC
> all udp 8.8.8.8:53 <- 192.168.100.2:43155       NO_TRAFFIC:SINGLE
> all udp 10.60.60.3:50948 (192.168.100.2:43155) -> 8.8.8.8:53       SINGLE:NO_TRAFFIC
> all udp 8.8.8.8:53 <- 192.168.100.2:47160       NO_TRAFFIC:SINGLE
> all udp 10.60.60.3:62818 (192.168.100.2:47160) -> 8.8.8.8:53       SINGLE:NO_TRAFFIC
> 
> I believe that I'm missing a very simple obvious thing but cannot
> point it out.
> 
> Thanks,
> -O.
> 
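A fuller pf.conf built around the standard nat rule George suggests, with the commands to verify it, as an added example that is not from either poster. The addresses and lagg0 come from the thread; the virtio interface name vtnet0, the macro values and the pass rules are assumptions.

```conf
# /etc/pf.conf (added example, not from the thread)
ext_if = "lagg0"              # 10.60.0.0/24 side, as in the original post
int_if = "vtnet0"             # assumed name of the virtio interface on 192.168.0.0/24
ext_addr = "10.60.60.3"       # gateway address on lagg0, from the original post
local_net = "192.168.0.0/24"  # assumed: the client subnet behind the gateway

# Translate only traffic from the local subnet as it leaves on the external
# interface. "log" sends matching packets to pflog0 for inspection with tcpdump.
nat log on $ext_if from $local_net to any -> $ext_addr

# Deny by default and log what is dropped, so a missing pass rule shows up
# on pflog0 instead of silently breaking a protocol.
block log all
pass quick on lo0

# Forwarded traffic: accept it from the clients on the inside interface and let it
# leave on the outside interface. States are floating by default, so the reply
# to a NATed request matches the state created on the way out.
pass in on $int_if inet from $local_net to any keep state
pass out on $ext_if inet from $ext_addr to any keep state

# Checks to run as root:
#   sysctl net.inet.ip.forwarding        must be 1 (set by gateway_enable="YES")
#   pfctl -nf /etc/pf.conf               parse the ruleset without loading it
#   pfctl -f /etc/pf.conf                load it
#   pfctl -sn                            show the nat rules pf actually loaded
#   pfctl -ss                            state table; look for both directions of a flow
#   tcpdump -n -e -ttt -i pflog0         logged packets (needs pflog_enable="YES" in rc.conf)
```

Compare the pfctl -ss output with the one quoted above: a flow that is working shows the state advancing past NO_TRAFFIC:SINGLE once replies arrive, and pflog0 shows which rule matched or blocked each packet.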



More information about the freebsd-questions mailing list