pf NAT: Can't make anything else than ICMP work

Olivier Mauras olivier at mauras.ch
Wed Dec 20 15:05:08 UTC 2017


Hello George,

Thanks for your reply.

The nat rule gives the exact same behaviour.
Logging enabled gives me the same result as a standard tcpdump actually. I see packets going out but replies never come back.

Thanks,
-O.

On Wed, 20 Dec 2017 09:43:21 -0500
George <g.lister at nodeunit.ch> wrote:

> On Wed, 20 Dec 2017 09:25:15 +0100
> Olivier Mauras <olivier at mauras.ch> wrote:
> 
> > Hello,
> > 
> > I can't seem to make this very simple setup work. I have a VM that
> > has 2 interfaces on two different subnets and want to route traffic
> > between them.
> > - 10.60.0.0/24
> > - 192.168.0.0/24
> > 
> > The 10.60.x.x interface gives access to local services and internet.
> > 192.168.x.x is a dedicated local subnet using this VM as their
> > default gateway
> > 
> > If that matters, 10.60.x.x interface is a lagg interface between two
> > physical interfaces using KVM PCI passthrough while 192.168.x.x is a
> > virtio interface.
> > 
> > gateway_enable is indeed set and I've added this very simple pf rule:
> > ####
> > ext_if="lagg0"
> > nat log on $ext_if proto { tcp udp icmp } from !($ext_if) to any -> ($ext_if)
> > pass all
> > ####
> 
> I would suggest enabling logging to see what is going on on pflog0;
> plus I think your nat rule is a bit strange, try the standard:
> 
> nat on $ext_if from $local_net to any -> $ext_addr
> 
> HTH,
> George
> 
> 
> 
> > 
> > This lets machines on the 192.168.0.0 subnet using this VM as a
> > gateway ping any resources on 10.60.0.0 or the internet. Fine. The
> > problem is that any other protocol doesn't work. It seems like replies
> > are never received correctly by the issuing machine.
> > 
> > This is the state table I get when issuing a DNS connection from a
> > client (192.168.100.2) behind the GW to either 10.60.60.150 or
> > 8.8.8.8 DNS servers. 10.60.60.3 is my GW address on the 10.60.0.0 subnet
> > on the lagg0 interface.
> > ####
> > # pfctl -ss
> > all udp 10.60.60.150:53 <- 192.168.100.2:53372       NO_TRAFFIC:SINGLE
> > all udp 10.60.60.3:62261 (192.168.100.2:53372) -> 10.60.60.150:53       SINGLE:NO_TRAFFIC
> > all udp 10.60.60.150:53 <- 192.168.100.2:28768       NO_TRAFFIC:SINGLE
> > all udp 10.60.60.3:65271 (192.168.100.2:28768) -> 10.60.60.150:53       SINGLE:NO_TRAFFIC
> > all udp 8.8.8.8:53 <- 192.168.100.2:43155       NO_TRAFFIC:SINGLE
> > all udp 10.60.60.3:50948 (192.168.100.2:43155) -> 8.8.8.8:53       SINGLE:NO_TRAFFIC
> > all udp 8.8.8.8:53 <- 192.168.100.2:47160       NO_TRAFFIC:SINGLE
> > all udp 10.60.60.3:62818 (192.168.100.2:47160) -> 8.8.8.8:53       SINGLE:NO_TRAFFIC
> > 
> > I believe that I'm missing a very simple obvious thing but cannot
> > point it out.
> > 
> > Thanks,
> > -O.
> > 
> 
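An added example, not part of the thread and not anyone's posted code: a small sh/awk script that reads `pfctl -ss` output in the form Olivier posted and lists the translated flows for which pf has seen a packet go out but never a reply. In pf's state table each side of a flow has its own state; for UDP the values are NO_TRAFFIC (no packet seen from that side), SINGLE and MULTIPLE, so a translated entry sitting at SINGLE:NO_TRAFFIC means the request left through the NAT and nothing came back through it. Each NAT'd flow appears twice in the thread's output, once keyed on the client's own address and once on the translated 10.60.60.3 address with the original source in parentheses; the script keys on the second form. The sample input is a constructed copy of the thread's eight entries, one per line; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): find NAT'd flows in `pfctl -ss`
# output that never received a reply.

# Constructed sample: the eight state entries posted in the thread, one per
# line, exactly as pfctl -ss prints them. The "->" entries carry the
# pre-translation source in parentheses.
SAMPLE_STATES='all udp 10.60.60.150:53 <- 192.168.100.2:53372       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:62261 (192.168.100.2:53372) -> 10.60.60.150:53       SINGLE:NO_TRAFFIC
all udp 10.60.60.150:53 <- 192.168.100.2:28768       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:65271 (192.168.100.2:28768) -> 10.60.60.150:53       SINGLE:NO_TRAFFIC
all udp 8.8.8.8:53 <- 192.168.100.2:43155       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:50948 (192.168.100.2:43155) -> 8.8.8.8:53       SINGLE:NO_TRAFFIC
all udp 8.8.8.8:53 <- 192.168.100.2:47160       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:62818 (192.168.100.2:47160) -> 8.8.8.8:53       SINGLE:NO_TRAFFIC'

# nat_flows: stdin = pfctl -ss output, stdout = one line per translated flow:
#   proto original_src translated_src dst src_state dst_state
# Only "->" entries whose 4th field is a parenthesised original address are
# NAT translations; plain "<-" entries are the same flows seen pre-NAT.
nat_flows() {
    awk '$5 == "->" && $4 ~ /^\(/ {
        orig = $4; gsub(/[()]/, "", orig)
        split($7, st, ":")
        print $2, orig, $3, $6, st[1], st[2]
    }'
}

# unanswered_flows: the subset of nat_flows whose destination side is still
# NO_TRAFFIC, i.e. pf matched an outgoing packet to the state but never a
# reply coming back.
unanswered_flows() {
    nat_flows | awk '$6 == "NO_TRAFFIC"'
}

# count_unanswered: how many such flows are in the input.
count_unanswered() {
    unanswered_flows | wc -l | tr -d ' '
}

# report: human-readable list over the sample. On a live gateway run
#   pfctl -ss | unanswered_flows
# instead of feeding SAMPLE_STATES.
report() {
    printf '%s\n' "$SAMPLE_STATES" | unanswered_flows |
    while read -r proto orig gw dst s1 s2; do
        printf '%s %s -> (%s) -> %s : out=%s back=%s  no reply matched\n' \
            "$proto" "$orig" "$gw" "$dst" "$s1" "$s2"
    done
}

report
```

On the thread's data all four DNS flows come out as unanswered, and the parenthesised original source shows the translation to 10.60.60.3 itself is being applied, so the nat rule matched. If `tcpdump -ni lagg0 udp port 53` likewise shows the request leaving from 10.60.60.3 and no reply arriving on the wire, the state table will look exactly like this whether or not pf is at fault, and the next place to look is the return path on the 10.60.0.0/24 side (the server's reply and the lagg/passthrough path it rides on) rather than pf.conf.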