Date:      Wed, 20 Dec 2017 09:25:15 +0100
From:      Olivier Mauras <olivier@mauras.ch>
To:        freebsd-questions@freebsd.org
Subject:   pf NAT: Can't make anything else than ICMP work
Message-ID:  <20171220092515.e0a757a560781ddead2d92d1@mauras.ch>

Hello,

I can't seem to make this very simple setup work. I have a VM that has 2 interfaces on two different subnets and want to route traffic between them.
- 10.60.0.0/24
- 192.168.0.0/24

The 10.60.x.x interface gives access to local services and internet.
192.168.x.x is a dedicated local subnet using this VM as their default gateway.

If that matters, the 10.60.x.x interface is a lagg interface between two physical interfaces using KVM PCI passthrough, while 192.168.x.x is a virtio interface.

gateway_enable is indeed set and I've added this very simple pf rule:
####
ext_if="lagg0"
nat log on $ext_if proto { tcp udp icmp } from !($ext_if) to any -> ($ext_if)
pass all
####

This lets machines on the 192.168.0.0 subnet using this VM as a gateway ping any resources on 10.60.0.0 or the internet. Fine.
Problem is that any other protocol doesn't work. Seems like replies are never received correctly by the issuing machine.

This is the state table I get when issuing a DNS connection from a client (192.168.100.2) behind the GW to either the 10.60.60.150 or 8.8.8.8 DNS servers.
10.60.60.3 is my GW address on the 10.60.0.0 subnet on the lagg0 interface.
####
# pfctl -ss
all udp 10.60.60.150:53 <- 192.168.100.2:53372       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:62261 (192.168.100.2:53372) -> 10.60.60.150:53       SINGLE:NO_TRAFFIC
all udp 10.60.60.150:53 <- 192.168.100.2:28768       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:65271 (192.168.100.2:28768) -> 10.60.60.150:53       SINGLE:NO_TRAFFIC
all udp 8.8.8.8:53 <- 192.168.100.2:43155       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:50948 (192.168.100.2:43155) -> 8.8.8.8:53       SINGLE:NO_TRAFFIC
all udp 8.8.8.8:53 <- 192.168.100.2:47160       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:62818 (192.168.100.2:47160) -> 8.8.8.8:53       SINGLE:NO_TRAFFIC
####

I believe that I'm missing a very simple obvious thing but cannot point it out.

Thanks,
-O.
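As an added example (not from the original post, nor part of FreeBSD's pf tooling), a Python parser for the `pfctl -ss` layout shown above that separates TCP/UDP flows whose far side is still NO_TRAFFIC (the request left the gateway, no reply was ever matched to the state) from flows that did get a reply. The sample lines are constructed: the unanswered DNS flow is the one from the post, the answered DNS flow and the ICMP echo flow are assumed for contrast.

```python
import re

# Constructed sample in the layout `pfctl -ss` prints on FreeBSD: the unanswered DNS
# flow from the post, a second DNS flow that did get its reply, and an ICMP echo flow.
SAMPLE_STATES = """\
all udp 10.60.60.150:53 <- 192.168.100.2:53372       NO_TRAFFIC:SINGLE
all udp 10.60.60.3:62261 (192.168.100.2:53372) -> 10.60.60.150:53       SINGLE:NO_TRAFFIC
all udp 8.8.8.8:53 <- 192.168.100.2:40001       SINGLE:MULTIPLE
all udp 10.60.60.3:50001 (192.168.100.2:40001) -> 8.8.8.8:53       MULTIPLE:SINGLE
all icmp 8.8.8.8:8 <- 192.168.100.2:8       0:0
all icmp 10.60.60.3:8 (192.168.100.2:8) -> 8.8.8.8:8       0:0
"""

# iface proto left [(pre-NAT endpoint)] <-|-> right   side_a:side_b
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)(?:\s+\((?P<orig>\S+)\))?"
    r"\s+(?P<dir><-|->|<->)\s+(?P<right>\S+)\s+(?P<a>[^:\s]+):(?P<b>[^:\s]+)$"
)

# Per-side state names meaning "this peer has not sent a single packet yet".
SILENT = {"NO_TRAFFIC", "CLOSED"}

def parse_states(text):
    """Parse `pfctl -ss` output; lines that do not match the layout are skipped."""
    matches = (STATE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def client_endpoint(st):
    """Pre-NAT LAN endpoint: the parenthesised address on the translated outbound
    entry, or the right-hand side of an inbound `<-` entry."""
    if st["orig"]:
        return st["orig"]
    return st["right"] if st["dir"] == "<-" else st["left"]

def remote_endpoint(st):
    return st["left"] if st["dir"] == "<-" else st["right"]

def is_silent_side(st):
    return st["a"] in SILENT or st["b"] in SILENT

def unanswered_flows(text):
    """Return {(proto, client, remote)} for TCP/UDP flows where one side never sent
    anything; the inbound and translated entries of one flow collapse into one tuple."""
    flows = set()
    for st in parse_states(text):
        if st["proto"] not in ("tcp", "udp"):
            continue  # ICMP entries carry numeric tokens, not a silent/active pair
        if is_silent_side(st):
            flows.add((st["proto"], client_endpoint(st), remote_endpoint(st)))
    return flows
```

Feed it the real `pfctl -ss` output instead of the sample to see which LAN clients have flows that left via the NAT address but never saw a reply, which narrows the question to the return path rather than the translation rule.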
