From owner-freebsd-pf@freebsd.org Wed Apr 5 10:10:33 2017
From: Paul Webster
Date: Wed, 5 Apr 2017 11:10:31 +0100
Subject: Re: Complicated NAT setup
To: freebsd-pf@freebsd.org
References: <47feb5d2-ff8b-3657-5d92-207ca341a6ab@als.nnov.ru>
List-Id: "Technical discussion and general questions about packet filter (pf)"

I just read over my first post; a note would be that it does work perfectly outbound. The only thing not working is ICMP and UDP inbound.

On 5 April 2017 at 10:34, Paul Webster wrote:
> Thank you for the fast reply Mark, here is a list of interfaces with their
> relative IPs:
>
> GW1 (local LAN gateway):
>   lo0:  127.0.0.1 ::1
>   igb0: 86.5.192.180 (public_ip)
>   igb1: 172.31.33.1/24 (private LAN)
>   msk0: unused/192.168.0.1
>   tun0: 172.19.20.2
>   gre0: 10.0.0.1 (via igb0)
>
> GW2 (VPS remote gateway):
>   lo0:  127.0.0.1 ::1
>   vio0: 185.157.232.30
>   gre0: 10.0.0.2 (via vio0)
>
> Xbox1 ( GW1[igb1->gre0] -> GW2[gre0->vio0] ):
>   lo0:    127.0.0.1 ::1
>   vtnet0: 172.31.33.254
>
> NOTE: xbox1 in this case is really FreeBSD 12-CURRENT with the forced IP
> 172.31.33.254, because the Xbox really is too restrictive for debug purposes;
> all it requires is that I set the correct dhcp-host on GW1 to make the
> xbox1 172.31.33.254 though.
>
> Also the $localnet is really { 172.31.33.2-200 }, so when the Xbox is 172.31.33.254
> it is not going out via the primary NAT rule; it is instead getting caught by
>
>   pass in quick on $int_if from $josh_xbox rtable 1  # Swap packets from the xbox to the fib1 routing table
>
> and the corresponding NAT further up the ruleset. The 'default route' of
> 'fib 1' is 10.0.0.2.
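To make the two-gateway layout in the quoted post concrete, here is an added pf.conf sketch for GW1 and GW2. It is not Paul's ruleset (the thread shows only the single rtable rule above, not the NAT rules it refers to); the macro names, the choice to NAT the Xbox onto gre0 on GW1, the forwarded UDP port 3074 and the fib 1 default route are all assumptions made for the illustration.

```pf
# ===== /etc/pf.conf on GW1 (igb0 public, igb1 LAN, gre0 tunnel to GW2) =====
# Assumed host setup, outside pf: /boot/loader.conf has net.fibs=2, rc.conf has
# gateway_enable="YES", and "setfib 1 route add default 10.0.0.2" makes the
# far end of gre0 the default route of fib 1 (as stated in the post).
ext_if    = "igb0"
int_if    = "igb1"
tun_if    = "gre0"
localnet  = "{ 172.31.33.2 - 172.31.33.200 }"   # everything except the Xbox
josh_xbox = "172.31.33.254"
gw2_pub   = "185.157.232.30"

set skip on lo0

# Translation rules come before filter rules in this (pre-13) pf dialect.
# Ordinary LAN hosts leave via the public address; the Xbox is excluded from
# $localnet and is instead translated to GW1's tunnel address (assumption).
nat on $ext_if from $localnet  to any -> ($ext_if)
nat on $tun_if from $josh_xbox to any -> ($tun_if)

# Inbound example: UDP 3074 (assumed port) arriving from GW2 over the tunnel
# is forwarded to the Xbox. Filtering happens after translation, so the
# matching pass rule below names the Xbox, not the tunnel address.
rdr on $tun_if proto udp from any to ($tun_if) port 3074 -> $josh_xbox

# GRE has no authentication or confidentiality of its own: accept it only from
# the VPS peer, and treat the tunnel as cleartext unless it is carried over IPsec.
block in on $ext_if
pass in quick on $ext_if proto gre from $gw2_pub to ($ext_if)

# Policy routing: the Xbox's packets are looked up in fib 1 (default 10.0.0.2).
# Because this is the rule from the post, replies to the rdr above also take
# the tunnel back instead of igb0, keeping both directions on one path.
pass in quick on $int_if from $josh_xbox rtable 1
pass in on $int_if from $localnet

pass in on $tun_if from 10.0.0.2
pass in on $tun_if proto udp to $josh_xbox port 3074
pass out

# ===== /etc/pf.conf on GW2 (separate file; vio0 public, gre0 tunnel to GW1) =====
ext_if  = "vio0"
tun_if  = "gre0"
gw1_pub = "86.5.192.180"
tun_net = "10.0.0.0/30"

set skip on lo0

# Second NAT hop: traffic arriving over the tunnel leaves with the VPS address.
nat on $ext_if from $tun_net to any -> ($ext_if)
# Inbound UDP 3074 is sent back down the tunnel to GW1's tunnel address,
# where GW1's rdr (above) delivers it to the Xbox.
rdr on $ext_if proto udp from any to ($ext_if) port 3074 -> 10.0.0.1

block in on $ext_if
pass in quick on $ext_if proto gre from $gw1_pub to ($ext_if)
pass in on $ext_if proto udp to 10.0.0.1 port 3074   # post-translation address
pass in on $tun_if from $tun_net
pass out
```

Load each file with `pfctl -nf /etc/pf.conf` first to syntax-check it, then `pfctl -f`. The point of the sketch is that an inbound flow in this design is translated twice (GW2 then GW1) and that pf's state for each hop only works if the return packets retrace the same interfaces, which is exactly what the `rtable 1` rule on GW1 arranges for the Xbox; it is not offered as a diagnosis of the ICMP/UDP problem described in the thread.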