From owner-freebsd-pf@freebsd.org  Wed Apr  5 11:47:53 2017
Return-Path: <owner-freebsd-pf@freebsd.org>
Delivered-To: freebsd-pf@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6646CD2FFE2
 for <freebsd-pf@mailman.ysv.freebsd.org>; Wed,  5 Apr 2017 11:47:53 +0000 (UTC)
 (envelope-from paul.g.webster@googlemail.com)
Received: from mail-yb0-x231.google.com (mail-yb0-x231.google.com
 [IPv6:2607:f8b0:4002:c09::231])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 291BC849
 for <freebsd-pf@freebsd.org>; Wed,  5 Apr 2017 11:47:53 +0000 (UTC)
 (envelope-from paul.g.webster@googlemail.com)
Received: by mail-yb0-x231.google.com with SMTP id f204so2395265ybc.2
 for <freebsd-pf@freebsd.org>; Wed, 05 Apr 2017 04:47:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=googlemail.com; s=20161025;
 h=mime-version:in-reply-to:references:from:date:message-id:subject:to;
 bh=KhiY+2iS74i/G4wvYgw6g0eGr0JQLF8pUjMmt2hE15s=;
 b=ZjIi85mjuxqjnFdOtxnITxxWrcgZ8TwZ1jNdqq6pc+J1rSHkPCfqkjP89QNV5eDab+
 Ru0okhGb1Lco3XS1pjgUNtniLjID1/pjN81DyHKaLJJuFN+oGVhmDTUqABDLMgdJaYM9
 hMQ+j2//5tq2AeGgTYFLDq2VeTQ3IA3zjwmgSP2wO/1llHwVYV4Oah6YI74Qf8XBFrlo
 PnJYH5UKhvT29IV4i+tw3KgNcWAU3X9vkaIngjhOTVxHQilIog8uyK78lvo0KhQZK7AN
 S+/RGmG+hGdoxbsqfgycV13PJWLqoa8i2V5tnCsN6pXqObJWVQrZzEJEjbo0qVN2zzCU
 5qYA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:in-reply-to:references:from:date
 :message-id:subject:to;
 bh=KhiY+2iS74i/G4wvYgw6g0eGr0JQLF8pUjMmt2hE15s=;
 b=KM8szwHazsYXAeh4JWOmhMDv2mP+XAgS851RpdDI5gt9RxmS0SasO9mZq4UPuX+Fff
 NEDLEBuDmjWf9oiJEjG8l1rX6G2IGz+0Wef0NFS1O1fXcBJC8sMuRnd2xQE8kmSeebxh
 9Pt7CEaCEM4EnlpJ7RRTIdZzo7H4+y2tieFwphb3RiyoxPnV2r6pw4vZaln34ur5wZMS
 R8uVrNeZsx1oJmj7b14KJ6cJbRLBmXWKB2rZr0p7nHnQHqtDBdhhi2Ka85dMWEJh8+oh
 G3mrbVseKmeJiXK1LIjnp9iOq7x6mD8xIMffC8kwM/dPn+9Dx6Z2IeLP1PBrjf3p3tJL
 GQfA==
X-Gm-Message-State: AFeK/H2WzKDw6iZhu3kmWJsupLZYqJD/WC+R6ZIabQq0R5JgTXtpl49gftJFfac0cKb5YaK6+eUxkrjZP/a3fw==
X-Received: by 10.37.25.139 with SMTP id 133mr17531817ybz.15.1491392872061;
 Wed, 05 Apr 2017 04:47:52 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.37.37.5 with HTTP; Wed, 5 Apr 2017 04:47:51 -0700 (PDT)
In-Reply-To: <CADdqeiNyXdm46TAw_022ghrL9oOPfrpvuemouj-QqANW+=ewDQ@mail.gmail.com>
References: <CADdqeiOmW-kAi2q4yAGrQUvLshLZP3kRSTw7-segVJm7z6FONA@mail.gmail.com>
 <47feb5d2-ff8b-3657-5d92-207ca341a6ab@als.nnov.ru>
 <CADdqeiPqSNOV0giyAVUTwFPLdz7TWki9qHq36AraoqXFb14o7Q@mail.gmail.com>
 <CADdqeiNyXdm46TAw_022ghrL9oOPfrpvuemouj-QqANW+=ewDQ@mail.gmail.com>
From: Paul Webster <paul.g.webster@googlemail.com>
Date: Wed, 5 Apr 2017 12:47:51 +0100
Message-ID: <CADdqeiPOmR+Vwg5i-TfYPCMpOSOcGMc+AtOD3rrH=Ds7PZP+AQ@mail.gmail.com>
Subject: Re: Complicated NAT setup
To: freebsd-pf@freebsd.org
Content-Type: text/plain; charset=UTF-8
X-Content-Filtered-By: Mailman/MimeDel 2.1.23
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
 \(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf/>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Apr 2017 11:47:53 -0000

thought I would post for if someone ends up in a similar situation, I
changed hte nat rules to be:

# xBox redirection
nat on $josh_if from $josh_xbox to any -> ($josh_if)   # Nat the Xbox out
via gre0 (outbound)
rdr on $josh_if from any to ($josh_if) -> $josh_xbox    # Redirect
everything received on gre0 to the xbox (inbound)

and working :)

Thank you for the hand out max


On 5 April 2017 at 11:10, Paul Webster <paul.g.webster@googlemail.com>
wrote:

> I just read over my first post, a note would be that it does work
> perfectly outbound the only thing not working is ICMP and UDP inbound
>
> On 5 April 2017 at 10:34, Paul Webster <paul.g.webster@googlemail.com>
> wrote:
>
>> Thank you for the fast reply mark, here is a list of interfaces with
>> there relative ips:
>>
>> GW1(local lan gateway):
>>  lo0: 127.0.0.1 ::1
>>  igb0: 86.5.192.180 (public_ip)
>>  igb1: 172.31.33.1/24 (private lan)
>>  msk0: unused/192.168.0.1
>>  tun0: 172.19.20.2
>>  gre0: 10.0.0.1 (via igb0)
>>
>> GW2(vps remote gateway):
>>  lo0: 127.0.0.1 ::1
>>  vio0: 185.157.232.30
>>  gre0: 10.0.0.2 (via vio0)
>>
>> Xbox1 ( GW1[igb1->gre0] -> GW2[gre0->vio0] ):
>>  lo0: 127.0.0.1 ::1
>>  vtnet0: 172.31.33.254
>>
>> NOTE: xbox1 in this case is really freebsd 12-current with the forced ip
>> 172.31.33.254, because xbox really is to restrictive for debug purposes,
>> all it requires is that I set the correct dhcp-host on GW1 to make the
>> xbox1 172.31.33.254 though.
>>
>> Also the $localnet is really { 172.31.33.2-200 } so when the XBOX is 172.31.33.254
>> it is not going out via primary NAT rule it is instead getting caught by
>>
>> pass in quick on $int_if from $josh_xbox rtable 1       # Swap packets
>> from the xbox to fib1 routing table
>>
>> and the corresponding NAT further up the ruleset, the 'default route' of
>> 'fib 1' is 10.0.0.2
>>
>>
>>
>