Date:      Wed, 5 Apr 2017 03:18:01 +0100
From:      Paul Webster <paul.g.webster@googlemail.com>
To:        freebsd-pf@freebsd.org
Subject:   Complicated NAT setup
Message-ID:  <CADdqeiOmW-kAi2q4yAGrQUvLshLZP3kRSTw7-segVJm7z6FONA@mail.gmail.com>

Hey all, I am having trouble with freebsd/pf and the attached config.

My main issue is with the second nat: 'nat on $int_if from any to
($josh_if) -> $josh_xbox'

It seems to work for TCP inbound but not for UDP or ICMP. I cannot see the
reason why; perhaps a binat rule would be better, but I could never get it
quite working (in either direction).

# Macros
ext_if=igb0
int_if=igb1
localnet = "{ 172.31.33.2/32, ... lots of ips }"

josh_xbox="172.31.33.254"
josh_if="gre0"
josh_gateway="10.0.0.2"
josh_vpnhost="185.157.232.30"

tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s, 5901 }"
udp_services = "{ domain }"

# Global rules
set skip on lo0
scrub in all

# NAT and redirection
nat on $ext_if from $localnet to any -> ($ext_if)

# xBox redirection
nat on $josh_if from $josh_xbox to any -> ($josh_if)
nat on $int_if from any to ($josh_if) -> $josh_xbox

rdr-anchor "miniupnpd"

# Tables and sets
table <bruteforce> persist
table <blocked> persist

# Filtering rules (Quick first)

# Release GRE and QUICK release the protocol
# (IP protocol 47 is GRE; the tunnel to $josh_vpnhost terminates on this box)
pass in quick on $ext_if inet proto 47 from $josh_vpnhost to any no state flags any
pass out quick on $ext_if inet proto 47 from any to $josh_vpnhost no state flags any

# SSH, DNS, DHCP
block quick on $ext_if proto udp from any to any port 67
pass in quick on $int_if proto tcp from 172.31.33.1/24 to 172.31.33.1/32 port 22
pass in quick on $int_if proto {tcp,udp} from 172.31.33.1/24 to 172.31.33.1/32 port 53
# DHCP clients send to the server on UDP port 67 (bootps); the posted rule had
# port 63, which is not a DHCP port
pass in quick on $int_if proto udp from any to 172.31.33.1/32 port 67

# Pass out/in the xbox traffic (THIS MUST GO AFTER THE DNS RULES)
# Swap packets from the xbox to the fib1 routing table; packets arriving from
# the tunnel go back to fib0
pass in quick on $int_if from $josh_xbox rtable 1
pass in quick on $josh_if rtable 0
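Added example, not the original poster's config: the Xbox section of the file with the inbound leg written as a rdr rule instead of a second nat rule. In pf, a nat rule translates the source address of packets leaving the interface it is bound to, so "nat on $int_if ... -> $josh_xbox" rewrites sources on the LAN side and does not deliver anything that arrives from the tunnel to the Xbox; translating the destination of packets arriving on an interface is what rdr does (binat is the fixed one-to-one form that covers both directions with a single static translation address). Assumed here: the macros from the posted config, FreeBSD pf with translation rules in their own section ahead of the filter rules as the posted file has them, and that gre0 carries exactly one address so that "($josh_if)" expands to it.

```pf
# Added example (not the poster's config). Macros reused from the posted file.
ext_if=igb0
int_if=igb1
josh_xbox="172.31.33.254"
josh_if="gre0"

# nat rewrites the SOURCE address of packets leaving the named interface.
# Outbound: Xbox -> tunnel, source becomes gre0's address (same as the
# posted first rule).
nat on $josh_if from $josh_xbox to any -> ($josh_if)

# rdr rewrites the DESTINATION address of packets arriving on the named
# interface. Inbound: whatever the tunnel delivers to gre0's address goes to
# the Xbox. With no proto and no port, the rule matches TCP, UDP and ICMP
# alike; the posted nat-on-$int_if rule is dropped, it has no role here.
rdr on $josh_if from any to ($josh_if) -> $josh_xbox

rdr-anchor "miniupnpd"

# Filter rules run after translation and see the translated addresses, so the
# posted pass rules still match: LAN packets from the Xbox go to FIB 1,
# tunnel packets (now addressed to $josh_xbox) are passed back on FIB 0.
pass in quick on $int_if from $josh_xbox rtable 1
pass in quick on $josh_if rtable 0
```

Check the file with "pfctl -nf /etc/pf.conf" before loading it with "pfctl -f /etc/pf.conf"; "pfctl -sn" lists the translation rules and "pfctl -ss" the state table, where a UDP or ICMP flow from the tunnel should now appear with the Xbox address as its translated destination. Because the rdr carries no proto or port, every packet the tunnel delivers to gre0's address is handed to the Xbox, including anything meant for the router itself; if the router needs that address for its own traffic, narrow the rdr with proto and port.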


