Date: Wed, 5 Apr 2017 08:37:25 +0300
From: Max <maximos@als.nnov.ru>
To: freebsd-pf@freebsd.org
Subject: Re: Complicated NAT setup
Message-ID: <47feb5d2-ff8b-3657-5d92-207ca341a6ab@als.nnov.ru>
In-Reply-To: <CADdqeiOmW-kAi2q4yAGrQUvLshLZP3kRSTw7-segVJm7z6FONA@mail.gmail.com>
References: <CADdqeiOmW-kAi2q4yAGrQUvLshLZP3kRSTw7-segVJm7z6FONA@mail.gmail.com>
Hello, Paul.

> # xBox redirection
> nat on $josh_if from $josh_xbox to any -> ($josh_if)
> nat on $int_if from any to ($josh_if) -> $josh_xbox

Something is wrong with these rules. It seems that $josh_xbox is a host (xbox) in your local network. But the second rule changes the source address to $josh_xbox. Probably it should be

# out
nat on $josh_if from $josh_xbox to any -> ($josh_if)
# in
rdr on $josh_if from any to ($josh_if) -> $josh_xbox
nat on $int_if from any to $josh_xbox -> $int_if

Can you describe in detail your network setup and the direction of the xbox connections?

05.04.2017 5:18, Paul Webster via freebsd-pf writes:
> Hey all, I am having trouble with freebsd/pf and the attached config.
>
> My main issue is with the second nat: 'nat on $int_if from any to ($josh_if) -> $josh_xbox'
>
> It seems to work for TCP inbound but not for UDP or ICMP. I cannot see the
> reason why; perhaps a binat rule would be better but I could never get it
> quite working (in either direction).
>
> # Macros
> ext_if=igb0
> int_if=igb1
> localnet = "{ 172.31.33.2/32, ... lots of ips }"
>
> josh_xbox="172.31.33.254"
> josh_if="gre0"
> josh_gateway="10.0.0.2"
> josh_vpnhost="185.157.232.30"
>
> tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s, 5901 }"
> udp_services = "{ domain }"
>
> # Global rules
> set skip on lo0
> scrub in all
>
> # NAT and redirection
> nat on $ext_if from $localnet to any -> ($ext_if)
>
> # xBox redirection
> nat on $josh_if from $josh_xbox to any -> ($josh_if)
> nat on $int_if from any to ($josh_if) -> $josh_xbox
>
> rdr-anchor "miniupnpd"
>
> # Tables and sets
> table <bruteforce> persist
> table <blocked> persist
>
> # Filtering rules (Quick first)
>
> # Release GRE and QUICK release the protocol
> pass in quick on $ext_if inet proto 47 from $josh_vpnhost to any no state flags any
> pass out quick on $ext_if inet proto 47 from any to $josh_vpnhost no state flags any
>
> # SSH, DNS, DHCP
> block quick on $ext_if proto udp from any to any port 67
> pass in quick on $int_if proto tcp from 172.31.33.1/24 to 172.31.33.1/32 port 22
> pass in quick on $int_if proto {tcp,udp} from 172.31.33.1/24 to 172.31.33.1/32 port 53
> pass in quick on $int_if proto udp from any to 172.31.33.1/32 port 63
>
> # Pass out/in the xbox traffic (THIS MUST GO AFTER THE DNS RULES)
> pass in quick on $int_if from $josh_xbox rtable 1 # Swap packets from the xbox to fib1 routing table
> pass in quick on $josh_if rtable 0
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
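The nat-versus-rdr mix-up Max points out (a `nat` rule whose translation target is an inside host rewrites the source address, where steering traffic to that host needs `rdr`) can be caught mechanically. The following Python lint is an added example, not code from either poster; the macro values are taken from Paul's config, and `localnet` is a constructed single prefix standing in for the elided address list.

```python
import ipaddress
import re

# Macro values from the posted config; localnet is a constructed single
# prefix standing in for the elided "lots of ips" list on the page.
MACROS = {"ext_if": "igb0", "int_if": "igb1", "josh_if": "gre0",
          "josh_xbox": "172.31.33.254", "localnet": "172.31.33.0/24"}

RULE_RE = re.compile(
    r"^(?P<action>nat|rdr)\s+on\s+(?P<iface>\S+)\s+from\s+(?P<src>\S+)"
    r"\s+to\s+(?P<dst>\S+)\s+->\s+(?P<target>\S+)")

def expand(token):
    """Resolve a $macro and strip the ( ) pf uses for dynamic interface addresses."""
    token = token.strip("()")
    if token.startswith("$"):
        token = MACROS[token[1:]]
    return token.strip("()")

def parse_rule(line):
    """Fields of a nat/rdr translation rule, or None for comments and other lines."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    return {k: v if k == "action" else expand(v) for k, v in m.groupdict().items()}

def is_local_host(addr, localnet):
    """True when addr is an IP inside localnet; interface names and 'any' are not."""
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(localnet)
    except ValueError:
        return False

def lint(conf, localnet=MACROS["localnet"]):
    """Flag nat rules whose translation target is an internal host: nat rewrites
    the *source* address, so steering traffic to an inside host needs rdr."""
    findings = []
    for line in conf.splitlines():
        rule = parse_rule(line)
        if rule and rule["action"] == "nat" and is_local_host(rule["target"], localnet):
            findings.append(f"{line.strip()!r}: nat rewrites the source to internal "
                            f"host {rule['target']}; this should probably be an rdr rule")
    return findings

# Constructed copy of the two xBox rules quoted in the thread
POSTED_RULES = """\
# xBox redirection
nat on $josh_if from $josh_xbox to any -> ($josh_if)
nat on $int_if from any to ($josh_if) -> $josh_xbox
"""
```

Running `lint(POSTED_RULES)` flags only the second rule; Max's corrected set (rdr on gre0 plus nat on igb1 towards the interface address) produces no findings.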