From: Max <maximos@als.nnov.ru>
To: freebsd-pf@freebsd.org
Subject: Re: Complicated NAT setup
Date: Wed, 5 Apr 2017 08:37:25 +0300
Message-ID: <47feb5d2-ff8b-3657-5d92-207ca341a6ab@als.nnov.ru>
In-Reply-To: (missing)

Hello, Paul.

> # xBox redirection
> nat on $josh_if from $josh_xbox to any -> ($josh_if)
> nat on $int_if from any to ($josh_if) -> $josh_xbox

Something is wrong with these rules. It seems that $josh_xbox is a host (xbox) in your local network. But the second rule changes the source address to $josh_xbox.

Probably it should be

# out
nat on $josh_if from $josh_xbox to any -> ($josh_if)
# in
rdr on $josh_if from any to ($josh_if) -> $josh_xbox
nat on $int_if from any to $josh_xbox -> $int_if

Can you describe in detail your network setup and the direction of the xbox connections?

On 05.04.2017 5:18, Paul Webster via freebsd-pf wrote:
> Hey all, I am having trouble with freebsd/pf and the attached config
>
> my main issue is with the second nat; 'nat on $int_if from any to ($josh_if) -> $josh_xbox'
>
> it seems to work for TCP inbound but not for UDP or ICMP. I cannot see the reason why; perhaps a binat rule would be better but I could never get it quite working (in either direction)
>
>
> # Macros
> ext_if=igb0
> int_if=igb1
> localnet = "{ 172.31.33.2/32, ... lots of ips }"
>
> josh_xbox="172.31.33.254"
> josh_if="gre0"
> josh_gateway="10.0.0.2"
> josh_vpnhost="185.157.232.30"
>
> tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s, 5901 }"
> udp_services = "{ domain }"
>
> # Global rules
> set skip on lo0
> scrub in all
>
> # NAT and redirection
> nat on $ext_if from $localnet to any -> ($ext_if)
>
> # xBox redirection
> nat on $josh_if from $josh_xbox to any -> ($josh_if)
> nat on $int_if from any to ($josh_if) -> $josh_xbox
>
> rdr-anchor "miniupnpd"
>
> # Tables and sets
> table persist
> table persist
>
> # Filtering rules (Quick first)
>
> # Release GRE and QUICK release the protocol
> pass in quick on $ext_if inet proto 47 from $josh_vpnhost to any no state flags any
> pass out quick on $ext_if inet proto 47 from any to $josh_vpnhost no state flags any
>
> # SSH, DNS, DHCP
> block quick on $ext_if proto udp from any to any port 67
> pass in quick on $int_if proto tcp from 172.31.33.1/24 to 172.31.33.1/32 port 22
> pass in quick on $int_if proto {tcp,udp} from 172.31.33.1/24 to 172.31.33.1/32 port 53
> pass in quick on $int_if proto udp from any to 172.31.33.1/32 port 63
>
> # Pass out/in the xbox traffic (THIS MUST GO AFTER THE DNS RULES)
> pass in quick on $int_if from $josh_xbox rtable 1 # Swap packets from the xbox to fib1 routing table
> pass in quick on $josh_if rtable 0
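As an added illustration of the point Max makes (not part of the thread, and not a ruleset either poster ran), here is a pf.conf fragment that spells out which address each translation rule rewrites. The macro names and values are the ones from Paul's config; the reflection rule on $int_if and the final pass rule are assumptions added here to show how the pieces fit, not something the thread confirms works on Paul's setup.

```pf
# Added example for the nat-versus-rdr distinction discussed in the thread.
# Macros reuse the values Paul posted.
int_if="igb1"
josh_if="gre0"
josh_xbox="172.31.33.254"

# Outbound: packets FROM the xbox leaving via the tunnel get their SOURCE
# rewritten to the tunnel address. "nat" only ever rewrites the source.
# ($josh_if) in parentheses tracks the interface address if it changes.
nat on $josh_if from $josh_xbox to any -> ($josh_if)

# Inbound: packets arriving on the tunnel FOR the tunnel address get their
# DESTINATION rewritten to the xbox. Only "rdr" rewrites the destination,
# which is why a second "nat" rule cannot express this.
rdr on $josh_if from any to ($josh_if) -> $josh_xbox

# Assumed reflection rule: once a packet has been redirected to the xbox and
# is forwarded out the LAN interface, rewrite its source to the router's LAN
# address so the xbox always answers back through the router (and pf's state
# entry) rather than trying to reach the original peer by some other path.
nat on $int_if from any to $josh_xbox -> ($int_if)

# Assumed filter rule: translation happens before filtering, so the pass rule
# must match the post-rdr destination (the xbox), not the tunnel address, and
# must cover every protocol expected to be redirected.
pass in quick on $josh_if proto { tcp, udp, icmp } from any to $josh_xbox keep state
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without applying it; after loading, `pfctl -s nat` shows the translation rules as pf parsed them and `pfctl -s state` shows whether a state entry is being created for a given protocol, which is the first thing to compare between TCP and UDP/ICMP when one of them is not being translated.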