On May 31, 2013, at 7:37 PM, Peter Jeremy <pe...@rulingia.com> wrote:
> On 2013-May-30 17:54:53 -0500, Joe Moog <joem...@ebureau.com> wrote:
>> I'm building a server to handle outbound NAT to the internet using
>> FreeBSD 9.1 and its built-in distribution of pf. What I want to be
>> able to do is NAT three unique internal (private) VLANs to three
>> unique public IPs.
>
>> ext_if = "vlan11"
>> ext_addr1 = "a.b.c.3"
>> ext_addr2 = "a.b.c.4"
>> ext_addr3 = "a.b.c.5"
>> int_network1 = "10.0.1.0/24"
>> int_network2 = "172.16.1.0/24"
>> int_network3 = "192.168.1.0/24"
>> nat on $ext_if from $int_network1 to any -> $ext_addr1
>> nat on $ext_if from $int_network2 to any -> $ext_addr2
>> nat on $ext_if from $int_network3 to any -> $ext_addr3
>
> I don't see anything obviously wrong with what you've done. My initial
> checks would be:
> - Do you have the correct routes on the NAT box.
> - Do you have a.b.c.{3,4,5} setup as aliases on vlan11 (or faked using
> proxy ARP).
>
> (My suspicion is the second point - packets are going out successfully
> but the response is undeliverable because nothing is responding to the
> switch's ARP requests for a.b.c.{3,4,5}).
>
> Next would be to use tcpdump to do some snooping:
> - Firstly, make sure the packets are arriving on the NAT box with
> appropriate src & dst IPs by tcpdump'ing the internal interface(s).
> - Secondly, tcpdump the external interface and see what is going out
> and returning (tcpdump will see the external addresses)
>
> Finally, add some 'log' keywords and tcpdump pflog0. Unfortunately,
> the stock FreeBSD tcpdump can't handle pflog packets. There are some
> patches in bin/124825 but you will need to do some work to get them
> to apply to the tcpdump in 9.1.
>
> That will hopefully give you some pointers as to where to investigate.
>
> --
> Peter Jeremy

Thanks for the response Peter. Your assessment was spot-on. I added an alias to the vlan11 interface and things seem to be functioning as expected now.

I think I had overlooked the interface alias requirement before because we had been testing with the "bitmask" option which placed the entire a.b.c.0/24 network on the external interface, but when we tried to scale it back to basic single-IP NAT'ting I neglected to create the individual unique IP aliases on the interface.

Thank you!

Joe
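A check for the failure Peter diagnosed, added here as an example and not code from the thread: parse the `nat ... -> $addr` targets out of pf.conf and flag any that the external interface does not actually own. The pf.conf and `ifconfig vlan11` samples are constructed, with 203.0.113.x standing in for the thread's a.b.c.x.

```shell
# Added example, not from the thread. Lists every pf NAT translation
# address that the external interface does not own: pf rewrites the
# source to it, but nothing answers the switch's ARP for it, so replies
# never return. Inputs are constructed; 203.0.113.x stands in for a.b.c.x.

PF_CONF='ext_if = "vlan11"
ext_addr1 = "203.0.113.3"
ext_addr2 = "203.0.113.4"
ext_addr3 = "203.0.113.5"
nat on $ext_if from 10.0.1.0/24 to any -> $ext_addr1
nat on $ext_if from 172.16.1.0/24 to any -> $ext_addr2
nat on $ext_if from 192.168.1.0/24 to any -> $ext_addr3'

# Constructed 'ifconfig vlan11' before the fix: only .3 is configured.
IFCONFIG_BROKEN='vlan11: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 203.0.113.3 netmask 0xffffff00 broadcast 203.0.113.255
        vlan: 11 parent interface: em0'

# After adding the aliases, e.g. in /etc/rc.conf:
#   ifconfig_vlan11_alias0="inet 203.0.113.4 netmask 255.255.255.255"
#   ifconfig_vlan11_alias1="inet 203.0.113.5 netmask 255.255.255.255"
IFCONFIG_FIXED="$IFCONFIG_BROKEN
        inet 203.0.113.4 netmask 0xffffffff broadcast 203.0.113.4
        inet 203.0.113.5 netmask 0xffffffff broadcast 203.0.113.5"

# Print the translation address of each 'nat ... -> X' rule, resolving a
# $macro target from 'name = "value"' lines (single-address targets only).
nat_targets() {
    printf '%s\n' "$1" | awk '
        /^[A-Za-z_][A-Za-z0-9_]* *= *"/ {
            name = $1; sub(/ *=.*/, "", name)
            val = $0; sub(/^[^"]*"/, "", val); sub(/".*$/, "", val)
            macro[name] = val
        }
        /^nat / && /->/ {
            t = $NF
            if (t ~ /^\$/) t = macro[substr(t, 2)]
            print t
        }'
}

# Print each NAT target with no matching "inet <addr> " line on the interface.
missing_aliases() {
    nat_targets "$2" | while read -r addr; do
        printf '%s\n' "$1" | grep -qF "inet $addr " || printf '%s\n' "$addr"
    done
}
missing_aliases "$IFCONFIG_BROKEN" "$PF_CONF"   # prints 203.0.113.4 and 203.0.113.5
```

Run it against the real `ifconfig $ext_if` output and `/etc/pf.conf` after a `pfctl -f` to confirm every translation address is reachable from the upstream segment.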