Basic NAT server setup
Peter Jeremy
peter at rulingia.com
Sat Jun 1 00:49:06 UTC 2013
On 2013-May-30 17:54:53 -0500, Joe Moog <joemoog at ebureau.com> wrote:
>I'm building a server to handle outbound NAT to the internet using
>FreeBSD 9.1 and its built-in distribution of pf. What I want to be
>able to do is NAT three unique internal (private) VLANs to three
>unique public IPs.
>ext_if = "vlan11"
>ext_addr1 = "a.b.c.3"
>ext_addr2 = "a.b.c.4"
>ext_addr3 = "a.b.c.5"
>int_network1 = "10.0.1.0/24"
>int_network2 = "172.16.1.0/24"
>int_network3 = "192.168.1.0/24"
>nat on $ext_if from $int_network1 to any -> $ext_addr1
>nat on $ext_if from $int_network2 to any -> $ext_addr2
>nat on $ext_if from $int_network3 to any -> $ext_addr3
I don't see anything obviously wrong with what you've done. My initial
checks would be:
- Do you have the correct routes on the NAT box?
- Do you have a.b.c.{3,4,5} set up as aliases on vlan11 (or faked using
proxy ARP)?
(My suspicion is the second point - packets are going out successfully
but the response is undeliverable because nothing is responding to the
switch's ARP requests for a.b.c.{3,4,5}).
Next would be to use tcpdump to do some snooping:
- Firstly, make sure the packets are arriving on the NAT box with
appropriate src & dst IPs by tcpdump'ing the internal interface(s).
- Secondly, tcpdump the external interface and see what is going out
and returning (tcpdump will see the external addresses)
Finally, add some 'log' keywords and tcpdump pflog0. Unfortunately,
the stock FreeBSD tcpdump can't handle pflog packets. There are some
patches in bin/124825 but you will need to do some work to get them
to apply to the tcpdump in 9.1.
That will hopefully give you some pointers as to where to investigate.
--
Peter Jeremy
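The second of the initial checks above, as an added shell example that is not part of the thread: it resolves the `-> $ext_addrN` macros out of a pf.conf and reports which of those translation addresses are not configured on the external interface. The pf.conf text, the ifconfig(8) output and the a.b.c.x addresses are constructed samples built from the placeholders in the thread.

```sh
#!/bin/sh
# Cross-check pf nat rules against the external interface: every address a
# "nat ... -> $macro" rule translates to must be configured on the interface,
# otherwise replies to that address are never answered by ARP (Peter's
# suspicion). Constructed samples; on the NAT box feed in /etc/pf.conf
# and `ifconfig vlan11` instead.

SAMPLE_PF_CONF='ext_if = "vlan11"
ext_addr1 = "a.b.c.3"
ext_addr2 = "a.b.c.4"
ext_addr3 = "a.b.c.5"
nat on $ext_if from $int_network1 to any -> $ext_addr1
nat on $ext_if from $int_network2 to any -> $ext_addr2
nat on $ext_if from $int_network3 to any -> $ext_addr3'

# Constructed: a.b.c.5 is missing, which is the failure mode described above.
SAMPLE_IFCONFIG='vlan11: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet a.b.c.2 netmask 0xffffff00 broadcast a.b.c.255
    inet a.b.c.3 netmask 0xffffffff broadcast a.b.c.3
    inet a.b.c.4 netmask 0xffffffff broadcast a.b.c.4
    vlan: 11 parent interface: em0'

# nat_targets PF_CONF_TEXT: print the translation address of each simple
# "nat ... -> $macro" rule, resolving macros defined as name = "value".
# (Tables, address lists and the "-> ($if)" form are not handled.)
nat_targets() {
    printf '%s\n' "$1" | awk '
        /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=[ \t]*"/ {
            name = $0; sub(/[ \t]*=.*/, "", name)
            val = $0; sub(/^[^"]*"/, "", val); sub(/".*$/, "", val)
            macro[name] = val; next
        }
        /^nat[ \t]/ {
            t = $NF
            if (substr(t, 1, 1) == "$") { t = substr(t, 2); if (t in macro) t = macro[t] }
            print t
        }'
}

# missing_aliases IFCONFIG_TEXT "addr ...": print each address that has no
# "inet ADDR " line, i.e. is not configured on the interface.
missing_aliases() {
    _out=$1
    for _a in $2; do
        printf '%s\n' "$_out" | grep -qF -- "inet $_a " || printf '%s\n' "$_a"
    done
}
```

On the NAT box itself the same check is `missing_aliases "$(ifconfig vlan11)" "$(nat_targets "$(cat /etc/pf.conf)")"`; any address it prints is a candidate for an `ifconfig vlan11 alias` (or proxy ARP) entry.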