pf stops nat suddenly

BostonDriver

BostonDriver

I noticed that IPv4 networking just suddenly stopped. Debugging with tcpdump on my external interface shows that pf NAT isn't taking place. My internal (non-routable) IPv4 addresses are being put on the wire to my ISP. Things were just fine.

/etc/rc.d/pf stop followed by /etc/rc.d/pf start clears the condition.

My IPv6 (via tunnel broker, gif0 on $ext_if) works. I can use IPv4 from the FreeBSD 8.2 machine itself. Only the boxes on the IPv4 subnet(s) (all need NAT) show problems. These same systems can use IPv6 to the 'net just fine.

Is there anything I can start looking at to see what is going on?
 
Hello,

When nat stops to work, you can first check if your firewall is runing, what rules are currently running and how many states do you have:

Code: 
pfctl -si
Code: 
pfctl -sa
with -sr will now be showed filter rules (correspondenting to NAT, redirection, ...) on this PF version, with -sa you will also see states, which also can be seen by -ss.
Code: 
pfctl -ss | wc -l
 
SirDice said:
Post your pf.conf.
Click to expand...

I took this to get going (longtime ipfw users, just now moving to pf)

http://www.benzedrine.cx/pf.conf

Other than adding set skip on lo0, the only difference was the interface names were changed.

If I didn't see my subnet show up as IPv4 SA on $ext_if via tcpdump -i $ext_if, I would have assumed it was my pf.conf and would not have bothered to post the question. I have not seen the issue since that one time.
 
Try changing this line:
Code: 
nat on $ext_if inet from 10.0.0.0/8 to any -> $ext_if
to:
Code: 
nat on $ext_if inet from 10.0.0.0/8 to any -> ($ext_if)
 
You must log in or register to reply here.
Back
Top