
Routing between two private networks behind NAT

Discussion in 'Networking' started by jem, Nov 9, 2009.

  1. jem

    jem Member

    I have a gateway host running pf and NATing two private RFC1918 subnets behind a single public IP. I have the following interfaces configured:

    Code:
    vr0:  88.x.x.x/yy
    em0:  192.168.0.1/24 (subnet A)
    ath0: 192.168.1.1/24 (subnet B)
    and the following NAT rules:

    Code:
    no nat on vr0 inet from 192.168.0.0/24 to 192.168.1.0/24
    no nat on vr0 inet from 192.168.1.0/24 to 192.168.0.0/24
    nat on vr0 inet from 192.168.0.0/24 to any -> 88.x.x.x
    nat on vr0 inet from 192.168.1.0/24 to any -> 88.x.x.x
    Both private subnets can reach the Internet fine, but I'm unable to get them talking to each other and I'm not able to figure out why.

    I have 'set skip on em0' and 'set skip on ath0' in my pf ruleset, so these problems aren't due to other filter rules.

    If I set a host on subnet A pinging a host on subnet B, tcpdump shows the ICMP packets coming into em0 and then being sent out of ath0, but the B-host doesn't send any reply back via the gateway. It periodically sends an ARP request for the gateway's MAC address and gets a response, but still won't route the ping responses back that way.

    Can anyone advise on why this isn't working?
     
  2. DutchDaemon

    DutchDaemon Administrator Staff Member Administrator Moderator

    Can you show more of your pf.conf? Do you have 'set skip on lo0'?

    Oh, and the two 'no nat' rules are unnecessary, because traffic between these networks will never touch vr0.
     
  3. aragon

    aragon New Member

    So then where do its responses go? (i.e. run a sniffer on B-host)
     
  4. SirDice

    SirDice Moderator Staff Member Moderator

    Make sure the hosts on both networks have a default gateway pointing at the fbsd box. Also make sure they don't have any other routing entries. Double check the subnet mask on those clients too.

    Since both networks are directly connected on the fbsd box no additional routing entries are necessary.
     
  5. jem

    jem Member

    Good morning. Thanks for the responses.

    My pf.conf is here. Yes I do have 'set skip on lo0' too.

    The only two hosts on subnet B are the gateway machine itself and the host being pinged. I'll run the sniffer on the B-host later, but it's my expectation that it simply isn't sending ping replies.

    Hosts on both networks get their IP addressing via DHCP. They are both given a default gateway of 192.168.x.1 where x is 0 or 1 depending on which subnet it is. No other routes are created. Both get a subnet mask of 255.255.255.0.

    I should point out that this problem exists in the reverse direction too - pinging from subnet B to subnet A. There are no filters on the hosts themselves blocking pings.
     
  6. DutchDaemon

    DutchDaemon Administrator Staff Member Administrator Moderator

    Ok, add 'log' to all 'block' rules, and run tcpdump -s 0 -pnli pflog0 while you try to generate traffic between these networks. If anything shows up there, pf.conf is blocking too much. If nothing shows up there, it's a broader networking issue.
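As an added example (not jem's actual pf.conf, which the thread links to but does not reproduce), here is a consolidated ruleset that applies the two suggestions made above: the 'no nat' rules are dropped because A-to-B traffic never leaves via vr0, and every block rule logs so that 'tcpdump -s 0 -pnli pflog0' shows exactly what pf drops. Interface names and subnets are taken from the original post; the macros, the single combined nat rule and the pass rule are assumptions.

```pf
# Added example ruleset built from the thread; interface names and subnets
# come from jem's post, everything else is assumed.
ext_if = "vr0"
lan_a  = "em0"    # 192.168.0.0/24 (subnet A)
lan_b  = "ath0"   # 192.168.1.0/24 (subnet B)
ext_ip = "88.x.x.x"   # placeholder from the post; put the real public address here

# Assumption: IP forwarding is enabled on the gateway (gateway_enable="YES"
# in rc.conf), otherwise nothing is routed between em0 and ath0 at all.

# Traffic between subnet A and subnet B is forwarded directly between em0 and
# ath0 and never touches $ext_if, so no 'no nat' exception is needed for it.
# Only packets leaving on the external interface are translated.
nat on $ext_if inet from { 192.168.0.0/24, 192.168.1.0/24 } to any -> $ext_ip

# No filtering on loopback or on the two internal interfaces, as in the thread,
# so the filter rules below only ever apply on $ext_if.
set skip on { lo0, $lan_a, $lan_b }

# Log everything that is blocked so it shows up on pflog0 during testing.
block log all

# Let the gateway and both subnets reach the Internet; replies come back
# through the state table.
pass out on $ext_if inet keep state
```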