dvl@
I'm trying to get NAT working in my basement. NAT is running fine on my gateway, but this is another situation. In this post, I'm trying to mix in enough detail without overloading.
EDIT: I did get the NAT working. In the end, I did not use it.
I have a 10.55.0.0/24 network in the basement. The gateway handles incoming traffic. One host inside the gateway has a VPN connection to a host at a colo facility. The goal of the VPN is to allow that remote host to proxy incoming web requests to webservers in my basement. In short, I am relocating an existing proxy in my basement to a proxy in a colo.
Let's refer to these two hosts as the portal host (the one in the colo) and the basement host (the one... in my basement, seen below as r720-01).
Current status: both hosts are connected via a WireGuard tunnel. The portal host can ping any host in my basement network.
These are the PF rules in place on the basement host:
Code:
[r720-01 dan ~] % cat /etc/pf.conf
EXT_IF="ix0"
WG_IF="wg0"
LAN="10.55.0.0/24"
# e.g. 10.9.1.144
WG_LAN="10.9.1.0/24"
set skip on lo0
#set skip on $EXT_IF
scrub in all
#nat on $EXT_IF from $WG_LAN to any -> ($EXT_IF)
nat on $EXT_IF inet from $WG_LAN -> 10.55.0.59
pass in all
pass out all
That IP address I'm trying to NAT to is defined on the NIC:
Code:
[r720-01 dan ~] % ifconfig | grep 10.55.0.59
inet 10.55.0.59 netmask 0xffffffff broadcast 10.55.0.59
Forwarding is enabled on this host:
Code:
[r720-01 dan ~] % sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 1
And the wg0 NIC:
Code:
[r720-01 dan ~] % ifconfig wg0
wg0: flags=8043<UP,BROADCAST,RUNNING,MULTICAST> metric 0 mtu 1420
options=80000<LINKSTATE>
inet 10.9.1.145 netmask 0xfffffffc broadcast 10.9.1.147
groups: tun
nd6 options=109<PERFORMNUD,IFDISABLED,NO_DAD>
Opened by PID 88424
[r720-01 dan ~] %
This is the incoming ping request as seen on the basement host. ix0 is the main NIC on this host.
Code:
[r720-01 dan ~] % sudo tcpdump -ni ix0 host 10.9.1.144
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ix0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:31:38.540370 IP 10.9.1.144 > 10.55.0.73: ICMP echo request, id 17234, seq 913, length 64
14:31:38.540677 IP 108.36.95.115 > 10.9.1.144: ICMP echo reply, id 56414, seq 913, length 64
14:31:39.603879 IP 10.9.1.144 > 10.55.0.73: ICMP echo request, id 17234, seq 914, length 64
14:31:39.604183 IP 108.36.95.115 > 10.9.1.144: ICMP echo reply, id 56414, seq 914, length 64
^C
4 packets captured
54 packets received by filter
0 packets dropped by kernel
[r720-01 dan ~] %
This is what that ping looks like on the host being pinged:
Code:
14:32:23.112376 IP 10.9.1.144 > 10.55.0.73: ICMP echo request, id 17234, seq 955, length 64
14:32:23.112424 IP 10.55.0.73 > 10.9.1.144: ICMP echo reply, id 17234, seq 955, length 64
Instead of 10.9.1.144 being seen on the network, I'd like to NAT that to 10.55.0.59.
Ideas please?
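As an added example (not from the post), a small Python checker that parses `tcpdump -n` output like the captures above and reports whether the pf `nat` rule took effect: it flags echo requests on ix0 that still carry a 10.9.1.0/24 source, and replies whose source or ICMP id differs from the matching request, as in the capture where 108.36.95.115 answers instead of 10.55.0.73. The "translated" capture is constructed to show what a working translation would look like.

```python
import ipaddress
import re

# Constructed sample: the post's capture on ix0 (the external NIC) before NAT worked.
CAPTURE_IX0 = """\
14:31:38.540370 IP 10.9.1.144 > 10.55.0.73: ICMP echo request, id 17234, seq 913, length 64
14:31:38.540677 IP 108.36.95.115 > 10.9.1.144: ICMP echo reply, id 56414, seq 913, length 64
14:31:39.603879 IP 10.9.1.144 > 10.55.0.73: ICMP echo request, id 17234, seq 914, length 64
14:31:39.604183 IP 108.36.95.115 > 10.9.1.144: ICMP echo reply, id 56414, seq 914, length 64
"""

# Constructed sample of the same exchange once "nat on $EXT_IF ... -> 10.55.0.59" applies.
CAPTURE_IX0_TRANSLATED = """\
14:40:00.000000 IP 10.55.0.59 > 10.55.0.73: ICMP echo request, id 17234, seq 1, length 64
14:40:00.000300 IP 10.55.0.73 > 10.55.0.59: ICMP echo reply, id 17234, seq 1, length 64
"""

LINE_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo "
                     r"(?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)")

def parse(capture):
    """Return one dict per ICMP echo line; other tcpdump output (banner, counters) is ignored."""
    return [m.groupdict() for m in map(LINE_RE.match, capture.splitlines()) if m]

def untranslated_sources(capture, wg_lan="10.9.1.0/24"):
    """Sources of echo requests on the external NIC that are still WireGuard-side addresses."""
    net = ipaddress.ip_network(wg_lan)
    return sorted({p["src"] for p in parse(capture)
                   if p["kind"] == "request" and ipaddress.ip_address(p["src"]) in net})

def nat_applied(capture, wg_lan="10.9.1.0/24", nat_addr="10.55.0.59"):
    """True when no WireGuard source leaks and every request carries the NAT address."""
    reqs = [p for p in parse(capture) if p["kind"] == "request"]
    return bool(reqs) and not untranslated_sources(capture, wg_lan) \
        and all(p["src"] == nat_addr for p in reqs)

def mismatched_replies(capture):
    """Replies (matched to requests by seq) whose source or ICMP id differs from the request:
    evidence the answer came back over a different path, e.g. via another NAT device."""
    reqs = {p["seq"]: p for p in parse(capture) if p["kind"] == "request"}
    out = []
    for p in parse(capture):
        r = reqs.get(p["seq"])
        if p["kind"] == "reply" and r and (p["src"] != r["dst"] or p["id"] != r["id"]):
            out.append((p["seq"], r["dst"], p["src"]))
    return out
```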