I have a gateway host running pf and NATing two private RFC1918 subnets behind a single public IP. I have the following interfaces configured:
Code:
vr0: 88.x.x.x/yy
em0: 192.168.0.1/24 (subnet A)
ath0: 192.168.1.1/24 (subnet B)
and the following NAT rules:
Code:
no nat on vr0 inet from 192.168.0.0/24 to 192.168.1.0/24
no nat on vr0 inet from 192.168.1.0/24 to 192.168.0.0/24
nat on vr0 inet from 192.168.0.0/24 to any -> 88.x.x.x
nat on vr0 inet from 192.168.1.0/24 to any -> 88.x.x.x
Both private subnets can reach the Internet fine, but I'm unable to get them talking to each other and I'm not able to figure out why.
I have 'set skip on em0' and 'set skip on ath0' in my pf ruleset, so these problems aren't due to other filter rules.
If I set a host on subnet A pinging a host on subnet B, tcpdump shows the ICMP packets coming into em0 and then being sent out of ath0, but the B-host doesn't send any reply back via the gateway. It periodically sends an ARP request for the gateway's MAC address and gets a response, but still won't route the ping responses back that way.
Can anyone advise on why this isn't working?
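As an added illustration, not part of the original post or the poster's configuration, here is a small Python model of how pf evaluates the four translation rules quoted above. It parses the `nat`/`no nat` lines and applies pf's first-match semantics for translation rules, where a rule is only consulted for packets leaving the interface it is bound to. The public address is a TEST-NET-3 placeholder because 88.x.x.x is masked in the post, and the host addresses and the `translate` and `parse_rules` helpers are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The four translation rules from the post, embedded as constructed input.
# The masked public address 88.x.x.x is replaced by a TEST-NET-3 placeholder.
PUBLIC_IP = "203.0.113.1"  # placeholder for the poster's 88.x.x.x
PF_NAT_RULES = f"""
no nat on vr0 inet from 192.168.0.0/24 to 192.168.1.0/24
no nat on vr0 inet from 192.168.1.0/24 to 192.168.0.0/24
nat on vr0 inet from 192.168.0.0/24 to any -> {PUBLIC_IP}
nat on vr0 inet from 192.168.1.0/24 to any -> {PUBLIC_IP}
"""


@dataclass
class NatRule:
    negate: bool                          # True for 'no nat'
    iface: str                            # interface the rule is bound to
    src: Optional[ipaddress.IPv4Network]  # None means 'any'
    dst: Optional[ipaddress.IPv4Network]  # None means 'any'
    target: Optional[str]                 # translated source, None for 'no nat'


def _net(token: str) -> Optional[ipaddress.IPv4Network]:
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_rules(text: str):
    """Parse the 'nat on IF inet from SRC to DST [-> ADDR]' subset of pf.conf."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        negate = tok[0] == "no"
        if negate:
            tok = tok[1:]
        if tok[:2] != ["nat", "on"] or tok[3:4] != ["inet"] or tok[4] != "from" or tok[6] != "to":
            raise ValueError(f"unsupported rule: {line}")
        target = tok[9] if len(tok) == 10 and tok[8] == "->" else None
        if not negate and target is None:
            raise ValueError(f"nat rule without translation address: {line}")
        rules.append(NatRule(negate, tok[2], _net(tok[5]), _net(tok[7]), target))
    return rules


def _matches(net: Optional[ipaddress.IPv4Network], addr: str) -> bool:
    return net is None or ipaddress.ip_address(addr) in net


def translate(rules, iface: str, src: str, dst: str):
    """Return (source address after translation, index of the matching rule or None).

    pf evaluates translation rules first-match, and a rule only considers packets
    leaving the interface it is bound to. A matching 'no nat' rule stops the search
    and leaves the packet untouched.
    """
    for i, r in enumerate(rules):
        if r.iface != iface:
            continue
        if _matches(r.src, src) and _matches(r.dst, dst):
            return (src if r.negate else r.target), i
    return src, None


def main():
    rules = parse_rules(PF_NAT_RULES)
    cases = [
        # Subnet A host pinging subnet B: the gateway forwards it out ath0,
        # so no vr0-bound rule is consulted and the source stays private.
        ("ath0", "192.168.0.10", "192.168.1.20"),
        # Same host reaching the Internet: the packet leaves vr0, rule 3 translates it.
        ("vr0", "192.168.0.10", "198.51.100.7"),
        # Hypothetical: if that inter-subnet packet did leave vr0, the first
        # 'no nat' rule would match and still leave it untranslated.
        ("vr0", "192.168.0.10", "192.168.1.20"),
    ]
    for iface, src, dst in cases:
        new_src, idx = translate(rules, iface, src, dst)
        rule = f"rule {idx + 1}" if idx is not None else "no rule"
        print(f"out {iface} {src} -> {dst}: source becomes {new_src} ({rule})")


if __name__ == "__main__":
    main()
```

Running it shows that traffic between the two private subnets never reaches the vr0-bound rules at all (it egresses via em0 or ath0), so the `no nat` lines are not what decides whether the A-to-B packet keeps its private source; whether the B-host's replies come back is a question for the B-host's own routing and for what tcpdump sees on ath0, not for the NAT table.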