PF NAT/masquerade

Hi,
I am using the PF firewall and have a logical interface, vlan1010, which has a live IP. I want to write a NAT/masquerade rule that says that whatever packet goes out from this interface should have a source IP equal to the live IP assigned to this logical interface (vlan1010), and when the packet comes back it should be routed back to the original local IP.
Can you help me write this rule? I have tried the following but it didn't help.
Code:
nat on vlan1010 from {192.168.0.0/24} to any -> (vlan1010)

Regards
 
When I ping an IP within the same live network (the one the IP assigned to the vlan1010 interface belongs to), I do not get the reply, but when I do ifconfig vlan1010 down, the ping works.
Actually, when I bring the vlan1010 interface up, it adds a route for the public network this live IP is part of; when I delete this route, ping works.
 
Well, the gateway (FreeBSD) can ping it, but the machines behind this gateway can't ping this live IP.
 
When I ping an IP within the same live network (the one the IP assigned to the vlan1010 interface belongs to), I do not get the reply, but when I do ifconfig vlan1010 down, the ping works.
The NAT rule is for outgoing traffic, not incoming traffic. It does a source NAT on the source address for traffic that goes out of the vlan1010 interface. It does absolutely nothing to traffic coming in on vlan1010.
 
I see the ping request on the gateway sent by 192.168.1.141; I can see the packet via tcpdump, it is the following. With and without the NAT rule I added with pf (i.e. nat on vlan1010 from {192.168.0.0/24} to any -> (vlan1010)), both give the same result.
Code:
16:39:06.661459 04:42:1a:MAC > d4:5d:64:MAC, ethertype 802.1Q (0x8100), length 102: vlan 1010, p 0, ethertype IPv4, 192.168.1.141 > A.B.C.D (live IP): ICMP echo request, id 26, seq 7, length 64
Why doesn't the gateway receive the echo reply?

And on the remote gateway, I get the following via tcpdump:

Code:
16:41:12.771287 04:42:1a:MAC > d4:5d:64:MAC, ethertype 802.1Q (0x8100), length 102: vlan 1010, p 0, ethertype IPv4, 192.168.1.141 > A.B.C.D (live IP): ICMP echo request, id 26, seq 2, length 64
16:41:12.771296 d4:5d:64:MAC > 00:50:56:MAC, ethertype 802.1Q (0x8100), length 102: vlan 1010, p 0, ethertype IPv4, A.B.C.D (live IP) > 192.168.1.141: ICMP echo reply, id 26, seq 2, length 64
16:41:13.791107 04:42:1a:MAC > d4:5d:64:MAC, ethertype 802.1Q (0x8100), length 102: vlan 1010, p 0, ethertype IPv4, 192.168.1.141 > A.B.C.D (live IP): ICMP echo request, id 26, seq 3, length 64
16:41:13.791117 d4:5d:64:MAC > 00:50:56:MAC, ethertype 802.1Q (0x8100), length 102: vlan 1010, p 0, ethertype IPv4, A.B.C.D (live IP) > 192.168.1.141: ICMP echo reply, id 26, seq 3, length 64
But why doesn't the client 192.168.1.141 receive the reply?
 
I can see the packet via tcpdump, it is following, with and without the NAT rule I added with pf
The rule only applies to traffic with a 192.168.0.0/24 source address; 192.168.1.141 isn't in that range. Do you understand how subnets work?

Why doesn't the gateway receive the echo reply?
It doesn't know where 192.168.1.141 is. If by "live IP" you mean an actual internet IP address, you do know that 192.168.0.0/16 is a private range that isn't routed on the internet?
 
It was a typo, I meant 192.168.X.0/24 (192.168.0.141/24).
Yes, I know it's a private address (class C) and not routable over the internet; that's why I want to put NAT/masquerade on the source/originating end, but it doesn't work.
 
Pinging the gateway IP (which is within 192.168.0.0/24) from an outside network (192.168.1.0/24) doesn't affect your (S)NAT rule at all (and vice versa); this is a completely different matter.

Do you have any packet filter rules blocking outgoing ICMP replies?
 
I said I have only one local network, which is 192.168.0.0/24 or 192.168.1.0/24. I am very well aware of the fact that 192.168.0.0/24 and 192.168.1.0/24 are two networks. I made a typo earlier; can we please stop discussing two /24 networks (class C)?
My rule in /etc/pf.conf is as follows:
Code:
nat on vlan1010 from {192.168.1.0/24} to any -> (vlan1010)
 
Are you capturing those packets on the parent interface of vlan1010? Because you can see the VLAN encapsulation in the tcpdump. It's tagged traffic, and I presume you want to have the untagged traffic somewhere?

And to help us better understand your situation can you make a simple diagram how things are connected? Your explanation of the situation is a little confusing.
 
You can just do tcpdump -ni vlan1010. It's an interface like every other.
 
Thanks,
I know what the problem is: 192.168.1.0/24 doesn't get masqueraded to the live IP. In other words, the following is not working in the /etc/pf.conf file
Code:
# cat /etc/pf.conf
nat on vlan1010 from {192.168.1.0/24} to any -> (vlan1010)
#
I have the following in my rc.conf file as well
Code:
gateway_enable="YES"
pf_enable="yes"
pf_rules="/etc/pf.conf"
What else do I need to get the outbound traffic from the 192.168.1.0/24 network masqueraded to the live IP?

Regards
Adeel
 
It's called NAT, not masquerade. You can remove pf_rules from /etc/rc.conf; it's the default, no need to set it explicitly.

What does pfctl -sn show?
 
pfctl -sn gave no output earlier; I think it was because pf was not started and was only enabled, although I ran pfctl -e thinking that it would enable pf and start it as well, but that doesn't seem to be the case. Now I restarted pf and it shows the following rule.
Code:
# pfctl -sn
nat on vlan1010 inet from 192.168.1.0/24 to any -> (vlan1010) round-robin
And now the ping works; many thanks for the support.
 
Yes, you need to actually load the rules. You can do this with pfctl -f /etc/pf.conf.
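The three things that went wrong in this thread (a client address outside the rule's source subnet, a stray character pasted onto the rule, and rules enabled with pfctl -e but never loaded with pfctl -f) as a small checker. This is an added example, not code from the thread or from pf itself; the sample strings are constructed from the rule and the pfctl -sn output quoted above, and the checker takes the pfctl -sn listing as plain text rather than running pfctl.

```python
"""Checker for the 'nat on' rule from this thread: wrong source subnet, a stray
character pasted onto the rule, rules enabled (pfctl -e) but never loaded (pfctl -f)."""
import ipaddress
import re

# Matches both the pf.conf form "nat on IF from {SRC} to any -> (IF)" and the
# form pfctl -sn prints back ("... inet from SRC to any -> (IF) round-robin").
NAT_RE = re.compile(
    r"^nat\s+on\s+(?P<ifname>\S+)\s+(?:inet\s+)?from\s+\{?\s*(?P<src>[\d./]+)\s*\}?"
    r"\s+to\s+any\s*->\s*\(?(?P<target>[\w.]+)\)?(?:\s+round-robin)?\s*(?P<junk>\S*)$"
)

def parse_nat_rule(rule: str) -> dict:
    """Parse one nat rule; raise ValueError if pfctl would reject it."""
    m = NAT_RE.match(rule.strip())
    if not m:
        raise ValueError(f"not a recognised nat rule: {rule!r}")
    d = m.groupdict()
    if d["junk"]:  # e.g. the '.' that ends a sentence but is a syntax error in pf.conf
        raise ValueError(f"trailing text {d['junk']!r} is a syntax error")
    d["src"] = ipaddress.ip_network(d["src"], strict=False)
    return d

def rule_is_loadable(rule: str) -> bool:
    try:
        parse_nat_rule(rule)
        return True
    except ValueError:
        return False

def diagnose(conf_rule: str, loaded_rules: str, client_ip: str, egress_if: str) -> list:
    """Return reasons why client_ip's traffic leaving egress_if would not be translated."""
    problems = []
    rule = parse_nat_rule(conf_rule)
    if rule["ifname"] != egress_if:
        problems.append(f"rule is on {rule['ifname']} but traffic leaves via {egress_if}")
    if ipaddress.ip_address(client_ip) not in rule["src"]:
        problems.append(f"{client_ip} is not in {rule['src']}")
    # pfctl -sn prints the loaded translation rules; an empty listing means pf was
    # enabled but pfctl -f /etc/pf.conf was never run.
    if not any(line.startswith("nat on") for line in loaded_rules.splitlines()):
        problems.append("pfctl -sn lists no nat rules: load them with pfctl -f /etc/pf.conf")
    return problems

if __name__ == "__main__":
    # Constructed sample: the thread's first rule (wrong subnet) and nothing loaded.
    for p in diagnose("nat on vlan1010 from {192.168.0.0/24} to any -> (vlan1010)",
                      "", "192.168.1.141", "vlan1010"):
        print("problem:", p)
```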
 