NAT Only Sort Of Working

Geezer


I am having difficulty with NAT. I thought it would have been easy.

/etc/rc.conf
Code:
defaultrouter="192.168.64.1"
gateway_enable="YES"
ifconfig_igb0="inet 192.168.32.22 netmask 255.255.255.0"
ifconfig_igb0_alias0="inet 192.168.32.5 netmask 255.255.255.255"
ifconfig_igb0_alias1="inet 192.168.33.1 netmask 255.255.255.0"
ifconfig_igb0_alias2="inet 192.168.34.1 netmask 255.255.255.0"
ifconfig_igb0_alias3="inet 192.168.35.1 netmask 255.255.255.0"
ifconfig_aq0="inet 192.168.64.5 netmask 255.255.255.0"

/etc/pf.conf
Code:
nat on aq0 from "192.168.32.0/22" to any -> (aq0)

Other machines on the LAN use 192.168.32.5 as the default route. From them I can ping a few IPs on the internet, but most I cannot.

What am I doing wrong?
 

SirDice


"192.168.32.0/22"
Wrong subnet mask.
Code:
ifconfig_igb0="inet 192.168.32.22 netmask 255.255.255.0"
ifconfig_igb0_alias0="inet 192.168.32.5 netmask 255.255.255.255"
ifconfig_igb0_alias1="inet 192.168.33.1 netmask 255.255.255.0"
ifconfig_igb0_alias2="inet 192.168.34.1 netmask 255.255.255.0"
ifconfig_igb0_alias3="inet 192.168.35.1 netmask 255.255.255.0"

You're trying to supernet here, which you shouldn't do. Supernetting can be done but it's really finicky and error-prone. Don't mix different subnets on the same interface. That's a recipe for disaster. The whole reason to split things up into different subnets is to limit broadcast domains, and here you're lumping them all together in the same broadcast domain.
 
Geezer (OP)

I have changed it:
Code:
ifconfig_igb0="inet 192.168.32.22 netmask 255.255.252.0"
ifconfig_igb0_alias0="inet 192.168.32.5 netmask 255.255.255.255"
ifconfig_igb0_alias1="inet 192.168.33.1 netmask 255.255.255.255"
ifconfig_igb0_alias2="inet 192.168.34.1 netmask 255.255.255.255"
ifconfig_igb0_alias3="inet 192.168.35.1 netmask 255.255.255.255"

But the same results.

What else may I be doing wrong?
 

SirDice


Did you reload pf.conf after changing the IP addresses?

Check with tcpdump(1) and see what's actually on the wire.
 
Geezer (OP)

Code:
ifconfig_igb0="inet 192.168.32.22 netmask 255.255.252.0"
ifconfig_igb0_alias0="inet 192.168.32.5 netmask 255.255.255.255"

Code:
nat on aq0 from "192.168.32.0/24" to any -> (aq0)

Is that better? Or am I not allowed an alias?

Same results. From the machine next to it 192.168.32.17, I can ping 1.1.1.1 and not 8.8.8.8.
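The subnet-coverage problem SirDice raises above (several /24 networks lumped onto igb0 while the nat rule says /22), and the later combination of a /22 on igb0 with a /24 nat rule, checked in code. This is an added example and not code from the thread or from pf; it runs offline on rc.conf and pf.conf text constructed from the configurations quoted in this thread, uses Python's ipaddress module for the subnet arithmetic, and assumes 192.168.33.10 as a LAN host address (192.168.32.17 is from the thread).

```python
"""Check whether a pf 'nat on' rule actually covers the inside networks
configured on a FreeBSD LAN interface in /etc/rc.conf.

Added example, not code from the thread. The rc.conf and pf.conf text is
constructed from the configurations quoted in the thread; 192.168.33.10
is an assumed LAN host address.
"""
import ipaddress
import re

# Constructed sample: the first rc.conf posted (igb0 /24 with /24 aliases).
RC_CONF_ORIGINAL = """\
defaultrouter="192.168.64.1"
gateway_enable="YES"
ifconfig_igb0="inet 192.168.32.22 netmask 255.255.255.0"
ifconfig_igb0_alias0="inet 192.168.32.5 netmask 255.255.255.255"
ifconfig_igb0_alias1="inet 192.168.33.1 netmask 255.255.255.0"
ifconfig_igb0_alias2="inet 192.168.34.1 netmask 255.255.255.0"
ifconfig_igb0_alias3="inet 192.168.35.1 netmask 255.255.255.0"
ifconfig_aq0="inet 192.168.64.5 netmask 255.255.255.0"
"""

# Constructed sample: the revised rc.conf (igb0 /22 with /32 aliases).
RC_CONF_REVISED = """\
ifconfig_igb0="inet 192.168.32.22 netmask 255.255.252.0"
ifconfig_igb0_alias0="inet 192.168.32.5 netmask 255.255.255.255"
ifconfig_igb0_alias1="inet 192.168.33.1 netmask 255.255.255.255"
ifconfig_igb0_alias2="inet 192.168.34.1 netmask 255.255.255.255"
ifconfig_igb0_alias3="inet 192.168.35.1 netmask 255.255.255.255"
ifconfig_aq0="inet 192.168.64.5 netmask 255.255.255.0"
"""

NAT_RULE_22 = 'nat on aq0 from "192.168.32.0/22" to any -> (aq0)'
NAT_RULE_24 = 'nat on aq0 from "192.168.32.0/24" to any -> (aq0)'

_IFCONFIG_RE = re.compile(
    r'^ifconfig_(?P<ifname>[a-z]+\d+)(?:_alias\d+)?='
    r'"inet (?P<addr>\S+) netmask (?P<mask>\S+)"', re.M)
_NAT_RE = re.compile(
    r'^nat on (?P<ext>\S+) from "?(?P<src>[\d./]+)"? to any -> \((?P<tr>\S+)\)$')


def interface_networks(rc_conf, ifname):
    """All IPv4 address/netmask pairs rc.conf puts on ifname, primary first."""
    return [ipaddress.IPv4Interface(f"{m['addr']}/{m['mask']}")
            for m in _IFCONFIG_RE.finditer(rc_conf) if m['ifname'] == ifname]


def parse_nat_rule(rule):
    """Split 'nat on EXT from SRC to any -> (TR)' into (ext, src_network, tr)."""
    m = _NAT_RE.match(rule.strip())
    if m is None:
        raise ValueError(f"unsupported nat rule: {rule!r}")
    return m['ext'], ipaddress.ip_network(m['src'], strict=False), m['tr']


def mixed_subnets(rc_conf, ifname):
    """Distinct non-/32 networks on one interface. More than one means several
    broadcast domains share a single link (the supernetting SirDice warns about)."""
    return sorted({i.network for i in interface_networks(rc_conf, ifname)
                   if i.network.prefixlen < 32})


def uncovered_networks(rc_conf, lan_if, nat_rule):
    """Directly connected LAN networks whose hosts do NOT match the nat rule.
    Their packets are still forwarded, but leave the external interface with the
    private source address intact, so replies only return if the upstream
    router happens to have a route back to that private network."""
    _, src_net, _ = parse_nat_rule(nat_rule)
    return [n for n in mixed_subnets(rc_conf, lan_if) if not n.subnet_of(src_net)]


def translated_source(rc_conf, nat_rule, src_addr):
    """Source address seen upstream for a packet from src_addr: the primary
    address of the '-> (ifname)' interface if the rule matches, else unchanged."""
    _, src_net, tr_if = parse_nat_rule(nat_rule)
    ext_addr = str(interface_networks(rc_conf, tr_if)[0].ip)
    return ext_addr if ipaddress.ip_address(src_addr) in src_net else src_addr


if __name__ == "__main__":
    cases = [("original rc.conf, /22 rule", RC_CONF_ORIGINAL, NAT_RULE_22),
             ("original rc.conf, /24 rule", RC_CONF_ORIGINAL, NAT_RULE_24),
             ("revised rc.conf, /24 rule", RC_CONF_REVISED, NAT_RULE_24)]
    for label, rc, rule in cases:
        print(f"{label}: subnets on igb0 = {[str(n) for n in mixed_subnets(rc, 'igb0')]},"
              f" not covered by nat = {[str(n) for n in uncovered_networks(rc, 'igb0', rule)]}")
    # 192.168.32.17 is the host named in the thread; 192.168.33.10 is a constructed one.
    for host in ("192.168.32.17", "192.168.33.10"):
        print(f"{host} -> {translated_source(RC_CONF_REVISED, NAT_RULE_24, host)}")
```

On the box itself the same questions are answered by `pfctl -s nat` (is the rule that is actually loaded the one you think, and was pf.conf reloaded with `pfctl -f /etc/pf.conf` after the addresses changed), `pfctl -s state` (are states being created for the LAN host at all), `sysctl net.inet.ip.forwarding` (1 when gateway_enable="YES" has taken effect), and `tcpdump -ni aq0 net 192.168.32.0/22`, which shows any private source addresses escaping untranslated on the WAN side. A coverage gap like the ones above makes whole networks fail, not individual destinations; the "1.1.1.1 works, 8.8.8.8 does not" symptom in this thread still needs the on-the-wire look SirDice recommends.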
 

SirDice


I can ping 1.1.1.1 and not 8.8.8.8.
That sounds like a firewall rule blocking access. In any case, tcpdump(1) is the tool to use. Then you can actually "see" the packets (or not), instead of having to guess what's happening.
 

mer


May be a silly question, but ip forwarding is enabled, yes?
sysctl net.inet.ip.forwarding?
 
Geezer (OP)

I think I have sorted it out.

SirDice, I take on board what you were saying about supernetting.

Thank you for your help.

I have put in another network card and it all works wonders. I am using re0 instead of aq0.

Is if_atlantic only experimental? Is there another driver for aquantia?
 

SirDice


That looks very new and that "Development preview" tag doesn't bode well either.
 
Geezer (OP)

Nice new Supermicro machine, and here I am tearing it apart and putting in cannibalised parts.

Maybe in a few months, the driver will improve and I can use it.

In the meantime, I am going to bed.
 

diizzy


I doubt that, as Marvell have pretty much killed all Aquantia related projects since acquiring them.
 
Geezer (OP)

I doubt that, as Marvell have pretty much killed all Aquantia related projects since acquiring them.

Oh dear, bit of a waste. Brand new mother board and I have had to put in a separate network card.
 