Solved NAT with forwarding is not working

Hi guys!

I've spent a couple of days trying to set up a router in a virtual network using FreeBSD, and I can't get it to work, I'm afraid.

A quick summary of what I have and what I want to achieve:

I have 2 interfaces: xn0, which is the external interface, and bridge0 which is internal.

The internal LAN is, but in the future I will also add a third interface that connects to a VPN, which is. At the moment I'm only using the .1.0/24 network.

The router, which has an internal IP of, should NAT the internal network to the external interface, and port 22 should be forwarded to an internal machine.

This is the configuration I have at the moment:


tcp_services = "{ 22 }"

table <allowed_lans> {, }
table <private> const { 192.168/16, 10/8 }

#sachiel is another external server that should have full access to this host

set skip on lo0
set loginterface $ext_if

scrub in all

nat on $ext_if from $int_lan to ! <private> -> ($ext_if)
rdr pass inet proto tcp from any to $ext_ip port 22 -> port 22

block all
pass out from <allowed_lans> to any
pass out from $ext_ip to any
pass in from <allowed_lans> to <allowed_lans>
pass from $sachiel to $ext_ip 

pass in on $ext_if inet proto tcp from any to $ext_ip port $tcp_services flags S/SA keep state

With this configuration, the remote server (sachiel) can access the host, other IPs are blocked, and the router itself can access the network freely. So far so good.

However, the machines in int_lan can access the router, but they can't access the internet, so I guess NAT isn't working, or I'm filtering it without knowing.

Also, port forwarding is not working: from the remote server I can ping the router, but if I SSH to it (which should forward the SSH port) it says "No route to host".

I'm sure I'm overlooking something. I've been reading the handbook and some other literature on PF, but I'm a bit lost since I'm very used to iptables.

Could you guys point out where I messed up?

Thank you very much.

OK, I more or less solved it.

One problem was totally unrelated to PF or FreeBSD. These machines are virtualized using Xen, and it seems that having TCP offloading enabled seriously degrades performance, to the point that it seems not to work.

Now, however, unless I comment out the block all statement, the VMs behind the NAT don't have connectivity.

I will keep trying stuff.

I did it! It was a stupid mistake: I should be blocking on the external interface only.

block in on $ext_if did it.

I hope this is helpful to someone somehow.
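For reference, here is a complete pf.conf that puts the thread's conclusion together. It is an added example, not the poster's own configuration: the interface names, the addresses, the $ssh_srv and $sachiel hosts and the $int_if macro are all placeholders. The reason `block all` broke LAN connectivity is visible in the original ruleset: `block all` drops packets on every interface in both directions, and the only inbound pass rule that could match on bridge0 was `pass in from <allowed_lans> to <allowed_lans>`, so a LAN packet addressed to the Internet was dropped on bridge0 before it ever reached the nat rule on xn0. The example keeps the thread's `block in on $ext_if` and, instead of leaving the internal interface completely open, also states the LAN policy explicitly.

```pf
# Added example, not the original poster's configuration.
# Interface names and addresses are placeholders; replace them with your own.
ext_if  = "xn0"
int_if  = "bridge0"
ext_ip  = "203.0.113.10"      # placeholder (TEST-NET-3): router's public address
int_lan = "192.168.1.0/24"    # placeholder: internal LAN
ssh_srv = "192.168.1.20"      # placeholder: internal host that receives port 22
sachiel = "198.51.100.5"      # placeholder: trusted remote admin host

tcp_services = "{ 22 }"
table <private> const { 192.168/16, 10/8, 172.16/12 }

set skip on lo0
set loginterface $ext_if
scrub in all

# Translation rules: evaluated before the filter rules.
# Only LAN traffic bound for the Internet is NATed.
nat on $ext_if from $int_lan to ! <private> -> ($ext_if)
# "rdr pass" both redirects and passes the forwarded connection, so no
# separate filter rule is needed for it. Note that this shadows the
# router's own sshd on port 22 as seen from outside.
rdr pass on $ext_if inet proto tcp from any to $ext_ip port 22 -> $ssh_srv port 22

# Default deny on the external interface only, as in the thread's fix.
block in on $ext_if

# The LAN side gets an explicit policy instead of being left wide open:
# drop anything arriving on $int_if that does not come from the LAN range,
# and drop LAN-sourced packets that show up on any other interface.
block in on $int_if
antispoof quick for $int_if
pass in on $int_if from $int_lan to any keep state

# Management access from the trusted host only ...
pass in on $ext_if inet proto tcp from $sachiel to $ext_ip port $tcp_services flags S/SA keep state
# ... plus ICMP echo from it so reachability can be tested.
pass in on $ext_if inet proto icmp from $sachiel to $ext_ip icmp-type echoreq

# Everything the router itself originates, and the NATed LAN traffic leaving
# on $ext_if, is allowed out; state entries handle the replies.
pass out keep state
```

To check a ruleset like this before loading it, run `pfctl -nf /etc/pf.conf` (parse only) and `pfctl -vnf /etc/pf.conf` to see the expanded rules; after loading, `pfctl -s nat`, `pfctl -s rules` and `pfctl -s state` show whether the translation rules are present and whether state entries are actually being created for LAN clients. Since `set loginterface` and the default `block` log nothing by themselves, add `log` to the block rules and watch `tcpdump -n -e -ttt -i pflog0` to see exactly which interface and direction is dropping a packet; that would have pointed straight at bridge0 in the original setup. For the Xen offloading problem the thread mentions, `ifconfig xn0 -tso -txcsum -rxcsum` disables the offload features on FreeBSD so that behaviour can be confirmed or ruled out independently of pf.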