Solved PF NAT on one interface.

Hello, I have a request. I need to set up NAT on one interface. I am using two addressing schemes in one network: 192.168.2.0/24 and 192.168.8.0/24. This was done previously and I cannot change it at the moment. The router, which is based on FreeBSD, has an address of 192.168.2.1 and an alias on the same interface of 192.168.8.90. Computers in the 192.168.8.0/24 subnet have a gateway of 192.168.8.1, but they need to access computers in the 192.168.2.0/24 subnet. I thought I would set up routing on them to the 192.168.2.0/24 network with a gateway of 192.168.8.90, and I would need to set up NAT on FreeBSD from the 8.0 network to the 2.0 network on one interface. Unfortunately, it's not working for me. Can someone give me some advice on how to do this?
 
So, did you try just routing without NAT? I don't see what good NAT would do here.

Also, just adding routes to the respective "other" internal network on all hosts should be much simpler, as packages don't have to take a deviation that way.
 
I am trying to set up routing on a computer with the address 192.168.8.33 using the command: route 192.168.2.0 mask 255.255.255.0 192.168.8.90. Unfortunately, the host cannot access any hosts in the 192.168.2.0/24 subnet.
 
I don't see a reason for a gateway at all, just try instead: route add 192.168.2.0/24 192.168.8.33 -interface.

edit: of course you need the "opposite" routes in the other network as well for communication to work.
 
Okay, I'm not sure if I can set something like that under Microsoft systems. But I'll check it out. However, since I've already asked the question, I'm still curious if PF will allow me to do NAT on one network interface?
 
Quoting pf.conf(5):
Code:
     nat   A nat rule specifies that IP addresses are to be changed as the
           packet traverses the given interface.

So, one interface is enough to specify nat rules. BUT: For your scenario, you'd need NAT in different "directions" and I'm pretty sure this won't work as you expect it (but if in doubt, just test and observe the traffic).

Anyways, NAT would only further complicate your situation.
 
It is not a good idea to use NAT for interconnecting two local networks.

Assuming 192.168.2.1 is a default gateway for 192.168.2.0/24

Try to set a static route on 192.168.8.1:
route to 192.168.2.0/24 via 192.168.8.90

Also check on FreeBSD that traffic from 192.168.2.0/24 to 192.168.8.0/24 is NOT passed to NAT on FreeBSD.
So you should exclude that traffic from NATing,
and you must allow traffic between the LANs in both directions on the FreeBSD firewall.

It seems to be the simplest way to connect two LANs for this case.

If you can't add a static route on 192.168.8.1, then you can add the same route on every device in the 192.168.8.0/24 network.

If it does not work as expected, then I would install an additional Ethernet LAN card into FreeBSD
to get a completely independent physical interface for the 2nd network.
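
The NAT exclusion and the two-way pass rules described in the post above, sketched as a pf.conf fragment. This is an added example, not configuration posted in the thread; the interface name em0 is an assumption, and the box is assumed to have forwarding enabled (gateway_enable="YES" in /etc/rc.conf).

```conf
# --- macros (lan_if is a hypothetical interface name; the subnets are from the thread) ---
lan_if = "em0"                  # carries 192.168.2.1 and the alias 192.168.8.90
net_a  = "192.168.2.0/24"
net_b  = "192.168.8.0/24"

# --- translation ---
# Translation rules are first-match, so these exclusions must come
# before any existing "nat on ..." rule in the file. They keep
# LAN-to-LAN packets from having their source address rewritten.
no nat on $lan_if inet from $net_a to $net_b
no nat on $lan_if inet from $net_b to $net_a

# --- filtering ---
# A forwarded packet enters and leaves on the same interface, so the
# rules carry no direction keyword and match both "in" and "out".
# These pass all traffic between the two LANs, as the post suggests;
# restrict by protocol and port if only specific services are needed.
pass quick on $lan_if inet from $net_a to $net_b keep state
pass quick on $lan_if inet from $net_b to $net_a keep state
```

The ruleset can be syntax-checked without loading it using `pfctl -nf /etc/pf.conf`.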
 
What's at 192.168.8.1?
 
Here the problem was that the router 192.168.8.1 doesn't have options to set static routes.
But I got this working by adding routes to 2.0 and 8.0 with gw 0.0.0.0 locally, and this works OK.

On hosts in subnet 2.0/24 I add
route add 192.168.8.0 mask 255.255.255.0 0.0.0.0

On hosts in subnet 8.0/24 I add
route add 192.168.2.0 mask 255.255.255.0 0.0.0.0

Thanks for the help
 
There's no need for static routes if you can add an alias to 192.168.8.1. Everything will just work(tm) if you add, say 192.168.2.90 to whatever is at 192.168.8.1.
 