pf nat rule doesn't work

I have FreeBSD jails with the following IPs bound to net interface bce1:

Code:
192.168.50.3
192.168.50.4

I have enabled pf in FreeBSD, and in rc.conf set

Code:
gateway_enable="YES"

And I have only the following rule in /etc/pf.conf, but it doesn't work:

Code:
ext_if="bce0"
int_if="bce1"
nat on $ext_if from $int_if:network to any -> ($ext_if)

Result:

Code:
# telnet yahoo.com 80
yahoo.com: Name does not resolve

In either jail /etc/resolv.conf uses 8.8.8.8 as DNS server.
 
Hi,

Default gateway has been set:

Code:
Destination        Gateway            Flags     Netif Expire
default            xxx.xxx.xxx.xxx       UGS        bce0

But I can't ping within the jail:

Code:
ping: sendto: Can't assign requested address

There are multiple external IPs bound to bce0:

Code:
bce0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c00b9<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE>
        ether 78:2b:cb:4c:9b:2f
        inet xxxx.24 netmask 0xfffffff8 broadcast xxxx.29
        inet xxxx.26 netmask 0xffffffff broadcast xxxx.26
        inet xxxx.28 netmask 0xffffffff broadcast xxxx.28
        inet xxxx.25 netmask 0xffffffff broadcast xxxx.25
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
bce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        ether 78:2b:cb:4c:9b:30
        inet 10.0.0.1 netmask 0xffffffff broadcast 10.0.0.1
        inet 192.168.50.4 netmask 0xffffffff broadcast 192.168.50.4
        inet 192.168.50.2 netmask 0xffffffff broadcast 192.168.50.2
        inet 192.168.50.5 netmask 0xffffffff broadcast 192.168.50.5
        inet 192.168.50.3 netmask 0xffffffff broadcast 192.168.50.3
        media: Ethernet autoselect (none)
        status: no carrier
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
 
I'm guessing the problem is that (bce0) is expanding to all of the IP addresses associated with that interface. Try this: ping -S xxxx.24 xxx.xxx.xxx.xxx. Replace "xxxx.24" with one of the addresses bound to bce0 and replace "xxx.xxx.xxx.xxx" with your gateway's IP address.
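The expansions discussed in this thread can be checked without touching a live firewall. The following Python script is an added example and is not from the thread or from FreeBSD: it parses ifconfig output of the shape posted above and computes what pf's `$int_if:network` (the network of each address, using that address's own netmask) and `($ext_if)` (every address configured on the interface) expand to. The external addresses are constructed placeholders from the 203.0.113.0/24 documentation range, standing in for the redacted `xxxx.24` etc.; the bce1 addresses are the ones shown in the thread.

```python
import ipaddress
import re

# Constructed sample, modelled on the ifconfig listing posted in the thread.
# 203.0.113.x (documentation range) replaces the poster's redacted "xxxx.24" etc.
SAMPLE_IFCONFIG = """\
bce0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 203.0.113.24 netmask 0xfffffff8 broadcast 203.0.113.29
        inet 203.0.113.26 netmask 0xffffffff broadcast 203.0.113.26
        inet 203.0.113.28 netmask 0xffffffff broadcast 203.0.113.28
        inet 203.0.113.25 netmask 0xffffffff broadcast 203.0.113.25
        status: active
bce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.0.0.1 netmask 0xffffffff broadcast 10.0.0.1
        inet 192.168.50.4 netmask 0xffffffff broadcast 192.168.50.4
        inet 192.168.50.2 netmask 0xffffffff broadcast 192.168.50.2
        inet 192.168.50.5 netmask 0xffffffff broadcast 192.168.50.5
        inet 192.168.50.3 netmask 0xffffffff broadcast 192.168.50.3
        status: no carrier
"""

IF_HEADER = re.compile(r"^(\w+): flags=")
INET_LINE = re.compile(r"^\s+inet (\S+) netmask 0x([0-9a-fA-F]{8})")


def parse_ifconfig(text):
    """Return {ifname: [(IPv4Address, prefixlen), ...]} from ifconfig output."""
    ifaces = {}
    current = None
    for line in text.splitlines():
        m = IF_HEADER.match(line)
        if m:
            current = m.group(1)
            ifaces[current] = []
            continue
        m = INET_LINE.match(line)
        if m and current is not None:
            addr = ipaddress.IPv4Address(m.group(1))
            mask = int(m.group(2), 16)
            ifaces[current].append((addr, bin(mask).count("1")))
    return ifaces


def expand_interface(ifaces, name):
    """pf's `$if` / `($if)`: every address assigned to the interface."""
    return [str(addr) for addr, _ in ifaces[name]]


def expand_network(ifaces, name):
    """pf's `$if:network`: one network per address, each using its own netmask.
    A /32 alias therefore contributes only itself, not a surrounding subnet."""
    return [str(ipaddress.IPv4Network((addr, plen), strict=False))
            for addr, plen in ifaces[name]]


def nat_rule_expansion(ifaces, ext_if, int_if):
    """Expand `nat on $ext_if from $int_if:network to any -> ($ext_if)`."""
    return {"from": expand_network(ifaces, int_if),
            "to": expand_interface(ifaces, ext_if)}


if __name__ == "__main__":
    ifaces = parse_ifconfig(SAMPLE_IFCONFIG)
    exp = nat_rule_expansion(ifaces, "bce0", "bce1")
    print("nat on bce0 from { %s } to any -> { %s }"
          % (", ".join(exp["from"]), ", ".join(exp["to"])))
```

Run against the sample, the source side becomes five /32 hosts and the translation side a list of four external addresses, which is what the reply above suspects: with several addresses behind `($ext_if)`, pf has more than one redirection address to choose from rather than a single fixed source. On the real host, `pfctl -nvf /etc/pf.conf` parses the file without loading it and prints the rules with macros expanded, so the same thing can be checked before the ruleset goes live.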
 
The problem is solved with the following in /etc/pf.conf:

Code:
ext_if="bce0"
jail_if="lo1"
jail_net=$jail_if:network
nat on $ext_if from $jail_net to any -> ($ext_if)
 