PF pf nat setting problem

[Raffeale]

When I run pfctl -f /etc/pf.conf
I got following messages

/usr/local/etc/pf.conf:1: Rules must be in order: options, normalization, queueing, translation, filtering

rc.conf

gateway_enable="YES"
natd_enable="YES"
cloned_interfaces="bridge0 tap10"
ifconfig_bridge0="addm re0 addm tap10"
ifconfig_tap0="inet 192.168.3.1 netmask 255.255.255.0"
if_tap_load="YES"
#pptdevs="2/0/0"
ifconfig_tap10="inet 192.168.3.1 netmask 255.255.255.0"

I install windows with bhyve and setting its IP 192.168.3.2, and set tap10 192.168.3.1, now I can ping 192.168.3.1 and 192.168.1.5(re0 ip) in windows(bhyve) but I can't ping the router 192.168.1.1 and internet ip

pf.conf

nat on re0 from {tap10:network} to any -> (re0)

I search a lot and trying anything, it's not work.

 

[Eric A. Borisch]

If you are using a bridge like this (between the bhyve tap and your physical network card), you don’t need NAT — the virtual device will participate in the network as if you had a physical switch that the host computer, the upstream network, and the bhyve “machine” were all plugged into to it.

If you want to use NAT, then you should get rid of the bridge.

 

[Raffeale]

thank you for your answer. I want to use nat ,I will delete bridge0 ,could you tell me how to set of nat rule

 

[SirDice]

Remove the IP conflict too. You cannot have two (or more) interfaces with the same IP address. Remove natd_enable, that's for IPFW not PF.

 

[Raffeale]

Yes, I have just removed the tap0 interface and pfctl -f /etc/pf.conf got same error messages.

 

[SirDice]

Your pf.conf has more than that single line you posted. Order is rather important in that file and the order is not correct. That's what the error is telling you.

 

[Raffeale]

This is my pf.conf, please help me to check it.

all_ifs = "{"re0 wlan0 ue0 lo0 tap10 "}"

web_all_ifs = "{"re0 wlan0 ue0 "}"



block in all
antispoof for $web_all_ifs
set skip on lo0
set skip on tap10
set skip on bridge0

#nat on re0 inet from (bridge0) -> (re0)

block in from no-route to any
block in from urpf-failed to any 
block in quick on $all_ifs from any to 255.255.255.255

nat on re0 from {tap10:network} to any -> {re0} 
#nat on {re0} from any to any  
#binat on re0 from 192.168.3.0 to any -> 192.168.1.1 

#allow ping other machine , deny all ping from out
block in on $all_ifs inet proto icmp all icmp-type 8 code 0
pass out on $all_ifs inet proto icmp all icmp-type 8 code 0 keep state
pass in quick on $all_ifs inet proto icmp all icmp-type 8 code 0

pass out quick on re0 inet proto icmp all keep state
pass out on $web_all_ifs  proto {tcp,udp } from any to any port {21,22,23,123,8080} keep state

pass out on $web_all_ifs  proto {udp} from any to any port domain  
pass out on $web_all_ifs  proto tcp from any to any port {80,443,8080} keep state
block in on $web_all_ifs proto {tcp , udp} from any



pass in quick on lo0  inet proto {tcp,udp} from localhost to localhost port 3690 
pass out quick on lo0  inet proto {tcp,udp} from localhost to localhost port 3690

block in on $web_all_ifs all

 

[Raffeale]

You are right, it's is order problem. I just moved the NAT line to first line and the error disappeared.
But my windows VM still can't access internet and router I change the VM IP to 192.168.3.2 and tap0 192.168.3.1.

 

[Raffeale]

my ifconfig

re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
	ether f2:c4:5a:1f:62:33
	inet 192.168.1.5 netmask 0xffffff00 broadcast 192.168.1.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
	inet 127.0.0.1 netmask 0xff000000
	groups: lo
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether c2:a2:31:88:a2:3d
	inet 192.168.1.7 netmask 0xffffff00 broadcast 192.168.1.255
	groups: wlan
	ssid CMCC-ev5n channel 8 (2447 MHz 11g) bssid 94:ff:61:12:6c:37
	regdomain FCC country US authmode WPA2/802.11i privacy ON
	deftxkey UNDEF TKIP 2:128-bit powersavemode CAM powersavesleep 100
	txpower 30 bmiss 10 scanvalid 60 protmode CTS wme roaming MANUAL
	parent interface: iwm0
	media: IEEE 802.11 Wireless Ethernet OFDM/48Mbps mode 11g
	status: associated
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
tap10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	ether 58:9c:fc:10:ff:bf
	inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255
	groups: tap
	media: Ethernet autoselect
	status: active
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	Opened by PID 51847

 

[SirDice]

Your wlan0 and re0 are both active. Use one or the other, not both. Your NAT is set to the wired interface, so disable your wireless.

nat on re0 from {tap10:network} to any -> {re0}

That should be

nat on re0 from {tap10:network} to any -> (re0)

 

[Raffeale]

it's work now ,thanks ! the nat configureation is right !

 

[Raffeale]

i found there is a problem about pf firewall , when i use pfctl to setting re0 to use nat function and i restart netif service the vm can't access router and internet , i have to load pf.conf again then it will be work. that's mean when netif restart the pf will delete re0 all rules?

 

[SirDice]

i restart netif service the vm can't access router and internet

Also restart the routing service; service routing restart.

 

[Raffeale]

yes,thank you a lot. it can work