[Solved] Under NAT, client cannot go out to WAN-side network

I am trying to set up NAT for two LAN network interfaces, but the NAT client cannot go out to the WAN-side network.
(attached screenshot: 2021-11-17_17-59.png)

pf.conf
Code:
# interfaces
wan_if="alc0"
wl1_if="wlan1"   # 10.0.0.254, interface wlan1 as Access Point
ue0_if="ue0"     # 10.0.0.1, connect to L2 switch
lan_if="{" $wl1_if $ue0_if "}"
lan="10.0.0.0/24"
wan="192.168.100.0/24"

#TCP service
tcp_services="{80,443}"

# ping requests
icmp_types = "{ echorep, unreach, squench, echoreq, timex, paramprob }"
icmp6_types = "{ unreach, toobig, timex, paramprob, echoreq, echorep, neighbradv, neighbrsol, routeradv, routersol }"

# options
set block-policy drop

# pass on lo
set skip on lo

scrub in all

# NAT
nat on $wan_if inet from $lan to !$lan -> ($wan_if)

# default, deny everything
block in log all

# out is ok
pass out quick keep state

# The antispoof mechanism protects against activity from spoofed or forged IP addresses
antispoof quick for $lan_if

# allow access to tcp_services on external interface
pass in on $wan_if inet proto tcp from any to ($wan_if) port $tcp_services flags S/SA keep state

# pass in on lan,wifi and wan
pass in quick on $lan_if
pass in on $wan_if from $wan

# icmp
## Allow the defined ICMP types
pass in inet proto icmp all icmp-type $icmp_types

## allow icmp6 for getting address using IPv6 autoconfiguration from router
pass inet6 proto ipv6-icmp all icmp6-type routeradv
pass inet6 proto ipv6-icmp all icmp6-type routersol

## allow icmp6 for getting neighbor addresses
pass inet6 proto ipv6-icmp all icmp6-type neighbradv
pass inet6 proto ipv6-icmp all icmp6-type neighbrsol

## allow icmp6 echo, not required, but sometimes nice
pass in inet6 proto ipv6-icmp all icmp6-type echoreq

## pass icmp-types: unreachable, time exceeded, parameter problem
pass in inet6 proto ipv6-icmp all icmp6-type {1 3 4}

# allow all traffic out via external interface
pass out on $wan_if proto tcp all modulate state flags S/SA
pass out on $wan_if proto { udp, icmp } all keep state

When the NAT client is on LAN:wlan1, the client sends ARP but it is blocked. I think "pass in quick on $lan_if" passes the ARP.
Why can the NAT client not go out to the WAN network?

On the LAN there is a DHCP server run by dnsmasq. The NAT client can get an IP address, but it is slow to get one after the DHCP request broadcast.
dnsmasq.conf
Code:
$ cat /usr/local/etc/dnsmasq.conf

# If you don't want dnsmasq to read /etc/resolv.conf or any other
# file, getting its servers from this file instead (see below), then
# uncomment this.
no-resolv

# forward all dns request to local dnscrypt-proxy
server=127.0.0.1#5353

# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=ue0
interface=wlan1
interface=alc0
# Or you can specify which interface _not_ to listen on
#except-interface=
# Or which to listen on by address (remember to include 127.0.0.1 if
# you use this.)
#listen-address=
# If you want dnsmasq to provide only DNS service on an interface,
# configure it as shown above, and then use the following line to
# disable DHCP and TFTP on it.
no-dhcp-interface=alc0

# Set this (and domain: see below) if you want to have a domain
# automatically added to simple names in a hosts-file.
expand-hosts

# Set the domain for dnsmasq. this is optional, but if it is set, it
# does the following things.
# 1) Allows DHCP hosts to have fully qualified domain names, as long
#     as the domain part matches this setting.
# 2) Sets the "domain" DHCP option thereby potentially setting the
#    domain of all systems configured by DHCP
# 3) Provides the domain part for "expand-hosts"
#domain=thekelleys.org.uk
domain=awas.lab

# Set a different domain for a particular subnet
domain=experimentals.awas.lab,10.0.0.0/24

# Uncomment this to enable the integrated DHCP server, you need
# to supply the range of addresses available for lease and optionally
# a lease time. If you have more than one network, you will need to
# repeat this for each network on which you want to supply DHCP
# service.
#dhcp-range=192.168.0.50,192.168.0.150,12h
dhcp-range=10.0.0.50,10.0.0.150,12h

# Do the same thing, but using the option name
#dhcp-option=option:router,1.2.3.4
dhcp-option=option:router,10.0.0.1

# DHCP option 6, list of domain name servers
dhcp-option=6,10.0.0.1

# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
dhcp-option=option:ntp-server,10.0.0.1

# If a DHCP client claims that its name is "wpad", ignore that.
# This fixes a security hole. see CERT Vulnerability VU#598349
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
 
Your networks on ue0 and wlan1 are on the same 10.0.0.0/24 subnet, that's not going to work.
 
Your networks on ue0 and wlan1 are on the same 10.0.0.0/24 subnet, that's not going to work.
Hi SirDice,
Thank you. I don't clearly understand why, but it makes sense. My set-up has two interfaces on the inside of the NAT, in front of the actual NAT clients; it looks like that does not work.
Now I have created two subnets and also two set-ups for DHCP and DNS on dnsmasq. wlan (AP) is working fine with a wireless client. The wired LAN side is not yet, but I guess it's an L2 switch matter, because the DHCP request does not reach the wired LAN interface.
Thank you very much for the quick response!
 
The problem is that unless the source interface is kept in the aliasing table, the kernel won't know where to send a de-aliased packet (on what interface, that is),
so probably it always sends on wlan.
You can probably bridge the two interfaces or choose another set of addresses for one of them.
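Following the advice above (one subnet per LAN interface), here is one way to renumber the set-up so the kernel can tell the two segments apart. This is an added example, not configuration posted in the thread: the 10.0.1.0/24 range for wlan1, the rc.conf address lines, the `wired`/`wifi` tag names and the `<lan>` table are assumptions; the hostap options for wlan1 are left out.

```conf
# --- /etc/rc.conf: one subnet per interface (assumed addresses) ---
gateway_enable="YES"                                   # IP forwarding between interfaces
ifconfig_ue0="inet 10.0.0.1 netmask 255.255.255.0"     # wired LAN stays on 10.0.0.0/24
ifconfig_wlan1="inet 10.0.1.1 netmask 255.255.255.0"   # wireless AP moves to 10.0.1.0/24

# --- /etc/pf.conf: only the lines that change ---
wan_if="alc0"
wl1_if="wlan1"
ue0_if="ue0"
lan_if="{" $wl1_if $ue0_if "}"
# a table instead of the $lan macro: pf rejects a negated list ("to !{ a, b }"),
# but negating a table ("to !<lan>") is allowed
table <lan> { 10.0.0.0/24, 10.0.1.0/24 }

# NAT only traffic leaving for the WAN; LAN-to-LAN traffic never matches
nat on $wan_if inet from <lan> to !<lan> -> ($wan_if)

# antispoof now derives two distinct subnets, one per interface
antispoof quick for $lan_if
pass in quick on $lan_if

# --- /usr/local/etc/dnsmasq.conf: one DHCP pool per subnet ---
interface=ue0
interface=wlan1
# dnsmasq picks the pool whose range lies in the subnet of the receiving interface
dhcp-range=set:wired,10.0.0.50,10.0.0.150,12h
dhcp-range=set:wifi,10.0.1.50,10.0.1.150,12h
# per-pool gateway and DNS: each client gets the router address on its own segment
dhcp-option=tag:wired,option:router,10.0.0.1
dhcp-option=tag:wired,option:dns-server,10.0.0.1
dhcp-option=tag:wifi,option:router,10.0.1.1
dhcp-option=tag:wifi,option:dns-server,10.0.1.1
```

Check the result with `pfctl -nf /etc/pf.conf` (syntax only) and then `pfctl -s state` while a wired and a wireless client each ping a WAN host: both states should show their own source subnet translated to the alc0 address.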
 
Hi covacat,
Thanks, yes, something in my foggy brain was thinking along those lines. How does the kernel map which NAT client is on which interface...
A bridge is a good idea. I will try it too.
 