Routing between two private networks behind NAT

I have a gateway host running pf and NATing two private RFC1918 subnets behind a single public IP. I have the following interfaces configured:

Code:
vr0:  88.x.x.x/yy
em0:  192.168.0.1/24 (subnet A)
ath0: 192.168.1.1/24 (subnet B)

and the following NAT rules:

Code:
no nat on vr0 inet from 192.168.0.0/24 to 192.168.1.0/24
no nat on vr0 inet from 192.168.1.0/24 to 192.168.0.0/24
nat on vr0 inet from 192.168.0.0/24 to any -> 88.x.x.x
nat on vr0 inet from 192.168.1.0/24 to any -> 88.x.x.x

Both private subnets can reach the Internet fine, but I'm unable to get them talking to eachother and I'm not able to figure out why.

I have 'set skip on em0' and 'set skip on ath0' in my pf ruleset, so these problems aren't due to other filter rules.

If I set a host on subnet A pinging a host on subnet B, tcpdump shows the ICMP packets coming into em0 and then being sent out of ath0, but the B-host doesn't sent any reply back via the gateway. It periodically sends an ARP request for the gateways MAC address and gets a response, but still won't route the ping responses back that way.

Can anyone advise on why this isn't working?
 
Can you show more of your pf.conf? Do you have 'set skip on lo0'?

Oh, and the two 'no nat' rules are unnecessary, because traffic between these networks will never touch vr0.
 
jem said:
If I set a host on subnet A pinging a host on subnet B, tcpdump shows the ICMP packets coming into em0 and then being sent out of ath0, but the B-host doesn't sent any reply back via the gateway. It periodically sends an ARP request for the gateways MAC address and gets a response, but still won't route the ping responses back that way.
So then where do its responses go? (ie. run a sniffer on B-host)
 
Make sure the hosts on both networks have a default gateway pointing at the fbsd box. Also make sure they don't have any other routing entries. Double check the subnetmask on those clients too.

Since both networks are directly connected on the fbsd box no additional routing entries are necessary.
 
Good morning. Thanks for the responses.

DutchDaemon said:
Can you show more of your pf.conf? Do you have 'set skip on lo0'?

Oh, and the two 'no nat' rules are unnecessary, because traffic between these networks will never touch vr0.

My pf.conf is here. Yes I do have 'set skip on lo0' too.

aragon said:
So then where do its responses go? (ie. run a sniffer on B-host)

The only two hosts are on subnet B are the gateway machine itself and the host being pinged. I'll run the sniffer on the B-host later, but it's my expectation that it simply isn't sending ping replies.

SirDice said:
Make sure the hosts on both networks have a default gateway pointing at the fbsd box. Also make sure they don't have any other routing entries. Double check the subnetmask on those clients too.

Since both networks are directly connected on the fbsd box no additional routing entries are necessary.

Hosts on both networks get their IP addressing via DHCP. The are both given a default gateway of 192.168.x.1 where x is 0 or 1 depending on which subnet it is. No other routes are created. Both get a subnet mask of 255.255.255.0.

I should point out that this problem exists in the reverse direction too - pinging from subnet B to subnet A. There are no filters on the hosts themselves blocking pings.
 
Ok, add 'log' to all 'block' rules, and run [cmd=]tcpdump -s 0 -pnli pflog0[/cmd] while you try to generate traffic between these networks. If anything shows up there, pf.conf is blocking too much. If nothing shows up there, it's a broader networking issue.
 
Back
Top