Routing between two private networks behind NAT


Postby jem » 09 Nov 2009, 00:24

I have a gateway host running pf and NATing two private RFC1918 subnets behind a single public IP. I have the following interfaces configured:

vr0:  88.x.x.x/yy
em0:  192.168.0.1/24 (subnet A)
ath0: 192.168.1.1/24 (subnet B)


and the following NAT rules:

no nat on vr0 inet from 192.168.0.0/24 to 192.168.1.0/24
no nat on vr0 inet from 192.168.1.0/24 to 192.168.0.0/24
nat on vr0 inet from 192.168.0.0/24 to any -> 88.x.x.x
nat on vr0 inet from 192.168.1.0/24 to any -> 88.x.x.x


Both private subnets can reach the Internet fine, but I'm unable to get them talking to each other and I'm not able to figure out why.

I have 'set skip on em0' and 'set skip on ath0' in my pf ruleset, so these problems aren't due to other filter rules.

If I set a host on subnet A pinging a host on subnet B, tcpdump shows the ICMP packets coming into em0 and then being sent out of ath0, but the B-host doesn't send any reply back via the gateway. It periodically sends an ARP request for the gateway's MAC address and gets a response, but still won't route the ping responses back that way.

Can anyone advise on why this isn't working?
jem
Member
 
Posts: 342
Joined: 23 Oct 2009, 11:24

Postby DutchDaemon » 09 Nov 2009, 00:41

Can you show more of your pf.conf? Do you have 'set skip on lo0'?

Oh, and the two 'no nat' rules are unnecessary, because traffic between these networks will never touch vr0.
DutchDaemon
Old Fart
 
Posts: 10463
Joined: 16 Nov 2008, 20:17
Location: The Netherlands

Postby aragon » 09 Nov 2009, 06:07

jem wrote:If I set a host on subnet A pinging a host on subnet B, tcpdump shows the ICMP packets coming into em0 and then being sent out of ath0, but the B-host doesn't send any reply back via the gateway. It periodically sends an ARP request for the gateway's MAC address and gets a response, but still won't route the ping responses back that way.

So then where do its responses go? (ie. run a sniffer on B-host)
aragon
Giant Locked
 
Posts: 2031
Joined: 16 Nov 2008, 17:04
Location: Cape Town, South Africa

Postby SirDice » 09 Nov 2009, 07:46

Make sure the hosts on both networks have a default gateway pointing at the fbsd box. Also make sure they don't have any other routing entries. Double check the subnet mask on those clients too.

Since both networks are directly connected on the fbsd box no additional routing entries are necessary.
Senior UNIX Engineer at Unix Support Nederland
Experience is something you don't get until just after you need it.
SirDice
Old Fart
 
Posts: 16166
Joined: 17 Nov 2008, 16:50
Location: Rotterdam, Netherlands

Postby jem » 09 Nov 2009, 09:02

Good morning. Thanks for the responses.

DutchDaemon wrote:Can you show more of your pf.conf? Do you have 'set skip on lo0'?

Oh, and the two 'no nat' rules are unnecessary, because traffic between these networks will never touch vr0.


My pf.conf is here. Yes I do have 'set skip on lo0' too.

aragon wrote:So then where do its responses go? (ie. run a sniffer on B-host)


The only two hosts on subnet B are the gateway machine itself and the host being pinged. I'll run the sniffer on the B-host later, but it's my expectation that it simply isn't sending ping replies.

SirDice wrote:Make sure the hosts on both networks have a default gateway pointing at the fbsd box. Also make sure they don't have any other routing entries. Double check the subnetmask on those clients too.

Since both networks are directly connected on the fbsd box no additional routing entries are necessary.


Hosts on both networks get their IP addressing via DHCP. They are both given a default gateway of 192.168.x.1 where x is 0 or 1 depending on which subnet it is. No other routes are created. Both get a subnet mask of 255.255.255.0.

I should point out that this problem exists in the reverse direction too - pinging from subnet B to subnet A. There are no filters on the hosts themselves blocking pings.
jem
Member
 
Posts: 342
Joined: 23 Oct 2009, 11:24

Postby DutchDaemon » 09 Nov 2009, 11:14

Ok, add 'log' to all 'block' rules, and run 'tcpdump -s 0 -pnli pflog0' while you try to generate traffic between these networks. If anything shows up there, pf.conf is blocking too much. If nothing shows up there, it's a broader networking issue.
DutchDaemon
Old Fart
 
Posts: 10463
Joined: 16 Nov 2008, 20:17
Location: The Netherlands
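As an added example (not part of the thread), here is a small Python script that applies DutchDaemon's pflog check offline: it parses lines in the format printed by 'tcpdump -s 0 -pnli pflog0' and reports every 'block' entry whose source and destination both lie in the two RFC1918 subnets from the thread. The log lines are constructed, and 192.0.2.1 stands in for the public 88.x.x.x address.

```python
import ipaddress
import re

# The two private subnets behind the gateway (from the thread).
SUBNET_A = ipaddress.ip_network("192.168.0.0/24")
SUBNET_B = ipaddress.ip_network("192.168.1.0/24")

# One pflog line as tcpdump prints it: timestamp, matching rule, action and
# direction, interface, then the packet summary ("IP " prefix is optional and
# TCP/UDP lines carry the port appended to the address with a dot).
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): (?:IP )?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)

def parse_pflog_line(line):
    """Return a dict of the pflog fields, or None for lines that don't match."""
    m = PFLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    return rec

def is_inter_subnet(src, dst):
    """True when the packet travels between subnet A and subnet B."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in SUBNET_A and d in SUBNET_B) or (s in SUBNET_B and d in SUBNET_A)

def blocked_between_subnets(lines):
    """Collect (rule, iface, src, dst) for every block between A and B.

    A non-empty result means pf.conf is blocking the traffic the thread is
    trying to pass; an empty one points at a broader networking issue."""
    hits = []
    for line in lines:
        rec = parse_pflog_line(line)
        if rec and rec["action"] == "block" and is_inter_subnet(rec["src"], rec["dst"]):
            hits.append((rec["rule"], rec["iface"], rec["src"], rec["dst"]))
    return hits

# Constructed sample output; the middle line is unrelated Internet-side noise.
SAMPLE_LOG = """\
09:02:01.000001 rule 3/0(match): block in on em0: 192.168.0.10 > 192.168.1.20: ICMP echo request, id 1, seq 1, length 64
09:02:01.000002 rule 5/0(match): block in on vr0: 203.0.113.7.4444 > 192.0.2.1.22: Flags [S], seq 0, win 65535, length 0
09:02:02.000003 rule 3/0(match): block out on ath0: 192.168.1.20 > 192.168.0.10: ICMP echo reply, id 1, seq 1, length 64
""".splitlines()

if __name__ == "__main__":
    for rule, iface, src, dst in blocked_between_subnets(SAMPLE_LOG):
        print(f"rule {rule} blocked {src} -> {dst} on {iface}")
```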
