Hi,

see my sample; it is well explained.
http://mouedine.net/ruleset49.aspx

All the best,

Wesley MOUEDINE ASSABY
www.mouedine.net


On Mon, 10 Oct 2011 17:38:26 +0200, Stefan Midjich <sweh...@gmail.com>
wrote:
> Simplest of things but I'm failing miserably.
> 
> $ sudo cat /etc/hostname.vic2 # External NIC with static public IPv4
> address
> inet 50.50.50.59 255.255.255.0 50.50.50.255
> 
> $ sudo cat /etc/hostname.vic3 # Internal NIC used as gateway by two
> machines on same network
> inet 10.221.181.10 255.255.255.0 10.221.181.255
> 
> For troubleshooting I have removed the block all rule, to confirm that
> it is in fact my NAT related rules that don't work.
> 
> These are my first and only NAT rules. The other rules work fine and
> are just to allow SSH to my management interface and ICMP response
> from the external IP and from the internal gateway IP. Besides I've
> removed the block all so the other rules don't matter much now.
> 
> match out on vic2 inet from 10.221.181.0/24 to any nat-to (vic2)
> round-robin
> pass inet from 10.221.181.0/24 to any flags S/SA keep state
> 
> With tcpdump I can see packets going to vic3, but no further.
> 
> With block all commented out I can fully test the network around and
> everything is working just fine, I can nc -kl 50.50.50.59 65535 and
> connect to that port from anywhere on the internet. I just can't
> connect out from the private network through the gateway. The systems
> in the private network have 10.221.181.10 as their default gateway.
> 
> I even have the Book of PF 2nd edition here but it's of no use, the
> rules are mostly from there. Just for troubleshooting I can also nc
> -kl 10.221.181.10 65535 on the gateway and connect to that port from
> the private network machines without issues.
> 
> So please tell me, what am I missing in this nat-to rule?
> 
> --
> 
> 
> Med vänliga hälsningar / With kind regards
> 
> Stefan Midjich

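Added example, written for this page and not code from either poster: a small POSIX shell pre-flight check for a pf NAT gateway of the shape quoted above. The one thing a pf.conf cannot do by itself is make the kernel route packets from the inside NIC to the outside one; on OpenBSD that is net.inet.ip.forwarding=1 in /etc/sysctl.conf (or sysctl net.inet.ip.forwarding=1 for the running kernel), and pf's nat-to only rewrites addresses on packets the kernel has already decided to forward. The script takes a pf.conf and a sysctl.conf path and reports whether forwarding is enabled (a commented-out line does not count), whether a nat-to rule exists out on the external interface for the inside network, and whether a pass rule will create state for that traffic. The interface name vic2 and the 10.221.181.0/24 network are taken from the quoted post as assumptions; the files it writes when run without arguments are constructed for the demo, not the poster's real ones.

```shell
#!/bin/sh
# gwcheck.sh: pre-flight check for an OpenBSD pf NAT gateway (added example,
# not code from the thread).  Usage: sh gwcheck.sh PF_CONF SYSCTL_CONF
#
# Assumptions (taken from the quoted post; override via the environment):
#   EXT_IF   external interface carrying the public address  (vic2)
#   INT_NET  inside network that has to be translated        (10.221.181.0/24)
EXT_IF="${EXT_IF:-vic2}"
INT_NET="${INT_NET:-10.221.181.0/24}"

# Regex-safe form of INT_NET ('.' would otherwise match any character).
INT_NET_RE=$(printf '%s\n' "$INT_NET" | sed 's/\./\\./g')

# forwarding_enabled SYSCTL_CONF -> 0 if the file sets net.inet.ip.forwarding=1.
# pf only rewrites addresses; the kernel will not route between interfaces
# unless this sysctl is on, and a '#'-commented line does not count.
forwarding_enabled() {
    grep -Eq '^[[:space:]]*net\.inet\.ip\.forwarding[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# nat_rule_present PF_CONF -> 0 if there is a 'match out on $EXT_IF ... from
# $INT_NET ... nat-to' rule, so outbound packets get the public source address.
nat_rule_present() {
    grep -Eq "^[[:space:]]*match[[:space:]]+out[[:space:]]+on[[:space:]]+$EXT_IF([[:space:]]|\$).*from[[:space:]]+$INT_NET_RE([[:space:]]|\$).*nat-to" "$1"
}

# pass_rule_present PF_CONF -> 0 if some pass rule covers traffic from $INT_NET.
# Without a state-creating pass rule the translated flow is dropped again as
# soon as a 'block all' is back in place.
pass_rule_present() {
    grep -Eq "^[[:space:]]*pass[[:space:]].*from[[:space:]]+$INT_NET_RE([[:space:]]|\$)" "$1"
}

# gateway_check PF_CONF SYSCTL_CONF
# Prints one line per check; the exit status is the number of problems found.
gateway_check() {
    gc_pf="$1"; gc_sysctl="$2"; gc_problems=0
    if forwarding_enabled "$gc_sysctl"; then
        echo "ok:      net.inet.ip.forwarding=1 in $gc_sysctl"
    else
        echo "MISSING: net.inet.ip.forwarding=1 in $gc_sysctl" \
             "(packets arrive on the inside NIC but are never routed out)"
        gc_problems=$((gc_problems + 1))
    fi
    if nat_rule_present "$gc_pf"; then
        echo "ok:      nat-to rule out on $EXT_IF for $INT_NET in $gc_pf"
    else
        echo "MISSING: 'match out on $EXT_IF inet from $INT_NET to any nat-to ($EXT_IF)' in $gc_pf"
        gc_problems=$((gc_problems + 1))
    fi
    if pass_rule_present "$gc_pf"; then
        echo "ok:      pass rule creating state for $INT_NET in $gc_pf"
    else
        echo "MISSING: 'pass inet from $INT_NET to any' in $gc_pf"
        gc_problems=$((gc_problems + 1))
    fi
    return "$gc_problems"
}

# With two arguments, check real files.  Otherwise run on constructed files
# (not the poster's real ones): the two rules from the quoted post, plus a
# sysctl.conf in which forwarding is still commented out.
if [ "$#" -eq 2 ]; then
    gateway_check "$1" "$2" || echo "problems: $?"
else
    demo_dir=$(mktemp -d)
    cat > "$demo_dir/pf.conf" <<'EOF'
match out on vic2 inet from 10.221.181.0/24 to any nat-to (vic2) round-robin
pass inet from 10.221.181.0/24 to any flags S/SA keep state
EOF
    printf '#net.inet.ip.forwarding=1\n' > "$demo_dir/sysctl.conf"
    gateway_check "$demo_dir/pf.conf" "$demo_dir/sysctl.conf" || echo "problems: $?"
    rm -rf "$demo_dir"
fi
```

On the gateway itself run it as `sh gwcheck.sh /etc/pf.conf /etc/sysctl.conf`; a non-zero exit code is the number of problems. `sysctl net.inet.ip.forwarding=1` turns forwarding on for the running kernel without a reboot, and `pfctl -nf /etc/pf.conf` still has the last word on rule syntax, since the script only greps for the rules it expects.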