$ sudo pfctl -sr |grep nat-to
match in on vic3 inet from 10.221.181.0/24 to any label "NATOut" nat-to (vic2) round-robin

pfctl -vsl shows only evaluated packets for all my rules, which
worries me: it never increments the counter of packets gone through
any of the nat rules. Only the first rules for the management network and,
of course, the block rule when it was in place.

2011/10/10 James Shupe <jsh...@osre.org>:
> What does `pfctl -sr | grep nat-to` say?
>
> On 10/10/11 10:38 AM, Stefan Midjich wrote:
>> Simplest of things but I'm failing miserably.
>>
>> $ sudo cat /etc/hostname.vic2 # External NIC with static public IPv4 address
>> inet 50.50.50.59 255.255.255.0 50.50.50.255
>>
>> $ sudo cat /etc/hostname.vic3 # Internal NIC used as gateway by two
>> machines on same network
>> inet 10.221.181.10 255.255.255.0 10.221.181.255
>>
>> For troubleshooting I have removed the block all rule, to confirm that
>> it is in fact my NAT related rules that don't work.
>>
>> These are my first and only NAT rules. The other rules work fine and
>> are just to allow SSH to my management interface and ICMP response
>> from the external IP and from the internal gateway IP. Besides I've
>> removed the block all so the other rules don't matter much now.
>>
>> match out on vic2 inet from 10.221.181.0/24 to any nat-to (vic2) round-robin
>> pass inet from 10.221.181.0/24 to any flags S/SA keep state
>>
>> With tcpdump I can see packets going to vic3, but no further.
>>
>> With block all commented out I can fully test the network around and
>> everything is working just fine, I can nc -kl 50.50.50.59 65535 and
>> connect to that port from anywhere on the internet. I just can't
>> connect out from the private network through the gateway. The systems
>> in the private network have 10.221.181.10 as their default gateway.
>>
>> I even have the Book of PF 2nd edition here but it's of no use, the
>> rules are mostly from there. Just for troubleshooting I can also nc
>> -kl 10.221.181.10 65535 on the gateway and connect to that port from
>> the private network machines without issues.
>>
>> So please tell me, what am I missing in this nat-to rule?
>>
>> --
>>
>>
>> Med vänliga hälsningar / With kind regards
>>
>> Stefan Midjich
>>
>
>
> --
> James Shupe, OSRE
> developer/ engineer
> jsh...@osre.org | 866.235.1288
> BSD/ Linux Support | Metro Ethernet | Hosting
> check out our site at www.osre.org
>
>

--


Med vänliga hälsningar / With kind regards

Stefan Midjich
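For reference, here is a complete minimal pf.conf for the setup described in this thread (one internal /24 behind a single public address), written as an added example rather than taken from the poster's configuration. It uses the interface names and addresses from the thread; the macro names, the SSH port and the "NATOut" label are assumptions. The thread shows nat-to attached both to `match out on vic2` and to `match in on vic3`; this example uses the outbound form from the first post.

```pf
# Added example (not the poster's own pf.conf): minimal OpenBSD NAT gateway.
# Macro names are assumptions; the interfaces and addresses come from the thread.
ext_if  = "vic2"             # external NIC, public address 50.50.50.59
int_if  = "vic3"             # internal NIC, gateway address 10.221.181.10
int_net = "10.221.181.0/24"

set skip on lo

# NAT: rewrite the source address of traffic leaving the external interface
# from the internal network to that interface's own address. The parentheses
# make pf look up the address of $ext_if at run time instead of at load time.
# "round-robin" only matters when the translation address is a pool; with a
# single address it has no effect. The label makes this rule's counters
# visible with pfctl -sl.
match out on $ext_if inet from $int_net to any nat-to ($ext_if) label "NATOut"

block all

# Management access and ICMP echo, as in the original post (port assumed).
pass in on $ext_if inet proto tcp to ($ext_if) port ssh
pass in inet proto icmp icmp-type echoreq

# Accept traffic from the internal hosts, and let the gateway send anything out.
pass in on $int_if inet from $int_net to any
pass out inet
```

A `match ... nat-to` rule only rewrites packets the kernel actually forwards between interfaces, so the first thing to verify on a gateway like this is `sysctl net.inet.ip.forwarding` (it must be 1; put `net.inet.ip.forwarding=1` in /etc/sysctl.conf to keep it across reboots). With forwarding off, packets arriving on the internal interface are discarded before any `match out` rule on the external interface is evaluated. After `pfctl -f /etc/pf.conf`, `pfctl -vsr` shows per-rule Evaluations and Packets counters, and `pfctl -ss` lists states; a working translation appears there as a state whose source has been rewritten to the external address.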