Mitja wrote:
> Andreas Bihlmaier wrote:
>> On Thu, Dec 07, 2006 at 11:27:11PM +0100, Mitja wrote:
>>> Hello,
>>>
>>> I am trying to configure nat from internal network 192.168.1.0/24 to
>>> external nat gateway address 193.189.180.193. The problem is that
>>> packets are not passing from nat gateway to the interface 193.77.12.154
>>> to the internet.
>>>
>>> ISP <-> 193.77.12.154 -- hostA -- 192.168.1.1
>>>                            |
>>>                     193.189.180.193 (em1)
>>>                            |
>>>                       /27 network

More testing:

I changed my pf.conf to:

# pfctl -s all
TRANSLATION RULES:
nat on bge0 inet from 192.168.1.0/24 to any -> (bge0:0)
rdr pass on em1 inet proto tcp from any to any port = 5900 -> 192.168.1.111 port 5900

FILTER RULES:
pass in all keep state
pass out all keep state
No queue in use

Now I am doing translation from 192.168.1.0/24 to bge0 (193.77.12.154), the closest interface to my ISP.

Test:

# ping -I 192.168.1.95 209.85.129.147
PING 209.85.129.147 (209.85.129.147): 56 data bytes
64 bytes from 209.85.129.147: icmp_seq=0 ttl=242 time=45.439 ms
64 bytes from 209.85.129.147: icmp_seq=1 ttl=242 time=45.307 ms
--- 209.85.129.147 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 45.307/45.373/45.439/0.066 ms

# tcpdump -i bge0 icmp
tcpdump: listening on bge0, link-type EN10MB
14:46:10.614558 193.77.12.154 > 209.85.129.147: icmp: echo request
14:46:10.659932 209.85.129.147 > 193.77.12.154: icmp: echo reply
14:46:11.624513 193.77.12.154 > 209.85.129.147: icmp: echo request
14:46:11.669838 209.85.129.147 > 193.77.12.154: icmp: echo reply

It looks like NAT is working.

The same test with changed configuration in pf.conf to:

# pfctl -s all
TRANSLATION RULES:
nat on em1 inet from 192.168.1.0/24 to any -> (em1:0)
rdr pass on em1 inet proto tcp from any to any port = 5900 -> 192.168.1.111 port 5900

FILTER RULES:
pass in all keep state
pass out all keep state
No queue in use

The same test, with tcpdump on the last interface (bge0;193.77.12.154).

# ping -I 192.168.1.95 209.85.129.147
PING 209.85.129.147 (209.85.129.147): 56 data bytes
--- 209.85.129.147 ping statistics ---
15 packets transmitted, 0 packets received, 100.0% packet loss

# tcpdump -i bge0 icmp
tcpdump: listening on bge0, link-type EN10MB
14:49:16.377482 192.168.1.95 > 209.85.129.147: icmp: echo request
14:49:17.387437 192.168.1.95 > 209.85.129.147: icmp: echo request
14:49:18.397398 192.168.1.95 > 209.85.129.147: icmp: echo request

icmp packets are going out, but it looks like NAT is not working (it should change my source IP address).

I checked with Google,
http://www.openbsd.org/faq/pf/nat.html,
http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&arch=&apropos=0&manpath=OpenBSD+4.0
and did not find anything useful.

I'm stuck. Any ideas?

Regards,
Mitja
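
The check the post makes by eye on the two bge0 captures, written as a script. This is an added example, not part of the original message: it reads tcpdump ICMP lines in the format shown above and reports echo requests that leave the external interface with a source still inside the internal network. The function names and the two sample lists (copied from the captures in the post) are this example's own.

```python
import ipaddress
import re

# Matches lines such as:
# 14:49:16.377482 192.168.1.95 > 209.85.129.147: icmp: echo request
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\s+icmp:\s+(?P<kind>echo request|echo reply)"
)

def find_untranslated(lines, internal_net="192.168.1.0/24"):
    """Return (timestamp, src, dst) for echo requests whose source is still internal."""
    net = ipaddress.ip_network(internal_net)
    leaks = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["kind"] != "echo request":
            continue  # banner lines, replies and non-ICMP output are skipped
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # octet out of range, not a real address
        if src in net:
            leaks.append((m["ts"], m["src"], m["dst"]))
    return leaks

# Capture on bge0 with "nat on bge0" loaded (lines from the post).
CAPTURE_NAT_ON_BGE0 = [
    "tcpdump: listening on bge0, link-type EN10MB",
    "14:46:10.614558 193.77.12.154 > 209.85.129.147: icmp: echo request",
    "14:46:10.659932 209.85.129.147 > 193.77.12.154: icmp: echo reply",
    "14:46:11.624513 193.77.12.154 > 209.85.129.147: icmp: echo request",
    "14:46:11.669838 209.85.129.147 > 193.77.12.154: icmp: echo reply",
]

# Capture on bge0 with "nat on em1" loaded (lines from the post).
CAPTURE_NAT_ON_EM1 = [
    "tcpdump: listening on bge0, link-type EN10MB",
    "14:49:16.377482 192.168.1.95 > 209.85.129.147: icmp: echo request",
    "14:49:17.387437 192.168.1.95 > 209.85.129.147: icmp: echo request",
    "14:49:18.397398 192.168.1.95 > 209.85.129.147: icmp: echo request",
]

if __name__ == "__main__":
    for name, cap in (("nat on bge0", CAPTURE_NAT_ON_BGE0), ("nat on em1", CAPTURE_NAT_ON_EM1)):
        leaks = find_untranslated(cap)
        print(f"{name}: {len(leaks)} untranslated echo request(s) seen on bge0")
        for ts, src, dst in leaks:
            print(f"  {ts} {src} -> {dst}")
```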