Lars Nooden wrote:
> Alexander Hall wrote:
>> Lars Nooden wrote:
>>> Sometimes I have to set up a LAN inside a pre-existing NAT'd LAN and
>>> traffic from the inner LAN (B) does not make it to the Internet or even
>>> to final, external interface (4).
>>>
>>>              +-------+         +--------+
>>>     LAN B ---+ 1     +         +  Box2  +
>>>              +  NAT  +         +       4+---> Internet
>>>              +      2+--LAN A--+3  NAT  +
>>>              +  Box1 +         +        +
>>>              +-------+         +--------+
>>>
>>> What kind of generic change is needed in PF to get from LAN B through to
>>> the outside?
>> If the subnets are different, say 192.168.10.0/24 and 192.168.11.0/24,
>> and each box does its NAT and 'net.inet.ip.forwarding=1' I cannot see
>> anything that would prevent this from working.
>>
>> Start by tracing how far the packet makes it and what src address it has.
> 
> Thanks.
> 
> I can ping from LAN B to interface 3 and get a response, but not to 4.
> I can ping (and everything else) from LAN A to interface 4 and the Internet.
> 
> I've searched around a bit and see there is something wrong (in general)
> with "double NAT"

Did that come out correctly? Do you really mean there generally is
something wrong with "double nat"? If so, I'd say you/they are (doing
it) wrong.

Ping some internet host from a computer at LAN B and run tcpdump for
each interface on each box to see where the packet vanishes.

If you've got pf running with more than the NAT rules, that could very
well be causing you problems too.

> 
> -Lars

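To make the "generic change" concrete, here is an added example (not from the thread, not Lars's or Alexander's configuration) of the minimal ruleset that both boxes in the diagram need. It follows Alexander's suggested subnets (LAN B 192.168.10.0/24, LAN A 192.168.11.0/24); the interface names em0/em1 are assumed. The same shape of pf.conf is loaded on both boxes, only the macro values differ:

```pf
# Added example: minimal double-NAT pf.conf, OpenBSD 4.7+ syntax.
# Same ruleset on both boxes; only the macros change.
#   Box1: int_if = interface 1 (LAN B), ext_if = interface 2 (LAN A),
#         inner_lan = "192.168.10.0/24"
#   Box2: int_if = interface 3 (LAN A), ext_if = interface 4 (Internet),
#         inner_lan = "192.168.11.0/24"
# Both boxes must also forward: sysctl net.inet.ip.forwarding=1
# (put it in /etc/sysctl.conf so it survives a reboot).

int_if    = "em1"               # assumed interface name
ext_if    = "em0"               # assumed interface name
inner_lan = "192.168.10.0/24"   # value for Box1; use 192.168.11.0/24 on Box2

set skip on lo

# Rewrite every inner-LAN source to the address of the outer interface.
# Box1 turns LAN B sources into its own LAN A address (interface 2), so
# Box2 only ever sees LAN A sources and the identical rule on Box2 covers
# traffic that originated on either LAN.
match out on $ext_if from $inner_lan to any nat-to ($ext_if)

# Let inner-LAN traffic in and everything out; replies ride the state.
pass in on $int_if from $inner_lan to any
pass out on $ext_if

# On releases before 4.7 the translation line is written instead as:
# nat on $ext_if from $inner_lan to any -> ($ext_if)
```

Check the syntax with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and confirm forwarding with `sysctl net.inet.ip.forwarding` on each box. To trace the way Alexander describes, ping an Internet host from LAN B while running `tcpdump -ni <interface> icmp` on interfaces 1, 2, 3 and 4 in turn: the packet should appear with a LAN B source on 1, a LAN A source on 2 and 3, and interface 4's address on 4; the first hop where it is missing, or still carries a private source it should not have, is the broken one. `pfctl -sr` and `pfctl -ss` show the loaded rules and states, which is where any extra rules beyond the NAT ones will turn up.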