Mikael Fridh wrote:
>> # pfctl -s all
>> TRANSLATION RULES:
>> nat on bge0 inet from 192.168.1.0/24 to any -> (bge0:0)
>> rdr pass on em1 inet proto tcp from any to any port = 5900 -> 192.168.1.111 port 5900
>
> If bge0 is your external interface that nat line now looks correct.
> If your internal hosts on the 192.168.1.0/24 net have default gateway
> 192.168.1.1 it should be NATing properly.
Yes, and it is NATing, but I am trying to set my source IP to
193.189.180.193 (em1).
> Sounds like you want traffic to traverse:
> 192.168.1.0/24 -> 192.168.1.1 -> 193.189.180.193 -> 193.77.12.154 -> 0/0
> I don't yet fully get what you're trying to accomplish.
You got it right. That's what I am trying to accomplish:
em0 em1 bge0
192.168.1.0/24 -> 192.168.1.1 -> 193.189.180.193 -> 193.77.12.154 -> 0/0
>> # tcpdump -i bge0 icmp
>> tcpdump: listening on bge0, link-type EN10MB
>> 14:49:16.377482 192.168.1.95 > 209.85.129.147: icmp: echo request
>> 14:49:17.387437 192.168.1.95 > 209.85.129.147: icmp: echo request
>> 14:49:18.397398 192.168.1.95 > 209.85.129.147: icmp: echo request
>>
>> icmp packets are going out, but it looks like NAT is not working (it
>> should change my source IP address).
>
> That's because now you are dumping traffic on the "internal" interface
> where the packets haven't traversed the NAT yet.
> The nat rule you made above has the internal interface where it should
> have the external:
>> nat on em1:0 from int_net to -> em1:0.
bge0 is my external interface (it routes to 0/0). em1 is a network with
a range of public IPs. I am trying to use one of those IPs to NAT
traffic from.
> # This is a proper simple nat example (that works):
> ext_if="rl0" # (or whatever is your external interface)
> nat on $ext_if inet from ! ($ext_if) -> ($ext_if:0)
This means NAT from all interfaces but not from the external one. Is it
correct to use this statement?
# pfctl -s all
TRANSLATION RULES:
nat on em1 inet from ! (em1) to any -> (em1:0)
rdr pass on em1 inet proto tcp from any to any port = 5900 -> 192.168.1.111 port 5900
I tested with suggested configuration. tcpdump on my external (bge0)
interface shows gateway private IP (192.168.1.1). So the packets did not
traverse NAT yet.
# ping -I 192.168.1.1 72.14.221.104
# tcpdump -i bge0 icmp
tcpdump: listening on bge0, link-type EN10MB
14:29:50.077139 192.168.1.1 > 72.14.221.147: icmp: echo request
14:29:51.086365 192.168.1.1 > 72.14.221.147: icmp: echo request
14:29:52.096350 192.168.1.1 > 72.14.221.147: icmp: echo request
Other ideas?
Regards,
Mitja
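As an added illustration (not from Mitja's or Mikael's mails), here is the rule placement the thread is circling around, written in the pre-4.7 pf syntax that the quoted pfctl output uses. Interface names and addresses are the ones given in the thread; that the upstream provider routes 193.189.180.193 back to this box over bge0 is an assumption.

```conf
# pf.conf fragment (added example). Assumption: the provider routes the
# em1 range (193.189.180.193) back towards us via bge0; otherwise replies
# never arrive, even though outbound translation works.
ext_if  = "bge0"             # routes to 0/0; packets leave here, so NAT must be applied here
int_net = "192.168.1.0/24"
src_ip  = "193.189.180.193"  # address from the public range on em1

# Wrong for this topology: a nat rule bound to em1 is only evaluated for
# packets leaving through em1. Traffic for 0/0 exits via bge0, so it is
# never matched and tcpdump on bge0 keeps showing 192.168.1.x sources.
# nat on em1 inet from ! (em1) to any -> (em1:0)

# Right: bind the rule to the outbound interface. The translation address
# does not have to belong to that interface; pf just rewrites the source.
nat on $ext_if inet from $int_net to any -> $src_ip

# Return traffic: state created by the nat rule maps replies to
# 193.189.180.193 back to the internal host, provided they arrive on bge0.
```

After `pfctl -f /etc/pf.conf`, `pfctl -s nat` should list the rule on bge0, and `tcpdump -ni bge0 icmp` during a ping from an internal host should show 193.189.180.193 as the source.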