# trouble with pf and NAT



## wonslung (Sep 14, 2009)

Hello, i am not sure what i'm doing wrong....but here goes...

I have been trying to get nat to work for some jails...and I've been able to get it to work but not with the setup that i wanted.


right now, it's working with all ip'set as aliases on the single interface, but what i was originally trying to do was have nat working with the jails on ip's set on a cloned loopback device.  

So if i have a single interface, let's call it sis0 and then i have a cloned loopback called lo1 with ip's in the 10.0.0.0/24 range can i do nat?  And if so what is the proper rule?

why is it that this works with all ip's set on the single interface with this rule

```
nat on sis0 from 10.0.0.0/24 to any -> xxx.xxx.xxx.xxx
```

but if i put the ips' on a loopback interface this rule doesn't work:


```
nat on lo1 from 10.0.0.0/24 to any -> xxx.xxx.xxx.xxx
```

with the xxx.xxx.xxx.xxx being my public ip.


----------



## Alt (Sep 14, 2009)

If i correctly understood question, this is because connection is always opening from nearest interface. So if you ping inet, you will ping from sis0 not from lo1. Try to ping setting source address `ping -S IP1 IP2` where IP1 is ip from lo1, and IP2 is inet ip.


----------



## wonslung (Sep 14, 2009)

but i know you can do nat on 2 interfaces if you have 2 ACTUAL interfaces.....whats the difference?

also, does anyone see any major issues with this setup for now since i CANT get the other method to work?  This is my current pf.conf with the public ip changed to xxx.xxx.xxx.xxx

```
#INTERFACES
ext_if="sis0"

tcp_services="{ ssh, smtp, ftp, www, pop3, auth, https, pop3s, 6667, 6697 }"
udp_services="{ domain, ftp }"
icmp_types = "{ echoreq, unreach }"

web_j = "10.0.0.1"
mysql_j = "10.0.0.2"
ircd_j = "10.0.0.3"
#options
set loginterface $ext_if
set skip on lo0

# scrub
scrub in

# nat
nat on $ext_if from 10.0.0.0/24 to any -> xxx.xxx.xxx.xxx
rdr on $ext_if proto tcp from any to any port http -> $web_j port http
rdr on $ext_if proto tcp from any to any port https -> $web_j port https
rdr on $ext_if proto tcp from any to any port 3306 -> $mysql_j port 3306
rdr on $ext_if proto tcp from any to any port 6667 -> $ircd_j port 6667
rdr on $ext_if proto tcp from any to any port 6697 -> $ircd_j port 6697
rdr on $ext_if proto tcp from any to any port 22222 -> $web_j port ssh
rdr on $ext_if proto tcp from any to any port 22223 -> $mysql_j port ssh
rdr on $ext_if proto tcp from any to any port 22224 -> $ircd_j port ssh


block log all

pass in on $ext_if proto tcp from any to any port $tcp_services keep state
pass in on $ext_if proto udp from any to any port $udp_services keep state
pass inet proto icmp all icmp-type $icmp_types keep state

pass out on $ext_if proto tcp from any to any keep state
pass out on $ext_if proto udp from any to any keep state
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
```


----------



## Alt (Sep 14, 2009)

Ahh.. you using jails... I have some similar problem, but jail+ng_ipfw+ng_nat... Didnt not found solution yet


----------



## wonslung (Sep 14, 2009)

Alt said:
			
		

> Ahh.. you using jails... I have some similar problem, but jail+ng_ipfw+ng_nat... Didnt not found solution yet



like i said, nat works fine if i put all ip's on the same interface, but as soon as i put the jail ip's on a loopback interface it doesn't work.


----------



## wonslung (Sep 14, 2009)

I got it working...the problem was that i was thinking i needed to make the rule like this:


```
nat on lo1 from 10.0.0.0/24 to any -> 1.2.3.4
```

when really the exact same nat rule works that i have when i stick them on the same interface

the correct rule turned out to be the same (i didn't need to change the rule at all =))


```
nat on $ext_if from 10.0.0.0/24 to any -> 1.2.3.4
```
where 1.2.3.4 is my public ip and 10.0.0.0/24 is my loopback network....so now i have my nat working exactly like i want.

I prefer having them on the loopback interface...it just seems to make more sense to me.


----------

