# NAT stopped working



## bogg (Oct 17, 2009)

Hi,

I had a working NAT config, upgraded 7.0->7.2, and now it no longer works - and I've no idea why! The gateway can access the net fine, but hosts that use it as their default gw can't get anywhere. My pf.conf is;


```
[root@e325 ~]# cat /etc/pf.conf
int_if="bge0"
ext_if="bge1"

tcp_services="{5631, 80}"
icmp_types="echoreq"

r50e="192.168.1.11"

set block-policy return
set loginterface $ext_if
set skip on lo
set limit tables 3000
set limit table-entries 350000

table <honeypots> persist file "/etc/pfdata/honeypots"
table <bogons> persist file "/etc/pfdata/bogons"
table <ads> persist file "/etc/pfdata/ads"


scrub in

nat on $ext_if from $int_if:network to any -> ($ext_if)

block in

pass out keep state

antispoof quick for { lo $int_if }

pass in on $ext_if inet proto tcp from any to $ext_if port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $r50e port 13074 flags S/SA synproxy state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in quick on $int_if

block quick on $ext_if inet proto tcp from <honeypots> port != 80 to any
block quick on $ext_if inet proto tcp from any to <honeypots> port != 80

block quick on $ext_if from <bogons> to any

block quick on $ext_if inet proto tcp from any to <ads> port = 80
```

rc.conf includes:

```
gateway_enable="YES"
pf_enable="YES"
```

Any ideas? I'm stumped as to what's going on and how to troubleshoot.


----------



## bogg (Oct 17, 2009)

Extra info - packets are sent out of ext_if from the LAN:


```
>telnet www.google.com 5631
```


```
[root@e325 ~]# tcpdump -i bge1 -n port 5631
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bge1, link-type EN10MB (Ethernet), capture size 96 bytes
15:37:05.938819 IP 192.168.1.11.1679 > 209.85.227.99.5631: S 3514764237:3514764237(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK>
```


----------



## DutchDaemon (Oct 17, 2009)

Well, obviously NAT doesn't take place, because an RFC1918 address should never show up on your external interface as such. It should already have been translated to the public IP.

Does `pfctl -s nat` look logical to you? Is pf even enabled?
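The check DutchDaemon describes, that no RFC1918 source address should ever appear on the external interface, can be automated over a `tcpdump -n` capture. The script below is an added example, not part of the forum post; it parses the `IP src.port > dst.port:` form that `tcpdump -n` prints for IPv4 TCP/UDP and reports any flow whose source address is still private, which means the `nat` rule did not rewrite it. The capture text is constructed from the line posted in the thread plus one correctly translated flow (source `203.0.113.7` is a documentation address, used here as a stand-in for the gateway's public IP).

```python
import ipaddress
import re
import sys

# Constructed sample capture: first line is the packet posted in the thread
# (private source address leaving bge1 untranslated), second line is what a
# correctly NATed packet would look like (public source, placeholder address).
SAMPLE_CAPTURE = """\
15:37:05.938819 IP 192.168.1.11.1679 > 209.85.227.99.5631: S 3514764237:3514764237(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK>
15:37:06.102311 IP 203.0.113.7.51012 > 198.51.100.20.80: S 1:1(0) win 65535 <mss 1460>
"""

# RFC1918 private ranges; a packet with one of these as source must not be
# seen on the external interface once NAT is working.
RFC1918 = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# tcpdump -n prints IPv4 TCP/UDP headers as "IP a.b.c.d.port > e.f.g.h.port:".
_PKT_RE = re.compile(r"\bIP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def parse_flows(capture):
    """Return (src_ip, src_port, dst_ip, dst_port) tuples for each parsable line."""
    flows = []
    for line in capture.splitlines():
        m = _PKT_RE.search(line)
        if m:
            flows.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return flows


def is_private(addr):
    """True if addr falls inside any RFC1918 range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def untranslated_flows(capture):
    """Flows that left the external interface with a private source address,
    i.e. flows the nat rule failed to translate."""
    return [f for f in parse_flows(capture) if is_private(f[0])]


if __name__ == "__main__":
    # Usage: tcpdump -i bge1 -n -l | python3 natcheck.py   (or feed a saved capture)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    leaks = untranslated_flows(data)
    for src, sport, dst, dport in leaks:
        print(f"UNTRANSLATED: {src}:{sport} -> {dst}:{dport}")
    print(f"{len(leaks)} untranslated flow(s) of {len(parse_flows(data))} parsed")
```

Run with the `tcpdump` command from the thread piped in (`-l` makes tcpdump line-buffer its output); a zero count means the NAT rule is rewriting sources, a non-zero count confirms the symptom before you go on to check `pfctl -s nat` and `pfctl -s info`.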


----------



## bogg (Oct 17, 2009)

Hi,

Yes, it looks logical;

```
nat on bge1 inet from 192.168.1.0/24 to any -> (bge1) round-robin
```
I'm completely stumped.


----------



## DutchDaemon (Oct 17, 2009)

Can you try


```
nat on $ext_if from ! $ext_if to any -> $ext_if
```

as a test?


----------

