# how to make NAT invisible to internal client



## Wout_Tankink (Apr 5, 2013)

I want to reach a client machine with

ip4-adress: 192.168.200.200
and network mask 255.255.255.0
and no default gateway set
from my LAN (192.168.100/24).

I can't change the network settings of the client machine.

I have connected the client machine (em1) to a FreeBSD machine on the LAN (em0).
With these settings I can connect from the LAN the client machine through RDP if a proper default gateway has been set on the client.

My /etc/rc.conf:
	
	



```
ifconfig_em0="DHCP"
ifconfig_em1="inet 192.168.200.101 netmask 255.255.255.0"
pf_enable="YES"
gateway_enable="YES"
```

My /etc/pf.conf:
	
	



```
ext_if="em0"
int_if="em1"

tcp_services="{ ssh, http, auth, https }"
udp_services="{ domain, ntp }"

icmp_types="echoreq"

client="192.168.200.200"
priv_nets = "{ 127.0.0.0/8, 192.168.200.0/24 }"

# Tables

# Options
set block-policy return
set optimization normal
set loginterface $ext_if
set skip on lo0

# Traffic Normalization
scrub in all
scrub out all

# Translation
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if from !($ext_if) -> ($ext_if:0)

# Redirection

rdr pass on $ext_if inet proto tcp from any to $ext_if port rdp -> $client

# Packet Filtering
block log all

pass out on $int_if inet proto tcp from any to $client port rdp

block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# allow traffic on ssh [22], http [80], https [443] & auth [113] ports to host
pass in log quick on $ext_if proto tcp from any to $ext_if port $tcp_services keep state

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

antispoof for $ext_if
antispoof for { lo0, $int_if }
```

The default gateway is necessary for the return traffic because the client is aware of the real IP address of the machine on the LAN that tried to contact him. But in my case I can't set the default gateway on the client machine. In what way can I change the settings on the host that does the natting, so that the client machine is unaware of the identity of the machine on the LAN that is connecting it. I would prefer to use PF (and not one of the other available packet filtering/NAT solutions).


----------



## SirDice (Apr 5, 2013)

Can you add a static route to the client? I think that's all that would be needed to get it working.


----------



## SirDice (Apr 5, 2013)

Hmm, static route wouldn't be needed, neither does a default gateway. Your FreeBSD machine and the client machine are both on the same network (192.168.200.0/24). So no routes necessary.


----------



## Wout_Tankink (Apr 5, 2013)

I can't change any network settings of the client (I can for testing purposes).

And do know it's outerworld is rather simple:
1. the client machine is the only machine in the 192.168.200.200;
2. only a few machines and services on the LAN have to connect to the client;
3. I can set the host in promiscuous mode.


----------



## SirDice (Apr 5, 2013)

Try putting the NAT on the em1 interface instead. On your LAN machine (I assume you can change its settings) you'd only need to add a static route to 192.168.200.0/24 and point it to the FreeBSD machine. You should then be able to connect to it using the 192.168.200.200 address.

Another option is not to use NAT at all and use an ssh(1) tunnel to tunnel RDP through it.

`# ssh -L3389:192.168.200.200:3389 [email]my@freebsd.machin[/email]e`
And connect your RDP client to localhost:3389.


----------

