Re: npf forwarding <-

To: Patrick Welche <prlw1%cam.ac.uk@localhost>
Subject: Re: npf forwarding <-
From: Dima Veselov <kab00m%lich.phys.spbu.ru@localhost>
Date: Mon, 19 Nov 2018 20:37:51 +0300

On Mon, Nov 19, 2018 at 03:14:33PM +0000, Patrick Welche wrote:
> > 
> procedure "log"
> 
> map iwn0 dynamic any -> 10.111.65.65 pass family inet4 from 10.168.204.0/24 # id="1" 
> map wm0 dynamic 10.111.65.4 <- any pass family inet4 to 128.232.132.8 # id="2" 

I got your setup working and now have to explain something:
typical pub->priv redirect always works with priv->pub mapping, 
because NAT have to allocate outleading port when inside server
replies. In your setup there is no rule for mapping replies.

You have to NAT replied packet and it will work with that:
map $int_if static 172.20.27.7 -> 128.232.132.8
map $int_if static 172.20.27.7 <- 128.232.132.8
map $ext_if dynamic $int_net -> $ext_v4

(172.20.27.7 is the outside webserver you are trying to reach).

I also converted "dynamic" to "static" and have no idea why it works,
maybe npf architector can tell us.

As for previous note about stateful - recently I got same problem.
It seems NAT will never work if inside->outside connection is stateful.

-- 
Sincerely yours,
Dima Veselov
Physics R&D Establishment of Saint-Petersburg University

Follow-Ups:
- Re: npf forwarding <-
  - From: Patrick Welche

References:
- npf forwarding <-
  - From: Patrick Welche
- Re: npf forwarding <-
  - From: Stephen Borrill
- Re: npf forwarding <-
  - From: Patrick Welche

Prev by Date: Re: npf forwarding <-
Next by Date: Re: Testing memory performance
Previous by Thread: Re: npf forwarding <-
Next by Thread: Re: npf forwarding <-
Indexes:

Home | Main Index | Thread Index | Old Index