
L2 broadcast and NAT state



I'm having an issue with pf's translation that I can't figure out.

For reasons I won't go into, I have a dedicated ethernet link to a
device that does not do ARP for some IP addresses.  As a result, when
it sends packets toward my machine, they get tagged with a destination
MAC address of ff:ff:ff:ff:ff:ff.  Changing the behavior of this
device isn't possible for my purposes.

With one of these non-ARPed addresses attached to my outside
interface, and a pf rule such as
  pass out log-all on $ext_if from $problem_addr to any keep state
communications from the local machine work exactly as expected.

However,
  nat on $ext_if from $int_test to any -> $problem_addr
does not.

$int_if: mac mac: $int_test > $remote: icmp echo request
pfsync0: insert state: icmp $int_test -> $problem_addr -> $remote
 pflog0: pass out on $ext_if: $problem_addr > $remote: icmp echo request
$ext_if: mac mac: $problem_addr > $remote: icmp echo request

$ext_if: mac broadcast: $remote > $problem_addr: icmp echo reply
 pflog0: pass in on $ext_if: $remote > $problem_addr: icmp echo reply

...and that's the last I see of it.  This is from a -current snapshot,
early March.

Where did my packet go?