Chris Smith wrote:
OpenBSD 3.7
Some hosts will experience poor to seemingly no Internet access when
using NAT address pools - web sites time out, even pings to remote
addresses fail.
Using:
nat on $ext_if from !$ext_if -> $ext_if:0
works fine.
Using:
nat on $ext_if from !$ext_if -> $ext_if
or
nat on $ext_if from !$ext_if -> <ext_net>
does not.
Configuration:
T1-(cisco)-eth0 -------fxp0-(openBSD)-em0
                                       |
                                      em1
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:07:e9:93:2b:50
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 66.100.28.130 netmask 0xfffffff0 broadcast 66.100.28.143
inet6 fe80::207:e9ff:fe93:2b50%fxp0 prefixlen 64 scopeid 0x3
inet 66.100.28.131 netmask 0xffffffff broadcast 66.100.28.131
inet 66.100.28.132 netmask 0xffffffff broadcast 66.100.28.132
inet 66.100.28.133 netmask 0xffffffff broadcast 66.100.28.133
inet 66.100.28.134 netmask 0xffffffff broadcast 66.100.28.134
inet 66.100.28.135 netmask 0xffffffff broadcast 66.100.28.135
inet 66.100.28.136 netmask 0xffffffff broadcast 66.100.28.136
inet 66.100.28.137 netmask 0xffffffff broadcast 66.100.28.137
inet 66.100.28.138 netmask 0xffffffff broadcast 66.100.28.138
inet 66.100.28.139 netmask 0xffffffff broadcast 66.100.28.139
inet 66.100.28.140 netmask 0xffffffff broadcast 66.100.28.140
inet 66.100.28.141 netmask 0xffffffff broadcast 66.100.28.141
inet 66.100.28.142 netmask 0xffffffff broadcast 66.100.28.142
Alas, I realized that the outbound mail server couldn't participate in
such a scheme as it needed to present the same address to the world
so that its DNS name matched the HELO name.
So I tried this:
nat on $ext_if from $server_1 -> $ext_ad
nat on $ext_if from <sp_net> -> $ext_ad_sp
nat on $ext_if from <kw_net_minus> -> <ext_net_minus>
where <sp_net> is the address block on em1 and <kw_net_minus> is the
address block on em0 minus ext_ad (66.100.28.130).
Same problem, although mail service was solid again (no bounces from
those MTAs doing reverse lookups).
After examining http://openbsd.org/faq/pf/pools.html, I thought it might
be a round-robin vs. source-hash issue and tried this:
nat on $ext_if from $server_1 -> $ext_ad
nat on $ext_if from <sp_net> -> $ext_ad_sp
nat on $ext_if from <kw_net_minus> -> 66.100.28.136/29 source-hash
as it appears from the doc above that a CIDR block must be used when
specifying source-hash.
But again some clients experience very poor to what seems like no
Internet access.
The minute I revert back to:
nat on $ext_if from !$ext_if -> $ext_if:0
or
nat on $ext_if from { <kw_net>, <sp_net> } -> <ext_net>
everyone works, but my translations are limited to just the one address.
Pointers toward resolution? Thanks.
Chris,
First off, it's a bad idea to broadcast your real IP numbers
in a public place.
Secondly, here's what works for me.
nat_pool = "{ 169.1.2.64/29 }"
nat on $ext_if from 10.10.10.0/25 to any -> $nat_pool source-hash
At this site, I originally omitted "source-hash". Users of
secure web sites like ADP (a payroll processing company) and
the IRS would get dumped out of secure sessions because the
client was changing IP numbers.
Best,
Ray
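Two things worth checking before trusting a pooled NAT rule, as an added example that is not from either poster: that every address a CIDR pool can hand out is actually configured on the external interface (a /29 spans eight addresses, and the ifconfig output above lists only .130 through .142, so a 66.100.28.136/29 pool also contains .143, the broadcast address of the /28), and the difference between round-robin and source-hash selection that Ray describes. The hash below is an illustrative stand-in, not pf's own algorithm; the key and the sample clients are constructed.

```python
import hashlib
import ipaddress
from itertools import cycle

# Constructed from the ifconfig output in the thread: the IPv4 addresses
# configured on fxp0 (the primary /28 address plus the /32 aliases).
FXP0_ADDRS = {f"66.100.28.{n}" for n in range(130, 143)}
FXP0_NET = ipaddress.ip_network("66.100.28.128/28")


def pool_members(pool_cidr):
    """Every address a pool written as a CIDR block can hand out.
    The whole range counts, including the block's first and last address."""
    return [str(a) for a in ipaddress.ip_network(pool_cidr, strict=False)]


def unconfigured_pool_members(pool_cidr, configured=FXP0_ADDRS):
    """Pool addresses not configured on the external interface. Traffic
    translated to one of these has no host to answer ARP for the reply."""
    return [a for a in pool_members(pool_cidr) if a not in configured]


def is_subnet_broadcast(addr, net=FXP0_NET):
    """True when a pool member collides with the subnet broadcast address."""
    return ipaddress.ip_address(addr) == net.broadcast_address


def source_hash_pick(src, pool_cidr, key=b"constructed-key"):
    """Model of source-hash: one client always maps to one pool address,
    so its sessions keep a stable external IP. Illustrative hash only."""
    members = pool_members(pool_cidr)
    digest = hashlib.sha256(key + ipaddress.ip_address(src).packed).digest()
    return members[int.from_bytes(digest[:4], "big") % len(members)]


class RoundRobinPool:
    """Model of round-robin: each new connection takes the next pool address
    regardless of client, so one client's sessions change external IP."""

    def __init__(self, pool_cidr):
        self._next = cycle(pool_members(pool_cidr))

    def pick(self, src):
        return next(self._next)


if __name__ == "__main__":
    print("unconfigured:", unconfigured_pool_members("66.100.28.136/29"))
    rr = RoundRobinPool("66.100.28.136/29")
    print("round-robin:", [rr.pick("10.0.0.5") for _ in range(3)])
    print("source-hash:", [source_hash_pick("10.0.0.5", "66.100.28.136/29") for _ in range(3)])
```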