Hey David, I was testing more or less the same scenario as yours and having the source NAT issue. Below is my diagram.

There are 2 scenarios that I did:
1. Without NAT (successful): can ping from notebook <--> webserver, notebook can access webserver/tcp-443 successfully.
2. With source NAT (not successful).

The diagram is:

notebook----em0[OpenBSD 4.9 PF]em1-----webserver(TCP/443)

Detail:
em0 is 192.168.1.216/24
notebook is 192.168.1.21/24
em1 is 192.168.2.216/24
webserver is 192.168.2.80/24
IP alias for source NAT on em1 is 192.168.2.232/32
ip forwarding on sysctl = 1
Notebook's gateway is firewall internal IP: 192.168.1.216
Firewall's gateway is webserver: 192.168.2.80
Webserver's gateway is firewall external IP: 192.168.2.216

I have tried to do source NAT testing to allow traffic from notebook to webserver using source NAT on em1:

192.168.1.21-->192.168.2.232-->192.168.2.80

For the routing table, I don't have other static routes, only the default gateway, which is pointing to 192.168.2.80 (webserver). Unfortunately it hasn't worked at all. I have tried to monitor the traffic using:
1. tcpdump on em1 (external int), but there are no packets passing through em1 at all.
2. tcpdump on em0 (internal int); there are some packets from 192.168.1.21 to 192.168.2.80 (SYN) but no reply at all from the webserver.

Below is the rule of the scenario above using NAT:

# Tables: (2)
table <tbl.r0.d> { 192.168.1.216 , 192.168.2.216 }
table <tbl.r0.dx> { 192.168.1.216 , 192.168.2.80 , 192.168.2.216 }
#
# Rule 0 (NAT)
match out on em1 proto {tcp udp icmp} from 192.168.1.21 to 192.168.2.80 nat-to 192.168.2.232
#ssh access rule
pass in quick inet proto tcp from 192.168.1.21 to <tbl.r0.d> port 22 label "RULE -1 -- ACCEPT "
#
# Rule 0
pass log quick on { em0 em1 } inet proto icmp from any to <tbl.r0.dx>
# Rule 1 (em1,em0)
pass log quick on em1 inet proto tcp from 192.168.2.232 to 192.168.2.80 port 443
block quick inet from any to any no state

Stefan

________________________________
From: David Gwynne <l...@animata.net>
To: David Schulz <mailingli...@ironwhale.com>
Cc: misc@openbsd.org
Sent: Tue, May 17, 2011 9:29:13 PM
Subject: Re: Routing Issue

hey david,

pf is run twice on packets going through a box, once before the network stack and again as it leaves it. this means you have to allow a packet in one side as well as when it goes out the other.

dlg

On 17/05/2011, at 10:16 PM, David Schulz wrote:
> Hi all,
>
> I have a LAN within a LAN and the setup is as follows:
>
> 192.168.1.0/24 <-- OpenBSD 4.9 Router with 2 NICs --> 10.1.0.0/21
>
> My goal is to get both sides talking to each other (let's start with making
> them able to ping each other). I got it working by using the following
> pf.conf, however I thought I should not need to have those match out
> statements, because OpenBSD routes packets between interfaces by default as
> long as sysctl net.inet.ip.forwarding=1 is set.
>
> From inside my OpenBSD box I can ping devices on either side just fine. From a
> machine sitting on either side, I can ping the OpenBSD box just fine. But I
> simply cannot get Side A machines to talk to Side B machines unless I
> uncomment the two match out statements below inside my pf.conf.
>
> If someone could share some insight, I'd be most thankful.
>
> regards,
> D
>
> Here is my simplified pf.conf, which again does not work unless I uncomment the
> two match out rules:
> ++++++++ pf.conf
> int_if="sis0"
> ext_if="sis1"
>
> icmp_types = "{ echoreq, unreach }"
>
> set require-order yes
> set block-policy return
> set optimization normal
> set loginterface $ext_if
>
> match in all scrub (no-df)
>
> set skip on lo
>
> #match out on $int_if from 192.168.1.0/24 to any nat-to ($int_if)
> #match out on $ext_if from 10.1.0.0/21 to any nat-to ($ext_if)
>
> block log all
>
> #Simplified for 'making it work purposes'
> pass out quick
> pass in quick
>
> antispoof quick for { lo0 $int_if $ext_if } inet
>
> # allow ICMP
> pass in quick on { $int_if $ext_if } inet proto icmp all icmp-type $icmp_types
> keep state
> ++++++++
>
> ++++++++ route -n
> cndlne001'root(~)> route -n show | grep default
> default 10.1.3.1 UGS 0 23106 - 8 sis0
>
> cndlne001'root(~)> route -n show | grep 192.168.1
> 192.168.1/24 link#2 UC 2 0 - 4 sis1
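Added example, not code from any of the posters or from OpenBSD: a small Python model of the point dlg makes, that a routed packet is evaluated against the ruleset twice, inbound on the interface it arrives on and outbound on the interface it leaves by, and has to pass both times. The model implements only pass/block with last-match-wins and quick, defaulting to pass when nothing matches; it ignores nat-to translation (an assumption), so Stefan's match rule is left out because it neither passes nor blocks. STEFAN is his ruleset transcribed from his post; FIXED is a constructed alternative, not from the thread, that passes the notebook's HTTPS traffic on both evaluations; HTTPS_SYN and PING are constructed packets.

```python
"""Toy model of pf evaluating a forwarded packet twice: once inbound on the
receiving interface, once outbound on the sending interface. Added example,
not code from the thread or from OpenBSD; it models only pass/block with
last-match-wins and 'quick', and ignores nat-to translation (an assumption)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


def nets(*addrs):
    """Addresses or prefixes in pf's 'from'/'to' position, as ip_network objects."""
    return [ip_network(a) for a in addrs]


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    quick: bool = False               # stop evaluating on match, like pf's 'quick'
    direction: Optional[str] = None   # "in", "out", or None for both
    ifaces: Optional[set] = None      # 'on { ... }', None = any interface
    protos: Optional[set] = None      # 'proto { ... }', None = any protocol
    srcs: Optional[list] = None       # 'from ...', None = any
    dsts: Optional[list] = None       # 'to ...', None = any
    dport: Optional[int] = None       # 'port N', None = any


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet, direction: str, iface: str) -> bool:
    """Does this rule apply to the packet in this direction on this interface?"""
    if rule.direction and rule.direction != direction:
        return False
    if rule.ifaces and iface not in rule.ifaces:
        return False
    if rule.protos and pkt.proto not in rule.protos:
        return False
    if rule.srcs and not any(ip_address(pkt.src) in n for n in rule.srcs):
        return False
    if rule.dsts and not any(ip_address(pkt.dst) in n for n in rule.dsts):
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    return True


def evaluate(rules, pkt, direction, iface) -> str:
    """One pass over the ruleset: the last matching rule wins unless a match is
    'quick'; with no matching rule at all, pf's default is to pass."""
    verdict = "pass"
    for rule in rules:
        if matches(rule, pkt, direction, iface):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


def forward(rules, pkt, in_if, out_if):
    """The two evaluations a routed packet goes through. Returns
    (inbound verdict, outbound verdict); outbound is None when the packet
    was already dropped on the way in and never reached the other interface."""
    inbound = evaluate(rules, pkt, "in", in_if)
    if inbound != "pass":
        return inbound, None
    return inbound, evaluate(rules, pkt, "out", out_if)


# Stefan's pass/block rules, transcribed from his post. The 'match out ... nat-to'
# rule is left out: it neither passes nor blocks, and this model ignores translation.
TBL_R0_D = nets("192.168.1.216", "192.168.2.216")
TBL_R0_DX = nets("192.168.1.216", "192.168.2.80", "192.168.2.216")
STEFAN = [
    Rule("pass", quick=True, direction="in", protos={"tcp"},
         srcs=nets("192.168.1.21"), dsts=TBL_R0_D, dport=22),
    Rule("pass", quick=True, ifaces={"em0", "em1"}, protos={"icmp"}, dsts=TBL_R0_DX),
    Rule("pass", quick=True, ifaces={"em1"}, protos={"tcp"},
         srcs=nets("192.168.2.232"), dsts=nets("192.168.2.80"), dport=443),
    Rule("block", quick=True),
]

# A constructed alternative (not from the thread): an explicit 'pass in' on em0 for
# the notebook's HTTPS traffic, plus a 'pass out' on em1 keyed on the destination
# only, so it matches whether or not the source has been rewritten to 192.168.2.232.
FIXED = [
    Rule("pass", quick=True, direction="in", ifaces={"em0"}, protos={"tcp"},
         srcs=nets("192.168.1.0/24"), dsts=nets("192.168.2.80"), dport=443),
    Rule("pass", quick=True, direction="out", ifaces={"em1"}, protos={"tcp"},
         dsts=nets("192.168.2.80"), dport=443),
    Rule("block", quick=True),
]

# Constructed packets: the notebook's SYN to the webserver, and a ping to it.
HTTPS_SYN = Packet("tcp", "192.168.1.21", "192.168.2.80", 443)
PING = Packet("icmp", "192.168.1.21", "192.168.2.80")

if __name__ == "__main__":
    print("Stefan's rules, HTTPS:", forward(STEFAN, HTTPS_SYN, "em0", "em1"))  # ('block', None)
    print("Stefan's rules, ping: ", forward(STEFAN, PING, "em0", "em1"))       # ('pass', 'pass')
    print("fixed rules, HTTPS:   ", forward(FIXED, HTTPS_SYN, "em0", "em1"))   # ('pass', 'pass')
```

Under this model the notebook's SYN never gets past the inbound evaluation on em0 with Stefan's rules: the only pass rules are for ssh to the firewall itself, for icmp, and for tcp/443 on em1, so the final block quick catches it. That is consistent with what he sees with tcpdump, the SYN on em0 (bpf sees the packet before pf drops it) and nothing at all on em1. The ping passes both evaluations because the icmp rule carries no direction and lists both interfaces.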