Re: VLAN in 5.9 - NAT problem

[Brian S. Vangsgaard]

pass out on rl0 inet from vlan309:network to any nat-to rl0

match out on rl0 inet from vlan:309:network nat-to rl0
pass out on rl0

Since you did not submit a full pf.conf, I have no chance of knowing if you do 
a later pass that changes the NAT state.

You could use tags for more fine-grained control.


#cat /etc/rc.conf.local
dhcpd_flags="vlan300 vlan308 vlan309 vlan310 vlan311 vlan400"
pf_rules=/etc/pf.conf

#cat /etc/dhcpd.interfaces
vlan300
vlan308
vlan309
vlan310
vlan311
vlan400

#cat /etc/hostname.em0
up

#cat /etc/hostname.em1
up

#cat /etc/hostname.trunk0
trunkproto lacp trunkport em0 trunkport em1 lladdr 00:01:02:03:11:11
up

#cat /etc/hostname.vlan300
inet 10.0.30.254 255.255.255.0 NONE vlan 300 vlandev trunk0 lladdr 
00:01:02:03:03:00 description "Interface VLAN-SERV"

#cat /etc/hostname.vlan308
inet 10.0.8.254 255.255.255.0 NONE vlan 308 vlandev trunk0 lladdr 
00:01:02:03:03:08 description "Interface VLAN-308I"

#cat /etc/hostname.vlan309
inet 10.0.9.254 255.255.255.0 NONE vlan 309 vlandev trunk0 lladdr 
00:01:02:03:03:09 description "Interface VLAN-309I"
[...]



@2. Then I removed trunk0. DHCPserver works, clients get IP. NAT does not work 
still.

#cat /etc/pf.conf [changed to very short and simple for tests]
pass out on rl0 inet from vlan309:network to any nat-to rl0

#cat /etc/rc.conf.local
dhcpd_flags="vlan300 vlan308 vlan309 vlan310 vlan311 vlan400"
pf_rules=/etc/pf.conf

#cat /etc/dhcpd.interfaces
vlan300
vlan308
vlan309
vlan310
vlan311
vlan400

#cat /etc/hostname.em0
up

#cat /etc/hostname.vlan300
inet 10.0.30.254 255.255.255.0 NONE vlan 300 vlandev em0 lladdr 
00:01:02:03:03:00 description "Interface VLAN-SERV"

#cat /etc/hostname.vlan308
inet 10.0.8.254 255.255.255.0 NONE vlan 308 vlandev em0 lladdr 
00:01:02:03:03:08 description "Interface VLAN-308I"

#cat /etc/hostname.vlan309
inet 10.0.9.254 255.255.255.0 NONE vlan 309 vlandev em0 lladdr 
00:01:02:03:03:09 description "Interface VLAN-309I"
[...]



@3. Finally, I removed VLANs and NAT started to work.

#cat /etc/pf.conf [changed to very short and simple for tests]
pass out on rl0 inet from em0:network to any nat-to rl0

#cat /etc/rc.conf.local
dhcpd_flags="em0"
pf_rules=/etc/pf.conf

#cat /etc/dhcpd.interfaces
em0

#cat /etc/hostname.em0
inet 10.0.8.254 255.255.255.0 NONE lladdr 00:01:02:03:03:08 description 
"Interface VLAN-308"


#dmesg
OpenBSD 5.9 (GENERIC) #1561: Fri Feb 26 01:22:37 MST 2016
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Celeron(R) CPU 2.93GHz ("GenuineIntel" 686-class) 2.93 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,CNXT-ID,xTPR,PERF
real mem = 2137800704 (2038MB)
avail mem = 2084323328 (1987MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 08/26/04, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.3 @ 
0xfb21f (4 entries)
bios0: vendor American Megatrends Inc. version "P1.80" date 08/26/2004
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC OEMB
acpi0: wakeup devices P0P4(S4) MC97(S4) USB1(S4) USB2(S4) USB3(S4) USB4(S4) 
EUSB(S4) PS2K(S4) PS2M(S4) UAR1(S4) GBEN(S4) SLPB(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 133MHz
cpu0: mwait min=64, max=64
ioapic0 at mainbus0: apid 1 pa 0xfec00000, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 1
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (P0P4)
acpicpu0 at acpi0: C1(@1 halt!)
acpibtn0 at acpi0: PWRB
acpibtn1 at acpi0: SLPB
bios0: ROM list: 0xc0000/0xa000!
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82865G Host" rev 0x02
inteldrm0 at pci0 dev 2 function 0 "Intel 82865G Video" rev 0x02
drm0 at inteldrm0
intagp0 at inteldrm0
agp0 at intagp0: aperture at 0xf0000000, size 0x8000000
inteldrm0: apic 1 int 16
inteldrm0: 1920x1080
wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
uhci0 at pci0 dev 29 function 0 "Intel 82801EB/ER USB" rev 0x02: apic 1 int 16
uhci1 at pci0 dev 29 function 1 "Intel 82801EB/ER USB" rev 0x02: apic 1 int 19
uhci2 at pci0 dev 29 function 2 "Intel 82801EB/ER USB" rev 0x02: apic 1 int 18
uhci3 at pci0 dev 29 function 3 "Intel 82801EB/ER USB" rev 0x02: apic 1 int 16
ehci0 at pci0 dev 29 function 7 "Intel 82801EB/ER USB2" rev 0x02: apic 1 int 23
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb0 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xc2
pci1 at ppb0 bus 1
1:3:0: mem address conflict 0xfffc0000/0x40000
em0 at pci1 dev 3 function 0 "Intel 82546EB" rev 0x01: apic 1 int 20, address 
00:11:0a:62:f3:42
em1 at pci1 dev 3 function 1 "Intel 82546EB" rev 0x01: apic 1 int 21, address 
00:11:0a:62:f3:43
rl0 at pci1 dev 5 function 0 "Realtek 8139" rev 0x10: apic 1 int 22, address 
00:0b:6a:cf:6f:2d
rlphy0 at rl0 phy 0: RTL internal PHY
ichpcib0 at pci0 dev 31 function 0 "Intel 82801EB/ER LPC" rev 0x02
pciide0 at pci0 dev 31 function 1 "Intel 82801EB/ER IDE" rev 0x02: DMA, channel 
0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: <ST340014A>
wd0: 16-sector PIO, LBA48, 38166MB, 78165360 sectors
atapiscsi0 at pciide0 channel 0 drive 1
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: <HL-DT-ST, CD-ROM GCR-8523B, 1.03> ATAPI 5/cdrom 
removable
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
cd0(pciide0:0:1): using PIO mode 4, DMA mode 2
pciide0: channel 1 disabled (no drives)
ichiic0 at pci0 dev 31 function 3 "Intel 82801EB/ER SMBus" rev 0x02: apic 1 int 
17
iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 1GB DDR SDRAM non-parity PC3200CL3.0
spdmem1 at iic0 addr 0x51: 1GB DDR SDRAM non-parity PC3200CL3.0
auich0 at pci0 dev 31 function 5 "Intel 82801EB/ER AC97" rev 0x02: apic 1 int 
17, ICH5 AC97
ac97: codec id 0x434d4983 (C-Media Electronics CMI9761A+)
audio0 at auich0
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
wbsio0 at isa0 port 0x2e/2: W83627HF rev 0x41
lm1 at wbsio0 port 0x290/8: W83627HF
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on wd0a (e8a3ba715d004629.a) swap on wd0b dump on wd0b

--
radek