I have an OpenBSD 3.8 device, running on Soekris 4801 hardware, sitting on a private network. Its sole purpose is to NAT traffic before it goes through an IPsec tunnel.
I am using binat and static routes to reach the
Two interfaces are connected to the network. This is the pf.conf file:

> # default pf.conf file
>
> if0="sis0"
> if1="sis1"
> ip_sis0="10.212.0.31"
> ip_sis1="10.212.0.32"
> server_a="10.212.0.104"
> server_b="10.212.0.103"
>
> set skip on lo
>
> #nat on $if0 from $if1:network to any -> ($if0)
> binat pass log on $if1 from $server_a to 10.15.0.0/23 -> 10.14.91.10
> binat pass on $if1 from $server_a to 10.10.0.0/16 -> 10.14.91.10
> binat pass on $if1 from $server_b to 10.15.0.0/23 -> 10.14.91.13
> binat pass on $if1 from $server_b to 10.10.0.0/16 -> 10.14.91.13
> binat pass log on $if0 from $server_a to 10.15.0.0/23 -> 10.14.91.10
> binat pass on $if0 from $server_a to 10.10.0.0/16 -> 10.14.91.10
> binat pass on $if0 from $server_b to 10.15.0.0/23 -> 10.14.91.13
> binat pass on $if0 from $server_b to 10.10.0.0/16 -> 10.14.91.13
>
> rdr pass on $if1 proto udp from $if1:network to $if1 port 53 -> (lo)
>
> block
> pass out keep state
> pass in on $if0 from $if0:network to ! (self)
> pass in on $if0 proto icmp from $if0:network to $if0 keep state
> pass in on $if0 proto tcp from $if0:network to $if0 port 22 keep state
> pass in on $if1 from $if1:network to ! (self)
> pass in on $if1 proto icmp from $if1:network to $if1 keep state
> pass in on $if1 proto tcp from $if1:network to $if1 port 22 keep state

With simple nat commands, I am able to ping a host in 10.15.0.0/23, but that host is not able to initiate connections going the other way. When I use binat, I am unable to connect at all. As binat is a form of blanket redirect, I'm wondering if this is even possible, since traffic is going in and out of the same interface. If it's not, how can I force traffic that is coming in on one interface to go out the other interface, considering that both interfaces are on the same network?

Thanks for any advice,
-Stephen-
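The difference the post runs into (a `nat` rule lets the inside host out but gives the outside host nothing to connect to, while `binat` is a static 1:1 mapping that pf applies in both directions) is easier to see with a small model. The following is an added example, not code from the post or from OpenBSD's pf: it parses `nat`/`binat` lines modelled on the posted pf.conf and pushes the same packets through each rule set. The interface address table, the first-match rule order and the state handling are simplifying assumptions of this model, not pf's actual implementation; the rule lines and addresses are constructed from the ones in the post.

```python
"""Toy model of how pf's nat and binat translate packets.

Added example; not code from the post or from OpenBSD.  It keeps only
the behaviour the question turns on: a `nat` rule rewrites the source of
outbound packets and must remember state so replies can be matched,
while `binat` is a static 1:1 mapping that pf applies in both directions,
so an outside host can open a connection to the mapped address.  The
interface address table, the rule matching order and the state handling
are simplifying assumptions, not pf's real implementation.
"""
import ipaddress
import re

# Assumed addresses used to expand "(sis0)"-style dynamic targets.
IFACE_ADDR = {"sis0": "10.212.0.31", "sis1": "10.212.0.32"}

RULE_RE = re.compile(
    r"^(nat|binat)\s+(?:pass\s+)?(?:log\s+)?on\s+(\S+)\s+"
    r"from\s+(\S+)\s+to\s+(\S+)\s+->\s+(\S+)$"
)


def _net(token):
    """'any' or an address/CIDR string -> ip_network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(token, strict=False)


def parse_rules(text):
    """Parse the nat/binat lines of a pf.conf fragment; other lines are ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        kind, iface, src, dst, target = m.groups()
        target = target.strip("()")
        target = IFACE_ADDR.get(target, target)
        rules.append({"kind": kind, "iface": iface, "src": _net(src),
                      "dst": _net(dst), "target": ipaddress.ip_address(target)})
    return rules


class Translator:
    def __init__(self, rules):
        self.rules = rules
        # (iface, translated src, dst) -> original src; used for nat replies only
        self.state = {}

    def outbound(self, iface, src, dst):
        """Packet leaving `iface`: returns (src, dst, rule kind or None)."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in self.rules:
            if r["iface"] == iface and src in r["src"] and dst in r["dst"]:
                if r["kind"] == "nat":
                    self.state[(iface, r["target"], dst)] = src
                return str(r["target"]), str(dst), r["kind"]
        return str(src), str(dst), None

    def inbound(self, iface, src, dst):
        """Packet arriving on `iface`: returns (src, dst, how), or None when
        nothing maps it back to an inside host (it is then addressed to the
        firewall itself and hits the `block` rule)."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if (iface, dst, src) in self.state:  # reply to a nat'ed flow
            return str(src), str(self.state[(iface, dst, src)]), "nat-state"
        for r in self.rules:
            # binat is reversed statically: the rule's "to" set is matched
            # against the inbound source, and no state is needed
            if (r["kind"] == "binat" and r["iface"] == iface
                    and dst == r["target"] and src in r["dst"]):
                return str(src), str(r["src"].network_address), "binat"
        return None


# Constructed rule sets, modelled on the post's commented-out nat rule and
# on its binat rules for server_a.
NAT_CONF = "nat on sis0 from 10.212.0.0/24 to any -> (sis0)"
BINAT_CONF = """
binat pass log on sis0 from 10.212.0.104 to 10.15.0.0/23 -> 10.14.91.10
binat pass on sis0 from 10.212.0.104 to 10.10.0.0/16 -> 10.14.91.10
"""


def demo():
    """Push the same four packets through the nat and the binat rule sets."""
    nat = Translator(parse_rules(NAT_CONF))
    binat = Translator(parse_rules(BINAT_CONF))
    out = {}
    for name, t, ext in (("nat", nat, "10.212.0.31"), ("binat", binat, "10.14.91.10")):
        out[name] = {
            "ping": t.outbound("sis0", "10.212.0.104", "10.15.0.5"),
            "reply": t.inbound("sis0", "10.15.0.5", ext),
            "unsolicited": t.inbound("sis0", "10.15.0.7", ext),
            "other_net": t.inbound("sis0", "10.10.0.3", ext),
        }
    return out


if __name__ == "__main__":
    for name, res in demo().items():
        for packet, result in res.items():
            print(f"{name:5} {packet:12} {result}")
```

Running it shows the asymmetry in the post: under the nat rule the ping goes out as 10.212.0.31 and its reply comes back via state, but an unsolicited packet to 10.212.0.31 has nothing to map it and is dropped; under binat the unsolicited packet from 10.15.0.7 to 10.14.91.10 is rewritten to 10.212.0.104 without any state. The `other_net` packet from 10.10.0.3 also shows why the post needs a separate binat rule per destination network: the reverse mapping only fires when the inbound source falls inside the rule's `to` set.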