Scenario: DSL -> DSL "modem" -> OpenBSD Firewall -> LAN

Firewall has three legs:
  bge0 - External Interface, 206.124.14.98
  bge1 - Internal Interface, 192.168.0.1
  sk0  - Management Interface, 192.168.0.36

Desired goal: Perform multiple static NAT translations along with a fairly standard rule set, using bge1 as the default gateway for the LAN and bge0 as the public interface.

Current functionality: Overload NAT to a single IP through the DSL modem, using the OpenBSD firewall in bridge mode.

Problem: When I reconfigure the OpenBSD firewall to take it out of bridge mode and run in full NAT mode, it mucks with the IPs assigned to the two inside interfaces, which causes packets to go nowhere.

Relevant (hopefully) data:

Current bridge mode pf.conf:

ext_if = "bge0"
int_if = "bge1"
set skip on lo0
0_ns = "192.168.0.17"
1_ns = "192.168.0.19"
megarea = "192.168.0.32"
clotho = "192.168.0.33"
pheme = "192.168.0.35"
heimdall = "192.168.0.36"
0_mx = "192.168.0.34"
dns = "{" $0_ns $1_ns "}"
external = "{ 192.168.0.1, 192.168.0.5 }"
internal = "{ 192.168.0.32, 192.168.0.34 }"
table <eq2_tcp> { 64.37.156.7, 64.37.129.41, 199.108.194.76, 199.108.194.75, 64.37.129.42 }
table <eq2_udp> { 64.37.148.142, 64.37.148.144, 64.37.158.0/24, 199.108.2.0/24, 199.108.12.0/24, 199.108.202.0/24, 199.108.203.0/24, 195.33.135.0/24 }
table <eq2_icmp> { 64.37.158.0/24, 199.108.2.0/24, 199.108.12.0/24, 199.108.202.0/24, 199.108.203.0/24, 195.33.135.0/24 }
scrub in on $int_if all no-df random-id
scrub in on $ext_if all no-df fragment reassemble
scrub on $ext_if reassemble tcp
rdr on $ext_if proto tcp from any to $0_mx port 109 -> $0_mx port 25
pass in quick on $int_if all
pass out quick on $int_if all
block in log (all) on $ext_if all
pass out quick on $ext_if proto tcp from $clotho to <eq2_tcp> modulate state
pass out quick on $ext_if proto udp from $clotho to <eq2_udp>
pass out quick on $ext_if inet proto icmp from $clotho to <eq2_icmp>
pass out on $ext_if inet proto icmp all keep state
pass out on $ext_if proto tcp all modulate state
pass out on $ext_if proto udp all keep state
pass in quick on $ext_if proto tcp from <eq2_tcp> to $clotho modulate state
pass in quick on $ext_if proto udp from <eq2_udp> to $clotho
pass in quick on $ext_if inet proto icmp from <eq2_icmp> to $clotho
pass in on $ext_if proto tcp from any to $pheme port { https } modulate state
pass in on $ext_if proto tcp from any to $0_mx port { smtp, imap, imaps } modulate state
pass in log (all) on $ext_if proto tcp from any to $dns port { 53 } modulate state
pass in on $ext_if proto udp from any to $dns port { 53 } keep state
pass in on $ext_if proto tcp from $external to $internal port { 68, 69, 123, 514 } modulate state
pass in on $ext_if proto udp from $external to $internal port { 68, 69, 123, 514 } keep state
pass in on $ext_if proto tcp from $external to { 192.168.0.16, 192.168.0.18 } port { 53 } modulate state
pass in on $ext_if proto udp from $external to { 192.168.0.16, 192.168.0.18 } port { 53 } keep state
pass in on $ext_if proto 24 from $external to $internal
pass in on $ext_if proto tcp from $external to { 192.168.0.36 } port { 123 } modulate state
pass in on $ext_if proto udp from $external to { 192.168.0.36 } port { 123 } keep state
pass in log (all) on $ext_if proto tcp from { 205.156.51.200 } port { ftp-data } to any modulate state
pass in log (all) on $ext_if proto tcp from any to any port { ftp-data, ftp, ssh } modulate state

Current hostname/bridgename files:

# cat /etc/hostname.bge0
up
# cat /etc/hostname.bge1
up
# cat /etc/hostname.sk0
dhcp NONE NONE NONE description "Internal Firewall"
# cat /etc/bridgename.bridge0
add bge0
add bge1
up

# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
bge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:e0:ed:07:eb:ec
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::2e0:edff:fe07:ebec%bge0 prefixlen 64 scopeid 0x1
bge1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:e0:ed:07:eb:ed
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::2e0:edff:fe07:ebed%bge1 prefixlen 64 scopeid 0x2
sk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5a:9c:df:86
        description: Internal Firewall
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::200:5aff:fe9c:df86%sk0 prefixlen 64 scopeid 0x3
        inet 192.168.0.36 netmask 0xffffffc0 broadcast 192.168.0.63
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 1460
enc0: flags=0<> mtu 1536
bridge0: flags=41<UP,RUNNING> mtu 1500
        groups: bridge

When attempting to move to NAT, the files are:

pf.conf:

ext_if = "bge0"
int_if = "bge1"
set skip on lo0
i_hermes = "192.168.0.5"
i_0_ns = "192.168.0.17"
i_1_ns = "192.168.0.19"
i_megarea = "192.168.0.32"
i_clotho = "192.168.0.33"
i_0_mx = "192.168.0.34"
i_pheme = "192.168.0.35"
i_heimdall = "192.168.0.36"
e_heimdall = "206.124.14.98"
e_hermes = "206.124.14.99"
e_pheme = "206.124.14.105"
e_0_ns = "206.124.14.106"
e_megarea = "206.124.14.107"
e_clotho = "206.124.14.108"
e_0_mx = "206.124.14.109"
e_1_ns = "206.124.14.110"
i_dns = "{" $i_0_ns $i_1_ns "}"
e_dns = "{" $e_0_ns $e_1_ns "}"
external = "{ 206.124.14.97 }"
internal = "{ 192.168.0.32, 192.168.0.34 }"
voipports = "{ 5060, 5061, 16384:32767 }"
table <eq2_tcp> { 64.37.156.7, 64.37.129.41, 199.108.194.76, 199.108.194.75, 64.37.129.42 }
table <eq2_udp> { 64.37.148.142, 64.37.148.144, 64.37.158.0/24, 199.108.2.0/24, 199.108.12.0/24, 199.108.202.0/24, 199.108.203.0/24, 195.33.135.0/24 }
table <eq2_icmp> { 64.37.158.0/24, 199.108.2.0/24, 199.108.12.0/24, 199.108.202.0/24, 199.108.203.0/24, 195.33.135.0/24 }
table <bogon> { 0.0.0.0/7, 2.0.0.0/8, 5.0.0.0/8, 7.0.0.0/8, 10.0.0.0/8, 23.0.0.0/8, 27.0.0.0/8, 31.0.0.0/8, 36.0.0.0/7, 39.0.0.0/8, 42.0.0.0/8, 49.0.0.0/8, 50.0.0.0/8, 92.0.0.0/6, 100.0.0.0/6, 104.0.0.0/5, 112.0.0.0/5, 120.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/5, 184.0.0.0/6, 192.0.2.0/24, 192.168.0.0/16, 197.0.0.0/8, 198.18.0.0/15, 223.0.0.0/8, 224.0.0.0/3 }
scrub in on $int_if all no-df random-id
scrub in on $ext_if all no-df fragment reassemble
scrub on $ext_if reassemble tcp
altq on $ext_if priq bandwidth 350Kb queue { std, voip, tcpack }
queue std priq(red default)
queue voip priority 10 priq(red)
queue tcpack priority 15 priq(red)
no nat on $ext_if from 192.168.0.16 to $external
no nat on $ext_if from 192.168.0.18 to $external
binat on $ext_if from $i_hermes to any -> $e_hermes
binat on $ext_if from $i_0_ns to any -> $e_0_ns
binat on $ext_if from $i_1_ns to any -> $e_1_ns
binat on $ext_if from $i_megarea to any -> $e_megarea
binat on $ext_if from $i_clotho to any -> $e_clotho
binat on $ext_if from $i_0_mx to any -> $e_0_mx
binat on $ext_if from $i_pheme to any -> $e_pheme
binat on $ext_if from $i_heimdall to any -> $e_heimdall
nat on $ext_if from 192.168.0.0/16 to any -> 206.124.14.100
rdr on $ext_if proto tcp from any to $e_0_mx port 109 -> $e_0_mx port 25
# block log (all) all
block drop in quick on $ext_if from <bogon> to any
block drop out quick on $ext_if from any to <bogon>
pass in quick on $int_if proto udp from $i_hermes to any port $voipports tag QVOICE_OUT keep state
pass in quick on $int_if proto tcp from $i_hermes to any port { 5060, 5061 } tag QVOICE_OUT keep state
pass in on $int_if from { 192.168.0.0/16 } to any modulate state
pass out on $ext_if tagged QVOICE_OUT keep state queue(voip, tcpack)
pass out quick on $ext_if proto tcp from $i_clotho to <eq2_tcp> modulate state
pass out quick on $ext_if proto udp from $i_clotho to <eq2_udp>
pass out quick on $ext_if inet proto icmp from $i_clotho to <eq2_icmp>
pass out on $ext_if inet proto icmp all keep state
pass out on $ext_if proto tcp all modulate state
pass out on $ext_if proto udp all keep state
pass in quick on $ext_if proto tcp from <eq2_tcp> to $e_clotho modulate state
pass in quick on $ext_if proto udp from <eq2_udp> to $e_clotho
pass in quick on $ext_if inet proto icmp from <eq2_icmp> to $e_clotho
pass in on $ext_if proto tcp from any to $e_pheme port { https } modulate state
pass in on $ext_if proto tcp from any to $e_0_mx port { smtp, imap, imaps } modulate state
pass in log (all) on $ext_if proto tcp from any to $e_dns port { 53 } modulate state
pass in on $ext_if proto udp from any to $e_dns port { 53 } keep state
pass in on $ext_if proto tcp from $external to $internal port { 68, 69, 123, 514 } modulate state
pass in on $ext_if proto udp from $external to $internal port { 68, 69, 123, 514 } keep state
pass in on $ext_if proto tcp from $external to { 192.168.0.16, 192.168.0.18 } port { 53 } modulate state
pass in on $ext_if proto udp from $external to { 192.168.0.16, 192.168.0.18 } port { 53 } keep state
pass in on $ext_if proto tcp from $external to { 192.168.0.36 } port { 123 } modulate state
pass in on $ext_if proto udp from $external to { 192.168.0.36 } port { 123 } keep state
pass in log (all) on $ext_if proto tcp from { 205.156.51.200 } port { ftp-data } to any modulate state
pass in log (all) on $ext_if proto tcp from any to any port { ftp-data, ftp, ssh } modulate state

hostname files:

# cat /etc/hostname.bge0
inet 206.124.14.98 255.255.255.240 NONE
# cat /etc/hostname.bge1
inet 192.168.0.1 255.255.0.0 NONE
# cat /etc/hostname.sk0
dhcp NONE NONE NONE description "Internal Firewall Mgt"

# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:e0:ed:07:eb:ec
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 206.124.14.98 netmask 0xfffffff0 broadcast 206.124.14.111
        inet6 fe80::2e0:edff:fe07:ebec%bge0 prefixlen 64 scopeid 0x1
bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:e0:ed:07:eb:ed
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.0.1 netmask 0xffff0000 broadcast 192.168.255.255
        inet6 fe80::2e0:edff:fe07:ebed%bge1 prefixlen 64 scopeid 0x2
sk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5a:9c:df:86
        description: Internal Firewall
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::200:5aff:fe9c:df86%sk0 prefixlen 64 scopeid 0x3
        inet 192.168.0.36 netmask 0xffffffc0 broadcast 192.168.0.63
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 1460
enc0: flags=0<> mtu 1536

Just to make sure, I delete and then re-add the default gateway:

# route delete default 192.168.0.1
delete net default: gateway 192.168.0.1
# route add default 192.168.0.1
add net default: gateway 192.168.0.1
# route -n show -inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs    Use   Mtu  Interface
default            192.168.0.1        UGS        0      0     -  bge1
127/8              127.0.0.1          UGRS       0      0 33224  lo0
127.0.0.1          127.0.0.1          UH         0      0 33224  lo0
192.168.0.0/26     link#3             UC         0      0     -  sk0
192.168/16         link#2             UC         0      0     -  bge1
192.168.0.1        00:e0:ed:07:eb:ed  UHLc       0      0     -  sk0
192.168.0.32       00:50:8d:52:ae:b4  UHLc       0   5482     -  sk0
192.168.0.33       00:00:d1:7a:1e:63  UHLc       0  69472     -  sk0
192.168.0.34       00:00:d1:6a:f7:bb  UHLc       0   6312     -  sk0
192.168.0.36       127.0.0.1          UGHS       0     40 33224  lo0
192.168.0.97       link#2             UHLc       0      1     -  bge1
206.124.14.96/28   link#1             UC         0      0     -  bge0
206.124.14.97      00:30:da:91:95:8a  UHLc       0      7     -  bge0
224/4              127.0.0.1          URS        0      0 33224  lo0

However, once I run:

pfctl -F rules
pfctl -gf /etc/pf.conf

I get:

# route -n show -inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs    Use   Mtu  Interface
default            192.168.0.1        UGS        0   2159     -  sk0
127/8              127.0.0.1          UGRS       0      0 33224  lo0
127.0.0.1          127.0.0.1          UH         0      0 33224  lo0
192.168.0.0/26     link#3             UC         0      0     -  sk0
192.168/16         link#2             UC         0      0     -  bge1
192.168.0.1        00:e0:ed:07:eb:ed  UHLc       0      0     -  sk0
192.168.0.16       00:00:d1:6a:f7:bb  UHLc       0     13     -  sk0
192.168.0.18       00:50:8d:52:ae:b4  UHLc       0      3     -  sk0
192.168.0.32       00:50:8d:52:ae:b4  UHLc       0   5026     -  sk0
192.168.0.33       00:00:d1:7a:1e:63  UHLc       0  69368     -  sk0
192.168.0.34       00:00:d1:6a:f7:bb  UHLc       0   5600     -  sk0
192.168.0.36       127.0.0.1          UGHS       0     40 33224  lo0
206.124.14.96/28   link#1             UC         0      0     -  bge0
206.124.14.97      00:30:da:91:95:8a  UHLc       0      4     -  bge0

despite the static assignment of the .1 address to bge1 above. I have to have hosed something up myself, but I can't spot it. Can anyone help?

Thank you,

-- 
Ed V.
26 December 2006 21:27:38
IBM: Invented By Maladroits
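Added example, not part of the post above: a small Python check that parses the NAT-mode "ifconfig -a" output quoted in the post, converts OpenBSD's hex netmasks to prefix lengths, and reports interfaces whose connected networks overlap (here 192.168/16 on bge1 and 192.168.0.0/26 on sk0), together with the interface that longest-prefix routing will pick for a given gateway address. The sample input is constructed from the post's own ifconfig lines; the function names are my own.

```python
import re
from ipaddress import IPv4Interface, ip_address
# Constructed sample: the interface and inet lines from the NAT-mode
# "ifconfig -a" output quoted in the post (other lines omitted).
IFCONFIG_OUTPUT = """\
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 206.124.14.98 netmask 0xfffffff0 broadcast 206.124.14.111
bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.0.1 netmask 0xffff0000 broadcast 192.168.255.255
sk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.0.36 netmask 0xffffffc0 broadcast 192.168.0.63
"""
IFACE_RE = re.compile(r"^(\w+): flags=")
INET_RE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+) netmask 0x([0-9a-fA-F]{8})")

def parse_ifconfig(text):
    """Map interface name -> IPv4Interface for every 'inet' line of ifconfig -a."""
    addrs, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = INET_RE.match(line)
        if m and current:
            # OpenBSD prints the netmask in hex; its set bits give the prefix length.
            prefixlen = bin(int(m.group(2), 16)).count("1")
            addrs[current] = IPv4Interface(f"{m.group(1)}/{prefixlen}")
    return addrs

def overlapping_interfaces(addrs):
    """(a, b, preferred) for interface pairs whose connected networks overlap;
    'preferred' has the longer prefix, which longest-match routing uses."""
    names, found = sorted(addrs), []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            na, nb = addrs[a].network, addrs[b].network
            if na.overlaps(nb):
                found.append((a, b, a if na.prefixlen > nb.prefixlen else b))
    return found

def gateway_interface(addrs, gateway):
    """Interface whose connected route has the longest prefix covering gateway."""
    gw = ip_address(gateway)
    hits = [(v.network.prefixlen, n) for n, v in addrs.items() if gw in v.network]
    return max(hits)[1] if hits else None

if __name__ == "__main__":
    ifs = parse_ifconfig(IFCONFIG_OUTPUT)
    print(overlapping_interfaces(ifs), gateway_interface(ifs, "192.168.0.1"))
```

Running it against the post's addresses reports that bge1 and sk0 overlap and that the /26 on sk0 wins for 192.168.0.1, which matches the "sk0" column in the second routing table above.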