On Tue, Jan 16, 2007 at 12:23:45PM -0500, Charles Farinella wrote:
> Thanks to all for the help.
> 
> Martin Toft wrote:
> >On Tue, Jan 16, 2007 at 09:32:02AM -0500, Charles Farinella wrote:
> >>I have an OpenBSD 3.9 machine with a public IP providing NAT and
> >>firewalling for our internal network.  It has 3 interfaces:
> >>
> >>dc0: public ip from internet X.X.X.25
> >>dc1: 192.168.100.x to internal network.  This works well.
> >>dc2: 192.168.200.x --> to Windows server.
> >>
> >>I need to allow public access to the Windows server connected to dc2
> >>(one port only).  Currently I have a private network address
> >>assigned to dc2 and a public one (X.X.X.26) assigned to the machine
> >>connected to it.
> >
> >You should put a private 192.168.200.x IP address on the Windows box,
> >not a global X.X.X.26 address. Afterwards, do a simple port
> >forwarding (redirection in pf language) at the OpenBSD box, e.g.
> 
> I currently have it set up like this:
> 
> dc0 = X.X.X.25
> dc2 = 192.168.200.254
> test_box = 192.168.25.123
> services = "{ ssh, smtp, http, https }"
> 
> I have the following in my pf.conf:
> rdr pass on dc0 proto tcp from any to X.X.X.25 port 80 -> 192.168.25.122 port 80
> 
> If I ssh into the X.X.X.25 box I can access the test_box on port 80.
> I cannot access X.X.X.25 port 80 however.

You can't access X.X.X.25 port 80 from the OpenBSD box itself, as the
redirection happens on the dc0 interface. That's OK and shouldn't be
thought of as a problem.

> I've been using pfctl -f /etc/pf.conf to reload my rules.  I see no
> reference in my pflog to any attempts to access port 80 on X.X.X.25.

That's probably because you don't log anything.

> >Remember to set up a default route on the Windows box (it should of
> >course use the OpenBSD box as its default route).
> 
> Routing tables
> 
[snip]
> 
> Is this correct?

Sorry, but I can't answer that, as I can't figure out how your machines
are connected etc... I'm very confused about all your machines,
interfaces (dc0, dc1, dc2, ne3), and networks (192.168.100.x,
192.168.200.x, 192.168.25.x, X.X.X....).

Regards,
Martin

> Thanks again.
> 
> --charlie
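
A pf.conf fragment for the layout Martin recommends (private 192.168.200.x address on the Windows box, one published port redirected on dc0, and logging so pflog actually records the attempts), added here as an example; it is not configuration from either poster. The Windows server address 192.168.200.10, the macro names, the choice of port 80 and the assumption that the existing dc1 rules are kept elsewhere in the file are all mine; the public address is written as ($ext_if) because X.X.X.25 is a placeholder in the thread.

```pf
# Added example for OpenBSD 3.9 pf, not taken from the thread.
# 192.168.200.10 is a constructed address for the Windows server.
ext_if  = "dc0"             # public interface (X.X.X.25 in the thread)
win_if  = "dc2"             # 192.168.200.254 on the OpenBSD box
win_box = "192.168.200.10"  # assumed private address of the Windows server

# Translation rules come before filter rules in pf.conf.
# Outbound NAT for the dc2 segment.
nat on $ext_if from $win_if:network to any -> ($ext_if)

# Redirect only the one published port. Translation is applied to packets
# arriving on $ext_if, so connections made from the OpenBSD box itself to
# its own public address are never redirected (Martin's point above).
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $win_box port 80

# Log what is dropped so pflog0 shows rejected attempts, not just nothing.
block in log all

# Filtering sees the post-translation address, so match on $win_box.
# "log" on this rule is what makes accepted attempts visible in pflog.
pass in log on $ext_if proto tcp from any to $win_box port 80 \
    flags S/SA keep state

# Management access to the firewall itself.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state

# Deliver the redirected packets to dc2 and allow the segment out.
pass out on $win_if proto tcp from any to $win_box port 80 keep state
pass in  on $win_if from $win_if:network to any keep state
pass out on $ext_if keep state
```

Load it with pfctl -f /etc/pf.conf as in the thread (pfctl -nf first to syntax-check) and watch the redirected connections arrive with tcpdump -n -e -ttt -i pflog0 port 80 from a host outside the firewall, since tests from the OpenBSD box itself will not hit the rdr rule.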
