> From: Lars Nooden
> Sent: Tuesday, April 21, 2009 3:33 AM
> To: OpenBSD Misc.
> Subject: Multiple layers of NAT
>
>
> Sometimes I have to set up a LAN inside a pre-existing NAT'd LAN and
> traffic from the inner LAN (B) does not make it to the Internet or even
> to final, external interface (4).
>
>                +-------+         +--------+
>       LAN B ---+ 1     +         +  Box2  +
>                +  NAT  +         +       4+---> Internet
>                +      2+--LAN A--+3  NAT  +
>                +  Box1 +         +        +
>                +-------+         +--------+
>
> What kind of generic change is needed in PF to get from LAN B through to
> the outside?
>
> Setting the IP range for LAN B to match those of LAN A is one option,
> but has to be done each time and also may run the risk of collision on
> some subnets.
>
> Regards
> -Lars
>
>

I do this all the time and it works fine for me.

You do have to remember that the firewall rules on box2
won't see anything as coming from LAN B because all of
that is being NATed to the IP of interface 2.  So, if
you want a "LAN B"er to have www access you have to tell
box 2 to give interface 2 www access (as well as telling
box 1 to allow the www traffic).  Think of it from the
perspective of each firewall with regards to what each
box will THINK it is getting (because of the NAT) not
where the traffic is actually coming from.

I hope this helps.

s
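The point made in the reply, written out as two pf.conf fragments (one per box); this is an added illustration, not configuration from either poster, and the interface names and address ranges (LAN B 192.168.2.0/24, LAN A 192.168.1.0/24, interface 2 at 192.168.1.2) are assumed for the example.

```pf
# ---- Box1 (inner NAT, LAN B -> LAN A) : /etc/pf.conf on Box1 ----
# Assumed: em1 faces LAN B (interface 1), em0 is interface 2 on LAN A.
# Forwarding must also be on: sysctl net.inet.ip.forwarding=1
int_if = "em1"
ext_if = "em0"
lan_b  = "192.168.2.0/24"    # assumed; must not overlap LAN A's range

# Everything leaving for LAN A is rewritten to carry interface 2's address.
# OpenBSD 4.7 and later spell this as:
#   match out on $ext_if from $lan_b nat-to ($ext_if)
nat on $ext_if from $lan_b to any -> ($ext_if)

block all
# Box1 is the only box that still sees LAN B addresses, so filter on them here.
pass in  on $int_if proto tcp from $lan_b to any port { 80, 443 }
# Outbound filter rules run after NAT, so the source is already ($ext_if).
pass out on $ext_if proto tcp from ($ext_if) to any port { 80, 443 }

# ---- Box2 (outer NAT, LAN A -> Internet) : /etc/pf.conf on Box2 ----
# Assumed: em1 is interface 3 on LAN A, em0 is interface 4 to the Internet.
int_if    = "em1"
ext_if    = "em0"
lan_a     = "192.168.1.0/24"
box1_addr = "192.168.1.2"    # assumed address of Box1's interface 2

nat on $ext_if from $lan_a to any -> ($ext_if)

block all
# Box2 never sees 192.168.2.0/24: a "LAN B"er arrives as $box1_addr, so a
# rule written for LAN B's real range would silently match nothing.
pass in  on $int_if proto tcp from $box1_addr to any port { 80, 443 }
pass out on $ext_if proto tcp from ($ext_if) to any port { 80, 443 }
```

After loading each file with `pfctl -f /etc/pf.conf`, `pfctl -ss` on Box2 shows the LAN B connections with a source of 192.168.1.2, which is the address its rules have to allow.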
