Re: Help setting up a PF NAT gateway

2011-10-12 Thread Stefan Midjich
I must say that thanks to your help on this list I've finally managed
to get it working. I have bought FreeBSD CD sets in the past as a
means to donate and I intend to buy 5.0 sets now because I believe
strongly in open source software.

Well it was also thanks to some pf.conf samples I found online from
4.7 and 4.8.

http://mouedine.net/ruleset49.aspx
http://serverfault.com/questions/175405/help-me-upgrade-my-pf-conf-for-openbsd-4-7

The only thing I have yet to solve is the ftp-proxy redirection. Here
is my current ruleset.

Here's my current pfctl -vf output.

block drop all
pass in quick on vic0 inet proto tcp from any to 10.220.100.0/24 port
= 1022 flags S/SA keep state label PassInMGMTSSH
pass in quick on vic0 inet proto tcp from any to 10.220.100.0/24 port
= ssh flags S/SA keep state label PassInMGMTSSH
pass out quick on vic0 inet proto tcp from 10.220.100.0/24 to any port
= 1022 flags S/SA keep state label PassOutMGMTSSH
pass out quick on vic0 inet proto tcp from 10.220.100.0/24 to any port
= ssh flags S/SA keep state label PassOutMGMTSSH
pass on vic0 proto udp from any to any port = domain keep state label
PassMGMTDNS
pass on vic0 inet proto icmp all icmp-type echorep keep state label
PassMGMTICMP
pass on vic0 inet proto icmp all icmp-type echoreq keep state label
PassMGMTICMP
pass on vic0 inet proto icmp all icmp-type unreach keep state label
PassMGMTICMP
pass quick on vic2 proto carp all keep state label CUST-PassCarp
pass quick on vic3 proto carp all keep state label CUST-PassCarp
pass in on vic2 inet proto icmp from any to 50.50.50.0/24 icmp-type
echoreq keep state label CUST-PingOut
pass in on vic2 inet proto icmp from any to 50.50.50.0/24 icmp-type
echorep keep state label CUST-PingOut
pass in on vic2 inet proto icmp from any to 50.50.50.0/24 icmp-type
unreach keep state label CUST-PingOut
pass in on vic3 inet proto icmp from 10.221.181.0/24 to 10.221.181.10
icmp-type echoreq keep state label CUST-PingIn
pass in on vic3 inet proto icmp from 10.221.181.0/24 to 10.221.181.10
icmp-type echorep keep state label CUST-PingIn
pass in on vic3 inet proto icmp from 10.221.181.0/24 to 10.221.181.10
icmp-type unreach keep state label CUST-PingIn
match out on vic2 inet from 10.221.181.10 to any nat-to (vic2) round-robin
match in on vic2 proto tcp from any to any port = smtp rdr-to
CUST_FrontendPool round-robin
match in on vic2 proto tcp from any to any port = www rdr-to
CUST_FrontendPool round-robin
match in on vic2 proto tcp from any to any port = ssh rdr-to
CUST_FrontendPool round-robin
match in on vic2 proto tcp from any to any port = 5222 rdr-to
CUST_FrontendPool round-robin
pass in on vic2 inet proto tcp from any to 10.221.181.21 port = smtp
flags S/SA keep state
pass in on vic2 inet proto tcp from any to 10.221.181.21 port = www
flags S/SA keep state
pass in on vic2 inet proto tcp from any to 10.221.181.21 port = ssh
flags S/SA keep state
pass in on vic2 inet proto tcp from any to 10.221.181.21 port = 5222
flags S/SA keep state
pass in on vic2 inet proto tcp from any to 10.221.181.22 port = smtp
flags S/SA keep state
pass in on vic2 inet proto tcp from any to 10.221.181.22 port = www
flags S/SA keep state
pass in on vic2 inet proto tcp from any to 10.221.181.22 port = ssh
flags S/SA keep state
pass in on vic2 inet proto tcp from any to 10.221.181.22 port = 5222
flags S/SA keep state
pass out on vic2 all flags S/SA keep state
pass on vic3 all flags S/SA keep state
anchor ftp-proxy/* all
pass in quick inet proto tcp from any to any port = ftp flags S/SA
keep state rdr-to 127.0.0.1 port 8021
pass out inet proto tcp from 127.0.0.1 to any port = ftp flags S/SA keep state

All of this works sans the ftp-proxy, it is listening on 8021 and I
get no errors in the syslog. Just a message that it started.

If I tcpdump -i lo0 I get no packets at all. I do see packets coming
in on the internal interface.



Re: Help setting up a PF NAT gateway

2011-10-12 Thread Norman Golisz
Hi Stefan,

On Wed Oct 12 2011 14:59, Stefan Midjich wrote:
 I must say that thanks to your help on this list I've finally managed
 to get it working. I have bought FreeBSD CD sets in the past as a
 means to donate and I intend to buy 5.0 sets now because I believe
 strongly in open source software.

really fine!

 The only thing I have yet to solve is the ftp-proxy redirection. Here
 is my current ruleset.
  
Well, you defined this match for outgoing packets of vic2:

 match out on vic2 inet from 10.221.181.10 to any nat-to (vic2) round-robin

but allow the ftp-proxy to send packets from 127.0.0.1:

 pass out inet proto tcp from 127.0.0.1 to any port = ftp flags S/SA keep state

Hence, change the match rule to:

 match out on vic2 inet all nat-to (vic2) round-robin

Good luck,
Norman



Re: Help setting up a PF NAT gateway

2011-10-12 Thread Stefan Midjich
After all that I was still doing NAT wrong, I thank you Norman! It
works perfectly now and it makes much more sense as NAT must be done
from the lo0 too out on the external IF.

2011/10/13 Norman Golisz li...@zcat.de:
 Hi Stefan,

 On Wed Oct 12 2011 14:59, Stefan Midjich wrote:
 I must say that thanks to your help on this list I've finally managed
 to get it working. I have bought FreeBSD CD sets in the past as a
 means to donate and I intend to buy 5.0 sets now because I believe
 strongly in open source software.

 really fine!

 The only thing I have yet to solve is the ftp-proxy redirection. Here
 is my current ruleset.

 Well, you defined this match for outgoing packets of vic2:

 match out on vic2 inet from 10.221.181.10 to any nat-to (vic2) round-robin

 but allow the ftp-proxy to send packets from 127.0.0.1:

 pass out inet proto tcp from 127.0.0.1 to any port = ftp flags S/SA keep
state

 Hence, change the match rule to:

 match out on vic2 inet all nat-to (vic2) round-robin

 Good luck,
 Norman




--


Med vänliga hälsningar / With kind regards

Stefan Midjich
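The ruleset Stefan arrives at, reduced to its NAT and FTP parts, as an added example (this is not the poster's file and not taken from the pf or ftp-proxy documentation). The interface names, the 10.221.181.0/24 network, the proxy on 127.0.0.1 port 8021 and the `vic3:network` / `:0` interface modifiers come from the thread; the macro names, the logging default-deny and the restriction of the FTP redirect to the internal interface are assumptions.

```pf
# Added example pf.conf fragment for the gateway discussed in this thread.
# Interfaces, addresses and the 8021 proxy port are from the thread; the
# macro names and the logged default-deny are assumptions.
ext_if = "vic2"        # external interface, member of the egress group
int_if = "vic3"        # internal interface, default gateway of 10.221.181.0/24
proxy  = "127.0.0.1"   # ftp-proxy(8) listens here on port 8021

set skip on lo0

# Default deny; every pass below is an explicit exception.
block drop log all

# Source NAT is applied where the packet leaves the box, i.e. out on the
# external interface. The source list must include 127.0.0.1: ftp-proxy
# opens its connections from lo0, and a rule limited to the gateway's own
# address (the thread's first version) leaves those packets untranslated.
match out on $ext_if inet from { $int_if:network, $proxy } to any \
    nat-to ($ext_if:0)

# LAN traffic enters on the internal side and leaves on the external side.
pass in  on $int_if inet from $int_if:network to any
pass out on $ext_if inet from $int_if:network to any

# FTP: hand control connections from the LAN to the proxy. Binding the rule
# to $int_if keeps FTP arriving on the external side from being redirected
# into the proxy as well (the thread's rule has no interface at all).
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp from $int_if:network to any port ftp \
    rdr-to $proxy port 8021
pass out inet proto tcp from $proxy to any port ftp
```

`pfctl -nf /etc/pf.conf` parses the file without loading it. After `pfctl -f /etc/pf.conf`, `pfctl -vsr` prints a counter line under each rule; the Packets count on the match rule is the quickest check that packets really traverse it (the thread's first attempt, `match in on vic3 ... nat-to (vic2)`, never incremented). `pfctl -ss` lists states with both the original and the translated source address, `tcpdump -n -e -ttt -i pflog0` shows what the logged block rule dropped, and `sysctl net.inet.ip.forwarding` must print 1 or nothing is forwarded at all. Norman's `match out on vic2 inet all nat-to (vic2)` also works; the list form above only differs in naming the two sources that actually need translation.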



Re: Help setting up a PF NAT gateway

2011-10-11 Thread Stefan N
Okay. If you're going to give internet users access to a system inside your LAN/DMZ (e.g. a webserver), you will need to do NAT. If you want the server which is configured with a private IP address to be reachable by internet users, you will need NAT.

The way you do NAT might depend on your network infra setup and how you design and plan the traffic flow. IP aliasing is associating more than one IP address with a network interface. With this, one node on a network can have multiple connections to a network, each serving a different purpose. Now I will explain with an example so that you can visualize it in a better way:

I have a web server with IP address 192.168.1.100. My firewall has 2 NICs, one internal (192.168.1.1) and one external using a public IP (50.50.50.59). I would like to allow users from the internet to access my webserver. Since I configured the webserver using a private IP, internet users can not access my webserver directly, that is why NAT is needed. For this example I have 2 scenarios doing NAT.

1. If I have a limited public IP address assigned to me by the ISP: any http traffic from the internet accessing the firewall external IP address will be redirected to my webserver.

internet user port 80 --- FW ext IP address -- Web server

In this case I don't need to use an additional IP address as an alias, because internet users will access my website via http://50.50.50.59 and the traffic will be redirected to the webserver which is located inside the LAN (192.168.1.100).

2. If I have a spare public IP address, this is where an IP alias can play a role. I have another public IP (let's say 50.50.50.58) and I would like to assign it to the webserver. The webserver is still located inside my LAN with IP 192.168.1.100. But I want to assign the IP 50.50.50.58 only for application server service purposes, because I don't want to mix it up with the firewall service. So the same concept applies here: any http traffic from the internet accessing IP 50.50.50.58 will be redirected to my webserver.

internet user port 80 --- 50.50.50.58 -- Web server

As 50.50.50.58 and 50.50.50.59 are within the same subnet (and also assigned to my business by the ISP), I need to assign it on the external firewall interface. If I didn't assign it on the external firewall interface, the incoming http traffic would not be able to pass through, because neither router nor firewall would know how and where to redirect the incoming packet, and neither router nor firewall would take ownership of 50.50.50.58, although 50.50.50.58 is assigned to my business by the ISP. By assigning 50.50.50.58 on the external firewall interface as an IP alias, the firewall will know how and where to redirect the incoming traffic. When the http traffic to 50.50.50.58 comes in, the firewall will take ownership, check the routing table, and then the PF engine will check from the rule list whether the incoming traffic to the webserver is allowed or not. Once the rule is matched, the packet will be redirected to the destination. You can do the same by creating the rule for an email server etc.: internet user port 25 --- 50.50.50.58 -- my email server.

The same IP alias concept also applies if you want to implement many-to-one NAT, for example to allow your LAN users internet access. You can use an IP alias or use the firewall ext int IP as the NAT IP. All depends on how your infra is configured and planned. Which scenario is your setup? If you're using the 1st scenario, you don't need to use an IP alias, because the external IP address of the firewall which is accessed by the public users for http traffic belongs to the firewall. If you use the 2nd scenario, you will need to use an IP alias configured on the ext firewall interface. Please also check the routing table in the router and the default gateway on your destination node.

I hope it helps.

Regards,
Stefan

From: Stefan Midjich sweh...@gmail.com
To: Stefan N stefanbsd...@yahoo.com
Cc: misc@openbsd.org misc@openbsd.org
Sent: Tuesday, October 11, 2011 1:25 PM
Subject: Re: Help setting up a PF NAT gateway

No I was not aware of this. Could you please explain the meaning of
an alias address on the external interface for NAT?

There is no mention of using an alias for NAT in this document for
example
http://www.openbsd.org/faq/pf/nat.html

Just to be clear, I already have an external and internal physical
interface to work with, so I am unclear as to why I need an alias.

2011/10/11 Stefan N stefanbsd...@yahoo.com:
 Hi Stefan,
 As you mentioned that the IP forwarding is already enabled on your system.
 Have you configured the IP alias on the network interface for the NAT
 purpose?
 If the NAT is done on external interface then you'll need to add in the IP
 alias on /etc/hostname.vic2
 Please read the guide from openbsd url below:
 http://www.openbsd.org/cgi-bin/man.cgi?query=hostname.if&apropos=0&sektion=0&manpath=OpenBSD+4.9&arch=i386&format=html
 Sample of hostname.if config with IP alias:

  A typical file contains only one
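The two scenarios in Stefan N's post, written out as an added example (not the poster's configuration and not from the hostname.if or pf.conf manual pages). The addresses 50.50.50.59, 50.50.50.58, 192.168.1.100 and 192.168.1.1 and the interface vic2 are from the post; the internal interface name vic3, the mail server address 192.168.1.101 and the macro names are assumptions.

```pf
# Added example: publishing a LAN web server on the firewall's own address
# (scenario 1) and on a spare address configured as an alias (scenario 2).
# 192.168.1.101 for the mail server and the macro names are assumptions.
#
# /etc/hostname.vic2 for scenario 2, primary address plus the alias:
#   inet 50.50.50.59 255.255.255.0 50.50.50.255
#   inet alias 50.50.50.58 255.255.255.255

ext_if   = "vic2"            # external interface: 50.50.50.59 plus the alias
int_if   = "vic3"            # internal interface: 192.168.1.1 (assumed name)
web_srv  = "192.168.1.100"
mail_srv = "192.168.1.101"   # assumed address for the mail server
web_ip   = "50.50.50.58"     # alias reserved for published services

block drop log all

# Scenario 1: no spare address, publish the web server on the firewall's own
# IP. ($ext_if) expands at runtime to whatever address vic2 holds.
pass in on $ext_if inet proto tcp from any to ($ext_if) port www rdr-to $web_srv

# Scenario 2: publish on the alias. The firewall only answers for 50.50.50.58
# because the alias is configured; without it the packets never reach PF.
# Only the redirected ports are passed, so everything else sent to the alias
# hits the default block and nothing the firewall itself listens on is exposed.
pass in on $ext_if inet proto tcp from any to $web_ip port www  rdr-to $web_srv
pass in on $ext_if inet proto tcp from any to $web_ip port smtp rdr-to $mail_srv

# The redirected packets leave on the internal interface with the private
# destination. With floating states (the default) the inbound state already
# covers them; this rule makes it explicit and is required under
# "set state-policy if-bound".
pass out on $int_if inet proto tcp from any to { $web_srv, $mail_srv } \
    port { www, smtp }

# The servers must use 192.168.1.1 as their default gateway; otherwise their
# replies bypass the firewall and never match the translation state.
```

After `sh /etc/netstart vic2` (or a reboot), `ifconfig vic2` should show two `inet` lines, one per address. `pfctl -nf /etc/pf.conf` checks the syntax, and once loaded, `pfctl -vsr` shows the Packets counter on each rdr-to rule moving as connections arrive on the alias, which separates "the alias is not answering" from "PF is not redirecting".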

Re: Help setting up a PF NAT gateway

2011-10-11 Thread Stefan Midjich
It works now that I started over from scratch, I have a block in all
and a pass out all by default and NAT is working. I can see packets on
both in and out-interfaces with tcpdump. Of course ICMP response is
not being sent back since I have a block in all but at least NAT is
working and it is forwarding packets.

I think what I was missing, a crucial step and basic knowledge to any
networking tech, was the ins and the outs of gateways. I didn't
understand what Out or In was in the eyes of the gateway. I now
understand that Out is where the default gateway points, /etc/mygate,
in other words egress group in ifconfig. And In is of course the
opposite.

This is a very subtle detail but it made a WORLD of difference.

Thank you all for your support. :)



Re: Help setting up a PF NAT gateway

2011-10-11 Thread Rodrigo Mosconi
2011/10/10 Stefan Midjich sweh...@gmail.com:
 Simplest of things but I'm failing miserably.

 $ sudo cat /etc/hostname.vic2 # External NIC with static public IPv4 address
 inet 50.50.50.59 255.255.255.0 50.50.50.255

 $ sudo cat /etc/hostname.vic3 # Internal NIC used as gateway by two
 machines on same network
 inet 10.221.181.10 255.255.255.0 10.221.181.255

 For troubleshooting I have removed the block all rule, to confirm that
 it is in fact my NAT related rules that don't work.

 These are my first and only NAT rules. The other rules work fine and
 are just to allow SSH to my management interface and ICMP response
 from the external IP and from the internal gateway IP. Besides I've
 removed the block all so the other rules don't matter much now.

 match out on vic2 inet from 10.221.181.0/24 to any nat-to (vic2) round-robin
 pass inet from 10.221.181.0/24 to any flags S/SA keep state

can be changed to

pass out on vic2 inet from 10.221.181.0/24 to any nat-to vic2



Re: Help setting up a PF NAT gateway

2011-10-10 Thread Christiano F. Haesbaert
On 10 October 2011 12:38, Stefan Midjich sweh...@gmail.com wrote:
 Simplest of things but I'm failing miserably.

 $ sudo cat /etc/hostname.vic2 # External NIC with static public IPv4 address
 inet 50.50.50.59 255.255.255.0 50.50.50.255

 $ sudo cat /etc/hostname.vic3 # Internal NIC used as gateway by two
 machines on same network
 inet 10.221.181.10 255.255.255.0 10.221.181.255

 For troubleshooting I have removed the block all rule, to confirm that
 it is in fact my NAT related rules that don't work.

 These are my first and only NAT rules. The other rules work fine and
 are just to allow SSH to my management interface and ICMP response
 from the external IP and from the internal gateway IP. Besides I've
 removed the block all so the other rules don't matter much now.

 match out on vic2 inet from 10.221.181.0/24 to any nat-to (vic2) round-robin
 pass inet from 10.221.181.0/24 to any flags S/SA keep state

 With tcpdump I can see packets going to vic3, but no further.

 With block all commented out I can fully test the network around and
 everything is working just fine, I can nc -kl 50.50.50.59 65535 and
 connect to that port from anywhere on the internet. I just can't
 connect out from the private network through the gateway. The systems
 in the private network have 10.221.181.10 as their default gateway.

 I even have the Book of PF 2nd edition here but it's of no use, the
 rules are mostly from there. Just for troubleshooting I can also nc
 -kl 10.221.181.10 65535 on the gateway and connect to that port from
 the private network machines without issues.

 So please tell me, what am I missing in this nat-to rule?


Hi, can you paste your pf.conf ?
The output of ifconfig would be good too.



Re: Help setting up a PF NAT gateway

2011-10-10 Thread pavel pocheptsov
match out on vic2 inet from 10.221.181.0/24 to any nat-to (vic2) round-robin
for what reason did you paste round-robin?
also you need
pass in on $local_if from $localnet to any
pass out on $ext_if from $localnet to any


On 10 October 2011, 19:42, Stefan Midjich sweh...@gmail.com wrote:

Simplest of things but I'm failing miserably.

$ sudo cat /etc/hostname.vic2 # External NIC with static public IPv4 address
inet 50.50.50.59 255.255.255.0 50.50.50.255

$ sudo cat /etc/hostname.vic3 # Internal NIC used as gateway by two
machines on same network
inet 10.221.181.10 255.255.255.0 10.221.181.255

For troubleshooting I have removed the block all rule, to confirm that
it is in fact my NAT related rules that don't work.

These are my first and only NAT rules. The other rules work fine and
are just to allow SSH to my management interface and ICMP response
from the external IP and from the internal gateway IP. Besides I've
removed the block all so the other rules don't matter much now.

match out on vic2 inet from 10.221.181.0/24 to any nat-to (vic2) round-robin
pass inet from 10.221.181.0/24 to any flags S/SA keep state

With tcpdump I can see packets going to vic3, but no further.

With block all commented out I can fully test the network around and
everything is working just fine, I can nc -kl 50.50.50.59 65535 and
connect to that port from anywhere on the internet. I just can't
connect out from the private network through the gateway. The systems
in the private network have 10.221.181.10 as their default gateway.

I even have the Book of PF 2nd edition here but it's of no use, the
rules are mostly from there. Just for troubleshooting I can also nc
-kl 10.221.181.10 65535 on the gateway and connect to that port from
the private network machines without issues.

So please tell me, what am I missing in this nat-to rule?

--


Med vänliga hälsningar / With kind regards

Stefan Midjich



Re: Help setting up a PF NAT gateway

2011-10-10 Thread Mark (obsd)
Hi Stefan,

On Mon, Oct 10, 2011 at 10:38 AM, Stefan Midjich sweh...@gmail.com wrote:

 Simplest of things but I'm failing miserably.

 ...

 With tcpdump I can see packets going to vic3, but no further.


Do you definitely have forwarding enabled?

# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=1

If that were 0 instead of 1, you'd get your symptoms. Edit /etc/sysctl.conf
to enable forwarding if you haven't.

Regards,
Mark



Re: Help setting up a PF NAT gateway

2011-10-10 Thread Wesley M.
Hi,

see my sample, it is well explained.
http://mouedine.net/ruleset49.aspx

All the best,

Wesley MOUEDINE ASSABY
www.mouedine.net


On Mon, 10 Oct 2011 17:38:26 +0200, Stefan Midjich sweh...@gmail.com
wrote:
 Simplest of things but I'm failing miserably.
 
 $ sudo cat /etc/hostname.vic2 # External NIC with static public IPv4
 address
 inet 50.50.50.59 255.255.255.0 50.50.50.255
 
 $ sudo cat /etc/hostname.vic3 # Internal NIC used as gateway by two
 machines on same network
 inet 10.221.181.10 255.255.255.0 10.221.181.255
 
 For troubleshooting I have removed the block all rule, to confirm that
 it is in fact my NAT related rules that don't work.
 
 These are my first and only NAT rules. The other rules work fine and
 are just to allow SSH to my management interface and ICMP response
 from the external IP and from the internal gateway IP. Besides I've
 removed the block all so the other rules don't matter much now.
 
 match out on vic2 inet from 10.221.181.0/24 to any nat-to (vic2)
 round-robin
 pass inet from 10.221.181.0/24 to any flags S/SA keep state
 
 With tcpdump I can see packets going to vic3, but no further.
 
 With block all commented out I can fully test the network around and
 everything is working just fine, I can nc -kl 50.50.50.59 65535 and
 connect to that port from anywhere on the internet. I just can't
 connect out from the private network through the gateway. The systems
 in the private network have 10.221.181.10 as their default gateway.
 
 I even have the Book of PF 2nd edition here but it's of no use, the
 rules are mostly from there. Just for troubleshooting I can also nc
 -kl 10.221.181.10 65535 on the gateway and connect to that port from
 the private network machines without issues.
 
 So please tell me, what am I missing in this nat-to rule?
 
 --
 
 
 Med vänliga hälsningar / With kind regards
 
 Stefan Midjich



Re: Help setting up a PF NAT gateway

2011-10-10 Thread Stefan Midjich
Yes forwarding is enabled. I have followed the Book of PF 2nd Edition so far.

2011/10/10 Mark (obsd) openbsd-l...@nerdish.us:
 Hi Stefan,

 On Mon, Oct 10, 2011 at 10:38 AM, Stefan Midjich sweh...@gmail.com wrote:

 Simplest of things but I'm failing miserably.

 ...

 With tcpdump I can see packets going to vic3, but no further.


 Do you definitely have forwarding enabled?
 # sysctl net.inet.ip.forwarding
 net.inet.ip.forwarding=1
 If that were 0 instead of 1, you'd get your symptoms. Edit /etc/sysctl.conf
 to enable forwarding if you haven't.
 Regards,
 Mark



--


Med vänliga hälsningar / With kind regards

Stefan Midjich



Re: Help setting up a PF NAT gateway

2011-10-10 Thread Stefan Midjich
That was from the output of pfctl -vf /etc/pf.conf so it expands the
rules and adds all that is implied, like keep state for example.

2011/10/10 pavel pocheptsov lilit-aibo...@mail.ru:
 match out on vic2 inet from 10.221.181.0/24 to any nat-to (vic2)
round-robin
 for what reason did you paste round-robin?
 also you need
 pass in on $local_if from $localnet to any
 pass out on $ext_if from $localnet to any


 On 10 October 2011, 19:42, Stefan Midjich sweh...@gmail.com wrote:

 Simplest of things but I'm failing miserably.

 $ sudo cat /etc/hostname.vic2 # External NIC with static public IPv4
address
 inet 50.50.50.59 255.255.255.0 50.50.50.255

 $ sudo cat /etc/hostname.vic3 # Internal NIC used as gateway by two
 machines on same network
 inet 10.221.181.10 255.255.255.0 10.221.181.255

 For troubleshooting I have removed the block all rule, to confirm that
 it is in fact my NAT related rules that don't work.

 These are my first and only NAT rules. The other rules work fine and
 are just to allow SSH to my management interface and ICMP response
 from the external IP and from the internal gateway IP. Besides I've
 removed the block all so the other rules don't matter much now.

 match out on vic2 inet from 10.221.181.0/24 to any nat-to (vic2)
round-robin
 pass inet from 10.221.181.0/24 to any flags S/SA keep state

 With tcpdump I can see packets going to vic3, but no further.

 With block all commented out I can fully test the network around and
 everything is working just fine, I can nc -kl 50.50.50.59 65535 and
 connect to that port from anywhere on the internet. I just can't
 connect out from the private network through the gateway. The systems
 in the private network have 10.221.181.10 as their default gateway.

 I even have the Book of PF 2nd edition here but it's of no use, the
 rules are mostly from there. Just for troubleshooting I can also nc
 -kl 10.221.181.10 65535 on the gateway and connect to that port from
 the private network machines without issues.

 So please tell me, what am I missing in this nat-to rule?

 --


 Med vänliga hälsningar / With kind regards

 Stefan Midjich





--


Med vänliga hälsningar / With kind regards

Stefan Midjich



Re: Help setting up a PF NAT gateway

2011-10-10 Thread Stefan Midjich
ManagementIF = vic0
PFsyncIF = vic1
LocalIF = lo0
ManagementPorts = { 1022, 22 }
UDPManagementPorts = { domain }
ICMPTypes = { echorep, echoreq, unreach }
set skip on { lo0 vic1 }
OutIF = vic2
InIF = vic3
pass quick on vic0 inet proto tcp from any to any port = 1022 flags
S/SA keep state label PassMGMTSSH
pass quick on vic0 inet proto tcp from any to any port = ssh flags
S/SA keep state label PassMGMTSSH
pass on vic0 proto udp from any to any port = domain keep state label
PassMGMTDNS
pass on vic0 inet proto icmp all icmp-type echorep keep state label
PassMGMTICMP
pass on vic0 inet proto icmp all icmp-type echoreq keep state label
PassMGMTICMP
pass on vic0 inet proto icmp all icmp-type unreach keep state label
PassMGMTICMP
pass quick on vic2 proto carp all keep state label PassCarp
pass quick on vic3 proto carp all keep state label PassCarp
pass quick inet proto icmp from any to 50.50.50.0/24 icmp-type echoreq
keep state label PingOut
pass quick inet proto icmp from any to 50.50.50.0/24 icmp-type echorep
keep state label PingOut
pass quick inet proto icmp from any to 50.50.50.0/24 icmp-type unreach
keep state label PingOut
pass quick inet proto icmp from 10.221.181.0/24 to 10.221.181.10
icmp-type echoreq keep state label PingIn
pass quick inet proto icmp from 10.221.181.0/24 to 10.221.181.10
icmp-type echorep keep state label PingIn
pass quick inet proto icmp from 10.221.181.0/24 to 10.221.181.10
icmp-type unreach keep state label PingIn
match in on vic3 inet from 10.221.181.0/24 to any label NATOut
nat-to (vic2) round-robin
pass inet from 10.221.181.0/24 to any flags S/SA keep state

vic2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:50X
        priority: 0
        groups: egress
        media: Ethernet autoselect
        status: active
        inet 50.50.50.59 netmask 0xffffff00 broadcast 50.50.50.255
        inet6 fe80::250:56ff:fe8e:63%vic2 prefixlen 64 scopeid 0x3
vic3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:50:X
        priority: 0
        media: Ethernet autoselect
        status: active
        inet 10.221.181.10 netmask 0xffffff00 broadcast 10.221.181.255
        inet6 fe80::250:56ff:fe8e:64%vic3 prefixlen 64 scopeid 0x4

Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            50.50.50.1         UGS        0       80     -     8 vic2
10/8               10.220.100.1       UGS        2     2869     -     8 vic0
10.90.100/24       link#2             UC         1        0     -     4 vic1
10.90.100.10       X:00:62            UHLc       0        2     -     4 lo0
10.220.100/24      link#1             UC         3        0     -     4 vic0
10.220.100.1       X07:ac:00          UHLc       1        0     -     4 vic0
10.220.100.10      X:49:16            UHLc       0      489     -     4 vic0
10.220.100.209     X:26:05            UHLc       1     5010     -     4 vic0
10.221.181/24      link#4             UC         0        0     -     4 vic3
127/8              127.0.0.1          UGRS       0        0 33160     8 lo0
127.0.0.1          127.0.0.1          UH         1        0 33160     4 lo0
50.50.50/24        link#3             UC         3        0     -     4 vic2
50.50.50.1         Xf:d4:20           UHLc       1        0     -     4 vic2
50.50.50.6         X81:86:b6          UHLc       0        0     -     4 vic2
50.50.50.7         XX:50:87:14        UHLc       0        0     -     4 vic2
224/4              127.0.0.1          URS        0        0 33160     8 lo0

Please note that I have removed public ip-address and other private details.

2011/10/10 Christiano F. Haesbaert haesba...@haesbaert.org:
 On 10 October 2011 12:38, Stefan Midjich sweh...@gmail.com wrote:
 Simplest of things but I'm failing miserably.

 $ sudo cat /etc/hostname.vic2 # External NIC with static public IPv4
address
 inet 50.50.50.59 255.255.255.0 50.50.50.255

 $ sudo cat /etc/hostname.vic3 # Internal NIC used as gateway by two
 machines on same network
 inet 10.221.181.10 255.255.255.0 10.221.181.255

 For troubleshooting I have removed the block all rule, to confirm that
 it is in fact my NAT related rules that don't work.

 These are my first and only NAT rules. The other rules work fine and
 are just to allow SSH to my management interface and ICMP response
 from the external IP and from the internal gateway IP. Besides I've
 removed the block all so the other rules don't matter much now.

 match out on vic2 inet from 10.221.181.0/24 to any nat-to (vic2)
round-robin
 pass inet from 10.221.181.0/24 to any flags S/SA keep state

 With tcpdump I can see packets going to vic3, but no further.

 With block all commented out I can fully test the network around and
 everything is working just fine, I can nc -kl 50.50.50.59 65535 and
 connect to that port from anywhere on the internet. I just can't
 connect out from the private network through the gateway. The systems
 in the private network have 10.221.181.10 as their default 

Re: Help setting up a PF NAT gateway

2011-10-10 Thread Stefan Midjich
$ sudo pfctl -sr |grep nat-to
match in on vic3 inet from 10.221.181.0/24 to any label NATOut
nat-to (vic2) round-robin

pfctl -vsl shows only evaluated packets for all my rules, which
worries me, it never increments the counter of packets gone through
any of the nat rules. Only the first rules for management network and
of course the block rule when it was in place.

2011/10/10 James Shupe jsh...@osre.org:
 What does `pfctl -sr | grep nat-to` say?

 On 10/10/11 10:38 AM, Stefan Midjich wrote:
 Simplest of things but I'm failing miserably.

 $ sudo cat /etc/hostname.vic2 # External NIC with static public IPv4
address
 inet 50.50.50.59 255.255.255.0 50.50.50.255

 $ sudo cat /etc/hostname.vic3 # Internal NIC used as gateway by two
 machines on same network
 inet 10.221.181.10 255.255.255.0 10.221.181.255

 For troubleshooting I have removed the block all rule, to confirm that
 it is in fact my NAT related rules that don't work.

 These are my first and only NAT rules. The other rules work fine and
 are just to allow SSH to my management interface and ICMP response
 from the external IP and from the internal gateway IP. Besides I've
 removed the block all so the other rules don't matter much now.

 match out on vic2 inet from 10.221.181.0/24 to any nat-to (vic2)
round-robin
 pass inet from 10.221.181.0/24 to any flags S/SA keep state

 With tcpdump I can see packets going to vic3, but no further.

 With block all commented out I can fully test the network around and
 everything is working just fine, I can nc -kl 50.50.50.59 65535 and
 connect to that port from anywhere on the internet. I just can't
 connect out from the private network through the gateway. The systems
 in the private network have 10.221.181.10 as their default gateway.

 I even have the Book of PF 2nd edition here but it's of no use, the
 rules are mostly from there. Just for troubleshooting I can also nc
 -kl 10.221.181.10 65535 on the gateway and connect to that port from
 the private network machines without issues.

 So please tell me, what am I missing in this nat-to rule?

 --


 Med vänliga hälsningar / With kind regards

 Stefan Midjich



 --
 James Shupe, OSRE
 developer/ engineer
 jsh...@osre.org | 866.235.1288
 BSD/ Linux Support | Metro Ethernet | Hosting
 check out our site at www.osre.org





--


Med vänliga hälsningar / With kind regards

Stefan Midjich



Re: Help setting up a PF NAT gateway

2011-10-10 Thread Peter N. M. Hansteen
Stefan Midjich sweh...@gmail.com writes:

 $ sudo cat /etc/hostname.vic2 # External NIC with static public IPv4 address
 inet 50.50.50.59 255.255.255.0 50.50.50.255
 $ sudo cat /etc/hostname.vic3 # Internal NIC used as gateway by two machines 
 on same network
 inet 10.221.181.10 255.255.255.0 10.221.181.255

Are both of those point to point links? I have a feeling this is
the source of your problem, see man ifconfig


-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Help setting up a PF NAT gateway

2011-10-10 Thread Stefan Midjich
Not sure what you mean but they're both in switched vlans, two
different vlans. Point to Point is a crossover cable right? I'm not
sure what it means in English. This is all a virtual environment I use
for training so there are no cables as such.

2011/10/10 Peter N. M. Hansteen pe...@bsdly.net:
 Stefan Midjich sweh...@gmail.com writes:

 $ sudo cat /etc/hostname.vic2 # External NIC with static public IPv4
address
 inet 50.50.50.59 255.255.255.0 50.50.50.255
 $ sudo cat /etc/hostname.vic3 # Internal NIC used as gateway by two
machines on same network
 inet 10.221.181.10 255.255.255.0 10.221.181.255

 Are both of those point to point links? I have a feeling this is
 the source of your problem, see man ifconfig


 --
 Peter N. M. Hansteen, member of the first RFC 1149 implementation team
 http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
 Remember to set the evil bit on all malicious network traffic
 delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.




--


Med vänliga hälsningar / With kind regards

Stefan Midjich



Re: Help setting up a PF NAT gateway

2011-10-10 Thread Christiano F. Haesbaert
On 10 October 2011 15:05, Stefan Midjich sweh...@gmail.com wrote:
 That was from the output of pfctl -vf /etc/pf.conf so it expands the
 rules and adds all that is implied, like keep state for example.


I think that is not what you want:
match in on vic3 inet from 10.221.181.0/24 to any label NATOut
nat-to (vic2) round-robin

You want to match packets going out your external interface, and then
nat-to the external interface address, so try something like:

match out on vic2 inet from 10.221.181.0/24 nat-to (vic2)

Considering vic2 as your external interface.



Re: Help setting up a PF NAT gateway

2011-10-10 Thread Peter N. M. Hansteen
Stefan Midjich sweh...@gmail.com writes:

 Not sure what you mean but they're both in switched vlans, two
 different vlans. Point to Point is a crossover cable right? I'm not
 sure what it means in English. This is all a virtual environment I use
 for training so there are no cables as such.

take a step back. with PF disabled (pfctl -d), do you
have connectivity, does traffic pass where you want it to?

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Help setting up a PF NAT gateway

2011-10-10 Thread Stefan Midjich
match out on egress inet from vic3:network nat-to (egress:0)

This is the new rule then, as it appears in pfctl -v

match out on egress inet from 10.221.181.0/24 to any nat-to (egress:0)
round-robin

vic2 is only NIC in egress group in ifconfig.

nc -vv cvs.openbsd.org 25 from 10.221.181.20 does not connect even
though there is no block rule now.

2011/10/10 Christiano F. Haesbaert haesba...@haesbaert.org:
 On 10 October 2011 15:05, Stefan Midjich sweh...@gmail.com wrote:
 That was from the output of pfctl -vf /etc/pf.conf so it expands the
 rules and adds all that is implied, like keep state for example.


 I think that is not what you want:
 match in on vic3 inet from 10.221.181.0/24 to any label NATOut
 nat-to (vic2) round-robin

 You want to match packets going out your external interface, and then
 nat-to the external interface address, so try something like:

 match out on vic2 inet from 10.221.181.0/24 nat-to (vic2)

 Considering vic2 as your external interface.




--


Med vänliga hälsningar / With kind regards

Stefan Midjich



Re: Help setting up a PF NAT gateway

2011-10-10 Thread Stefan Midjich
I have taken away the block all rule, but pfctl -d makes no
difference. The gateway itself behaves just like any server connected
to multiple vlans. You can reach the world around it, through its
default gateway you can reach the internet.

The servers connected to its private vlan, vic3, cannot connect to
anything but themselves and the gateway ip 10.221.181.10. They cannot
go further. The gateway can ping them and connect to them just like on
a vlan.

2011/10/10 Peter N. M. Hansteen pe...@bsdly.net:
 Stefan Midjich sweh...@gmail.com writes:

 Not sure what you mean but they're both in switched vlans, two
 different vlans. Point to Point is a crossover cable right? I'm not
 sure what it means in English. This is all a virtual environment I use
 for training so there are no cables as such.

 take a step back. with PF disabled (pfctl -d), do you
 have connectivity, does traffic pass where you want it to?

 --
 Peter N. M. Hansteen, member of the first RFC 1149 implementation team
 http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
 Remember to set the evil bit on all malicious network traffic
 delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.




--


Med vänliga hälsningar / With kind regards

Stefan Midjich



Re: Help setting up a PF NAT gateway

2011-10-10 Thread Peter N. M. Hansteen
A couple of general comments, 

keep state is the default, no need to specify 

from any to any port =  - to port does the same thing

quick means if we match this, we do no more evaluation for this one.
I suspect your quick rules before the nat-to match rules mean that
anything that matches the quicks pass without hitting the match with the
nat-to. fine if it's your intention, if not, check what really happens
(tcpdump is your friend).

But again, please check that you have a basic network config and
connectivity to eliminate.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
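Peter's point about `quick` rules, and Christiano's earlier one about applying `nat-to` on the way out of the external interface, can be checked mechanically against a saved ruleset. The POSIX shell script below is an added example written for this page, not code from the thread or from OpenBSD. It reads a ruleset in the one-rule-per-line form that `pfctl -sr` prints, lists every `pass ... quick` rule that precedes the first `match ... nat-to` rule (traffic passed by such a rule never reaches the NAT match and leaves un-NATed), lists any `match in ... nat-to` rule (NAT belongs on the outbound side of the external interface), and checks a `sysctl net.inet.ip.forwarding` output line. The interface names, addresses and rules in `SAMPLE_RULES` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks on a PF ruleset listing
# and on the forwarding sysctl, run entirely on constructed text.

# Constructed ruleset in "pfctl -sr" form. The two quick SSH passes come
# before the nat-to match rule, which is the ordering problem discussed.
SAMPLE_RULES='block drop all
pass in quick on vic3 inet proto tcp from 10.221.181.0/24 to any port = ssh flags S/SA keep state
pass out quick on vic2 inet proto tcp from 10.221.181.0/24 to any port = ssh flags S/SA keep state
match out on vic2 inet from 10.221.181.0/24 to any nat-to (vic2:0) round-robin
pass out on vic2 inet from 10.221.181.0/24 to any flags S/SA keep state'

# Print the line number (position in the listing) of every "pass ... quick"
# rule that appears before the first "match ... nat-to" rule. Reads stdin.
quick_before_nat() {
    awk '
        /^match .* nat-to / && !seen_nat { seen_nat = 1 }
        /^pass / && / quick / && !seen_nat { print NR }
    '
}

# Print the line number of every nat-to rule matched on the inbound side.
# NAT should be applied by "match out" on the external interface. Reads stdin.
inbound_nat_rules() {
    awk '/^match in .* nat-to / { print NR }'
}

# Convenience wrapper: number of quick pass rules ahead of the NAT match.
# 0 means the ordering cannot hide the nat-to from any traffic.
count_quick_before_nat() {
    printf '%s\n' "$1" | quick_before_nat | wc -l | tr -d ' '
}

# Check one line of "sysctl net.inet.ip.forwarding" output.
# Returns 0 when forwarding is enabled, 1 otherwise.
forwarding_enabled() {
    case "$1" in
        net.inet.ip.forwarding=1) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration on the constructed ruleset.
printf 'quick pass rules before the nat-to match: %s\n' \
    "$(printf '%s\n' "$SAMPLE_RULES" | quick_before_nat | tr '\n' ' ')"
printf 'inbound nat-to rules: %s\n' \
    "$(printf '%s\n' "$SAMPLE_RULES" | inbound_nat_rules | tr '\n' ' ')"
```

On a live gateway the same functions take `pfctl -sr` output on stdin. The checks look at rule position and direction only: whether a flagged `quick` rule actually matches the traffic you want translated still has to be confirmed with tcpdump, as Peter says, and a flagged rule is fixed either by moving it below the `match ... nat-to` rule or by dropping `quick` from it.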



Re: Help setting up a PF NAT gateway

2011-10-10 Thread Stefan N
Hi Stefan,

As you mentioned, IP forwarding is already enabled on your system.
Have you configured the IP alias on the network interface for the NAT
purpose?
If the NAT is done on the external interface then you'll need to add in
the IP alias on /etc/hostname.vic2

Please read the guide from openbsd url below:
http://www.openbsd.org/cgi-bin/man.cgi?query=hostname.if&apropos=0&sektion=0&manpath=OpenBSD+4.9&arch=i386&format=html

Sample of hostname.if config with IP alias:

  A typical file contains only one line, but more extensive files are
  possible, for example:

   inet 10.0.1.12 255.255.255.0 10.0.1.255 media 100baseTX description Uplink
   inet alias 10.0.1.13 255.255.255.255 10.0.1.13
   inet alias 10.0.1.14 255.255.255.255 NONE
   inet alias 10.0.1.15 255.255.255.255
   inet alias 10.0.1.16 0x
   # This is an example comment line.
   inet6 alias fec0::1 64
   inet6 alias fec0::2 64 anycast
   !route add 65.65.65.65 10.0.1.13
   up
I hope it helps.

Regards,
Stefan




From: Stefan Midjich sweh...@gmail.com
To: Mark (obsd) openbsd-l...@nerdish.us
Cc: misc@openbsd.org
Sent: Tuesday, October 11, 2011 2:06 AM
Subject: Re: Help setting up a PF NAT gateway

Yes forwarding is enabled. I have followed the Book of PF 2nd Edition so
far.

2011/10/10 Mark (obsd) openbsd-l...@nerdish.us:
 Hi Stefan,

 On Mon, Oct 10, 2011 at 10:38 AM, Stefan Midjich sweh...@gmail.com wrote:

 Simplest of things but I'm failing miserably.

 ...

 With tcpdump I can see packets going to vic3, but no further.


 Do you definitely have forwarding enabled?
 # sysctl net.inet.ip.forwarding
 net.inet.ip.forwarding=1
 If that were 0 instead of 1, you'd get your symptoms.  Edit
 /etc/sysctl.conf
 to enable forwarding if you haven't.
 Regards,
 Mark



--


Med vänliga hälsningar / With kind regards

Stefan Midjich



Re: Help setting up a PF NAT gateway

2011-10-10 Thread Stefan Midjich
No I was not aware of this. Could you please explain the meaning of an
alias address on the external interface for NAT?

There is no mention of using an alias for NAT in this document for
example http://www.openbsd.org/faq/pf/nat.html

Just to be clear, I already have an external and internal physical
interface to work with, so I am unclear as to why I need an alias.

2011/10/11 Stefan N stefanbsd...@yahoo.com:
 Hi Stefan,
 As you mentioned, IP forwarding is already enabled on your system.
 Have you configured the IP alias on the network interface for the NAT
 purpose?
 If the NAT is done on external interface then you'll need to add in the IP
 alias on /etc/hostname.vic2
 Please read the guide from openbsd url below:

 http://www.openbsd.org/cgi-bin/man.cgi?query=hostname.if&apropos=0&sektion=0&manpath=OpenBSD+4.9&arch=i386&format=html
 Sample of hostname.if config with IP alias:

  A typical file contains only one line, but more extensive files are
  possible, for example:

   inet 10.0.1.12 255.255.255.0 10.0.1.255 media 100baseTX description
 Uplink
   inet alias 10.0.1.13 255.255.255.255 10.0.1.13
   inet alias 10.0.1.14 255.255.255.255 NONE
   inet alias 10.0.1.15 255.255.255.255
   inet alias 10.0.1.16 0x
   # This is an example comment line.
   inet6 alias fec0::1 64
   inet6 alias fec0::2 64 anycast
   !route add 65.65.65.65 10.0.1.13
   up

 I hope it helps.
 Regards,
 Stefan
 
 From: Stefan Midjich sweh...@gmail.com
 To: Mark (obsd) openbsd-l...@nerdish.us
 Cc: misc@openbsd.org
 Sent: Tuesday, October 11, 2011 2:06 AM
 Subject: Re: Help setting up a PF NAT gateway

 Yes forwarding is enabled. I have followed the Book of PF 2nd Edition so
 far.

 2011/10/10 Mark (obsd) openbsd-l...@nerdish.us:
 Hi Stefan,

 On Mon, Oct 10, 2011 at 10:38 AM, Stefan Midjich sweh...@gmail.com
 wrote:

 Simplest of things but I'm failing miserably.

 ...

 With tcpdump I can see packets going to vic3, but no further.


 Do you definitely have forwarding enabled?
 # sysctl net.inet.ip.forwarding
 net.inet.ip.forwarding=1
 If that were 0 instead of 1, you'd get your symptoms.  Edit
 /etc/sysctl.conf
 to enable forwarding if you haven't.
 Regards,
 Mark



 --


 Med vänliga hälsningar / With kind regards

 Stefan Midjich







--


Med vänliga hälsningar / With kind regards

Stefan Midjich