Re: nat problems when using address pool
Just an update. It seems source-hash, for whatever reason, simply doesn't work for me. I did find an older post that exhibits a similar issue: http://www.monkey.org/openbsd/archive/bugs/0403/msg00211.html Round-robin works fine, but source-hash will always leave some systems blind to the Internet; they can ping the gateway's internal interface but not the external interface. On a more upbeat note, I discovered sticky-address which, if it doesn't cause the problems that source-hash did, will be a very good solution, ameliorating the issues caused by round-robin alone; plus, as an added bonus, will allow me to use a table instead of a CIDR block. I have implemented it, so far, so good. My fingers are crossed that the same side effect caused by source-hash doesn't appear. Chris
nat problems when using address pool
OpenBSD 3.7
Some hosts will experience poor to seemingly no Internet access when
using NAT address pools - web sites time out, even pings to remote
addresses fail.
Using:
nat on $ext_if from !$ext_if - $ext_if:0
works fine.
Using:
nat on $ext_if from !$ext_if - $ext_if
or
nat on $ext_if from !$ext_if - ext_net
does not.
Configuration:
T1-(cisco)-eth0 ---fxp0-(openBSD)-em0
|
em1
fxp0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
address: 00:07:e9:93:2b:50
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 66.100.28.130 netmask 0xfff0 broadcast 66.100.28.143
inet6 fe80::207:e9ff:fe93:2b50%fxp0 prefixlen 64 scopeid 0x3
inet 66.100.28.131 netmask 0x broadcast 66.100.28.131
inet 66.100.28.132 netmask 0x broadcast 66.100.28.132
inet 66.100.28.133 netmask 0x broadcast 66.100.28.133
inet 66.100.28.134 netmask 0x broadcast 66.100.28.134
inet 66.100.28.135 netmask 0x broadcast 66.100.28.135
inet 66.100.28.136 netmask 0x broadcast 66.100.28.136
inet 66.100.28.137 netmask 0x broadcast 66.100.28.137
inet 66.100.28.138 netmask 0x broadcast 66.100.28.138
inet 66.100.28.139 netmask 0x broadcast 66.100.28.139
inet 66.100.28.140 netmask 0x broadcast 66.100.28.140
inet 66.100.28.141 netmask 0x broadcast 66.100.28.141
inet 66.100.28.142 netmask 0x broadcast 66.100.28.142
Alas I realized that the outbound mail server couldn't participate in
such a scheme as it needed to present the same addresses to the world
so that its dns name matched the helo name.
So I tried this:
nat on $ext_if from $server_1 - $ext_ad
nat on $ext_if from sp_net - $ext_ad_sp
nat on $ext_if from kw_net_minus - ext_net_minus
where sp_net is the address block on em1 and kw_net_minus is the
address block on em0 minus ext_ad (66.100.28.130).
Same problem, although mail service was solid again (no bounces from
those MTA's doing reverse lookups).
After examining http://openbsd.org/faq/pf/pools.html, I thought it might
be a round-robin vs. source-hash issue and tried this:
nat on $ext_if from $server_1 - $ext_ad
nat on $ext_if from sp_net - $ext_ad_sp
nat on $ext_if from kw_net_minus - 66.100.28.136/29 source-hash
as it appears, from the doc above that a CIDR block must be used when
specifying source-hash.
But again some clients experience very poor to what seems like no
Internet access.
The minute I revert back to:
nat on $ext_if from !$ext_if - $ext_if:0
or
nat on $ext_if from { kw_net, sp_net } - ext_net
everone works but my translations are limited to just the one address.
Pointers toward resolution? Thanks.
Chris
Re: nat problems when using address pool
Granted I'm running 3.6 but I have a setup very similar to you.
The external NATs of the servers are not in the natpool30 (1.2.3.0/30)
network.
In my experience, any protocols where the server will generate a
separate connection back to the client (like ftp) will not work with NAT
pools.
#Port NATs
rdr pass on $int_if inet proto tcp to port 21 - 127.0.0.1 port 8021
rdr pass on $ext_if inet proto tcp from trusted_users to $server1_nat
port 80 - $server1_int port 8080
#One 2 One Static NATs
binat on $ext_if inet from $server2_int to any - $server2_nat
#Outbound Hide NATs
nat on $ext_if inet from internal-subnets to any port $NATPoolPortsTCP
- $natpool30 source-hash
nat on $ext_if inet from internal-subnets to any - $ext_if
Ryan
On Fri, 2005-09-16 at 15:34 -0400, Chris Smith wrote:
OpenBSD 3.7
Some hosts will experience poor to seemingly no Internet access when
using NAT address pools - web sites time out, even pings to remote
addresses fail.
Using:
nat on $ext_if from !$ext_if - $ext_if:0
works fine.
Using:
nat on $ext_if from !$ext_if - $ext_if
or
nat on $ext_if from !$ext_if - ext_net
does not.
Configuration:
T1-(cisco)-eth0 ---fxp0-(openBSD)-em0
|
em1
fxp0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
address: 00:07:e9:93:2b:50
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 66.100.28.130 netmask 0xfff0 broadcast 66.100.28.143
inet6 fe80::207:e9ff:fe93:2b50%fxp0 prefixlen 64 scopeid 0x3
inet 66.100.28.131 netmask 0x broadcast 66.100.28.131
inet 66.100.28.132 netmask 0x broadcast 66.100.28.132
inet 66.100.28.133 netmask 0x broadcast 66.100.28.133
inet 66.100.28.134 netmask 0x broadcast 66.100.28.134
inet 66.100.28.135 netmask 0x broadcast 66.100.28.135
inet 66.100.28.136 netmask 0x broadcast 66.100.28.136
inet 66.100.28.137 netmask 0x broadcast 66.100.28.137
inet 66.100.28.138 netmask 0x broadcast 66.100.28.138
inet 66.100.28.139 netmask 0x broadcast 66.100.28.139
inet 66.100.28.140 netmask 0x broadcast 66.100.28.140
inet 66.100.28.141 netmask 0x broadcast 66.100.28.141
inet 66.100.28.142 netmask 0x broadcast 66.100.28.142
Alas I realized that the outbound mail server couldn't participate in
such a scheme as it needed to present the same addresses to the world
so that its dns name matched the helo name.
So I tried this:
nat on $ext_if from $server_1 - $ext_ad
nat on $ext_if from sp_net - $ext_ad_sp
nat on $ext_if from kw_net_minus - ext_net_minus
where sp_net is the address block on em1 and kw_net_minus is the
address block on em0 minus ext_ad (66.100.28.130).
Same problem, although mail service was solid again (no bounces from
those MTA's doing reverse lookups).
After examining http://openbsd.org/faq/pf/pools.html, I thought it might
be a round-robin vs. source-hash issue and tried this:
nat on $ext_if from $server_1 - $ext_ad
nat on $ext_if from sp_net - $ext_ad_sp
nat on $ext_if from kw_net_minus - 66.100.28.136/29 source-hash
as it appears, from the doc above that a CIDR block must be used when
specifying source-hash.
But again some clients experience very poor to what seems like no
Internet access.
The minute I revert back to:
nat on $ext_if from !$ext_if - $ext_if:0
or
nat on $ext_if from { kw_net, sp_net } - ext_net
everone works but my translations are limited to just the one address.
Pointers toward resolution? Thanks.
Chris
Re: nat problems when using address pool
Chris Smith wrote:
OpenBSD 3.7
Some hosts will experience poor to seemingly no Internet access when
using NAT address pools - web sites time out, even pings to remote
addresses fail.
Using:
nat on $ext_if from !$ext_if - $ext_if:0
works fine.
Using:
nat on $ext_if from !$ext_if - $ext_if
or
nat on $ext_if from !$ext_if - ext_net
does not.
Configuration:
T1-(cisco)-eth0 ---fxp0-(openBSD)-em0
|
em1
fxp0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
address: 00:07:e9:93:2b:50
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 66.100.28.130 netmask 0xfff0 broadcast 66.100.28.143
inet6 fe80::207:e9ff:fe93:2b50%fxp0 prefixlen 64 scopeid 0x3
inet 66.100.28.131 netmask 0x broadcast 66.100.28.131
inet 66.100.28.132 netmask 0x broadcast 66.100.28.132
inet 66.100.28.133 netmask 0x broadcast 66.100.28.133
inet 66.100.28.134 netmask 0x broadcast 66.100.28.134
inet 66.100.28.135 netmask 0x broadcast 66.100.28.135
inet 66.100.28.136 netmask 0x broadcast 66.100.28.136
inet 66.100.28.137 netmask 0x broadcast 66.100.28.137
inet 66.100.28.138 netmask 0x broadcast 66.100.28.138
inet 66.100.28.139 netmask 0x broadcast 66.100.28.139
inet 66.100.28.140 netmask 0x broadcast 66.100.28.140
inet 66.100.28.141 netmask 0x broadcast 66.100.28.141
inet 66.100.28.142 netmask 0x broadcast 66.100.28.142
Alas I realized that the outbound mail server couldn't participate in
such a scheme as it needed to present the same addresses to the world
so that its dns name matched the helo name.
So I tried this:
nat on $ext_if from $server_1 - $ext_ad
nat on $ext_if from sp_net - $ext_ad_sp
nat on $ext_if from kw_net_minus - ext_net_minus
where sp_net is the address block on em1 and kw_net_minus is the
address block on em0 minus ext_ad (66.100.28.130).
Same problem, although mail service was solid again (no bounces from
those MTA's doing reverse lookups).
After examining http://openbsd.org/faq/pf/pools.html, I thought it might
be a round-robin vs. source-hash issue and tried this:
nat on $ext_if from $server_1 - $ext_ad
nat on $ext_if from sp_net - $ext_ad_sp
nat on $ext_if from kw_net_minus - 66.100.28.136/29 source-hash
as it appears, from the doc above that a CIDR block must be used when
specifying source-hash.
But again some clients experience very poor to what seems like no
Internet access.
The minute I revert back to:
nat on $ext_if from !$ext_if - $ext_if:0
or
nat on $ext_if from { kw_net, sp_net } - ext_net
everone works but my translations are limited to just the one address.
Pointers toward resolution? Thanks.
Chris,
First off, it's a bad idea to broadcast your real IP numbers
in a public place.
Secondly, here's what works for me.
nat_pool = { 169.1.2.64/29 }
nat on $ext_if from 10.10.10.0/25 to any - $nat_pool source-hash
At this site, I originally omitted source-hash. Users of
secure web-sites like ADP (a payroll processing company) and
the IRS would get dumped out of secure sessions because the
client was changing IP numbers.
Best,
Ray
Re: nat problems when using address pool
On Friday 16 September 2005 04:20 pm, Raymond Lillard wrote:
First off, it's a bad idea to broadcast your real IP numbers
in a public place.
I had always thought that but then I read this article:
http://homepages.tesco.net/~J.deBoynePollard/FGA/dont-obscure-your-dns-data.html
It seems to make sense. After all, they are public IP addresses, and by
trying to obscure them I might either create or hide a typo that would
prevent proper assistance.
Maybe Jonathan is wrong but the argument seems logical on the surface.
Secondly, here's what works for me.
nat_pool = { 169.1.2.64/29 }
nat on $ext_if from 10.10.10.0/25 to any - $nat_pool source-hash
Unfortunately I don't see where this is effectively different from:
nat on $ext_if from kw_net_minus - 66.100.28.136/29 source-hash
Except I'm using a table and the to any isn't specified, but it isn't
necessary when the form is:
nat on $ext_if from !$ext_if - $ext_if:0
But I do like using the macro for the nat pool.
But I'll certainly try to change things around, just in case.
Thanks.
Chris
Re: nat problems when using address pool
On Friday 16 September 2005 04:13 pm, Ryan Puckett wrote: In my experience, any protocols where the server will generate a separate connection back to the client (like ftp) will not work with NAT pools. Even passive ftp? nat on $ext_if inet from internal-subnets to any port $NATPoolPortsTCP - $natpool30 source-hash Hmm...you may have something there. I didn't have the inet keyword, which according to Jacek's book is required if the target address expands to more than one address family. As posted earlier: --- fxp0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500 address: 00:07:e9:93:2b:50 media: Ethernet autoselect (100baseTX full-duplex) status: active inet 66.100.28.130 netmask 0xfff0 broadcast 66.100.28.143 inet6 fe80::207:e9ff:fe93:2b50%fxp0 prefixlen 64 scopeid 0x3 inet 66.100.28.131 netmask 0x broadcast 66.100.28.131 inet 66.100.28.132 netmask 0x broadcast 66.100.28.132 inet 66.100.28.132 netmask 0x broadcast 66.100.28.133 ... inet 66.100.28.132 netmask 0x broadcast 66.100.28.142 --- Does the inet6 component, seemingly only tied to the primary address, apply to the aliases (the upper half of the aliases form the pool) as well? Also what happens to the other component? IOW if the nat rule contains inet does ipv6 get dropped or just not natted? Or vice versa (if the nat rule contains inet6)? Thanks. Chris
