Re: Routing private networks
Perfect! I got it working. Here is the rule. Do I need the 2nd no nat rule,
or is it just extra and in the way?

WAN = xl0
LAN = xl1
LAN2 = xl2

no nat from $LAN to $LAN2
no nat from $LAN2 to $LAN
nat on $WAN inet from 192.168.0.0/24 to any -> ($WAN)
nat on $WAN inet from 10.0.0.0/16 to any -> ($WAN)

Thanks!

--Bryan

----- Original Message -----
From: Srebrenko Sehic [EMAIL PROTECTED]
To: Bryan Irvine [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, March 20, 2003 12:59 PM
Subject: Re: Routing private networks

> On Thu, Mar 20, 2003 at 11:02:03AM -0800, Bryan Irvine wrote:
>
> > no nat on $WAN from $LAN to $DMZ
> > no nat on $WAN from $DMZ to $LAN
> > nat on $WAN inet from $LAN to any -> ($WAN)
> > nat on $WAN inet from $DMZ to any -> ($WAN)
>
> Packets from $LAN to $DMZ, and vice versa, never go across the $WAN
> interface. Hence, "no nat on $WAN from $LAN to $DMZ" is bogus. It does
> nothing. Try
>
> no nat from $LAN to $DMZ
>
> // haver
Re: Routing private networks
On Friday, Mar 21, 2003, at 10:54 US/Pacific, Bryan Irvine wrote:

> Do I need the 2nd no nat rule or is it just extra and in the way?
>
> WAN = xl0
> LAN = xl1
> LAN2 = xl2
>
> no nat from $LAN to $LAN2
> no nat from $LAN2 to $LAN
> nat on $WAN inet from 192.168.0.0/24 to any -> ($WAN)
> nat on $WAN inet from 10.0.0.0/16 to any -> ($WAN)

Unless I am missing something, you do not need any of the no nat rules. You
are, after all, only doing nat on $WAN, and packets moving between $LAN and
$LAN2 never touch $WAN.
Re: Routing private networks
Not according to the manpages:

    In the example below, fxp1 is the outside interface; the machine sits
    between a fake internal 144.19.74.* network, and a routable external IP
    of 204.92.77.100. The no nat rule excludes protocol AH from being
    translated.

    # NO NAT
    no nat on fxp1 proto ah from 144.19.74.0/24 to any
    nat on fxp1 from 144.19.74.0/24 to any -> 204.92.77.100

:-/ hmmm

On Thu, 2003-03-20 at 12:23, Jacek Artymiak wrote:
> On Thu, Mar 20, 2003 at 11:02:03AM -0800, Bryan Irvine wrote:
> > I read the rules on no nat and thought I had it configured correctly.
> > ...
> > no nat on $WAN from $LAN to $DMZ
> > no nat on $WAN from $DMZ to $LAN
> > nat on $WAN inet from $LAN to any -> ($WAN)
> > nat on $WAN inet from $DMZ to any -> ($WAN)
>
> Since the last matching rule wins, shouldn't this be
>
> nat on $WAN inet from $LAN to any -> ($WAN)
> nat on $WAN inet from $DMZ to any -> ($WAN)
> no nat on $WAN from $LAN to $DMZ
> no nat on $WAN from $DMZ to $LAN
>
> ???
>
> Best regards,
>
> Jacek Artymiak
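The three points the replies above turn on (a `no nat on $WAN` rule can never match LAN-to-LAN2 traffic because that traffic does not leave through $WAN; the man page's AH exclusion does matter because AH and the NATed traffic share fxp1; and the order of nat and no nat rules) can be checked with a small model of pf's translation-rule matching. The following is an added example written for this page, not code from the thread or from OpenBSD. It assumes what pf.conf(5) documents for translation rules: they are evaluated in order and the first matching rule decides (it is filter rules that are last-match), a rule with `on <if>` only matches packets leaving through that interface, and a bare interface name used as an address means that interface's own address rather than the network behind it, so `from $LAN` with `LAN = xl1` matches 192.168.0.1, not 192.168.0.0/24. The interface names and macros are Bryan's; the interface addresses, the default route through xl0, and the sample flows are constructed for the example, and the AH rules are the man page's example transposed onto Bryan's macros.

```python
# Added model of pf translation-rule evaluation (nat / no nat); not OpenBSD code.
# Assumed, per pf.conf(5): translation rules are tried in order and the FIRST
# match decides; "on <if>" matches only packets leaving through <if>; a bare
# interface name used as an address is that interface's own address.
import ipaddress
import re

# Constructed topology for Bryan's three interfaces; the addresses are invented.
IFACES = {
    "xl0": {"addr": "204.92.77.100", "net": "204.92.77.0/24"},  # WAN, default route
    "xl1": {"addr": "192.168.0.1", "net": "192.168.0.0/24"},    # LAN
    "xl2": {"addr": "10.0.0.1", "net": "10.0.0.0/16"},          # LAN2
}
MACROS = {"WAN": "xl0", "LAN": "xl1", "LAN2": "xl2"}
KEYWORDS = {"on": "on", "proto": "proto", "from": "src", "to": "dst", "->": "target"}

def expand(text):
    """Substitute $MACRO like pfctl, then resolve "(if)" to that interface's address."""
    text = re.sub(r"\$(\w+)", lambda m: MACROS[m.group(1)], text)
    return re.sub(r"\((\w+)\)", lambda m: IFACES[m.group(1)]["addr"], text)

def parse_rule(line):
    """Parse the nat / no nat syntax used in the thread into a dict."""
    toks = expand(line).split()
    rule = {"action": "nat", "on": None, "proto": None,
            "src": "any", "dst": "any", "target": None}
    if toks[0] == "no":
        rule["action"], toks = "no nat", toks[1:]
    if toks[0] != "nat":
        raise ValueError(f"not a translation rule: {line!r}")
    i = 1
    while i < len(toks):
        if toks[i] == "inet":            # address family only; nothing to record
            i += 1
        elif toks[i] in KEYWORDS:
            rule[KEYWORDS[toks[i]]] = toks[i + 1]
            i += 2
        else:
            raise ValueError(f"unsupported token {toks[i]!r} in {line!r}")
    return rule

def addr_matches(spec, ip):
    """pf address matching: any, a bare interface name (its address), or a CIDR."""
    if spec == "any":
        return True
    if spec in IFACES:
        return ip == ipaddress.ip_address(IFACES[spec]["addr"])
    return ip in ipaddress.ip_network(spec, strict=False)

def egress_iface(dst):
    """A directly connected network wins; everything else takes the default route."""
    for name, cfg in IFACES.items():
        if dst in ipaddress.ip_network(cfg["net"]):
            return name
    return MACROS["WAN"]

def translate(rules, src, dst, proto="tcp"):
    """Return (egress iface, source after translation, index of the deciding rule)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    out = egress_iface(dst)
    for n, r in enumerate(rules):        # first match decides
        if r["on"] is not None and r["on"] != out:
            continue
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if addr_matches(r["src"], src) and addr_matches(r["dst"], dst):
            return out, (str(src) if r["action"] == "no nat" else r["target"]), n
    return out, str(src), None

# Bryan's working ruleset, and the same ruleset with its no nat lines removed.
BRYAN = [parse_rule(ln) for ln in [
    "no nat from $LAN to $LAN2",
    "no nat from $LAN2 to $LAN",
    "nat on $WAN inet from 192.168.0.0/24 to any -> ($WAN)",
    "nat on $WAN inet from 10.0.0.0/16 to any -> ($WAN)",
]]
BRYAN_NO_EXCLUSIONS = BRYAN[2:]

# The man page's AH exclusion transposed onto Bryan's macros, in both orders.
AH_FIRST = [parse_rule(ln) for ln in [
    "no nat on $WAN proto ah from 192.168.0.0/24 to any",
    "nat on $WAN from 192.168.0.0/24 to any -> ($WAN)",
]]
AH_LAST = AH_FIRST[::-1]

# Constructed flows: LAN -> LAN2, LAN -> Internet, LAN2 -> Internet.
SAMPLE_FLOWS = [("192.168.0.10", "10.0.5.5"), ("192.168.0.10", "198.51.100.7"),
                ("10.0.5.5", "198.51.100.7")]

def exclusions_matter(flows=SAMPLE_FLOWS):
    """True if removing Bryan's no nat rules changes any flow's egress or source."""
    return any(translate(BRYAN, s, d)[:2] != translate(BRYAN_NO_EXCLUSIONS, s, d)[:2]
               for s, d in flows)
```

Running `translate(BRYAN, "192.168.0.10", "10.0.5.5")` returns the packet untranslated on xl2 with no rule matched at all, and `exclusions_matter()` is false: with every nat rule bound to $WAN, the no nat lines change nothing, which is the second reply's point. The `no nat from $LAN to $LAN2` lines do match something, but only the router's own traffic (192.168.0.1 to 10.0.0.1), because `$LAN` expands to the interface name xl1 and that means its address; the nat lines are written with the networks in CIDR form, which is what actually matches the hosts. The AH pair shows why the man page's exclusion is not a no-op and why Jacek's reordering would break it: with the no nat rule first, an AH packet from 192.168.0.10 to 198.51.100.7 leaves xl0 untranslated; with the nat rule first, the nat rule matches and the no nat rule is never consulted.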
Re: Routing private networks
On Wed, Mar 19, 2003 at 01:37:35PM -0800, Bryan Irvine wrote:

> What I want is for the 192.168.0.* and 10.0.*.* networks to see each
> other just fine. Which is possible to do with routing, but then for these
> networks to get onto the internet I have to turn on NAT (or do I?), which
> makes the 2 networks invisible to each other except via rdr rules, which
> won't work for this scenario.

Look at 'no nat ...' in pf.conf(5). You can define a rule saying: if
192.168.0.* and 10.0.*.* need to talk to public addresses, nat them;
otherwise, don't.
Re: Routing private networks
So would I need to turn on RIP at all? Or would it just know because it's a
directly connected interface?

--Bryan

On Wed, 2003-03-19 at 14:07, Srebrenko Sehic wrote:
> On Wed, Mar 19, 2003 at 01:37:35PM -0800, Bryan Irvine wrote:
>
> > What I want is for the 192.168.0.* and 10.0.*.* networks to see each
> > other just fine. Which is possible to do with routing, but then for
> > these networks to get onto the internet I have to turn on NAT (or do
> > I?), which makes the 2 networks invisible to each other except via rdr
> > rules, which won't work for this scenario.
>
> Look at 'no nat ...' in pf.conf(5). You can define a rule saying: if
> 192.168.0.* and 10.0.*.* need to talk to public addresses, nat them;
> otherwise, don't.