Re: Help setting up a PF NAT gateway

After all that I was still doing NAT wrong, I thank you Norman! It works perfectly now and it makes much more sense as NAT must be done from the lo0 too out on the external IF. 2011/10/13 Norman Golisz : > Hi Stefan, > > On Wed Oct 12 2011 14:59, Stefan Midjich wrote: >> I must say that thanks to

Re: Help setting up a PF NAT gateway

Hi Stefan, On Wed Oct 12 2011 14:59, Stefan Midjich wrote: > I must say that thanks to your help on this list I've finally managed > to get it working. I have bought FreeBSD CD sets in the past as a > means to donate and I intend to buy 5.0 sets now because I believe > strongly in open source soft

Re: Help setting up a PF NAT gateway

I must say that thanks to your help on this list I've finally managed to get it working. I have bought FreeBSD CD sets in the past as a means to donate and I intend to buy 5.0 sets now because I believe strongly in open source software. Well it was also thanks to some pf.conf samples I found onlin

Re: Help setting up a PF NAT gateway

2011/10/10 Stefan Midjich : > Simplest of things but I'm failing miserably. > > $ sudo cat /etc/hostname.vic2 # External NIC with static public IPv4 address > inet 50.50.50.59 255.255.255.0 50.50.50.255 > > $ sudo cat /etc/hostname.vic3 # Internal NIC used as gateway by two > machines on same netwo

Re: Help setting up a PF NAT gateway

It works now that I started over from scratch, I have a block in all and a pass out all by default and NAT is working. I can see packets on both in and out-interfaces with tcpdump. Of course ICMP response is not being sent back since I have a block in all but at least NAT is working and it is forwa

Re: Help setting up a PF NAT gateway

___ From: Stefan Midjich To: Stefan N Cc: "misc@openbsd.org" Sent: Tuesday, October 11, 2011 1:25 PM Subject: Re: Help setting up a PF NAT gateway No I was not aware of this. Could you please explain the meaning of an alias address on the external interface for N

Re: Help setting up a PF NAT gateway

gt; !route add 65.65.65.65 10.0.1.13 > up > > I hope it helps. > Regards, > Stefan > > From: Stefan Midjich > To: Mark (obsd) > Cc: misc@openbsd.org > Sent: Tuesday, October 11, 2011 2:06 AM > Subject: Re: Help setting up a PF NAT gatewa

Re: Help setting up a PF NAT gateway

alias fec0::2 64 anycast !route add 65.65.65.65 10.0.1.13 up I hope it helps. Regards, Stefan From: Stefan Midjich To: Mark (obsd) Cc: misc@openbsd.org Sent: Tuesday, October 11, 2011 2:06 AM Subject: Re: Help setting up a PF NAT gateway Yes forwarding is ena

Re: Help setting up a PF NAT gateway

A couple of general comments, "keep state" is the default, no need to specify "from any to any port = " - "to port" does the same thing quick means "if we match this, we do no more evaluation for this one". I suspect your quick rules before the nat-to match rules mean that anything that matche

Re: Help setting up a PF NAT gateway

I have taken away the block all rule, but pfctl -d makes no difference. The gateway itself behaves just like any server connected to multiple vlans. You can reach the world around it, through its default gateway you can reach the internet. The servers connected to its private vlan, vic3, cannot co

Re: Help setting up a PF NAT gateway

match out on egress inet from vic3:network nat-to (egress:0) This is the new rule then, as it appears in pfctl -v match out on egress inet from 10.221.181.0/24 to any nat-to (egress:0) round-robin vic2 is only NIC in egress group in ifconfig. nc -vv cvs.openbsd.org 25 from 10.221.181.20 does no

Re: Help setting up a PF NAT gateway

Stefan Midjich writes: > Not sure what you mean but they're both in switched vlans, two > different vlans. Point to Point is a crossover cable right? I'm not > sure what it means in English. This is all a virtual environment I use > for training so there are no cables as such. take a step back.

Re: Help setting up a PF NAT gateway

On 10 October 2011 15:05, Stefan Midjich wrote: > That was from the output of pfctl -vf /etc/pf.conf so it expands the > rules and adds all that is implied, like keep state for example. > I think that is not what you want: match in on vic3 inet from 10.221.181.0/24 to any label "NATOut" nat-to (v

Re: Help setting up a PF NAT gateway

Not sure what you mean but they're both in switched vlans, two different vlans. Point to Point is a crossover cable right? I'm not sure what it means in English. This is all a virtual environment I use for training so there are no cables as such. 2011/10/10 Peter N. M. Hansteen : > Stefan Midjich

Re: Help setting up a PF NAT gateway

Stefan Midjich writes: > $ sudo cat /etc/hostname.vic2 # External NIC with static public IPv4 address > inet 50.50.50.59 255.255.255.0 50.50.50.255 > $ sudo cat /etc/hostname.vic3 # Internal NIC used as gateway by two machines > on same network > inet 10.221.181.10 255.255.255.0 10.221.181.255

Re: Help setting up a PF NAT gateway

$ sudo pfctl -sr |grep nat-to match in on vic3 inet from 10.221.181.0/24 to any label "NATOut" nat-to (vic2) round-robin pfctl -vsl shows only evaluated packets for all my rules, which worries me, it never increments the counter of packets gone through any of the nat rules. Only the first rules fo

Re: Help setting up a PF NAT gateway

ManagementIF = "vic0" PFsyncIF = "vic1" LocalIF = "lo0" ManagementPorts = "{ 1022, 22 }" UDPManagementPorts = "{ domain }" ICMPTypes = "{ echorep, echoreq, unreach }" set skip on { lo0 vic1 } OutIF = "vic2" InIF = "vic3" pass quick on vic0 inet proto tcp from any to any port = 1022 flags S/SA keep

Re: Help setting up a PF NAT gateway

That was from the output of pfctl -vf /etc/pf.conf so it expands the rules and adds all that is implied, like keep state for example. 2011/10/10 pavel pocheptsov : > match out on vic2 inet from 10.221.181.0/24 to any nat-to (vic2) round-robin > in what reason you paste "round-robin"? > also you ne

Re: Help setting up a PF NAT gateway

Yes forwarding is enabled. I have followed the Book of PF 2nd Edition so far. 2011/10/10 Mark (obsd) : > Hi Stefan, > > On Mon, Oct 10, 2011 at 10:38 AM, Stefan Midjich wrote: >> >> Simplest of things but I'm failing miserably. >> >> ... >> >> With tcpdump I can see packets going to vic3, but no

Re: Help setting up a PF NAT gateway

Hi, see my sample, it is well explained. http://mouedine.net/ruleset49.aspx All the best, Wesley MOUEDINE ASSABY www.mouedine.net On Mon, 10 Oct 2011 17:38:26 +0200, Stefan Midjich wrote: > Simplest of things but I'm failing miserably. > > $ sudo cat /etc/hostname.vic2 # External NIC with st

Re: Help setting up a PF NAT gateway

Hi Stefan, On Mon, Oct 10, 2011 at 10:38 AM, Stefan Midjich wrote: > Simplest of things but I'm failing miserably. > > ... > > With tcpdump I can see packets going to vic3, but no further. > > Do you definitely have forwarding enabled? # sysctl net.inet.ip.forwarding net.inet.ip.forwarding=1 I

Re: Help setting up a PF NAT gateway

match out on vic2 inet from 10.221.181.0/24 to any nat-to (vic2) round-robin in what reason you paste "round-robin"? also you need pass in on $local_if from $localnet to any pass out on $ext_if from $localnet to any 10 P>P:QQP1QQ 2011, 19:42 P>Q Stefan Midjich : Simplest of things b

Re: Help setting up a PF NAT gateway

On 10 October 2011 12:38, Stefan Midjich wrote: > Simplest of things but I'm failing miserably. > > $ sudo cat /etc/hostname.vic2 # External NIC with static public IPv4 address > inet 50.50.50.59 255.255.255.0 50.50.50.255 > > $ sudo cat /etc/hostname.vic3 # Internal NIC used as gateway by two > m