LinuxQuestions.org
Old 02-23-2013, 07:37 AM   #1
p3tter
OpenBSD 5.2 NAT/DHCP server


Hello, I'm trying to configure an OpenBSD router for my server network. I have internet access from my clients and DHCP works in the range 192.168.1.1 -> 192.168.1.250, but the port forwarding doesn't seem to work. I'm able to SSH to my external IP into OpenBSD, but the port forwarding doesn't want to forward SSH to my web server, or the other ports, 80, 443 etc.

Here are my settings:

dhcpd.conf:

shared-network RUTER-LAN {
	# Shared settings for every subnet declared below
	default-lease-time 604800;
	option domain-name "ruter.lan";
	option domain-name-servers 128.39.105.10, 128.39.114.2;

	# Subnet to hand out addresses on, with its netmask
	subnet 192.168.1.0 netmask 255.255.255.0 {
		option subnet-mask 255.255.255.0;
		option broadcast-address 192.168.1.255;
		# Default gateway handed to clients: the OpenBSD router's LAN address
		option routers 192.168.1.1;
		# NB: 192.168.1.2, the web server referenced in pf.conf, lies inside
		# this pool; give it a fixed-address host entry or start the range
		# above it, otherwise dhcpd may lease that address to another client.
		range 192.168.1.2 192.168.1.250;
	}
}



/etc/mygate:
# mygate(5) holds the address of the default router (the ISP's next hop), not the host's own external address
*MY EXTERNAL IP*

pf.conf:

# Network interfaces
ext_if="em0"   # internet
int_if="em1"   # LAN

wwwserver="192.168.1.2"

# Skip all loopback traffic
set skip on lo

# DEFAULT IS BLOCK IN FROM INTERNET, PASS ALL ELSE
block log all
pass on $int_if all
pass out on $ext_if all

# Allow inbound traffic on internal interface
pass quick on $int_if

# Protect against spoofing
antispoof quick for { lo $int_if }

# NAT (the two commented-out lines are earlier attempts; $lan_ip is not defined anywhere in this file)
#pass out on $ext_if from $int_if:network to !$int_if:network nat-to ($ext_if)
#match out on $ext_if from $lan_ip nat-to ($ext_if)
pass out on $ext_if from $int_if:network to any nat-to ($ext_if)

# Port forward to the web server
pass in on $ext_if proto { tcp, udp } from any to any port 80 rdr-to $wwwserver port 80
# Also tried:
#pass in on $ext_if proto tcp from any to any port 80 rdr-to $wwwserver port 80

pfctl -s rules shows the forward loaded as:

pass in on em0 inet proto tcp from any to any port = 80 flags S/SA rdr-to 192.168.1.2 port 80
pass in on em0 inet proto udp from any to any port = 80 rdr-to 192.168.1.2 port 80


Please help me get port forwarding to work?
And yes, I have 4 virtual guest OSes (Ubuntu/Linux), and they are not getting an IP from the OpenBSD DHCP server with a bridged adapter.

Last edited by p3tter; 02-24-2013 at 10:27 AM.
 
Old 02-24-2013, 08:05 PM   #2
ocicat
Quote (originally posted by p3tter): Please help me get port forwarding to work?
Read Section 6.2.7 of the official FAQ.
 
Old 02-25-2013, 04:48 AM   #3
p3tter
That was the first thing I did; forwarding is on:
net.inet.ip.forwarding=1
 
Old 02-26-2013, 01:07 AM   #4
rocket357
Does it work if you change it to the following?

pass in quick on $ext_if proto { tcp } from any to any port { 80 } flags S/SA rdr-to $wwwserver

If you tcpdump on the *internal* interface and attempt to connect externally, do you see traffic? If so, do you see *return* traffic if you tcpdump on the external interface and attempt to connect?
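As an added example (not code from the thread or from rocket357), here is a complete pf.conf built around the quick rdr rule above, forwarding both 80 and 443 with a single rule. The interface names and the web server address are taken from p3tter's first post; the port-list macro and the SSH forward on external port 2222 are my assumptions for illustration.

```pf
# Added example (not from the thread): cleaned-up pf.conf for the setup above.
# em0, em1 and 192.168.1.2 come from the original post; the port list macro and
# the ssh forward on external port 2222 are assumptions for illustration.
ext_if="em0"              # internet
int_if="em1"              # LAN
wwwserver="192.168.1.2"
www_ports="{ 80, 443 }"   # services published on the external address

set skip on lo

# Default deny in both directions; dropped packets are logged to pflog0.
block log all

# Anti-spoofing first, so it is evaluated before any pass rule can short-circuit it.
antispoof quick for { lo $int_if }

# NAT for the LAN behind the (possibly dynamic) external address. A packet
# from the LAN is evaluated again when it leaves em0, so this match rule is
# reached even though the LAN rule below already created state on em1.
match out on $ext_if from $int_if:network to any nat-to ($ext_if)

# LAN may talk to anything; the router may originate traffic on the internet side.
pass quick on $int_if
pass out on $ext_if

# Port forwards. "quick" ends evaluation at this rule, so no later rule can
# undo the redirection. TCP only: HTTP and HTTPS are TCP services, and the
# redirected packets are passed out on em1 by "pass quick on $int_if" above.
pass in quick on $ext_if proto tcp from any to ($ext_if) port $www_ports rdr-to $wwwserver

# Assumed: reach the web server's sshd on an alternate external port, so that
# port 22 on the router stays available for administering OpenBSD itself.
pass in quick on $ext_if proto tcp from any to ($ext_if) port 2222 rdr-to $wwwserver port 22
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. A working forward shows up twice in `pfctl -ss`: one state on em0 with the public address as destination, and one on em1 with 192.168.1.2 as destination. If only the em0 state appears, the redirected packet is being dropped on the LAN side. `tcpdump -n -e -ttt -i pflog0` shows exactly what the `block log` rule is discarding, which answers the tcpdump question above without having to watch both interfaces.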
 
Old 02-26-2013, 07:12 AM   #5
p3tter
It works! Thank you. I'm a complete newbie with OpenBSD; I'm familiar with Ubuntu. But when I use the same pass rule with 443 I get a pf error, "out of range".
How could I fix this? Thank you.
 
Old 02-26-2013, 10:22 AM   #6
rocket357
pf is not iptables. IIRC, iptables is a "first-match" system, where the first rule that matches is the one that ends the ruleset walk. pf is a "best-match" by default, but when you add the word "quick" to the rule *that rule* becomes a "first-match" (i.e. if a packet matches that rule, process that rule and end there, like iptables).

Since state lookups are so incredibly fast in pf, the ruleset should only be referenced with new traffic. It almost sounds like you had state turned off, though I don't see that in your ruleset and you are on a recent enough version of OpenBSD that pf is stateful by default.
 
Old 02-26-2013, 03:59 PM   #7
p3tter
OK, I have a bit more understanding of pf now, but I'm having some problems on my local network. I can't visit mydomain.com when I am on my local network, but if I'm on another network it works as it should. What kind of rule do I need for this forwarding?
Thank you, Petter
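The thread ends here without an answer. As an added example (not from the thread), below is the reflection technique from the "Redirection and Reflection" section of the OpenBSD PF FAQ, adapted to the names in this thread. The macros are the ones from p3tter's pf.conf; the port list is an assumption. Both rules must sit before the catch-all `pass quick on $int_if`, since that rule would otherwise match the LAN client's packet first and the redirection would never be reached; they carry `quick` themselves for the same reason.

```pf
# Added example (not from the thread): let LAN hosts reach the web server
# through the public address. Macros as in p3tter's pf.conf; port list assumed.
ext_if="em0"
int_if="em1"
wwwserver="192.168.1.2"
www_ports="{ 80, 443 }"

# 1. A LAN client connects to the public address: redirect it to the server,
#    exactly as is done for traffic arriving from the internet.
pass in quick on $int_if proto tcp from $int_if:network to ($ext_if) port $www_ports rdr-to $wwwserver

# 2. The redirected packet now leaves on $int_if towards the server. Without
#    this rule the server would see the client's real LAN address and answer
#    it directly, bypassing the router; the client, which opened a connection
#    to the public address, would reject that reply. Rewriting the source to
#    the router's LAN address forces the reply back through pf, which then
#    undoes both translations.
pass out quick on $int_if proto tcp to $wwwserver port $www_ports received-on $int_if nat-to $int_if

# The normal external port forward and the LAN catch-all follow, unchanged.
pass in quick on $ext_if proto tcp from any to ($ext_if) port $www_ports rdr-to $wwwserver
pass quick on $int_if
```

The FAQ's preferred fix is split-horizon DNS rather than reflection: have the resolver used by LAN clients answer mydomain.com with 192.168.1.2, so clients connect directly and pf is not involved. The dhcpd.conf in the first post hands out the external resolvers 128.39.105.10 and 128.39.114.2, so that would mean running a local resolver on the router and listing it in `option domain-name-servers` instead.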
 
  

