I have tried to do some testing using PF on OpenBSD 4.9.
There are 2 scenarios that I did:
1. Without NAT (successful)
2. With source NAT (not successful)
Detail:
em0 is 192.168.1.216/24
notebook is 192.168.1.21/24
em1 is 192.168.2.216/24
webserver is 192.168.2.80/24
IP alias for source NAT on em1 is 192.168.2.232/32
IP forwarding in sysctl = 1
Notebook's gateway is firewall internal IP: 192.168.1.216
Firewall's gateway is webserver :192.168.2.80
Webserver's gateway is firewall external IP: 192.168.2.216
I have tried to do source NAT testing to allow traffic from the notebook to the webserver using source NAT on em1:
192.168.1.21 --> 192.168.2.232 --> 192.168.2.80
For the routing table, I don't have other static routes, only the default gateway, which is pointing to 192.168.2.80 (webserver).
Unfortunately it hasn't worked at all. I have tried to monitor the traffic using:
1. tcpdump on em1 (external int): no packets pass through em1 at all.
2. tcpdump on em0 (internal int): there are some packets from 192.168.1.21 to 192.168.2.80 (SYN) but no reply at all from the webserver.
Below is the ruleset of the scenario above using NAT:
Code:
#
# Rule 0 (NAT)
match out on em1 proto { tcp udp icmp } from 192.168.1.21 to 192.168.2.80 nat-to 192.168.2.232
# ssh access rule
pass in quick inet proto tcp from 192.168.1.21 to <tbl.r0.d> port 22 label "RULE -1 -- ACCEPT "
#
# Rule 0
pass log quick on { em0 em1 } inet proto icmp from any to <tbl.r0.dx>
# Rule 1 (em1,em0)
pass log quick on { em0 em1 } inet proto tcp from 192.168.1.21 to 192.168.2.80 port 443
block quick inet from any to any no state
I have tried to add a ping test rule from my notebook to the webserver, and it works well.
Is there any routing issue, or anything lacking, missing or misconfigured in my rules?
My intention is only to test the source NAT rule from the internal to the external interface.
Hi,
Just a minor point, but please format your code etc. correctly with [code] tags; it makes things much easier for people to look at and therefore more likely that they'll help you.
Secondly, I don't know if this will actually fix your issue, but the first thing I'd do is take out the default gateway on the firewall pointing at the webserver's IP address. That's just totally bogus; based on your diagram it effectively doesn't need any additional routing table entries or gateways, as these are both directly connected networks. It knows where they are by virtue of being connected to them.
Now, I suspect the problem is that when the webserver receives the incoming traffic it is trying to respond via the default gateway, and either the traffic is being dropped due to a missing PF rule/PF NAT issue or, possibly more likely, some network layer issue. Have you configured the source NAT IP address on the em1 interface and made sure it is ARPing for that IP?
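The following is an added example, not configuration from the original poster or from anyone in this thread. It puts the topology from the first post (em0 192.168.1.216/24 facing the notebook 192.168.1.21, em1 192.168.2.216/24 facing the webserver 192.168.2.80, source NAT to the alias 192.168.2.232) together with the two points raised in the reply above: the alias has to exist on em1 so the firewall answers ARP for it, and a firewall with both networks directly connected needs no default gateway at all. The macro names, the OpenBSD hostname.if and sysctl.conf lines, and the choice of a plain `block log all` default policy are my assumptions; the addresses and interfaces are the ones given in the thread.

```pf
# /etc/hostname.em0   (internal side; address from the thread)
#   inet 192.168.1.216 255.255.255.0
#
# /etc/hostname.em1   (external side plus the NAT alias; the alias line is what
#   makes the firewall answer ARP requests for 192.168.2.232 on that segment)
#   inet 192.168.2.216 255.255.255.0
#   inet alias 192.168.2.232 255.255.255.255
#
# /etc/sysctl.conf
#   net.inet.ip.forwarding=1
#
# No /etc/mygate: both /24s are directly connected, so the firewall needs no
# default route (the reply's point about the gateway pointing at the webserver).

# /etc/pf.conf  (macro names are my assumptions; addresses are from the thread)
int_if    = "em0"
ext_if    = "em1"
notebook  = "192.168.1.21"
webserver = "192.168.2.80"
nat_alias = "192.168.2.232"

set skip on lo

# Source NAT: traffic from the notebook to the webserver leaving em1 is
# rewritten to use the alias as its source address.
match out on $ext_if inet from $notebook to $webserver nat-to $nat_alias

# Default deny, logged to pflog0 so blocked packets can be seen with tcpdump.
block log all

# Inbound on em0: only the notebook, only to the webserver, only the
# services under test (HTTPS and ping, as in the first post).
pass in on $int_if inet proto tcp  from $notebook to $webserver port 443
pass in on $int_if inet proto icmp from $notebook to $webserver

# Outbound on em1: written without a source-address constraint so that it
# matches the packet as pf presents it at this point in the ruleset, after
# the match rule above has set the translation.
pass out on $ext_if inet proto { tcp icmp } to $webserver

# Replies from the webserver arrive on em1 addressed to the alias and are
# matched by the state created by the pass out rule, so no explicit
# inbound rule on em1 is needed for them.
```

To check the result, `pfctl -nf /etc/pf.conf` validates the syntax without loading it, `pfctl -s state` after a test connection should show the state on em1 with the translated source (the alias) alongside the one on em0, `tcpdump -n -e -ttt -i pflog0` shows anything the `block log all` rule dropped, and `arp -an` on the webserver should list 192.168.2.232 at the MAC address of the firewall's em1 once a translated packet has gone out. One thing this layout avoids, and which is my reading of in-ruleset translation rather than something the thread establishes: a pass rule applied on the external interface that names the notebook's original address as source will not match once the match rule has rewritten that source to the alias, and a trailing `block quick ... no state` then drops the packet before it ever reaches the wire, which would look exactly like tcpdump on em1 seeing nothing.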
I didn't read whether he got NAT to work at all...
but if he is coming back...
he can cp my pf.conf which I had here..
(HAD, I have some stupid strub now too, but not with the config below)
Code:
######## START CONFIG ##########
#
ext_if = "dc0" # Change to YOUR type eth name
int1_if = "sk0" # Change to YOUR type eth name
#
set block-policy drop
set loginterface $ext_if
set limit { frags 5000, states 10000 }
set state-policy floating
set optimization normal
set ruleset-optimization basic
set timeout interval 10
set timeout frag 30
set skip on lo
#
match out on egress inet from !(egress) to any nat-to (egress:0)
block return #all
antispoof for $ext_if inet
#
## Example port forward rule for FTP # pass in on $ext_if inet proto tcp from any to $ext_if port 21 rdr-to 192.168.0.254
## Example port forward rule for HTTP # pass in on $ext_if inet proto tcp from any to $ext_if port 80 rdr-to 192.168.0.253
## Example port forward rule for MAIL # pass in on $ext_if inet proto tcp from any to $ext_if port { 25,110 } rdr-to 192.168.0.252
pass out quick keep state
pass in quick on $int1_if
#
########## END CONFIG ############
Please put code, command line output, config files, etc. inside [CODE] tags, aka "Code:" blocks.
There are 2 ways to generate "Code:" tags:
You can simply type them yourself -- "[code] ... [/code]". (They are not case sensitive.)
You can also click on the '#' icon above the text entry window. If you highlight the code, command line output, config files, etc. before you click the '#' icon, your code will get put inside a "Code:" block. The '#' icon is available when you start your post by clicking the "Post Reply" button or use the "Go Advanced" button under the Quick Reply window; it is not currently available in the Quick Reply window itself.
The [CODE] tags will make your posts easier to read, & that will get you more, faster, better answers. -- Help us help you.
BTW, You can edit your post(s) to do this retroactively. Please do so soon.
At the very least, please fix the post just above this one & your thread here, which has been languishing on the 0-reply list, possibly for this reason. TIA.
A Rarely Spoken Bad Attitude
Some members will not read ill-formatted posts, based on the idea that if you don't appreciate & respect their volunteer time enough to bother to make it easy for them to read what you write, then why should they waste that time on you? This is a bad attitude, rarely expressed; but that doesn't mean it isn't there. It is easy to fall into when tired, short of time, in a bad mood, etc. It may not be conscious; the thought may be "That looks too difficult, I'll go look at something easier." In any case you are the loser when your posts are ignored.