Old 05-17-2011, 02:39 AM   #1
lcxpics
LQ Newbie
 
Registered: Apr 2011
Posts: 8

Post OpenBSD 4.9 PF and NAT do not work


Hi All,

I have tried to do some testing using PF on OpenBSD 4.9.
There are 2 scenarios that I did:
1. Without NAT (successful)
2. With source NAT (not successful)

The diagram is:

notebook----em0[OpenBSD 4.9 PF]em1-----webserver(TCP/443)

Detail:
em0 is 192.168.1.216/24
notebook is 192.168.1.21/24
em1 is 192.168.2.216/24
webserver is 192.168.2.80/24
IP alias for source NAT on em1 is 192.168.2.232/32
ip forwarding on sysctl =1

Notebook's gateway is firewall internal IP: 192.168.1.216
Firewall's gateway is webserver :192.168.2.80
Webserver's gateway is firewall external IP: 192.168.2.216

I have tried to do source NAT testing to allow traffic from the notebook to the webserver using source NAT on em1:
192.168.1.21 --> 192.168.2.232 --> 192.168.2.80

For the routing table, I don't have other static routes. Only the default gateway, which is pointing to 192.168.2.80 (webserver).

Unfortunately it hasn't worked at all. I have tried to monitor the traffic using:
1. tcpdump on em1 (external int): no packets pass through em1 at all.
2. tcpdump on em0 (internal int): there are some packets from 192.168.1.21 to 192.168.2.80 (SYN) but no reply at all from the webserver.

Below is the ruleset for the NAT scenario above:

Code:
# Tables: (2)
table <tbl.r0.d> { 192.168.1.216 , 192.168.2.216 }
table <tbl.r0.dx> { 192.168.1.216 , 192.168.2.80 , 192.168.2.216 }

#
# Rule 0 (NAT)
match out on em1 proto { tcp udp icmp } from 192.168.1.21 to 192.168.2.80 nat-to 192.168.2.232

# ssh access rule
pass in quick inet proto tcp from 192.168.1.21 to <tbl.r0.d> port 22 label "RULE -1 -- ACCEPT "
#
# Rule 0
pass log quick on { em0 em1 } inet proto icmp from any to <tbl.r0.dx>

# Rule 1 (em1,em0)
pass log quick on { em0 em1 } inet proto tcp from 192.168.1.21 to 192.168.2.80 port 443

block quick inet from any to any no state

I have tried an additional ping test rule from my notebook to the webserver and it works well.

Is there any routing issue or missing/misconfigured entry in my rules?
My intention is only to test the source NAT rule from the internal to the external interface.

Regards,
Stefan
 
Old 06-15-2011, 04:54 PM   #2
SteveK1979
Member
 
Registered: Feb 2004
Location: UK
Distribution: RHEL, Ubuntu, Solaris 11, NetBSD, OpenBSD
Posts: 225

Hi,

Just a minor point, but please format your code etc. correctly with [code] tags; it makes things much easier for people to look at and therefore more likely they'll help you.

Secondly, I don't know if this will actually fix your issue, but the first thing I'd do is take out the default gateway on the firewall that points at the webserver's IP address. That's just totally bogus; based on your diagram it effectively doesn't need any additional routing table entries or gateways, as these are both directly connected networks. It knows where they are by virtue of being connected to them.

Now, I suspect the problem is that when the webserver receives the incoming traffic it is trying to respond via the default gateway, and either the traffic is being dropped due to a missing PF rule / PF NAT issue or, possibly more likely, some network layer issue. Have you configured the source NAT IP address on the em1 interface and made sure it is ARPing for that IP?

Cheers,
Steve
 
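For readers arriving at this thread later, here is the scenario from post #1 restated as a complete pf.conf with the two fixes suggested in post #2 applied. This is an added example, not the original poster's ruleset and not a config from the OpenBSD project; the interface names and addresses are the ones given in the thread, while the macro names, the choice of a default-deny `block log all`, and the host-side commands listed in the comments are assumptions made for the example.

```pf
# Added example: notebook ---em0 [OpenBSD 4.9 PF] em1--- webserver(TCP/443),
# with source NAT to 192.168.2.232 on em1.
#
# Host-side prerequisites (run as root on the firewall; assumed, not from the thread):
#   sysctl net.inet.ip.forwarding=1
#   ifconfig em1 alias 192.168.2.232 netmask 255.255.255.255  # firewall now answers ARP for the NAT address
#   route delete default        # both LANs are directly connected; no gateway needed
#   pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf           # syntax-check, then load
#
int_if   = "em0"            # 192.168.1.216/24, towards the notebook
ext_if   = "em1"            # 192.168.2.216/24, towards the webserver
notebook = "192.168.1.21"
web      = "192.168.2.80"
nat_addr = "192.168.2.232"  # must be configured as an alias on $ext_if (see above)

set skip on lo

# Translate the notebook's traffic to the webserver as it leaves em1.
# match rules are sticky: the translation is applied by the pass rule that
# later creates state for the outbound packet.
match out on $ext_if inet proto { tcp udp icmp } from $notebook to $web nat-to $nat_addr

# Default deny; everything below is an explicit exception.
block log all

# Management access to the firewall itself from the notebook.
pass in quick on $int_if inet proto tcp from $notebook to $int_if port 22

# Inbound leg on em0: state is created with the original source address.
pass in  quick on $int_if inet proto tcp  from $notebook to $web port 443
pass in  quick on $int_if inet proto icmp from $notebook to $web

# Outbound leg on em1: deliberately no "from" constraint, because after the
# match rule the packet is evaluated with its translated source (192.168.2.232).
pass out quick on $ext_if inet proto tcp  to $web port 443
pass out quick on $ext_if inet proto icmp to $web

# Checks once loaded (assumed commands):
#   pfctl -s state                 -> one "in" state on em0 and one "out" state on em1,
#                                     the latter showing the translated source
#   tcpdump -n -i em1 host 192.168.2.232   -> SYN leaving with the NAT source, SYN/ACK returning to it
#   arp -an (on the webserver)     -> 192.168.2.232 resolved to em1's MAC address
```

A forwarded connection produces two state entries in `pfctl -s state`, one per interface and direction; if only the em0 entry appears, the outbound leg is being blocked on em1 and `pfctl -s rules -v` (or the `log` keyword on the block rule plus `tcpdump -n -e -ttt -i pflog0`) shows which rule is doing it. If both states exist but the webserver's reply never arrives, the ARP entry for the alias on the webserver is the next thing to verify, as post #2 suggests.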
Old 06-16-2011, 03:47 PM   #3
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

lcxpics

Let me 2nd the suggestion to put code (as well as command line output, config files, etc.) inside [CODE] tags, aka "Code:" blocks.

It will make your posts easier to read, & that will get you more, faster, better answers. -- Help us help you.

BTW, You can edit your post(s) to do this retroactively. (Please do so now -- use the "Edit" button at the lower right corner of your post)

I hope the "Code:" blocks link is helpful.
 
Old 08-11-2011, 06:54 PM   #4
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

He never came back to see your answer, too bad -- I'd like to know if it would have worked.
Quote:
lcxpics is offline
Last Activity: 05-17-11 03:08 AM
I hope we didn't scare him off w/ the suggestions that he apparently never saw.
 
Old 09-17-2011, 04:23 PM   #5
spatieman
Member
 
Registered: Jan 2004
Location: netherlands, europe, in a crapy house. xD
Distribution: openBSD
Posts: 73

I didn't read whether he got NAT to work at all...
but if he comes back...
he can copy my pf.conf, which I had here..
(HAD: I have some stupid strub now too, but not with the config below)

Code:
######## START CONFIG ##########
#
ext_if = "dc0"   # Change to YOUR type eth name
int1_if = "sk0"   # Change to YOUR type eth name
#
set block-policy drop
set loginterface $ext_if
set limit { frags 5000, states 10000 }
set state-policy floating
set optimization normal
set ruleset-optimization basic
set timeout interval 10
set timeout frag 30
set skip on lo
#
match out on egress inet from !(egress) to any nat-to (egress:0)
block return #all
antispoof for $ext_if inet
#
## Example port forward rule for FTP  # pass in on $ext_if inet proto tcp from any to $ext_if port 21 rdr-to 192.168.0.254
## Example port forward rule for HTTP # pass in on $ext_if inet proto tcp from any to $ext_if port 80 rdr-to 192.168.0.253
## Example port forward rule for MAIL # pass in on $ext_if inet proto tcp from any to $ext_if port { 25,110 } rdr-to 192.168.0.252

pass out quick keep state
pass in  quick on $int1_if
#
########## END CONFIG ############

Last edited by spatieman; 10-05-2011 at 02:11 AM.
 
Old 09-20-2011, 07:49 AM   #6
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

spatieman,

Please put code, command line output, config files, etc. inside [CODE] tags, aka "Code:" blocks.
There are 2 ways to generate "Code:" tags:
  1. You can simply type them yourself -- "[code] ... [/code]". (They are not case sensitive.)

  2. You can also click on the '#' icon above the text entry window. If you highlight the code, command line output, config files, etc. before you click the '#' icon, your code will get put inside a "Code:" block. The '#' icon is available when you start your post by clicking the "Post Reply" button or use the "Go Advanced" button under the Quick Reply window; it is not currently available in the Quick Reply window itself.

The [CODE] tags will make your posts easier to read, & that will get you more, faster, better answers. -- Help us help you.
BTW, You can edit your post(s) to do this retroactively. Please do so soon.

At the very least, please fix the post just above this one & your thread here which has been languishing on the 0-reply list, possibly for this reason. TIA.


A Rarely Spoken Bad Attitude
Some members will not read ill-formatted posts based on the idea that if you don't appreciate & respect their volunteer time enough to bother to make it easy for them to read what you write, then why should they waste that time on you? This is a bad attitude, rarely expressed; but that doesn't mean it isn't there. It is easy to fall into when tired, short of time, in a bad mood, etc. It may not be conscious; the thought may be "That looks too difficult, I'll go look at something easier." In any case you are the loser when your posts are ignored.
 