OpenBSD 5.2 NAT/DHCP server
Hello, I'm trying to configure an OpenBSD router for my server network. I have internet access from my clients and DHCP works in the range 192.168.1.1 -> 192.168.1.250, but the port forwarding doesn't seem to work. I'm able to SSH into OpenBSD via my external IP, but the port forwarding doesn't want to forward SSH to my web server, or the other ports, 80, 443 etc.
Here are my settings:

dhcpd.conf:

shared-network RUTER-LAN {
############################
# The three lines below are to specify the shared resources
# for all the subnets specified below
###########################
default-lease-time 604800;
option domain-name "ruter.lan";
option domain-name-servers 128.39.105.10, 128.39.114.2;

###########################
# Specify the subnet to give ips on and the netmask
# given with the ip address
############################
subnet 192.168.1.0 netmask 255.255.255.0 {
    #specify the subnet again (see below NB***)
    option subnet-mask 255.255.255.0;
    #specify the broadcast address for the subnet
    option broadcast-address 192.168.1.255;
    #specify the gateway to use
    option routers 192.168.1.1;
    range 192.168.1.2 192.168.1.250;
}
}

/etc/mygate:

*MY EXTERNAL IP*

pf.conf:

# Set network interfaces
ext_if="em0" #internet
int_if="em1" #LAN
wwwserver = "192.168.1.2"

# Skip all loopback traffic
set skip on lo

# DEFAULT IS BLOCK IN FROM INTERNET, PASS ALL ELSE
block log all
pass on $int_if all
pass out on $ext_if all

# Allow inbound traffic on internal interface
pass quick on $int_if

# Protect against spoofing
antispoof quick for { lo $int_if }

# Nat
#pass out on $ext_if from $int_if:network to !$int_if:network nat-to ($ext_if)
#match out on $ext_if from $lan_ip nat-to ($ext_if)
pass out on $ext_if from $int_if:network to any nat-to ($ext_if)
pass in on $ext_if proto {tcp, udp} from any to any port 80 rdr-to $wwwserver port 80

ALSO TRIED:

#pass in on $ext_if proto tcp from any to any port 80 rdr-to $wwwserver port 80

pfctl -s rules says:

pass in on em0 inet proto tcp from any to any port = 80 flags S/SA rdr-to 192.168.1.2 port 80
pass in on em0 inet proto udp from any to any port = 80 rdr-to 192.168.1.2 port 80

Please help me to get port forwarding working. And yes, I have 4 virtual guest OSes, Ubuntu/Linux, and they are not getting an IP from the OpenBSD DHCP server with a bridged adapter.
That was the first thing I did; forwarding is on:

net.inet.ip.forwarding=1
Does it work if you change it to the following?
pass in quick on $ext_if proto { tcp } from any to any port { 80 } flags S/SA rdr-to $wwwserver

If you tcpdump on the *internal* interface and attempt to connect externally, do you see traffic? If so, do you see *return* traffic if you tcpdump on the external interface and attempt to connect?
It works! Thank you. I'm a complete newbie with OpenBSD; I'm familiar with Ubuntu. But when I use the same pass rule with 443 I get a pf error, out of range.
How could I fix this? Thank you
pf is not iptables. IIRC, iptables is a "first-match" system, where the first rule that matches is the one that ends the ruleset walk. pf is a "best-match" by default, but when you add the word "quick" to the rule *that rule* becomes a "first-match" (i.e. if a packet matches that rule, process that rule and end there, like iptables).
Since state lookups are so incredibly fast in pf, the ruleset should only be referenced with new traffic. It almost sounds like you had state turned off, though I don't see that in your ruleset and you are on a recent enough version of OpenBSD that pf is stateful by default.
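As an added example (not the original poster's config and not one of the replies), here is a complete pf.conf that applies the two points made above: the rdr-to rule carries "quick" so it is final for matching packets, and it is extended to both 80 and 443 using a port list in braces (a port *list* is `{ 80, 443 }`; a colon, as in `80:443`, denotes a *range*). Interface names and addresses are taken from the thread; the narrower `to ($ext_if)` destination, the placement of antispoof before the LAN pass rule, and the separate SSH rules are my assumptions about a sensible layout.

```pf
# Added example: complete pf.conf for the router described in this thread.
# Interface names and addresses are the thread's; everything else is an assumption.
ext_if = "em0"              # internet
int_if = "em1"              # LAN, 192.168.1.1/24
wwwserver = "192.168.1.2"
www_ports = "{ 80, 443 }"   # list in braces; 80:443 would be a range

set skip on lo

# Default deny, logged. Without "quick", pf walks the whole ruleset and the
# LAST matching rule wins, so later pass rules override this block.
block log all

# Anti-spoofing first: it is "quick", so spoofed packets arriving on the LAN
# interface are dropped before any pass rule below can match them.
antispoof quick for { lo $int_if }

# LAN may talk to anything; NAT its outbound traffic behind the external address.
pass quick on $int_if
pass out on $ext_if from $int_if:network to any nat-to ($ext_if)

# Port forwarding for the web server. "quick" ends the ruleset walk here, and the
# state created by this rule carries the reply packets from $wwwserver back out
# on $ext_if, so no extra "out" rule is needed. "to ($ext_if)" is narrower than
# the thread's "to any": only traffic addressed to the router is redirected.
pass in quick on $ext_if proto tcp from any to ($ext_if) port $www_ports \
    flags S/SA rdr-to $wwwserver

# SSH to the router itself stays on port 22 (assumption). A rdr-to on port 22
# would take that port away from the router, so SSH to the web server is
# exposed on a different external port and translated to 22 inside.
pass in quick on $ext_if proto tcp from any to ($ext_if) port 22
pass in quick on $ext_if proto tcp from any to ($ext_if) port 2222 \
    flags S/SA rdr-to $wwwserver port 22
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only) and then `pfctl -f /etc/pf.conf`; `pfctl -s rules` shows the expanded rules and `pfctl -s state` shows whether a state was created for a test connection. The check suggested in the reply above maps to `tcpdump -n -i em1 port 80` (does the redirected packet leave towards 192.168.1.2?) and `tcpdump -n -i em0 port 80` (does the reply come back out?); if the first shows traffic and the second does not, the web server is usually missing a default route back via 192.168.1.1.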
OK, I have a bit more understanding of pf now, but I'm having some problems on my local network. I can't visit mydomain.com when I am on my local network, but if I'm on another network it works as it should. What kind of rule do I need for this forwarding?
Thank you, petter
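The last post describes the classic "reflection" problem: a LAN client connects to the router's external address, the rdr-to rule only exists on em0, and even if it did apply, the server would answer the client directly and the client would discard a reply that does not match the address it connected to. As an added example (not from the thread), these are the rules modelled on the reflection approach in the OpenBSD PF FAQ: redirect on the internal interface, and rewrite the source address as the packet goes back out the same interface so the server replies via the router. Interface names and addresses are the thread's; that the LAN is a single flat /24 on em1 is an assumption, and the rules must appear before the ruleset's `pass quick on $int_if` line, which would otherwise match first.

```pf
# Added example: NAT reflection so LAN hosts can reach the web server through
# the router's external address. Modelled on the OpenBSD PF FAQ; the flat
# 192.168.1.0/24 LAN on em1 is an assumption.
ext_if = "em0"
int_if = "em1"
wwwserver = "192.168.1.2"
www_ports = "{ 80, 443 }"

# 1. A LAN client connecting to the router's external address is redirected to
#    the server, exactly as internet clients are on $ext_if.
pass in quick on $int_if proto tcp from $int_if:network to ($ext_if) port $www_ports \
    rdr-to $wwwserver

# 2. The redirected packet leaves on the interface it arrived on ("received-on"),
#    so its source is rewritten to the router's LAN address. The server now
#    replies to the router, which undoes both translations; without this the
#    server would reply straight to the client and the connection would hang.
pass out quick on $int_if proto tcp from $int_if:network to $wwwserver port $www_ports \
    received-on $int_if nat-to $int_if
```

The cost of this approach is that the web server's logs show every LAN client as 192.168.1.1. The alternative the FAQ prefers is split-horizon DNS: have the LAN's resolver answer mydomain.com with 192.168.1.2 so internal clients never go through the router at all; that needs no pf rules but does need a local DNS server that the dhcpd.conf above hands out instead of the external ones.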