Hi Rodrigo,

I tried to change the rule from

    pass out log quick on em0 inet proto tcp from 192.168.1.21 to 192.168.2.80 port 443 keep state ( max 10000, max-src-conn 10 )

to

    pass out log quick on em1 all

and it still doesn't work.

Stefan

________________________________
From: Rodrigo Mosconi <open...@mosconi.mat.br>
To: Stefan N <stefanbsd...@yahoo.com>
Sent: Mon, May 16, 2011 9:25:55 PM
Subject: Re: Source NAT using PF on OpenBSD 4.9

2011/5/16 Stefan N <stefanbsd...@yahoo.com>:
> Hi All,
>
> I have done some testing using PF on OpenBSD 4.9.
> There were 2 tests:
> 1. without NAT (successful)
> 2. with source NAT (not successful)
>
> The diagram is
>
> notebook----------em0[OpenBSD 4.9 PF]em1---------webserver(TCP/443)
> em0 is 192.168.1.216/24
> notebook is 192.168.1.21/24
> em1 is 192.168.2.216/24
> webserver is 192.168.2.80/24
> IP alias for NAT on em1 is 192.168.2.232/32
> ip forwarding on sysctl = 1
>
> Notebook's gateway is firewall internal IP: 192.168.1.216
> Firewall's gateway is webserver: 192.168.2.80
> Webserver's gateway is firewall external IP: 192.168.2.216
>
> I have tried to do source NAT testing to allow traffic from notebook to
> webserver so that the webserver knows that the incoming traffic is coming from
> 192.168.2.232 (NAT IP) instead of 192.168.1.21.
> 192.168.1.21-->192.168.2.232-->192.168.2.80
>
> Unfortunately it hasn't worked at all. I have tried to monitor the traffic using
> tcpdump on em1 (external int) but there are no packets passing through em1 at all.
>
> Below is the rule of the scenario above using NAT:
>
> # Tables: (1)
> table <tbl.r0.d> { 192.168.1.216 , 192.168.2.216 , 192.168.2.232 , 192.168.3.216 }
>
> # Rule 0 (NAT) (192.168.2.232 is NAT IP for notebook/192.168.1.21)
> match out on em0 proto {tcp udp icmp} from 192.168.1.21 to 192.168.2.80 nat-to 192.168.2.232
>
> # Rule backup ssh access rule
> pass in quick inet proto tcp from 192.168.1.21 to <tbl.r0.d> port 22
>
> # Rule 0 (em0) notebook access webserver
> pass out log quick on em0 inet proto tcp from 192.168.1.21 to 192.168.2.80 port 443 keep state ( max 10000, max-src-conn 10 )

pass out log quick on em1 all

> # Rule 1
> block log quick inet from any to any no state
> # block all
> block quick inet from any to any no state
>
> What else is missing or isn't configured correctly? There was no error while I
> reloaded the rules using pfctl -f /etc/pf.conf
>
> Thanks
>
> Regards,
> Stefan
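Editor's note, with an added example that is not part of the thread and not Stefan's or Rodrigo's configuration. Two properties of PF on OpenBSD 4.7 and later are worth stating plainly for the topology above. First, a `match ... nat-to` rule is evaluated only for packets travelling in the stated direction on the stated interface: `match out on em0` sees packets leaving em0 towards the notebook, while the notebook's HTTPS traffic enters on em0 and leaves on em1, so source translation belongs on `out on em1`. Second, a `match` rule never passes traffic by itself; a packet arriving on em0 must be admitted by a `pass in` rule, otherwise a `quick` catch-all block drops it before forwarding, and a tcpdump on em1 then shows nothing. PF creates a separate state on each interface a forwarded packet passes, so a `pass in` on em0 does not prevent the em1 rules (including the NAT match) from being evaluated. The ruleset below uses the interface names, addresses and the 192.168.2.232/32 alias from the message; `set skip on lo` and the ssh rule are assumptions added to make the file complete.

```pf
# Added example (not from the thread): source NAT from the notebook to the
# webserver in OpenBSD 4.7+ syntax. Interface names and addresses are taken
# from Stefan's message; 'set skip on lo' and the ssh rule are assumptions.

int_if    = "em0"            # 192.168.1.216/24, notebook side
ext_if    = "em1"            # 192.168.2.216/24, webserver side; 192.168.2.232/32 is an alias here
notebook  = "192.168.1.21"
webserver = "192.168.2.80"
nat_ip    = "192.168.2.232"

set skip on lo

# Management access to the firewall itself from the notebook (assumed rule).
pass in quick on $int_if inet proto tcp from $notebook to $int_if port 22

# 1. Admit the HTTPS request on the interface it arrives on. A match rule does
#    not pass anything, and the catch-all block below is 'quick', so without
#    this rule the packet is dropped on em0 and never reaches em1.
pass in log quick on $int_if inet proto tcp from $notebook to $webserver port 443 \
    keep state (max 10000, max-src-conn 10)

# 2. Rewrite the source address as the packet leaves em1. nat-to is applied on
#    the interface and direction named in the rule, so this has to be the
#    egress interface, not em0 where the traffic enters.
match out on $ext_if inet proto { tcp udp icmp } from $notebook to $webserver nat-to $nat_ip

# 3. Pass the translated packet out on em1. The state created here also maps
#    the webserver's replies to 192.168.2.232 back to 192.168.1.21. Matching on
#    destination only avoids depending on whether this rule is evaluated
#    against the pre- or post-translation source address.
pass out log quick on $ext_if inet proto tcp to $webserver port 443

# Default deny, logged to pflog0.
block log quick all
```

To check it: `pfctl -nf /etc/pf.conf` parses the file without loading it, `pfctl -f /etc/pf.conf` loads it, and after one connection attempt from the notebook `pfctl -ss` should list two TCP states for the connection, one on em0 and one on em1 carrying 192.168.2.232 as the source. Because the default deny logs, `tcpdump -n -e -ttt -i pflog0` shows exactly which interface and direction dropped a packet if the flow still stalls.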