On 5/16/2011 3:29 AM, Stefan N wrote:
Hi All,
I have done some testing using PF on OpenBSD 4.9.
There were 2 tests:
1. without NAT (successful)
2. with source NAT (not successful)
The diagram is
notebook----------em0[OpenBSD 4.9 PF]em1---------webserver(TCP/443)
em0 is 192.168.1.216/24
notebook is 192.168.1.21/24
em1 is 192.168.2.216/24
webserver is 192.168.2.80/24
IP alias for NAT on em1 is 192.168.2.232/32
ip forwarding on sysctl =1
Notebook's gateway is firewall internal IP: 192.168.1.216
Firewall's gateway is webserver :192.168.2.80
Webserver's gateway is firewall external IP: 192.168.2.216
I have tried to do source NAT testing to allow traffic from notebook to
webserver so that the webserver knows that the incoming traffic is coming from
192.168.2.232(NAT IP) instead of 192.168.1.21.
192.168.1.21-->192.168.2.232-->192.168.2.80
Unfortunately it hasn't worked at all. I have tried to monitor the traffic using
tcpdump on em1 (external int), but no packets pass through em1 at all.
Below is the rule of the scenario above using NAT:
# Tables: (1)
table <tbl.r0.d> { 192.168.1.216, 192.168.2.216, 192.168.2.232, 192.168.3.216 }
# Rule 0 (NAT) (192.168.2.232 is NAT IP for notebook/192.168.1.21)
match out on em0 proto { tcp udp icmp } from 192.168.1.21 to 192.168.2.80 nat-to 192.168.2.232
# Rule backup ssh access rule
pass in quick inet proto tcp from 192.168.1.21 to <tbl.r0.d> port 22
#
# Rule 0 (em0) notebook access webserver
pass out log quick on em0 inet proto tcp from 192.168.1.21 to 192.168.2.80 port 443 keep state (max 10000, max-src-conn 10)
#
# Rule 1
block log quick inet from any to any no state
# block all
block quick inet from any to any no state
What else is missing or isn't configured correctly? There was no error when I
reloaded the rules using pfctl -f /etc/pf.conf.
Thanks
Regards,
Stefan
Based on your diagram, your outbound traffic and nat rule should be on
em1 instead of em0. Outbound traffic on em0 would be traffic from the
webserver going to the notebook.
Han
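The ruleset below is an added worked example of Han's point, not the config posted in the thread; the macro names are mine, the addresses and interfaces are the ones from the diagram. A packet the firewall forwards is filtered twice, once coming in on em0 and once going out on em1, and the original ruleset had no rule that passes it in on em0 and placed the nat-to on the wrong side. The translation has to sit on em1, where the packet leaves, and here it is put directly on the out rule rather than on a separate match rule.

```pf
# Corrected ruleset for: notebook --- em0 [OpenBSD 4.9 PF] em1 --- webserver(TCP/443)
# Added example; macro names are mine, addresses are from the thread.
int_if    = "em0"            # toward the notebook
ext_if    = "em1"            # toward the web server
notebook  = "192.168.1.21"
webserver = "192.168.2.80"
nat_ip    = "192.168.2.232"  # alias on em1; the source the web server should see

table <tbl.r0.d> { 192.168.1.216, 192.168.2.216, 192.168.2.232, 192.168.3.216 }

# Management access to the firewall's own addresses (unchanged).
pass in quick inet proto tcp from $notebook to <tbl.r0.d> port 22

# Step 1: the packet arrives on em0 and must be passed in there, otherwise the
# final block rule drops it before it is ever forwarded (which is why nothing
# showed up in tcpdump on em1).
pass in quick on $int_if inet proto tcp from $notebook to $webserver port 443 \
    keep state (max 10000, max-src-conn 10)

# Step 2: the packet leaves on em1; nat-to only applies to packets leaving
# through the named interface, so this is where the source is rewritten.
# Putting nat-to on the pass rule avoids the ordering question with a separate
# "match ... nat-to", after which later rules see the translated source.
pass out log quick on $ext_if inet proto tcp from $notebook to $webserver port 443 \
    nat-to $nat_ip

# Everything else is dropped and logged, as in the original ruleset.
block log quick inet
```

Check it with `pfctl -nf /etc/pf.conf` before loading. Once loaded, a connection from the notebook should produce two entries in `pfctl -s states` (one for the inbound pass on em0, one for the translated outbound pass on em1), and `tcpdump -ni em1 host 192.168.2.232` should show the SYN leaving with the alias as its source. The alias must actually be configured on em1 (`ifconfig em1 alias 192.168.2.232 netmask 255.255.255.255`), since the web server replies to it directly rather than via the firewall's 192.168.2.216 address.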