Hi Hwei Woo,

I tried using em1 and it doesn't work.
I have tried to create ping test rules, pinging from em0 --> em1 and em1 --> em0, both without NAT, and it works perfectly. When I implement simple NAT, it doesn't work.


Regards,
Stefan


________________________________
From: Han Hwei Woo <h...@pce-net.com>
To: misc@openbsd.org
Cc: Stefan N <stefanbsd...@yahoo.com>
Sent: Tue, May 17, 2011 3:34:32 AM
Subject: Re: Source NAT using PF on OpenBSD 4.9

On 5/16/2011 3:29 AM, Stefan N wrote:
> Hi All,
>
> I have done some testing using PF on OpenBSD 4.9.
> There are 2 tests:
> 1. without NAT (successful)
> 2. With source NAT (not successful)
>
> The diagram is
>
> notebook----------em0[OpenBSD 4.9 PF]em1---------webserver(TCP/443)
> em0 is 192.168.1.216/24
> notebook is 192.168.1.21/24
> em1 is 192.168.2.216/24
> webserver is 192.168.2.80/24
> IP alias for NAT on em1 is 192.168.2.232/32
> ip forwarding on sysctl =1
>
> Notebook's gateway is firewall internal IP: 192.168.1.216
> Firewall's gateway is webserver :192.168.2.80
> Webserver's gateway is firewall external IP: 192.168.2.216
>
> I have tried to do source NAT testing to allow traffic from notebook to
> webserver so that the webserver knows that the incoming traffic is coming from
> 192.168.2.232(NAT IP) instead of 192.168.1.21.
> 192.168.1.21-->192.168.2.232-->192.168.2.80
>
> Unfortunately it hasn't worked at all. I have tried to monitor the traffic using
> tcpdump on em1 (external int) but no packets pass through em1 at all.
>
> Below is the rule of the scenario above using NAT:
>
> # Tables: (1)
> table <tbl.r0.d> { 192.168.1.216, 192.168.2.216, 192.168.2.232, 192.168.3.216 }
>
>
> # Rule  0 (NAT) (192.168.2.232 is NAT IP for notebook/192.168.1.21)
> match out on em0 proto { tcp udp icmp } from 192.168.1.21 to 192.168.2.80 nat-to 192.168.2.232
>
>
> # Rule  backup ssh access rule
> pass in quick inet proto tcp from 192.168.1.21 to <tbl.r0.d> port 22
> #
> # Rule  0 (em0) notebook access webserver
> pass out log quick on em0 inet proto tcp from 192.168.1.21 to 192.168.2.80 port 443 keep state ( max 10000, max-src-conn 10 )
>
> #
> # Rule  1
> block log quick inet from any to any no state
> #    block all
> block quick inet from any to any no state
>
> What else is missing or isn't configured correctly? There was no error when I
> reloaded the rules using pfctl -f /etc/pf.conf
>
> Thanks
>
> Regards,
> Stefan
>

Based on your diagram, your outbound traffic and nat rule should be on 
em1 instead of em0. Outbound traffic on em0 would be traffic from the 
webserver going to the notebook.


Han
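An added pf.conf example illustrating Han's point, written for this thread's topology and not taken from either poster's configuration. It assumes the addresses and interface names given in the diagram (notebook 192.168.1.21 behind em0, webserver 192.168.2.80 behind em1, NAT alias 192.168.2.232 configured on em1) and the OpenBSD 4.7+ match/nat-to syntax. The posted rule is kept, commented out, beside the rule placed on the outbound interface, so the difference is visible in one place.

```pf
# Added example (not from the thread). Addresses and interfaces assumed from
# the diagram in Stefan's mail.
ext_if    = "em1"
int_if    = "em0"
notebook  = "192.168.1.21"
webserver = "192.168.2.80"
nat_ip    = "192.168.2.232"

set skip on lo

# Default deny. Logging makes every drop visible on pflog0, which is the
# quickest way to see which rule is eating the packets.
block log all

# Keep management access to the firewall itself from the notebook.
pass in on $int_if inet proto tcp from $notebook to $int_if port 22

# As posted: translation attached to em0. The notebook's packets arrive
# "in on em0" and leave "out on em1", so nothing ever matches "out on em0"
# and no translation happens.
# match out on $int_if proto { tcp udp icmp } from $notebook to $webserver nat-to $nat_ip

# Source NAT belongs on the interface the packet leaves through.
match out on $ext_if inet proto { tcp udp icmp } from $notebook to $webserver nat-to $nat_ip

# Admit the HTTPS traffic on the inside interface; the addresses here are
# the original ones, since translation only applies on the way out of em1.
pass in on $int_if inet proto tcp from $notebook to $webserver port 443

# Let it out on em1. No "from" address is given, so the rule matches whether
# or not the source has already been rewritten when it is evaluated.
pass out on $ext_if inet proto tcp to $webserver port 443
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with the `pfctl -f /etc/pf.conf` used in the thread. With the ruleset active, `tcpdump -n -e -ttt -i pflog0` shows any packet the `block log` rule drops together with the interface and direction it was dropped on, and `pfctl -ss` lists the state entries, where a working translation appears as the notebook's address mapped to 192.168.2.232 on em1. The alias 192.168.2.232 still has to be present on em1 for replies from the webserver to reach the firewall.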
