Okay. If you're going to give internet users access to a system inside your
LAN/DMZ (e.g. a webserver), you will need to do NAT. If you want a server that
is configured with a private IP address to be reachable by internet users, you
will need NAT.

The way you do NAT might depend on your network infrastructure setup and how
you design and plan the traffic flow. IP aliasing is associating more than one
IP address with a network interface. With this, one node on a network can have
multiple connections to a network, each serving a different purpose. Now I
will explain with an example so that you can visualize it better:

I have a web server with IP address 192.168.1.100.
My firewall has 2 NICs, one internal (192.168.1.1) and one external using a
public IP (50.50.50.59).
I would like to allow users from the internet to access my webserver. Since I
configured the webserver using a private IP, internet users can not access my
webserver directly; that is why NAT is needed.
For this example I have 2 scenarios doing NAT.

1. If I have a limited number of public IP addresses assigned to me by my ISP:
any http traffic from the internet accessing the firewall's external IP
address will be redirected to my webserver.

internet user port 80 ---> FW ext IP address --> Web server

In this case I don't need to use an additional IP address as an alias, because
internet users will access my website via http://50.50.50.59 and the traffic
will be redirected to the webserver which is located inside the LAN
(192.168.1.100).

2. If I have a spare public IP address, this is where an IP alias can play a
role.
I have another public IP (let's say 50.50.50.58) and I would like to assign it
to the webserver. The webserver is still located inside my LAN with IP
192.168.1.100, but I want to assign the IP 50.50.50.58 only for application
server services, because I don't want to mix it up with the firewall service.
So the same concept applies here: any http traffic from the internet accessing
IP 50.50.50.58 will be redirected to my webserver.

internet user port 80 ---> 50.50.50.58 --> Web server

As 50.50.50.58 and 50.50.50.59 are within the same subnet (and also assigned
to my business by the ISP), I need to assign it on the external firewall
interface. If I didn't assign it on the external firewall interface, the
incoming http traffic would not be able to pass through, because neither the
router nor the firewall would know how and where to redirect the incoming
packet, and neither the router nor the firewall would take ownership of
50.50.50.58, although 50.50.50.58 is assigned to my business by the ISP. By
assigning 50.50.50.58 on the external firewall interface as an IP alias, the
firewall will know how and where to redirect the incoming traffic. When http
traffic to 50.50.50.58 comes in, the firewall will take ownership, check the
routing table, and then the PF engine will check the rule list to see whether
the incoming traffic to the webserver is allowed or not. Once a rule is
matched, the packet will be redirected to the destination. You can do the same
by creating a rule for an email server etc.:

internet user port 25 ---> 50.50.50.58 --> my email server

The same IP alias concept also applies if you want to implement many-to-one
NAT, for example to allow your LAN users to access the internet. You can use
an IP alias or use the firewall's external interface IP as the NAT IP. It all
depends on how your infrastructure is configured and planned.

Which scenario is your setup? If you're using the 1st scenario, you don't need
to use an IP alias, because the external IP address of the firewall which is
accessed by the public users for http traffic belongs to the firewall. If you
use the 2nd scenario, you will need an IP alias configured on the external
firewall interface. Please also check the routing table in the router and the
default gateway on your destination node.

I hope it helps.

Regards,
Stefan
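As an added example that is not part of the thread, here are the two scenarios above written in OpenBSD PF's post-4.7 syntax (match/pass with rdr-to and nat-to) together with the matching hostname.if alias; the interface names vic2 (external) and vic3 (LAN) and the mail server address 192.168.1.101 are assumptions, the public and web server addresses are the ones from the thread.

```pf
# --- /etc/hostname.vic2 ---  external NIC (name vic2 assumed from the thread)
# The firewall's own public address, plus the spare public IP as an alias so the
# firewall takes ownership of 50.50.50.58 and can redirect what arrives on it.
inet 50.50.50.59 255.255.255.0 NONE
inet alias 50.50.50.58 255.255.255.255 NONE

# --- /etc/pf.conf ---  OpenBSD 4.7+ syntax (match/pass with rdr-to and nat-to)
ext_if   = "vic2"              # external interface (assumed name)
int_if   = "vic3"              # LAN interface (assumed name)
fw_ext   = "50.50.50.59"       # firewall's own public IP (scenario 1)
web_pub  = "50.50.50.58"       # alias IP reserved for published services (scenario 2)
web_srv  = "192.168.1.100"     # web server inside the LAN
mail_srv = "192.168.1.101"     # constructed address for the email server example

set skip on lo
match in all scrub (no-df)

# Many-to-one NAT for LAN clients going out. The explicit $fw_ext is the "use the
# firewall ext IP as NAT IP" choice; ($ext_if) would be ambiguous once it has two IPs.
match out on $ext_if inet from $int_if:network to any nat-to $fw_ext

# Default deny, logged, so only the services published below are reachable.
block log all
antispoof quick for { lo $int_if }

# Scenario 1: HTTP to the firewall's own public IP is redirected to the web server.
pass in on $ext_if inet proto tcp from any to $fw_ext  port 80 rdr-to $web_srv

# Scenario 2: services published on the alias IP, one rule per service.
pass in on $ext_if inet proto tcp from any to $web_pub port 80 rdr-to $web_srv
pass in on $ext_if inet proto tcp from any to $web_pub port 25 rdr-to $mail_srv

# LAN clients come in on $int_if and leave on $ext_if with the translated source;
# the pass-out rules also cover traffic originated by the firewall itself.
pass in  on $int_if inet from $int_if:network to any
pass out on $ext_if
pass out on $int_if

# The state created by a pass-in rdr-to rule also covers the redirected packet
# leaving on $int_if; the servers must use 192.168.1.1 as their default gateway.
# Check and load:  pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
# Apply the alias:  sh /etc/netstart vic2   (verify with: ifconfig vic2)
```

Forwarding (net.inet.ip.forwarding=1, as Mark points out further down the thread) still has to be enabled for either scenario to work.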
________________________________
From: Stefan Midjich <sweh...@gmail.com>
To: Stefan N <stefanbsd...@yahoo.com>
Cc: "misc@openbsd.org" <misc@openbsd.org>
Sent: Tuesday, October 11, 2011 1:25 PM
Subject: Re: Help setting up a PF NAT gateway

No, I was not aware of this. Could you please explain the meaning of an alias
address on the external interface for NAT?

There is no mention of using an alias for NAT in this document, for example
http://www.openbsd.org/faq/pf/nat.html

Just to be clear, I already have an external and internal physical interface
to work with, so I am unclear as to why I need an alias.

2011/10/11 Stefan N <stefanbsd...@yahoo.com>:
> Hi Stefan,
> As you mentioned, IP forwarding is already enabled on your system.
> Have you configured the IP alias on the network interface for the NAT
> purpose?
> If the NAT is done on the external interface then you'll need to add the IP
> alias in /etc/hostname.vic2
> Please read the guide from the OpenBSD URL below:
> http://www.openbsd.org/cgi-bin/man.cgi?query=hostname.if&apropos=0&sektion=0&manpath=OpenBSD+4.9&arch=i386&format=html
> Sample of hostname.if config with IP alias:
>
>      A typical file contains only one line, but more extensive files are
>      possible, for example:
>
>            inet 10.0.1.12 255.255.255.0 10.0.1.255 media 100baseTX description Uplink
>            inet alias 10.0.1.13 255.255.255.255 10.0.1.13
>            inet alias 10.0.1.14 255.255.255.255 NONE
>            inet alias 10.0.1.15 255.255.255.255
>            inet alias 10.0.1.16 0xffffffff
>            # This is an example comment line.
>            inet6 alias fec0::1 64
>            inet6 alias fec0::2 64 anycast
>            !route add 65.65.65.65 10.0.1.13
>            up
>
> I hope it helps.
> Regards,
> Stefan
>
> ________________________________
> From: Stefan Midjich <sweh...@gmail.com>
> To: Mark (obsd) <openbsd-l...@nerdish.us>
> Cc: misc@openbsd.org
> Sent: Tuesday, October 11, 2011 2:06 AM
> Subject: Re: Help setting up a PF NAT gateway
>
> Yes, forwarding is enabled. I have followed the Book of PF 2nd Edition so
> far.
>
> 2011/10/10 Mark (obsd) <openbsd-l...@nerdish.us>:
>> Hi Stefan,
>>
>> On Mon, Oct 10, 2011 at 10:38 AM, Stefan Midjich <sweh...@gmail.com>
>> wrote:
>>>
>>> Simplest of things but I'm failing miserably.
>>>
>>> ...
>>>
>>> With tcpdump I can see packets going to vic3, but no further.
>>>
>>
>> Do you definitely have forwarding enabled?
>> # sysctl net.inet.ip.forwarding
>> net.inet.ip.forwarding=1
>> If that were 0 instead of 1, you'd get your symptoms.  Edit /etc/sysctl.conf
>> to enable forwarding if you haven't.
>> Regards,
>> Mark
>
> --
> Med vänliga hälsningar / With kind regards
>
> Stefan Midjich



-- 
Med vänliga hälsningar / With kind regards

Stefan Midjich
