Scenario:
DSL -> DSL "modem" -> OpenBSD Firewall -> LAN
Firewall has three legs:
bge0 - External Interface, 206.124.14.98
bge1 - Internal Interface, 192.168.0.1
sk0 - Management Interface, 192.168.0.36
Desired goal:
Perform multiple static NAT translations along with a fairly
standard rule set, using bge1 as the default gateway for the LAN and
bge0 as the public interface.
Current functionality:
Overload NAT to a single IP through the DSL modem, using the OpenBSD
firewall in bridge mode.
Problem:
When I reconfigure the OpenBSD firewall to take it out of bridge
mode and run in full NAT mode, it mucks with the IPs assigned to
the two inside interfaces, which causes packets to go nowhere.
Relevant (hopefully) data:
Current bridge mode pf.conf:
ext_if = "bge0"
int_if = "bge1"
set skip on lo0
0_ns = "192.168.0.17"
1_ns = "192.168.0.19"
megarea = "192.168.0.32"
clotho = "192.168.0.33"
pheme = "192.168.0.35"
heimdall = "192.168.0.36"
0_mx = "192.168.0.34"
dns = "{" $0_ns $1_ns "}"
external = "{ 192.168.0.1, 192.168.0.5 }"
internal = "{ 192.168.0.32, 192.168.0.34 }"
table <eq2_tcp> { 64.37.156.7, 64.37.129.41, 199.108.194.76,
199.108.194.75, 64.37.129.42 }
table <eq2_udp> { 64.37.148.142, 64.37.148.144, 64.37.158.0/24,
199.108.2.0/24, 199.108.12.0/24, 199.108.202.0/24, 199.108.203.0/24,
195.33.135.0/24 }
table <eq2_icmp> { 64.37.158.0/24, 199.108.2.0/24, 199.108.12.0/24,
199.108.202.0/24, 199.108.203.0/24, 195.33.135.0/24 }
scrub in on $int_if all no-df random-id
scrub in on $ext_if all no-df fragment reassemble
scrub on $ext_if reassemble tcp
rdr on $ext_if proto tcp from any to $0_mx port 109 -> $0_mx port 25
pass in quick on $int_if all
pass out quick on $int_if all
block in log (all) on $ext_if all
pass out quick \
on $ext_if \
proto tcp \
from $clotho \
to <eq2_tcp> \
modulate state
pass out quick \
on $ext_if \
proto udp \
from $clotho \
to <eq2_udp>
pass out quick \
on $ext_if \
inet proto icmp \
from $clotho \
to <eq2_icmp>
pass out \
on $ext_if \
inet proto icmp \
all \
keep state
pass out \
on $ext_if \
proto tcp \
all \
modulate state
pass out \
on $ext_if \
proto udp \
all \
keep state
pass in quick \
on $ext_if \
proto tcp \
from <eq2_tcp> \
to $clotho \
modulate state
pass in quick \
on $ext_if \
proto udp \
from <eq2_udp> \
to $clotho
pass in quick \
on $ext_if \
inet proto icmp \
from <eq2_icmp> \
to $clotho
pass in \
on $ext_if \
proto tcp \
from any \
to $pheme \
port { https } \
modulate state
pass in \
on $ext_if \
proto tcp \
from any \
to $0_mx \
port { smtp, imap, imaps } \
modulate state
pass in log (all) \
on $ext_if \
proto tcp \
from any \
to $dns \
port { 53 } \
modulate state
pass in \
on $ext_if \
proto udp \
from any \
to $dns \
port { 53 } \
keep state
pass in \
on $ext_if \
proto tcp \
from $external \
to $internal \
port { 68, 69, 123, 514 } \
modulate state
pass in \
on $ext_if \
proto udp \
from $external \
to $internal \
port { 68, 69, 123, 514 } \
keep state
pass in \
on $ext_if \
proto tcp \
from $external \
to { 192.168.0.16, 192.168.0.18 } \
port { 53 } \
modulate state
pass in \
on $ext_if \
proto udp \
from $external \
to { 192.168.0.16, 192.168.0.18 } \
port { 53 } \
keep state
pass in \
on $ext_if \
proto 24 \
from $external \
to $internal
pass in \
on $ext_if \
proto tcp \
from $external \
to { 192.168.0.36 } \
port { 123 } \
modulate state
pass in \
on $ext_if \
proto udp \
from $external \
to { 192.168.0.36 } \
port { 123 } \
keep state
pass in log (all) \
on $ext_if \
proto tcp \
from { 205.156.51.200 } \
port { ftp-data } \
to any \
modulate state
pass in log (all) \
on $ext_if \
proto tcp \
from any \
to any \
port { ftp-data, ftp, ssh } \
modulate state
Current hostname/bridgename files:
# cat /etc/hostname.bge0
up
# cat /etc/hostname.bge1
up
# cat /etc/hostname.sk0
dhcp NONE NONE NONE description "Internal Firewall"
# cat /etc/bridgename.bridge0
add bge0 add bge1 up
# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
groups: lo
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
bge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:e0:ed:07:eb:ec
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::2e0:edff:fe07:ebec%bge0 prefixlen 64 scopeid 0x1
bge1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:e0:ed:07:eb:ed
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::2e0:edff:fe07:ebed%bge1 prefixlen 64 scopeid 0x2
sk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5a:9c:df:86
description: Internal Firewall
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::200:5aff:fe9c:df86%sk0 prefixlen 64 scopeid 0x3
inet 192.168.0.36 netmask 0xffffffc0 broadcast 192.168.0.63
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 1460
enc0: flags=0<> mtu 1536
bridge0: flags=41<UP,RUNNING> mtu 1500
groups: bridge
When attempting to move to NAT, the files are:
pf.conf:
ext_if = "bge0"
int_if = "bge1"
set skip on lo0
i_hermes = "192.168.0.5"
i_0_ns = "192.168.0.17"
i_1_ns = "192.168.0.19"
i_megarea = "192.168.0.32"
i_clotho = "192.168.0.33"
i_0_mx = "192.168.0.34"
i_pheme = "192.168.0.35"
i_heimdall = "192.168.0.36"
e_heimdall = "206.124.14.98"
e_hermes = "206.124.14.99"
e_pheme = "206.124.14.105"
e_0_ns = "206.124.14.106"
e_megarea = "206.124.14.107"
e_clotho = "206.124.14.108"
e_0_mx = "206.124.14.109"
e_1_ns = "206.124.14.110"
i_dns = "{" $i_0_ns $i_1_ns "}"
e_dns = "{" $e_0_ns $e_1_ns "}"
external = "{ 206.124.14.97 }"
internal = "{ 192.168.0.32, 192.168.0.34 }"
voipports = "{ 5060, 5061, 16384:32767 }"
table <eq2_tcp> { 64.37.156.7, 64.37.129.41, 199.108.194.76,
199.108.194.75, 64.37.129.42 }
table <eq2_udp> { 64.37.148.142, 64.37.148.144, 64.37.158.0/24,
199.108.2.0/24, 199.108.12.0/24, 199.108.202.0/24, 199.108.203.0/24,
195.33.135.0/24 }
table <eq2_icmp> { 64.37.158.0/24, 199.108.2.0/24, 199.108.12.0/24,
199.108.202.0/24, 199.108.203.0/24, 195.33.135.0/24 }
table <bogon> { 0.0.0.0/7, 2.0.0.0/8, 5.0.0.0/8, 7.0.0.0/8,
10.0.0.0/8, 23.0.0.0/8, 27.0.0.0/8, 31.0.0.0/8, 36.0.0.0/7,
39.0.0.0/8, 42.0.0.0/8, 49.0.0.0/8, 50.0.0.0/8, 92.0.0.0/6,
100.0.0.0/6, 104.0.0.0/5, 112.0.0.0/5, 120.0.0.0/8, 127.0.0.0/8,
169.254.0.0/16, 172.16.0.0/12, 173.0.0.0/8, 174.0.0.0/7,
176.0.0.0/5, 184.0.0.0/6, 192.0.2.0/24, 192.168.0.0/16, 197.0.0.0/8,
198.18.0.0/15, 223.0.0.0/8, 224.0.0.0/3 }
scrub in on $int_if all no-df random-id
scrub in on $ext_if all no-df fragment reassemble
scrub on $ext_if reassemble tcp
altq on $ext_if priq bandwidth 350Kb queue { std, voip, tcpack }
queue std priq(red default)
queue voip priority 10 priq(red)
queue tcpack priority 15 priq(red)
no nat on $ext_if from 192.168.0.16 to $external
no nat on $ext_if from 192.168.0.18 to $external
binat on $ext_if from $i_hermes to any -> $e_hermes
binat on $ext_if from $i_0_ns to any -> $e_0_ns
binat on $ext_if from $i_1_ns to any -> $e_1_ns
binat on $ext_if from $i_megarea to any -> $e_megarea
binat on $ext_if from $i_clotho to any -> $e_clotho
binat on $ext_if from $i_0_mx to any -> $e_0_mx
binat on $ext_if from $i_pheme to any -> $e_pheme
binat on $ext_if from $i_heimdall to any -> $e_heimdall
nat on $ext_if from 192.168.0.0/16 to any -> 206.124.14.100
rdr on $ext_if proto tcp from any to $e_0_mx port 109 -> $e_0_mx port 25
# block log (all) all
block drop in quick on $ext_if from <bogon> to any
block drop out quick on $ext_if from any to <bogon>
pass in quick \
on $int_if \
proto udp \
from $i_hermes \
to any \
port $voipports \
tag QVOICE_OUT \
keep state
pass in quick \
on $int_if \
proto tcp \
from $i_hermes \
to any \
port { 5060, 5061 } \
tag QVOICE_OUT \
keep state
pass in \
on $int_if \
from { 192.168.0.0/16 } \
to any \
modulate state
pass out \
on $ext_if \
tagged QVOICE_OUT \
keep state \
queue(voip, tcpack)
pass out quick \
on $ext_if \
proto tcp \
from $i_clotho \
to <eq2_tcp> \
modulate state
pass out quick \
on $ext_if \
proto udp \
from $i_clotho \
to <eq2_udp>
pass out quick \
on $ext_if \
inet proto icmp \
from $i_clotho \
to <eq2_icmp>
pass out \
on $ext_if \
inet proto icmp \
all \
keep state
pass out \
on $ext_if \
proto tcp \
all \
modulate state
pass out \
on $ext_if \
proto udp \
all \
keep state
pass in quick \
on $ext_if \
proto tcp \
from <eq2_tcp> \
to $e_clotho \
modulate state
pass in quick \
on $ext_if \
proto udp \
from <eq2_udp> \
to $e_clotho
pass in quick \
on $ext_if \
inet proto icmp \
from <eq2_icmp> \
to $e_clotho
pass in \
on $ext_if \
proto tcp \
from any \
to $e_pheme \
port { https } \
modulate state
pass in \
on $ext_if \
proto tcp \
from any \
to $e_0_mx \
port { smtp, imap, imaps } \
modulate state
pass in log (all) \
on $ext_if \
proto tcp \
from any \
to $e_dns \
port { 53 } \
modulate state
pass in \
on $ext_if \
proto udp \
from any \
to $e_dns \
port { 53 } \
keep state
pass in \
on $ext_if \
proto tcp \
from $external \
to $internal \
port { 68, 69, 123, 514 } \
modulate state
pass in \
on $ext_if \
proto udp \
from $external \
to $internal \
port { 68, 69, 123, 514 } \
keep state
pass in \
on $ext_if \
proto tcp \
from $external \
to { 192.168.0.16, 192.168.0.18 } \
port { 53 } \
modulate state
pass in \
on $ext_if \
proto udp \
from $external \
to { 192.168.0.16, 192.168.0.18 } \
port { 53 } \
keep state
pass in \
on $ext_if \
proto tcp \
from $external \
to { 192.168.0.36 } \
port { 123 } \
modulate state
pass in \
on $ext_if \
proto udp \
from $external \
to { 192.168.0.36 } \
port { 123 } \
keep state
pass in log (all) \
on $ext_if \
proto tcp \
from { 205.156.51.200 } \
port { ftp-data } \
to any \
modulate state
pass in log (all) \
on $ext_if \
proto tcp \
from any \
to any \
port { ftp-data, ftp, ssh } \
modulate state
hostname files:
# cat /etc/hostname.bge0
inet 206.124.14.98 255.255.255.240 NONE
# cat /etc/hostname.bge1
inet 192.168.0.1 255.255.0.0 NONE
# cat /etc/hostname.sk0
dhcp NONE NONE NONE description "Internal Firewall Mgt"
# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
groups: lo
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:e0:ed:07:eb:ec
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 206.124.14.98 netmask 0xfffffff0 broadcast 206.124.14.111
inet6 fe80::2e0:edff:fe07:ebec%bge0 prefixlen 64 scopeid 0x1
bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:e0:ed:07:eb:ed
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.0.1 netmask 0xffff0000 broadcast 192.168.255.255
inet6 fe80::2e0:edff:fe07:ebed%bge1 prefixlen 64 scopeid 0x2
sk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5a:9c:df:86
description: Internal Firewall
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::200:5aff:fe9c:df86%sk0 prefixlen 64 scopeid 0x3
inet 192.168.0.36 netmask 0xffffffc0 broadcast 192.168.0.63
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 1460
enc0: flags=0<> mtu 1536
Just to make sure, I delete and then re-add the default gateway:
# route delete default 192.168.0.1
delete net default: gateway 192.168.0.1
# route add default 192.168.0.1
add net default: gateway 192.168.0.1
# route -n show -inet
Routing tables
Internet:
Destination        Gateway            Flags  Refs  Use    Mtu    Interface
default            192.168.0.1        UGS    0     0      -      bge1
127/8              127.0.0.1          UGRS   0     0      33224  lo0
127.0.0.1          127.0.0.1          UH     0     0      33224  lo0
192.168.0.0/26     link#3             UC     0     0      -      sk0
192.168/16         link#2             UC     0     0      -      bge1
192.168.0.1        00:e0:ed:07:eb:ed  UHLc   0     0      -      sk0
192.168.0.32       00:50:8d:52:ae:b4  UHLc   0     5482   -      sk0
192.168.0.33       00:00:d1:7a:1e:63  UHLc   0     69472  -      sk0
192.168.0.34       00:00:d1:6a:f7:bb  UHLc   0     6312   -      sk0
192.168.0.36       127.0.0.1          UGHS   0     40     33224  lo0
192.168.0.97       link#2             UHLc   0     1      -      bge1
206.124.14.96/28   link#1             UC     0     0      -      bge0
206.124.14.97      00:30:da:91:95:8a  UHLc   0     7      -      bge0
224/4              127.0.0.1          URS    0     0      33224  lo0
However, once I run:
pfctl -F rules
pfctl -gf /etc/pf.conf
I get:
# route -n show -inet
Routing tables
Internet:
Destination        Gateway            Flags  Refs  Use    Mtu    Interface
default            192.168.0.1        UGS    0     2159   -      sk0
127/8              127.0.0.1          UGRS   0     0      33224  lo0
127.0.0.1          127.0.0.1          UH     0     0      33224  lo0
192.168.0.0/26     link#3             UC     0     0      -      sk0
192.168/16         link#2             UC     0     0      -      bge1
192.168.0.1        00:e0:ed:07:eb:ed  UHLc   0     0      -      sk0
192.168.0.16       00:00:d1:6a:f7:bb  UHLc   0     13     -      sk0
192.168.0.18       00:50:8d:52:ae:b4  UHLc   0     3      -      sk0
192.168.0.32       00:50:8d:52:ae:b4  UHLc   0     5026   -      sk0
192.168.0.33       00:00:d1:7a:1e:63  UHLc   0     69368  -      sk0
192.168.0.34       00:00:d1:6a:f7:bb  UHLc   0     5600   -      sk0
192.168.0.36       127.0.0.1          UGHS   0     40     33224  lo0
206.124.14.96/28   link#1             UC     0     0      -      bge0
206.124.14.97      00:30:da:91:95:8a  UHLc   0     4      -      bge0
despite the static assignment of the .1 address to bge1 above.
I have to have hosed something up myself, but I can't spot it. Can
anyone help?
Thank you,
--
Ed V.
26 December 2006 21:27:38
IBM: Invented By Maladroits
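An added sanity check, not from the original post or any reply, in POSIX shell: it runs against a constructed copy of the three interface addresses and the default gateway shown above (no OpenBSD commands needed) and flags the two things a defender checks first on a NAT-mode firewall, a default gateway that is one of the box's own addresses, and interfaces whose IPv4 subnets overlap. Here sk0's 192.168.0.0/26 lies inside bge1's 192.168.0.0/16, so the more specific route wins for 192.168.0.1 and the kernel steers it out sk0, which is what the second route table shows.

```shell
#!/bin/sh
# Added example, not from the original post. Works on a constructed copy
# of the addresses the post shows; on a real box the table would be
# built from ifconfig(8) output and the gateway from route(8).

# Constructed table: interface, IPv4 address, prefix length.
IFACES='bge0 206.124.14.98 28
bge1 192.168.0.1 16
sk0 192.168.0.36 26'

# Print the interface that owns address $1; exit 1 if none does.
gateway_is_local() {
    printf '%s\n' "$IFACES" |
        awk -v gw="$1" '$2 == gw { print $1; found = 1 }
                        END { exit found ? 0 : 1 }'
}

# A default gateway must be a neighbour, never one of the box's own
# addresses. Prints a verdict; returns 1 on the bad case.
check_default_gateway() {
    if ifname=$(gateway_is_local "$1"); then
        echo "default gateway $1 is this host's own $ifname address"
        return 1
    fi
    echo "default gateway $1 is off-box"
}

# Print every pair of interfaces whose IPv4 subnets overlap. Two prefixes
# overlap exactly when both addresses fall in the shorter prefix's network.
overlapping_subnets() {
    printf '%s\n' "$IFACES" | awk '
    function ip2int(s,  q) { split(s, q, "[.]")
        return q[1]*16777216 + q[2]*65536 + q[3]*256 + q[4] }
    function netof(a, p) { return int(a / 2^(32-p)) * 2^(32-p) }
    { name[NR] = $1; addr[NR] = ip2int($2); plen[NR] = $3 }
    END {
        for (i = 1; i <= NR; i++)
            for (j = i + 1; j <= NR; j++) {
                p = (plen[i] < plen[j]) ? plen[i] : plen[j]
                if (netof(addr[i], p) == netof(addr[j], p))
                    print name[i], name[j]
            }
    }'
}

# Usage on the post's layout: 192.168.0.1 is bge1's own address, so the
# gateway check fails, and the overlap check reports "bge1 sk0".
check_default_gateway 192.168.0.1 || true
overlapping_subnets
```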