Hi!
I think I stumbled onto a bug related to using rdomain in combination with a
specific set of IP addresses and pf doing nat-to.
I have OpenBSD v. 5.9 installed from .iso, no patches applied and no
special programs installed or running:
# uname
OpenBSD obsd59.auul 5.9 GENERIC#1761 amd64
In my setup OpenBSD acts as a firewall; it has two network interfaces,
one facing the internet and the other the internal network.
vio0 (rdomain 0): 192.168.1.146 and vlan11, internet side
vio1 (rdomain 100): 192.168.1.254 and vlan10, intranet side
In rdomain 0 the gateway is 192.168.1.254.
In rdomain 100 no gateway is set.
The computer behind OpenBSD in rdomain 100 (and vlan10) has IP address
192.168.1.146 and gateway 192.168.1.254.
The OpenBSD ruleset is essentially:
# pfctl -sr
pass in log quick on vio1 inet from 192.168.1.0/24 to any flags S/SA tag FROM_INTRANET rtable 0
pass out log quick on vio0 inet all flags S/SA tagged FROM_INTRANET nat-to 192.168.1.146
pass all flags S/SA
Now, when sending packets from the computer behind this OpenBSD firewall
through it, TCP connections aren't established; for some reason OpenBSD
rejects the incoming SYN-ACK packets:
# tcpdump -ni vio0 port 873
tcpdump: listening on vio0, link-type EN10MB
00:40:34.231363 192.168.1.146.60895 > 10.80.123.154.873: S 233483646:233483646(0) win 29200 <mss 1460,sackOK,timestamp 7512261 0,nop,wscale 6> (DF)
00:40:34.240835 10.80.123.154.873 > 192.168.1.146.60895: S 344980263:344980263(0) ack 233483647 win 28960 <mss 1460,sackOK,timestamp 174805425 7512261,nop,wscale 7> (DF)
00:40:34.240937 192.168.1.146.60895 > 10.80.123.154.873: R 233483647:233483647(0) win 0 (DF)
If I change the address of the computer behind OpenBSD to something different
from the vio0 address, say 192.168.1.144, then packets get through OpenBSD. I
wonder if this is a bug or if I am still doing something wrong.
You may wonder why this kind of ugly setup is useful. It was not designed
from the ground up like this. It is just, so to say, 'OpenBSD to the
rescue' to get one legacy system connected to the internet in a more-or-less
controlled way. In that legacy system the IP config can't be changed, so
OpenBSD is placed between the legacy system and the rest of the
network and is doing this strange mapping.
Best regards,
Imre
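As an added example (not part of Imre's post), this script applies the post's reading of the trace to OpenBSD tcpdump output: it pairs each outgoing SYN with its SYN/ACK and reports whether the originator then ACKed the connection or reset it, which is the symptom shown above. The embedded trace is the post's capture re-joined to one line per packet, plus a constructed successful handshake from 192.168.1.144 for contrast.

```python
import re

# Constructed sample in OpenBSD tcpdump format: the failing handshake from
# the post, then a constructed successful handshake from 192.168.1.144.
TRACE = """\
00:40:34.231363 192.168.1.146.60895 > 10.80.123.154.873: S 233483646:233483646(0) win 29200 <mss 1460,sackOK,timestamp 7512261 0,nop,wscale 6> (DF)
00:40:34.240835 10.80.123.154.873 > 192.168.1.146.60895: S 344980263:344980263(0) ack 233483647 win 28960 <mss 1460,sackOK,timestamp 174805425 7512261,nop,wscale 7> (DF)
00:40:34.240937 192.168.1.146.60895 > 10.80.123.154.873: R 233483647:233483647(0) win 0 (DF)
00:40:35.000001 192.168.1.144.50001 > 10.80.123.154.873: S 1000:1000(0) win 29200 <mss 1460> (DF)
00:40:35.000900 10.80.123.154.873 > 192.168.1.144.50001: S 5000:5000(0) ack 1001 win 28960 <mss 1460> (DF)
00:40:35.001000 192.168.1.144.50001 > 10.80.123.154.873: . ack 5001 win 457 (DF)
"""

# One tcpdump line: "time src.sport > dst.dport: FLAGS [seq:seq(len)] [ack N] ..."
PKT = re.compile(
    r"^\S+ (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[SFRPUWE.]+)"
    r"(?: (?P<seq>\d+):\d+\(\d+\))?(?: ack (?P<ack>\d+))?"
)

def classify_handshakes(trace):
    """Map (client, cport, server, sport) -> 'established',
    'reset-by-originator' (SYN sent, SYN/ACK seen, then RST from the
    SYN sender, as in the post) or 'no-syn-ack'."""
    flows = {}
    for line in trace.splitlines():
        m = PKT.match(line)
        if not m:
            continue
        src, sport, dst, dport = m["src"], int(m["sport"]), m["dst"], int(m["dport"])
        flags, seq, ack = m["flags"], m["seq"], m["ack"]
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if "S" in flags and ack is None:
            # Initial SYN: keep the ISN so the later RST can be matched to it
            flows[fwd] = {"isn": int(seq), "synack": False, "verdict": "no-syn-ack"}
        elif "S" in flags and rev in flows and int(ack) == flows[rev]["isn"] + 1:
            flows[rev]["synack"] = True  # SYN/ACK answering the recorded SYN
        elif fwd in flows and flows[fwd]["synack"]:
            st = flows[fwd]
            if "R" in flags and seq is not None and int(seq) == st["isn"] + 1:
                st["verdict"] = "reset-by-originator"
            elif "." in flags:
                st["verdict"] = "established"
    return {k: v["verdict"] for k, v in flows.items()}

if __name__ == "__main__":
    for (c, cp, s, sp), verdict in classify_handshakes(TRACE).items():
        print(f"{c}:{cp} -> {s}:{sp}: {verdict}")
```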