According to the page http://www.openbsd.org/faq/pf/nat.html, NAT is a way to
map an entire network (or networks) to a single IP address. Ideally,
192.168.0/24 should map to the address of the interface which connects to the
uplink ISP. So I put the following line in /etc/pf.conf:
# cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
set skip on lo
# block return # block stateless traffic
# pass # establish keep-state
# By default, do not permit remote connections to X11
# block return in on ! lo0 proto tcp to port 6000:6010
# The line I put here
pass out on fxp0 inet from 192.168.0.0/24 to any nat-to 10.198.1.150
bge0 is the interface broadcasting dhcp on the LAN:
# ifconfig bge0
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:16:41:3f:56:62
index 1 priority 0 llprio 3
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active
inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
fxp0 is the external interface:
# ifconfig fxp0
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:90:27:86:58:9a
index 2 priority 0 llprio 3
media: Ethernet autoselect (100baseTX full-duplex)
status: active
It uses pppoe0 to connect to the uplink:
# ifconfig pppoe0
pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
index 5 priority 0 llprio 3
dev: fxp0 state: session
sid: 0x7208 PADI retries: 0 PADR retries: 0 time: 00:06:01
sppp: phase network authproto chap authname "701"
groups: pppoe egress
status: active
inet 10.198.1.150 --> 10.198.1.1 netmask 0xffffffff
And my /etc/dhcpd.conf:
# cat /etc/dhcpd.conf
subnet 192.168.0.0 netmask 255.255.255.0 {
option routers 192.168.0.1;
option domain-name-servers 192.168.0.1;
range 192.168.0.4 192.168.0.254;
}
"pfctl -s state" prints nothing to the terminal. Is there something I
need to improve?
Thanks for hitting my head again.
Lujian
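In the outputs above the translation address 10.198.1.150 belongs to pppoe0 (group egress), while the nat-to rule is attached to fxp0, the interface that only carries the PPPoE frames; a check worth scripting is whether each nat-to rule sits on the interface (or the egress group) that actually holds the translation address, and whether net.inet.ip.forwarding is switched on. The Python below is an added example, not code from this thread or from OpenBSD; it works on the ifconfig and pf.conf text quoted above, embedded as constructed input, and assumes a one-line /etc/sysctl.conf.

```python
import re
# Constructed from the outputs quoted above: 10.198.1.150 sits on pppoe0
# (group egress), yet the nat-to rule is attached to fxp0.
IFCONFIG = """\
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
        groups: pppoe egress
        inet 10.198.1.150 --> 10.198.1.1 netmask 0xffffffff
"""
PF_CONF = "pass out on fxp0 inet from 192.168.0.0/24 to any nat-to 10.198.1.150\n"
SYSCTL_CONF = "net.inet.ip.forwarding=1\n"  # assumed /etc/sysctl.conf line

def parse_ifconfig(text):
    """Map each interface name to its inet addresses and group names."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        words = line.split()
        m = re.match(r"^(\w+): flags=", line)
        if m:
            cur = m.group(1)
            ifaces[cur] = {"inet": [], "groups": []}
        elif cur and words[:1] == ["inet"]:
            ifaces[cur]["inet"].append(words[1])
        elif cur and words[:1] == ["groups:"]:
            ifaces[cur]["groups"] = words[1:]
    return ifaces

def check_nat(pf_conf, ifaces):
    """Return the problems found in nat-to rules (an empty list means fine)."""
    problems = []
    for line in pf_conf.splitlines():
        m = re.match(r"^\s*(?:pass|match)\s+out\s+on\s+(\S+)\b.*\bnat-to\s+(\S+)", line)
        if not m:
            continue
        on_if, target = m.groups()
        if target.startswith("(egress"):  # (egress:0) resolves to the egress address at runtime
            holders = [n for n, i in ifaces.items() if "egress" in i["groups"]]
        else:
            holders = [n for n, i in ifaces.items() if target in i["inet"]]
        if not holders:
            problems.append(f"nat-to {target} matches no configured interface")
        elif on_if not in holders and not any(on_if in ifaces[h]["groups"] for h in holders):
            problems.append(f"rule is on {on_if}, but {target} belongs to {holders[0]}; "
                            "packets leave via that interface, so the rule never matches")
    return problems

def forwarding_enabled(sysctl_conf):
    # Without forwarding the box never relays LAN packets, whatever PF says.
    return re.search(r"^\s*net\.inet\.ip\.forwarding\s*=\s*1\s*$", sysctl_conf, re.M) is not None
```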
________________________________
From: Alexander Hall <[email protected]>
Sent: June 21, 2017 19:19
To: [email protected]; Josh Grosse; lu jian
Subject: Re: Openbsd6.1 as firewall can access the internet but the LAN behind it
cannot
On June 21, 2017 6:01:10 PM GMT+02:00, Josh Grosse <[email protected]> wrote:
>On 2017-06-21 11:36, lu jian wrote:
>> Hi
>>
>> I have an i386 machine with two network interfaces, one of which
>> connects to the uplink ISP via pppoe, the other connects to the WAN
>> port of a wireless router to which all LAN machines and cell phones
>> connect (via wifi).
>>
>> The problem is that this i386 machine (which I intend as a firewall)
>> can access the internet, but all LAN machines cannot.
>>
>> Hint: my wireless router can obtain a dhcp address from the i386
>> machine.
>>
>> These two network interfaces on the i386 are bge0 and fxp0.
>>
>> 1) Configuration for fxp0:
>> # cat /etc/hostname.fxp0
>> up
>> # cat /etc/hostname.pppoe0
>> inet 0.0.0.0 255.255.255.255 NONE \
>> pppoedev fxp0 authproto chap \
>> authname 'account' authkey '123' up
>> dest 0.0.0.1
>>
>> !/sbin/route add default -if pppoe0 0.0.0.1
>>
>> 2) Configuration for bge0:
>> # cat /etc/hostname.bge0
>> inet 192.168.0.1 255.255.255.0 192.168.0.255
>
>This is a subnet within RFC 1918 - a private network, not
>directly routable on the Internet.
>
>You must add Network Address Translation (NAT) to your PF configuration
>in order to access the Internet from that subnet.
>
>See the NAT section of the PF User's Guide.
>
>http://www.openbsd.org/faq/pf/nat.html
That, and we didn't see the dhcpd.conf.
/Alexander