http://www.openbsd.org/faq/pf/example1.html

Follow the above link's guidance and you should have no problem.

Sent from BlueMail

On Jun 22, 2017, 4:56 AM, at 4:56 AM, lu jian <[email protected]> wrote:
>
>According to the page http://www.openbsd.org/faq/pf/nat.html, NAT is a
>way to map an entire network (or networks) to a single IP address.
>Ideally, 192.168.0/24 should map to the address of the interface which
>connects to the uplink ISP. So I put the following line in
>/etc/pf.conf:
>
># cat /etc/pf.conf
># $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
>#
># See pf.conf(5) and /etc/examples/pf.conf
>
>set skip on lo
>
># block return	# block stateless traffic
># pass		# establish keep-state
>
># By default, do not permit remote connections to X11
># block return in on ! lo0 proto tcp to port 6000:6010
>
># The line I put here
>pass out on fxp0 inet from 192.168.0.0/24 to any nat-to 10.198.1.150
>
>
>bge0 is the interface broadcasting dhcp on the LAN:
># ifconfig bge0
>bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>        lladdr 00:16:41:3f:56:62
>        index 1 priority 0 llprio 3
>        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
>        status: active
>        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
>
>fxp0 is the external interface:
># ifconfig fxp0
>fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>        lladdr 00:90:27:86:58:9a
>        index 2 priority 0 llprio 3
>        media: Ethernet autoselect (100baseTX full-duplex)
>        status: active
>
>It uses pppoe0 to connect to the uplink:
># ifconfig pppoe0
>pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
>        index 5 priority 0 llprio 3
>        dev: fxp0 state: session
>        sid: 0x7208 PADI retries: 0 PADR retries: 0 time: 00:06:01
>        sppp: phase network authproto chap authname "701"
>        groups: pppoe egress
>        status: active
>        inet 10.198.1.150 --> 10.198.1.1 netmask 0xffffffff
>
>And my /etc/dhcpd.conf:
>
># cat /etc/dhcpd.conf
>subnet 192.168.0.0 netmask 255.255.255.0 {
>        option routers 192.168.0.1;
>        option domain-name-servers 192.168.0.1;
>        range 192.168.0.4 192.168.0.254;
>
>}
>
>"pfctl -s state" yields no output on the terminal. Is there
>something I need to improve?
>
>
>Thanks for hitting my head again.
>Lujian
>
>
>
>________________________________
>From: Alexander Hall <[email protected]>
>Sent: June 21, 2017 19:19
>To: [email protected]; Josh Grosse; lu jian
>Subject: Re: Openbsd6.1 as firewall can access the internet but the LAN
>behind it cannot
>
>
>
>On June 21, 2017 6:01:10 PM GMT+02:00, Josh Grosse <[email protected]>
>wrote:
>>On 2017-06-21 11:36, lu jian wrote:
>>> Hi
>>>
>>> I have an i386 machine with two network interfaces, one of which
>>> connects to the uplink ISP via pppoe, the other connects to the WAN
>>> port of a wireless router to which all LAN machines and cell phones
>>> connect (via wifi).
>>>
>>> The problem is that this i386 machine (which I intend as a firewall)
>>> can access the internet, but all LAN machines cannot.
>>>
>>> Hint: my wireless router can obtain a dhcp address from the i386
>>> machine.
>>>
>>> These two network interfaces on the i386 are bge0 and fxp0.
>>>
>>> 1) Configuration for fxp0:
>>> # cat /etc/hostname.fxp0
>>> up
>>> # cat /etc/hostname.pppoe0
>>> inet 0.0.0.0 255.255.255.255 NONE \
>>>         pppoedev fxp0 authproto chap \
>>>         authname 'account' authkey '123' up
>>> dest 0.0.0.1
>>>
>>> !/sbin/route add default -if pppoe0 0.0.0.1
>>>
>>> 2) Configuration for bge0:
>>> # cat /etc/hostname.bge0
>>> inet 192.168.0.1 255.255.255.0 192.168.0.255
>>
>>This is a subnet within RFC 1918 - a private network, not
>>directly routeable on the Internet.
>>
>>You must add Network Address Translation (NAT) to your PF configuration
>>in order to access the Internet from that subnet.
>>
>>See the NAT section of the PF User's Guide.
>>
>>http://www.openbsd.org/faq/pf/nat.html
>
>That, and we didn't see the dhcpd.conf.
>
>/Alexander
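An added check, not part of the thread or of OpenBSD, that catches why the quoted pf.conf produces no state: the `nat-to` rule is bound to fxp0, but the ifconfig output shows that IP traffic leaves via pppoe0 (the member of the `egress` group), and the rule hard-codes a PPPoE address that can change on reconnect. The interface table and both pf.conf snippets are constructed from the thread's output; the corrected rule uses pf's `egress` group and the dynamic `(egress)` address.

```python
"""Lint pf.conf nat-to rules against the interface that really carries egress traffic."""
import re

# Interface groups, constructed from the ifconfig output quoted in the thread:
# only pppoe0 is in the 'egress' group; fxp0 merely carries the PPPoE frames.
IFACE_GROUPS = {
    "bge0": set(),
    "fxp0": set(),
    "pppoe0": {"pppoe", "egress"},
}

# The rule as posted in the thread: NAT only on fxp0, with a hard-coded address.
PF_CONF_POSTED = """\
set skip on lo
pass out on fxp0 inet from 192.168.0.0/24 to any nat-to 10.198.1.150
"""

# Corrected form: translate where the packets actually leave (the egress group)
# and take the address from that interface, so a PPPoE renegotiation is followed.
PF_CONF_FIXED = """\
set skip on lo
match out on egress inet from 192.168.0.0/24 to any nat-to (egress)
pass
"""

NAT_RULE = re.compile(r"^(?:match|pass)\s+out\s+on\s+(\S+)\s.*\bnat-to\s+(\S+)")


def check_nat_rules(conf, groups=IFACE_GROUPS):
    """Return [(lineno, iface, [reasons])] for every nat-to rule that looks wrong."""
    egress = {name for name, g in groups.items() if "egress" in g}
    findings = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        m = NAT_RULE.match(line)
        if not m:
            continue
        iface, target = m.groups()
        reasons = []
        if iface != "egress" and iface not in groups:
            reasons.append("unknown interface")
        elif iface != "egress" and iface not in egress:
            reasons.append(f"nat-to on {iface}, but egress traffic leaves via {sorted(egress)}")
        if not target.startswith("("):
            reasons.append("hard-coded nat-to address; use (egress) on a dynamic link")
        if reasons:
            findings.append((lineno, iface, reasons))
    return findings
```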

