Hi,
I have a Router/Gateway with:
dc1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:80:c8:c9:88:95
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::280:c8ff:fec9:8895%dc1 prefixlen 64 scopeid 0x2
inet 192.168.110.254 netmask 0xffffff00 broadcast 192.168.110.255
inet 172.22.125.243 netmask 0xffff0000 broadcast 255.255.255.240
dc3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:80:c8:c9:88:97
media: Ethernet autoselect (10baseT)
status: active
inet6 fe80::280:c8ff:fec9:8897%dc3 prefixlen 64 scopeid 0x4
inet 192.168.8.1 netmask 0xffffff00 broadcast 192.168.8.255
inet 192.168.7.1 netmask 0xffffff00 broadcast 192.168.7.255
inet 192.168.20.1 netmask 0xffffff00 broadcast 192.168.20.255
inet 192.168.21.1 netmask 0xffffff00 broadcast 192.168.21.255
inet 192.168.22.1 netmask 0xffffff00 broadcast 255.255.255.0
pf.conf contains:
--------------------------------------------------
scrub in all fragment reassemble
nat on dc3 from 192.168.110.248/32 to 192.168.22.0/24 -> 192.168.22.1
# Filtering: the implicit first two rules are
pass in all
pass out all
# pass out all keep state
block in on dc3 from any to any
pass in on dc3 from 192.168.22.0/24 to 192.168.22.1
pass in on dc3 from 172.30.64.0/24 to 192.168.22.1
------------------------------------------------
Local lan is 192.168.110.0/24 and the machine 192.168.110.254 ( dc1 ) is
the default gateway.
Now there are two things where I need some suggestions:
1. If I replace the rule "pass out all" by "pass out all keep state",
several connections being routed through this OpenBSD machine fail.
Where is the "error" in thinking that the "keep state" won't do any harm?
2. If I ping a machine 172.30.64.20 ( the route is known by the
gateway ) I can do this from two machines - and a third machine in the
same lan ( and identical routing setup ) fails by getting a "destination
not reachable" from 172.22.125.243 - which is the _alias_ of dc1.
Now I'm wondering why sometimes the alias is used instead of the primary
interface address of dc1
( the alias was brought up with "ifconfig dc1 inet alias 172.22.125.243" ).
Any idea why this could happen?
Kind regards,
Stefan
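An added example, not part of the post above: a small model of how pf decides a packet against the quoted filter rules, to help reason about question 1. It implements two pf behaviours, that an existing state entry is checked before the ruleset and that the last matching rule wins (no "quick" in the posted rules). It ignores scrub and nat, treats addresses only (no protocol/ports), and assumes symmetric routing, i.e. a reply arrives on the same interface the request left on; the LAN host and target addresses are constructed sample values.

```python
import ipaddress

# Constructed model of the filter rules quoted in the post (scrub and nat omitted).
# Fields: action, direction, interface (None = any), src, dst, keep_state
RULES_NO_STATE = [
    ("pass", "in", None, "any", "any", False),
    ("pass", "out", None, "any", "any", False),
    ("block", "in", "dc3", "any", "any", False),
    ("pass", "in", "dc3", "192.168.22.0/24", "192.168.22.1/32", False),
    ("pass", "in", "dc3", "172.30.64.0/24", "192.168.22.1/32", False),
]
# The variant from question 1: "pass out all keep state".
RULES_KEEP_STATE = [r if r[1] != "out" else r[:5] + (True,) for r in RULES_NO_STATE]


def _in_net(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def evaluate(rules, direction, iface, src, dst, states):
    """Return (verdict, reason) for one packet.

    A matching state entry short-circuits the ruleset; otherwise every rule is
    walked and the last one that matches decides (pf's default without 'quick').
    """
    if (iface, src, dst) in states:          # reply direction of a kept state
        return "pass", "state"
    verdict, winner, keep_state = "pass", "implicit default", False
    for i, (action, d, on, s, t, keep) in enumerate(rules):
        if d != direction or (on is not None and on != iface):
            continue
        if _in_net(s, src) and _in_net(t, dst):
            verdict, winner, keep_state = action, f"rule {i}", keep
    if verdict == "pass" and keep_state:
        states.add((iface, dst, src))        # store the tuple the reply will carry
    return verdict, winner


def trace_forwarded_ping(rules, lan_host="192.168.110.10", target="172.30.64.20"):
    """Forward a LAN host's echo request out dc3, then its reply back in on dc3.

    Assumes symmetric routing: the reply arrives on the interface the request
    left through. Returns the (verdict, reason) pair for each direction.
    """
    states = set()
    outbound = evaluate(rules, "out", "dc3", lan_host, target, states)
    reply = evaluate(rules, "in", "dc3", target, lan_host, states)
    return outbound, reply
```

Without state the reply to a LAN host arriving in on dc3 is decided by the "block in on dc3" rule, since the later "pass in on dc3" rules only admit traffic to 192.168.22.1; with "keep state" the reply is matched by the state entry instead.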