----- Original Message -----
From: "Bryan Vyhmeister" <[EMAIL PROTECTED]>
To: "Bray Mailloux" <[EMAIL PROTECTED]>
Cc: <misc@openbsd.org>
Sent: Tuesday, April 17, 2007 9:08 AM
Subject: Re: Static IPs: Routing and Forwarding
On Apr 17, 2007, at 8:30 AM, Bray Mailloux wrote:
Shouldn't the internet connection be passed around to other hosts
on the network without the use of nat and pf? IP forwarding is on,
isn't that enough? I'm just trying to get the internet connection
out to other computers, filtering comes afterwards.
No. You can't do that without using all publicly routable IP
addresses (no 192.168.0.0/16, 172.16.0.0/12, or 10.0.0.0/8). NAT is
Network Address Translation and has nothing to do with filtering.
Basically nat takes connections from 192.168.0.0/24 (your internal
network) and sends them out as if they were actually coming from
64.142.102.8 and then keeps track so that when data comes back from
other places, it actually keeps track of who asked for what and then
puts the internal IP address back in the destination. The PF FAQ has
an excellent explanation of how NAT works in more detail:
http://www.openbsd.org/faq/pf/nat.html
In any case, you have to use NAT in this scenario. There are some
examples in pf.conf that you can use but the basic idea is:
set ext_if=rl0 and int_if=rl1 at the top of pf.conf and then use the
following nat statement near the examples:
nat on $ext_if from ($int_if) -> ($ext_if:0)
This is basically saying translate at the external interface (rl0)
for anything coming from addresses on the internal interface (rl1)
and use the external interface public IP address.
Add those changes to pf.conf and then run these commands:
pfctl -f /etc/pf.conf
pfctl -e
Don't forget to fix the netmask typo in dhcpd.conf and then you
should be off and running. Sorry if the explanation was too basic and
you already understand most of this. In any case, I hope this answers
the question.
Bryan
Thank you for your help.
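The state tracking Bryan describes (rewrite the source on the way out, remember who asked, put the internal address back on the way in, and drop replies nobody asked for), as an added Python model that is not part of this thread and is not PF's code. The LAN prefix and public address are the ones named in the mail; the remote web server, the port range and the state-table keys are constructed, simplified assumptions about what PF's state table does.

```python
import ipaddress
from dataclasses import dataclass, replace

# Addressing from the thread, plus one constructed public host.
INTERNAL_NET = "192.168.0.0/24"
EXTERNAL_IP = "64.142.102.8"
WEB_SERVER = "198.51.100.5"   # constructed remote host the LAN machines talk to

# The three private blocks the mail lists; nothing on the Internet routes these back.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True when addr falls in 10/8, 172.16/12 or 192.168/16."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Nat:
    """Toy model of the state behind 'nat on $ext_if from ($int_if) -> ($ext_if:0)'."""

    def __init__(self, external_ip: str, internal_net: str, first_port: int = 50000):
        self.external_ip = external_ip
        self.internal_net = ipaddress.ip_network(internal_net)
        self.next_port = first_port           # assumed: ports handed out sequentially
        # outbound 5-tuple -> port used on the public side
        self.out_state: dict[tuple, int] = {}
        # (proto, public port, remote host, remote port) -> (LAN host, LAN port)
        self.in_state: dict[tuple, tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a LAN packet leaving the external interface; other traffic passes unchanged."""
        if ipaddress.ip_address(pkt.src) not in self.internal_net:
            return pkt
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.out_state.get(key)
        if port is None:
            # First packet of this connection: pick a public port and remember who asked.
            port = self.next_port
            self.next_port += 1
            self.out_state[key] = port
            self.in_state[(pkt.proto, port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.external_ip, sport=port)

    def inbound(self, pkt: Packet):
        """Put the LAN address back into a reply; returns None (drop) when no state matches."""
        if pkt.dst != self.external_ip:
            return None
        entry = self.in_state.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None   # unsolicited: nobody inside asked for this
        host, port = entry
        return replace(pkt, dst=host, dport=port)


def reply_can_return_without_nat(pkt: Packet) -> bool:
    """Plain IP forwarding keeps the private source, so the reply has nowhere to go."""
    return not is_rfc1918(pkt.src)


def demo():
    nat = Nat(EXTERNAL_IP, INTERNAL_NET)
    # Two LAN hosts happen to use the same source port towards the same server;
    # the distinct public ports are what lets the replies be told apart.
    a = nat.outbound(Packet("192.168.0.10", 1234, WEB_SERVER, 80))
    b = nat.outbound(Packet("192.168.0.11", 1234, WEB_SERVER, 80))
    reply_b = nat.inbound(Packet(WEB_SERVER, 80, EXTERNAL_IP, b.sport))
    stray = nat.inbound(Packet(WEB_SERVER, 80, EXTERNAL_IP, 60000))
    return a, b, reply_b, stray


if __name__ == "__main__":
    a, b, reply_b, stray = demo()
    print("translated:", a, b)
    print("reply for second host:", reply_b)
    print("unsolicited packet dropped:", stray is None)
```

Run it as a script to see the two translated packets, the reply mapped back to 192.168.0.11:1234, and the unsolicited packet dropped. The same state entry is reused for every packet of a connection, which is why the rule in the mail is all that is needed for outbound traffic; filtering is a separate matter, as Bryan says.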