BradenM - Sonoma Computer wrote:
----- Original Message ----- From: "Bryan Vyhmeister" <[EMAIL PROTECTED]>
To: "Bray Mailloux" <[EMAIL PROTECTED]>
Cc: <misc@openbsd.org>
Sent: Tuesday, April 17, 2007 9:08 AM
Subject: Re: Static Ip's: Routing and Fowarding


On Apr 17, 2007, at 8:30 AM, Bray Mailloux wrote:
Shouldn't the internet connection be passed around to other hosts on the network without the use of nat and pf? IP forwarding is on, isn't that enough? I'm just trying to get the internet connection out to other computers, filtering comes afterwards.

No. You can't do that without using all publicly routable IP addresses (no 192.168.0.0/16, 172.16.0.0/12, or 10.0.0.0/8). NAT is Network Address Translation and has nothing to do with filtering.

Basically nat takes connections from 192.168.0.0/24 (your internal network) and sends them out as if they were actually coming from 64.142.102.8 and then keeps track so that when data comes back from other places, it actually keeps track of who asked for what and then puts the internal IP address back in the destination. The PF FAQ has an excellent explanation of how NAT works in more detail:

http://www.openbsd.org/faq/pf/nat.html

In any case, you have to use NAT in the scenario. There are some examples in pf.conf that you can use but the basic idea is:

set ext_if=rl0 and int_if=rl1 at the top of pf.conf and then use the following nat statement near the examples:

nat on $ext_if from ($int_if) -> ($ext_if:0)

This is basically saying translate at the external interface (rl0) for anything coming from addresses on the internal interface (rl1) and use the external interface public IP address.

Add those changes to pf.conf and then run these commands:

pfctl -f /etc/pf.conf
pfctl -e

Don't forget to fix the netmask typo in dhcpd.conf and then you should be off and running. Sorry if the explanation was too basic and you already understand most of this. In any case, I hope this answers the question.

Bryan

Thank you for your help.


OK, I've tried your nat rule and am using a completely open pass rule to allow in all traffic but cannot ping the internet. Any other ideas? What are some troubleshooting techniques I could try?
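A small model of what the gateway in this thread is doing, added here as an illustration and not code from the thread or from pf itself. It walks the same packet through the three gateway states that come up above (forwarding off, forwarding on but no nat rule, forwarding on with the nat rule) and shows why a reply only makes it back to the 192.168.0.0/24 host in the last case. The host address 192.168.0.10, the destination 198.51.100.1, the proxy port range and the "upstream" behaviour (it never routes a reply to an RFC 1918 source) are all constructed for the model; 64.142.102.8 is the external address from the thread.

```python
"""Toy model of the router described in the thread: a host on 192.168.0.0/24
sends a packet toward the Internet through a gateway whose external address is
64.142.102.8.  Three gateway configurations are compared.  All behaviour here
is a constructed approximation of what the kernel and pf do, not pf code."""
import ipaddress
from dataclasses import dataclass

# The three private ranges Bryan lists: upstream routers will not carry
# replies back to these, which is the whole reason NAT is needed.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Gateway:
    def __init__(self, ext_ip: str, forwarding: bool, nat: bool):
        self.ext_ip = ext_ip          # address of $ext_if (rl0 in the thread)
        self.forwarding = forwarding  # net.inet.ip.forwarding=1 ?
        self.nat = nat                # is the "nat on $ext_if ..." rule loaded?
        self.state = {}               # proxy port -> (original src, original sport)
        self.next_port = 50000        # constructed proxy port counter

    def outbound(self, pkt: Packet):
        """Packet arriving on $int_if and headed for the Internet."""
        if not self.forwarding:
            return None               # kernel refuses to route between interfaces
        if not self.nat:
            return pkt                # leaves unchanged, with a private source
        # nat on $ext_if from ($int_if) -> ($ext_if:0): rewrite the source to the
        # external address and remember who asked, keyed by the proxy port.
        port = self.next_port
        self.next_port += 1
        self.state[port] = (pkt.src, pkt.sport)
        return Packet(self.ext_ip, port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        """Reply arriving on $ext_if: undo the translation if state exists."""
        orig = self.state.get(pkt.dport)
        if orig is None:
            return None               # no state: nobody inside asked for this
        return Packet(pkt.src, pkt.sport, orig[0], orig[1])


def upstream_reply(pkt):
    """Constructed model of the ISP side: a packet with an RFC 1918 source
    address gets no reply, because there is no route back to it."""
    if pkt is None or is_private(pkt.src):
        return None
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)


def try_ping(gw: Gateway, src="192.168.0.10", dst="198.51.100.1"):
    """Return the reply as seen by the internal host, or None if it never arrives."""
    out = gw.outbound(Packet(src, 4000, dst, 7))
    back = upstream_reply(out)
    return None if back is None else gw.inbound(back)


def diagnose(gw: Gateway) -> str:
    """First thing to check for each failing state, using the pre-4.7 pf
    commands the thread uses."""
    if not gw.forwarding:
        return "sysctl net.inet.ip.forwarding is 0"
    if not gw.nat:
        return "pfctl -s nat shows no translation rule"
    return "ok"


if __name__ == "__main__":
    for fwd, nat in ((False, False), (True, False), (True, True)):
        gw = Gateway("64.142.102.8", forwarding=fwd, nat=nat)
        print(f"forwarding={fwd} nat={nat}: reply={try_ping(gw)} ({diagnose(gw)})")
```

Reading the three runs in order mirrors the exchange: forwarding alone lets the packet leave the gateway, but with a 192.168.0.0/24 source nothing can come back, so the internal host still "cannot ping the internet"; only once the nat rule rewrites the source and records state does the reply get mapped back to 192.168.0.10. Checking `sysctl net.inet.ip.forwarding` and `pfctl -s nat` (and then `pfctl -s state` while a ping is running) on the real box follows the same order.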
