On Mon, Feb 01, 2010 at 04:27:12PM -0800, James Peltier wrote:
> Hi All,
>
> I'm trying to set up a new router/firewall for multiple VLANs including one
> VLAN that must be NAT and I seem to be running into an odd issue.
>
> OS is OpenBSD 4.7-BETA; Jan 27, 2010 snapshot from ftp.openbsd.org
>
> /etc/hostname.em0
> ------------------
> up
>
> /etc/hostname.em0
> ------------------
> up
>
> /etc/hostname.vlan301
> ------------------
> inet 1.2.3.4 255.255.255.0 vlan 301 vlandev em0 description "Uplink"
>
> /etc/hostname.vlan303
> ------------------
> inet 10.0.0.254 255.255.255.0 vlan 303 vlandev em0 description "NAT"
>
>
> /etc/pf.conf
> --------------
>
> #skip filtering on loopback
> set skip on lo
>
> # NAT VLAN 303 traffic on our Uplink VLAN
> nat on vlan301 from vlan303:network to any -> (vlan301)
>
> pass # to establish keep-state
>
> So, starting with a very simple rule set, however, pfctl -nf /etc/pf.conf
> complains that the "nat on" line is incorrect. I used the similar example
> from
>
> http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&arch=i386&apropos=0&manpath=OpenBSD+Current
>
> Am I missing something here? It would seem that this would map all VLAN 303
> (10.0.0.0/24) addresses to VLAN 301 (1.2.3.4) address. Has the syntax
> changed and even -current documentation isn't correct?
> ---
> James A. Peltier [email protected]
>
>
Yes, the syntax has changed. I only briefly looked, but the faq seems dated.
The man page is correct. You'd want something like

pass out on vlan301 from vlan303:network nat-to vlan301

Cheers
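For reference, the original ruleset rewritten in the OpenBSD 4.7 form the reply points to (an added example, not a file from this thread): 4.7 removed the separate "nat on" translation rules and made NAT an option (nat-to) on match/pass rules. The use of "match" rather than "pass", the macros, and the parenthesised "($uplink)" address are choices made here, not something the reply specifies.

```pf
# /etc/pf.conf for OpenBSD 4.7 (added example, not from the thread).
# Check it before loading with:  pfctl -nf /etc/pf.conf

uplink = "vlan301"     # 1.2.3.4/24, description "Uplink"
natnet = "vlan303"     # 10.0.0.254/24, description "NAT"

# skip filtering on loopback
set skip on lo

# Pre-4.7 form, which the 4.7 parser rejects (the error the poster saw):
#   nat on vlan301 from vlan303:network to any -> (vlan301)

# 4.7 form: NAT is an option on a filter rule.  "match" only attaches the
# translation; the later "pass" rules still decide whether the packet is
# allowed.  "($uplink)" means the address vlan301 currently has, so the
# rule keeps working if that address changes.  Macros expand textually,
# so $natnet:network becomes vlan303:network.
match out on $uplink inet from $natnet:network to any nat-to ($uplink)

# Same broad allow as the original one-line ruleset; state is kept by
# default.  Tighter block rules, if added later, go after this line
# because the last matching rule wins unless "quick" is used.
pass
```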

