On Mon, Feb 01, 2010 at 06:02:07PM -0800, Scott Learmonth wrote:
> On Mon, Feb 01, 2010 at 04:27:12PM -0800, James Peltier wrote:
> > Hi All,
> > 
> > I'm trying to setup a new router/firewall for multiple VLANs including one 
> > VLAN that must be NAT and I seem to be running into an odd issue.
> > 
> > OS is OpenBSD 4.7-BETA; Jan 27, 2010 snapshot from ftp.openbsd.org
> > 
> > /etc/hostname.em0
> > ------------------
> > up
> > 
> > /etc/hostname.em0
> > ------------------
> > up
> > 
> > /etc/hostname.vlan301
> > ------------------
> > inet 1.2.3.4 255.255.255.0 vlan 301 vlandev em0 description "Uplink"
> > 
> > /etc/hostname.vlan303
> > ------------------
> > inet 10.0.0.254 255.255.255.0 vlan 303 vlandev em0 description "NAT"
> > 
> > 
> > /etc/pf.conf
> > --------------
> > 
> > #skip filtering on loopback
> > set skip on lo
> > 
> > # NAT VLAN 303 traffic on our Uplink VLAN
> > nat on vlan301 from vlan303:network to any -> (vlan301)
> > 
> > pass            # to establish keep-state
> > 
> > So, starting with a very simple rule set, however, pfctl -nf /etc/pf.conf 
> > complains that the "nat on" line is incorrect.  I used the similar example 
> > from
> > 
> > http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&arch=i386&apropos=0&manpath=OpenBSD+Current
> > 
> > Am I missing something here?  It would seem that this would map all VLAN 
> > 303 (10.0.0.0/24) addresses to VLAN 301 (1.2.3.4) address.  Has the syntax 
> > changed and even -current documentation isn't correct?
> > ---
> > James A. Peltier     [email protected]
> > 
> > 
> 
> Yes, the syntax has changed. I only briefly looked, but the faq seems dated. 
> The man page is correct.
> 
> You'd want something like pass out on vlan301 from vlan303:network nat-to 
> vlan301
> 
> Cheers
> 
> 
I stand somewhat corrected. The link you provided doesn't seem to jive
with what my system gives me. I'm not going to comment further on that
though without doing my homework and/or supplying a diff lest I look
like even more of a fool.

Nonetheless,

pass out on vlan301 from vlan303:network to ! vlan301 nat-to vlan301

should work for you. You may want to look at match instead/as well.

p.s. my last note was missing the "to"
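For reference, here is a complete OpenBSD 4.7 /etc/pf.conf that puts the thread's two suggestions together: the pre-4.7 "nat on" rule that pfctl rejects, shown commented out, next to the 4.7 "match ... nat-to" form. This is an added example, not a file posted in the thread; the interface names and addresses come from James's hostname files, while the block-by-default policy, the logging and the pass rules are assumptions about what such a router would normally carry.

```conf
# /etc/pf.conf -- OpenBSD 4.7, two-VLAN router with NAT on VLAN 303
# Added example; interface names (vlan301, vlan303) and addresses are
# taken from the original post, the filtering policy is assumed.

# Skip filtering on loopback
set skip on lo

# Pre-4.7 syntax. Separate translation rules were removed in 4.7, so
# pfctl -nf /etc/pf.conf fails on this line with a syntax error:
#   nat on vlan301 from vlan303:network to any -> (vlan301)

# 4.7 syntax: translation is an option on match (or pass) rules.
# "to !(vlan301)" keeps traffic addressed to the router's own uplink
# address from being translated; the parentheses make pf re-read the
# interface address if it changes, instead of resolving it once at
# load time.
match out on vlan301 from vlan303:network to !(vlan301) nat-to (vlan301)

# Equivalent one-line form that translates and passes in a single rule
# (use either this or the match rule above plus a pass rule, not both):
#   pass out on vlan301 from vlan303:network to !(vlan301) nat-to (vlan301)

# Default deny, then allow the two directions the NAT VLAN needs.
block log all

# Clients on the NAT VLAN may send traffic to the router
pass in on vlan303 from vlan303:network
# Anything leaving the uplink is allowed (state is kept by default)
pass out on vlan301

# Check syntax without loading, then load, then confirm the translation:
#   pfctl -nf /etc/pf.conf
#   pfctl -f /etc/pf.conf
#   pfctl -sr            # rules, including the match ... nat-to line
#   pfctl -ss | grep 10.0.0.   # states showing the translated source
```

Using match for the translation and a separate pass rule for the filtering decision is what the responder is pointing at with "look at match instead/as well": the translation is attached once, and the pass rules can stay simple and be reordered without re-stating nat-to on each of them.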
