--- On Mon, 2/1/10, Scott Learmonth <[email protected]> wrote:

> From: Scott Learmonth <[email protected]>
> Subject: Re: -CURRENT, VLANs, NAT
> To: [email protected]
> Received: Monday, February 1, 2010, 10:04 PM
>
> On Mon, Feb 01, 2010 at 06:02:07PM -0800, Scott Learmonth wrote:
> > On Mon, Feb 01, 2010 at 04:27:12PM -0800, James Peltier wrote:
> > > Hi All,
> > >
> > > I'm trying to set up a new router/firewall for multiple VLANs including
> > > one VLAN that must be NAT and I seem to be running into an odd issue.
> > >
> > > OS is OpenBSD 4.7-BETA; Jan 27, 2010 snapshot from ftp.openbsd.org
> > >
> > > /etc/hostname.em0
> > > ------------------
> > > up
> > >
> > > /etc/hostname.em0
> > > ------------------
> > > up
> > >
> > > /etc/hostname.vlan301
> > > ------------------
> > > inet 1.2.3.4 255.255.255.0 vlan 301 vlandev em0 description "Uplink"
> > >
> > > /etc/hostname.vlan303
> > > ------------------
> > > inet 10.0.0.254 255.255.255.0 vlan 303 vlandev em0 description "NAT"
> > >
> > >
> > > /etc/pf.conf
> > > --------------
> > >
> > > #skip filtering on loopback
> > > set skip on lo
> > >
> > > # NAT VLAN 303 traffic on our Uplink VLAN
> > > nat on vlan301 from vlan303:network to any -> (vlan301)
> > >
> > > pass # to establish keep-state
> > >
> > > So, starting with a very simple rule set, however, pfctl -nf /etc/pf.conf
> > > complains that the "nat on" line is incorrect. I used the similar example
> > > from
> > >
> > > http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&arch=i386&apropos=0&manpath=OpenBSD+Current
> > >
> > > Am I missing something here? It would seem that this would map all
> > > VLAN 303 (10.0.0.0/24) addresses to the VLAN 301 (1.2.3.4) address. Has
> > > the syntax changed and even -current documentation isn't correct?
> > > ---
> > > James A. Peltier [email protected]
> > >
> >
> > Yes, the syntax has changed. I only briefly looked, but the faq seems
> > dated. The man page is correct.
> >
> > You'd want something like
> >
> > pass out on vlan301 from vlan303:network nat-to vlan301
> >
> > Cheers
> >
>
> I stand somewhat corrected. The link you provided doesn't seem to jive
> with what my system gives me. I'm not going to comment further on that
> though without doing my homework and/or supplying a diff lest I look
> like even more of a fool.
>
> Nonetheless,
>
> pass out on vlan301 from vlan303:network to ! vlan301 nat-to vlan301
>
> should work for you. You may want to look at match instead/as well.
>
> p.s. my last note was missing the "to"
>

I did end up finding that the documentation had changed and match out did
correct the problem.

match out on vlan301 from vlan303:network nat-to vlan301

as could be found in http://www.openbsd.org/faq/current.html#20090901

Just needed to look harder... Move along, nothing to see here. ;)
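For reference, the complete /etc/pf.conf for the setup in this thread, written in the 4.7 syntax, as an added example that is not from any of the posters. It uses the interface names and addresses from James's hostname.* files and puts the rejected pre-4.7 rule beside its match/nat-to replacement.

```pf
# Added example (not from the thread): pf.conf for the two-VLAN router above
# in OpenBSD 4.7 syntax. vlan301 is the uplink (1.2.3.4/24), vlan303 is the
# network to be NATed (10.0.0.0/24, router at 10.0.0.254), both on em0.

# Skip filtering on loopback
set skip on lo

# Pre-4.7 form. On 4.7, pfctl -nf /etc/pf.conf rejects this line: the
# separate "nat on" rule type is gone and translation is now an option
# ("nat-to") on match and pass rules.
#nat on vlan301 from vlan303:network to any -> (vlan301)

# 4.7 form. A match rule only attaches the translation to the packet; a
# later pass rule must still let the packet through, otherwise nothing is
# NATed. The parentheses make pf re-read vlan301's address if it changes,
# as they did in the old "-> (vlan301)" form.
match out on vlan301 from vlan303:network nat-to (vlan301)

# Alternative: filter and translate in a single pass rule, as Scott
# suggested. "to ! vlan301" leaves traffic addressed to the uplink
# interface's own address untranslated.
#pass out on vlan301 from vlan303:network to ! vlan301 nat-to vlan301

# Stateful pass rule (pf keeps state by default); the match rule above
# attaches the NAT to the states this rule creates.
pass
```

Syntax-check the file with `pfctl -nf /etc/pf.conf` before loading it; the part that changed is only the rule shape (no `->` arrow, `nat-to` after the address selection), which is why the same source/destination selectors carry over unchanged.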

