Hello all,
I'm using OpenBSD 3.1-stable to provide NAT via pfctl and /etc/nat.conf. In addition, there are a number of hosts that I want to provide 1-to-1 IP address translation for things like WINS, registered IP addresses, etc.
Thanks to previous suggestions, simple NAT works fine by setting the client(s) gateway address to the private interface on the firewall and using the following rule:
nat on $ext_if from $private_ip_range to any -> $NAT_public_ip
However, when I add this binat rule to get 1-to-1 translation from $bdc_private_ip to $bdc_public_ip:
binat on $ext_if from $bdc_private_ip to any -> $bdc_public_ip
This client (an NT4 BDC/WINS/DHCP server) loses network connectivity outside. Even browsing without DNS (the errors below show DNS queries failing). Setting pfctl -x m and looking at pfctl -sss yields:
gateway# pfctl -x m
debug level set to 'misc'
gateway# pfctl -sss
tcp $private_ip_range.44:1431 -> $NAT_public_ip:59910 -> $PDC:1046 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.72:1093 -> $NAT_public_ip:63053 -> $PDC:1046 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.39:1580 -> $NAT_public_ip:61022 -> $PDC:1046 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.62:1223 -> $NAT_public_ip:62815 -> $PDC:1046 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.39:1572 -> $NAT_public_ip:54736 -> $PDC:1046 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.62:1219 -> $NAT_public_ip:60733 -> $PDC:1059 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.44:1220 -> $NAT_public_ip:64393 -> $PDC:1059 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.62:1224 -> $NAT_public_ip:52897 -> $PDC:1059 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.72:1111 -> $NAT_public_ip:62371 -> $PDC:1059 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.39:1576 -> $NAT_public_ip:65198 -> $PDC:1059 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.39:1584 -> $NAT_public_ip:64949 -> $PDC:1059 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.62:2283 -> $NAT_public_ip:52254 -> $fileserver:60037 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.44:1150 -> $NAT_public_ip:60437 -> $fileserver:139 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.44:1459 -> $NAT_public_ip:65315 -> $fileserver:139 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.62:1213 -> $NAT_public_ip:54639 -> $fileserver:139 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.44:1145 -> $NAT_public_ip:50834 -> $fileserver:139 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.39:1603 -> $NAT_public_ip:55774 -> $fileserver:139 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.72:1043 -> $NAT_public_ip:64808 -> $fileserver:445 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.44:1442 -> $NAT_public_ip:50223 -> 169.237.105.24:143 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.44:1468 -> $NAT_public_ip:50255 -> 62.65.145.30:80 FIN_WAIT_2:FIN_WAIT_2
gateway# pfctl -sss
tcp $private_ip_range.44:1431 -> $NAT_public_ip:59910 -> $PDC:1046 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.72:1093 -> $NAT_public_ip:63053 -> $PDC:1046 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.39:1580 -> $NAT_public_ip:61022 -> $PDC:1046 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.62:1223 -> $NAT_public_ip:62815 -> $PDC:1046 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.39:1572 -> $NAT_public_ip:54736 -> $PDC:1046 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.62:1219 -> $NAT_public_ip:60733 -> $PDC:1059 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.44:1220 -> $NAT_public_ip:64393 -> $PDC:1059 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.62:1224 -> $NAT_public_ip:52897 -> $PDC:1059 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.72:1111 -> $NAT_public_ip:62371 -> $PDC:1059 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.39:1576 -> $NAT_public_ip:65198 -> $PDC:1059 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.39:1584 -> $NAT_public_ip:64949 -> $PDC:1059 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.62:2283 -> $NAT_public_ip:52254 -> $fileserver:60037 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.44:1150 -> $NAT_public_ip:60437 -> $fileserver:139 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.44:1459 -> $NAT_public_ip:65315 -> $fileserver:139 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.62:1213 -> $NAT_public_ip:54639 -> $fileserver:139 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.44:1145 -> $NAT_public_ip:50834 -> $fileserver:139 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.39:1603 -> $NAT_public_ip:55774 -> $fileserver:139 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.72:1043 -> $NAT_public_ip:64808 -> $fileserver:445 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.44:1442 -> $NAT_public_ip:50223 -> 169.237.105.24:143 ESTABLISHED:ESTABLISHED
udp $bdc_private_ip:1077 -> $bdc_public_ip:1077 -> 169.237.1.250:53 1:0
udp $bdc_private_ip:1077 -> $bdc_public_ip:1077 -> 169.237.250.250:53 1:0
The translation to $bdc_public_ip works, but the network connectivity is lost. As you can see, there are a lot of half-open connections that get rejected.
What am I doing wrong?
***************************
* Adam Getchell [EMAIL PROTECTED]
* System Architect/Programmer (530) 752-1584
* Human Resources Information Systems http://www.hr.ucdavis.edu/
***************************
"Invincibility is in oneself, vulnerability in the opponent." -- Sun Tzu
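A small defender-side helper, added here and not part of Adam's post or of pf itself, that parses pfctl -sss state lines like the ones above and reports, per translated source address, how many states have seen a reply from the far side. The sample lines are constructed from the output in the post; the reading of the state columns (TCP peer side CLOSED, UDP peer side 0 = no reply yet) assumes the numeric UDP state format that pfctl on OpenBSD 3.1 prints.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the post's pfctl -sss output; the
# $macro names stand in for real addresses exactly as in the post.
SAMPLE_STATES = """\
tcp $private_ip_range.44:1431 -> $NAT_public_ip:59910 -> $PDC:1046 ESTABLISHED:ESTABLISHED
tcp $private_ip_range.44:1468 -> $NAT_public_ip:50255 -> 62.65.145.30:80 FIN_WAIT_2:FIN_WAIT_2
udp $bdc_private_ip:1077 -> $bdc_public_ip:1077 -> 169.237.1.250:53 1:0
udp $bdc_private_ip:1077 -> $bdc_public_ip:1077 -> 169.237.250.250:53 1:0
"""

# proto src:port -> translated:port -> dst:port srcstate:dststate
STATE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+"
    r"(?P<xlat>\S+):(?P<xport>\d+)\s+->\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<s1>\S+):(?P<s2>\S+)$"
)


def parse_states(text):
    """Parse translated pf state lines into dicts; skip anything else."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            states.append(m.groupdict())
    return states


def has_return_traffic(state):
    """True once the destination side of the state has sent something.
    Assumption: pf 3.1 prints UDP states numerically, 1:0 meaning one
    side has sent and the other side (0) has seen no traffic; a TCP
    state whose destination side is still CLOSED is likewise unanswered."""
    if state["proto"] == "udp":
        return state["s2"] != "0"
    return state["s2"] != "CLOSED"


def summarize_by_translated_addr(states):
    """Per translated source address: number of states and how many got
    a reply. An address with states but no replies points at the return
    path for that address (routing, ARP, filter rules), not at clients."""
    summary = defaultdict(lambda: {"states": 0, "answered": 0})
    for st in states:
        entry = summary[st["xlat"]]
        entry["states"] += 1
        if has_return_traffic(st):
            entry["answered"] += 1
    return dict(summary)


if __name__ == "__main__":
    for addr, s in summarize_by_translated_addr(parse_states(SAMPLE_STATES)).items():
        print(f"{addr}: {s['answered']}/{s['states']} states answered")
```

Run against the post's own output, the states through $NAT_public_ip are all answered while the two DNS states through $bdc_public_ip are 1:0, so replies to the binat address never reach the gateway.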
