Okay, I figured it out. This time around, I did dhcp configuration, then went back and manually configured networking. /etc/mygate didn't exist with my gateway, so my gateway wasn't reachable, hence neither was DNS or any outside locations.
Thanks for listening -- I hope this enables someone else to avoid this simple error.

***************************
* Adam Getchell [EMAIL PROTECTED]
* System Architect/Programmer (530) 752-1584
* Human Resources Information Systems http://www.hr.ucdavis.edu/
***************************
"Invincibility is in oneself, vulnerability in the opponent." -- Sun Tzu

-----Original Message-----
From: Adam Getchell [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 19, 2002 7:50 PM
To: [EMAIL PROTECTED]
Subject: Lost DNS after upgrade to 3.2

Hi all,

I upgraded my NAT firewall from OpenBSD 3.1 to OpenBSD 3.2. Everything seems to work except DNS! (I've made macro substitutions for real addresses.) The clients are set up to get the NAT firewall as the gateway. Pinging our local DNS server returns:

    Reply from $NAT_public_ip: Destination host unreachable

    gateway# cat hostname.fxp0
    inet $NAT_public_ip 0xffffff00 NONE
    inet alias $bdc_public_ip 0xffffff00 NONE
    inet alias $hapkido_public_ip 0xffffff00 NONE

    gateway# cat hostname.fxp1
    inet $NAT_private_ip 0xffffff00 NONE

    gateway# pfctl -ss
    tcp $hapkido_private_ip:1990 -> $hapkido_public_ip:1990 -> server1:1059 ESTABLISHED:ESTABLISHED
    tcp $hapkido_private_ip:2020 -> $hapkido_public_ip:2020 -> server2:22 ESTABLISHED:ESTABLISHED
    tcp $hapkido_private_ip:1995 -> $hapkido_public_ip:1995 -> server3:139 ESTABLISHED:ESTABLISHED

I set no filter rules, just defined nat and two binats (with aliases on the external addresses for replies) for fixed addresses.

/etc/pf.conf:

    ext_if = "fxp0"
    int_if = "fxp1"
    (other macros)

    nat on $ext_if from $private_ip_range to any -> $NAT_public_ip
    binat on $ext_if from $bdc_private_ip to any -> $bdc_public_ip
    binat on $ext_if from $hapkido_private_ip to any -> $hapkido_public_ip

    # filter rules
    # the implicit first two rules are
    # pass in all
    # pass out all

    # block all incoming packets but allow ssh, pass all outgoing tcp and udp
    # connections and keep state
    # log blocked packets
    # block in log all
    # pass in on ext0 proto tcp from any to ext0 port 22 keep state
    # pass out on ext0 proto { tcp, udp } all keep state

It's mostly working, so it's something subtle ...
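A pre-flight check for exactly this failure, added here as an example and not part of the original message: it reads mygate and the hostname.* files in the 3.x format quoted above and verifies that the gateway sits on a directly connected subnet (the directory, addresses and sample files below are constructed, so it runs against a temp directory rather than /etc).

```shell
#!/bin/sh
# Added example (not from the thread): a missing or off-link /etc/mygate means
# no default route, so the DNS server and everything beyond it are unreachable.
# Assumes OpenBSD 3.x-style "inet addr mask ..." / "inet alias addr mask ..."
# lines in hostname.* and a bare gateway address in mygate.

ip2int() {            # dotted quad -> 32-bit integer
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# gateway_on_link GATEWAY CONFDIR -> 0 if some inet line's subnet covers GATEWAY
gateway_on_link() {
  gw=$(ip2int "$1"); dir=$2
  for f in "$dir"/hostname.*; do
    [ -f "$f" ] || continue
    while read -r line; do
      set -- $line
      [ "$1" = inet ] || continue
      [ "$2" = alias ] && shift          # "inet alias addr mask ..."
      [ -n "$3" ] || continue
      a=$(ip2int "$2"); m=$(( $3 ))      # mask is hex, e.g. 0xffffff00
      [ $(( a & m )) -eq $(( gw & m )) ] && return 0
    done < "$f"
  done
  return 1
}

# check_mygate CONFDIR -> 0 ok, 2 mygate missing, 1 gateway not on any subnet
check_mygate() {
  [ -s "$1/mygate" ] || { echo "no mygate: no default route"; return 2; }
  read -r gwaddr < "$1/mygate"
  gateway_on_link "$gwaddr" "$1" && return 0
  echo "gateway $gwaddr is not on any configured subnet"; return 1
}

# Constructed demo mirroring the thread's two-interface NAT box (RFC 5737/1918 addresses)
demo=$(mktemp -d)
printf 'inet 203.0.113.10 0xffffff00 NONE\ninet alias 203.0.113.11 0xffffff00 NONE\n' > "$demo/hostname.fxp0"
printf 'inet 192.168.1.1 0xffffff00 NONE\n' > "$demo/hostname.fxp1"
check_mygate "$demo" || echo "exit $?"       # mygate absent -> exit 2
echo 203.0.113.1 > "$demo/mygate"
check_mygate "$demo" && echo "gateway ok"     # gateway on fxp0's subnet
rm -rf "$demo"
```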
