Re: nat or routing problem? SOLVED
Rod.. Whitworth wrote:
> On Sat, 09 Dec 2006 14:34:04 +0100, Mitja wrote:
>> Mikael Fridh wrote:
>>>> # pfctl -s all
>>>> TRANSLATION RULES:
>>>> nat on bge0 inet from 192.168.1.0/24 to any -> (bge0:0)
>>>> rdr pass on em1 inet proto tcp from any to any port = 5900 -> 192.168.1.111 port 5900
>>> If bge0 is your external interface that nat line now looks correct.
>>> If your internal hosts on the 192.168.1.0/24 net have default gateway 192.168.1.1 it should be nating properly.
>> Yes and it is nating, but I am trying to set my source IP to 193.189.180.193 (em1).
>
> Translating a bit from what I use should get you there:
>
> lan_ip=192.168.1.0/24
> ext_if=bge0
> fw_global_ip=193.189.180.193
>
> nat on $ext_if inet from $lan_ip to any -> $fw_global_ip
>
> I discovered this by (1) needing it, and (2) reading man 5 pf.conf and checking the BNF grammar near the end, and (3) trying it.
> It saved me from half-bridging (messy) or renting a /32 (waste of $$).
> Without the quality of OpenBSD docs it may never have happened.

Actually it works. Thank you!

Regards, Mitja
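The ruleset the thread converges on, written out as an added example; it is not Mitja's final pf.conf, which the thread never shows. Interface roles, addresses, the LAN host and port 5900 are the ones posted in the thread; the macro names, the default-deny filter section, the narrowing of the rdr to the NAT address and the comments are this example's own. It uses the pre-OpenBSD 4.7 nat/rdr syntax the thread uses (OpenBSD 4.0); the 4.7-and-later spelling is noted in a comment.

```pf
# Added example, not the final pf.conf from the thread (which it never shows).
# Addresses, interface roles, the LAN host and port 5900 are the ones Mitja
# posted; macro names, the filter section and comments are this example's own.
# Syntax: the pre-OpenBSD 4.7 nat/rdr form used in the thread (OpenBSD 4.0).

lan_if  = "em0"                 # 192.168.1.1, private LAN
dmz_if  = "em1"                 # 193.189.180.193, public 193.189.180.192/27
ext_if  = "bge0"                # 193.77.12.154, default route to the ISP
lan_net = "192.168.1.0/24"
dmz_net = "193.189.180.192/27"
nat_ip  = "193.189.180.193"     # address on em1 to use as the NAT source
vnc_srv = "192.168.1.111"

# WRONG (the thread's first attempt): a nat rule is evaluated only on the
# interface a packet is routed OUT of.  Internet-bound LAN traffic leaves via
# bge0, so this rule never sees it and the private source reaches the wire.
# nat on $dmz_if inet from $lan_net to any -> ($dmz_if:0)

# FIX: bind the rule to the real egress interface.  The translation address
# need not belong to that interface; it only has to be routed back to this host.
nat on $ext_if inet from $lan_net to any -> $nat_ip
# OpenBSD 4.7 and later spell the same rule as:
# match out on $ext_if inet from $lan_net to any nat-to $nat_ip

# Port forward from the thread, narrowed from 'to any' to the NAT address;
# 'rdr pass' also creates the matching pass rule for the redirected packet.
rdr pass on $dmz_if inet proto tcp from any to $nat_ip port 5900 -> $vnc_srv port 5900

# The thread ran 'pass in all keep state' / 'pass out all keep state', which is
# no filtering at all.  Default-deny inbound, let the two inside networks out.
block in all
pass out all keep state
pass in on $lan_if inet from $lan_net to any keep state
pass in on $dmz_if inet from $dmz_net to any keep state
# Services the /27 hosts expose to the internet need their own 'pass in on $ext_if'.
```

Two caveats worth keeping in mind with this layout. First, the translation address works only because the ISP already routes the whole 193.189.180.192/27 to 193.77.12.154 (the thread says the /27 hosts reach the internet through it), so replies addressed to 193.189.180.193 come back in on bge0 and match the state pf created on the way out; an address the upstream does not route to this box would be translated out and never answered. Second, interface binding cuts both ways: just as the nat rule on em1 never saw internet-bound packets, an rdr on em1 only sees packets that enter on em1, so it will not catch connections that arrive from the ISP on bge0.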
Re: nat or routing problem?
Mikael Fridh wrote:
>> # pfctl -s all
>> TRANSLATION RULES:
>> nat on bge0 inet from 192.168.1.0/24 to any -> (bge0:0)
>> rdr pass on em1 inet proto tcp from any to any port = 5900 -> 192.168.1.111 port 5900
> If bge0 is your external interface that nat line now looks correct.
> If your internal hosts on the 192.168.1.0/24 net have default gateway 192.168.1.1 it should be nating properly.

Yes and it is nating, but I am trying to set my source IP to 193.189.180.193 (em1).

> Sounds like you want traffic to traverse:
> 192.168.1.0/24 -> 192.168.1.1 -> 193.189.180.193 -> 193.77.12.154 -> 0/0
>
> I don't yet fully get what you're trying to accomplish.

You got it right. That's what I am trying to accomplish:

                  em0            em1               bge0
192.168.1.0/24 -> 192.168.1.1 -> 193.189.180.193 -> 193.77.12.154 -> 0/0

>> # tcpdump -i bge0 icmp
>> tcpdump: listening on bge0, link-type EN10MB
>> 14:49:16.377482 192.168.1.95 > 209.85.129.147: icmp: echo request
>> 14:49:17.387437 192.168.1.95 > 209.85.129.147: icmp: echo request
>> 14:49:18.397398 192.168.1.95 > 209.85.129.147: icmp: echo request
>>
>> icmp packets are going out, but it looks like NAT is not working (it should change my source IP address).
>
> That's because now you are dumping traffic on the internal interface where the packets haven't traversed the NAT yet.
>
> The nat rule you made above has the internal interface where it should have the external: nat on em1:0 from int_net to -> em1:0.

bge0 is my external interface (it routes to 0/0). em1 is a network with a range of public IPs. I am trying to use one of those IPs to NAT traffic from.

> # This is a proper simple nat example (that works):
> ext_if=rl0 # (or whatever is your external interface)
> nat on $ext_if inet from ! ($ext_if) -> ($ext_if:0)

This means NAT from all interfaces but not from the external one. Is it correct to use this statement?

# pfctl -s all
TRANSLATION RULES:
nat on em1 inet from ! (em1) to any -> (em1:0)
rdr pass on em1 inet proto tcp from any to any port = 5900 -> 192.168.1.111 port 5900

I tested with the suggested configuration. tcpdump on my external (bge0) interface shows the gateway's private IP (192.168.1.1). So the packets did not traverse NAT yet.

# ping -I 192.168.1.1 72.14.221.104
# tcpdump -i bge0 icmp
tcpdump: listening on bge0, link-type EN10MB
14:29:50.077139 192.168.1.1 > 72.14.221.147: icmp: echo request
14:29:51.086365 192.168.1.1 > 72.14.221.147: icmp: echo request
14:29:52.096350 192.168.1.1 > 72.14.221.147: icmp: echo request

Other ideas?

Regards, Mitja
Re: nat or routing problem?
Joel Goguen wrote:
> On Fri, 08 Dec 2006 17:01:10 +0100, Mitja wrote:
>> Joel Goguen wrote:
>>> On Fri, 08 Dec 2006 15:16:50 +0100, Mitja wrote:
>>> [snip]
>>>> # pfctl -s all
>>>> TRANSLATION RULES:
>>>> nat on em1 inet from 192.168.1.0/24 to any -> (em1:0)
>>> If em1 is only serving the one IP address, try changing em1:0 to em1 and see if that works.
>> Checked that option. It is the same... not working.
>
> Upon closer review, I realize that I'm an idiot for even suggesting it :)
>
> You have a route that goes from your internal LAN (192.168.1.0/24) to em1 (193.189.180.193). You have another route that goes from 192.168.1.0/24 to your closest ISP interface (193.77.12.154).

Correct.

> When you set up NAT from LAN to em1 and then ping an address that the routing table says is accessible from bge0, you skip NAT since you're not going out on em1. You're going out on bge0, which means that no translation is done. I'm not sure if it's possible to ping from LAN and have

Correct again. This is the point of the problem. Is it actually possible to set NAT or to remove a route from LAN to bge0?

> your source IP be that of em1, but I think you can just add a second NAT rule to allow NAT on bge0. Someone beat me with a cluestick if I'm wrong :) So you'd end up with your NAT section being:
>
> nat on em1 inet from 192.168.1.0/24 to any -> (em1:0)
> nat on bge0 inet from 192.168.1.0/24 to any -> (bge0:0)

Actually natting from bge0 works, so I think your idea will also work, but the source IP will not be that of em1.

> Again, I don't know if that would actually work, but that's the only other idea I have now.

Let's try this. It works, but the source IP is from bge0, my external interface (193.77.12.154).

Regards, Mitja
Re: nat or routing problem?
> Let's try this. It works, but the source IP is from bge0, my external interface (193.77.12.154).

Then use the address from em1 in the nat rule for bge0:

nat on bge0 inet from 192.168.1.0/24 to any -> (em1:0)

No one said that the translated source address must be the same as the address of the nat external (outside) interface.

Regards,
Aleksandar
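Joel's explanation above (the packet leaves on bge0, so a nat rule bound to em1 never sees it) and Aleksandar's fix (bind the rule to bge0 and translate to em1's address) can be checked mechanically. The following is an added example, not code from the thread: it parses the network routes from the `netstat -rn` output and the nat rules posted in the thread, works out the egress interface by longest-prefix match and reports the source address a LAN packet carries on the wire under each rule. The interface address table, the function names and the rule parser (which handles only the simple `nat on IF [inet] from SRC to DST -> TARGET` form) are this example's own assumptions.

```python
"""Added example (not from the thread): which interface a packet leaves on,
and therefore which 'nat on <if>' rule pf will apply to it."""
import ipaddress
import re

# Constructed sample input: the network routes from the 'netstat -rn' output
# posted in the thread (host/ARP entries dropped; they do not pick egress).
# Columns: Destination Gateway Flags Refs Use Mtu Interface
NETSTAT_RN = """\
default            193.77.12.153      UGS      9  63486      -  bge0
127/8              127.0.0.1          UGRS     0      0  33224  lo0
172.16.15.4/30     link#4             UC       1      0      -  bge1
192.168.1/24       link#1             UC       2      0      -  em0
193.77.12.152/30   link#3             UC       1      0      -  bge0
193.189.180.192/27 link#2             UC       5      0      -  em1
"""

# Interface addresses named in the thread.  Assumption: one address per
# interface, so '(em1:0)' in a rule resolves to that single address.
IFACE_ADDRS = {"em0": "192.168.1.1", "em1": "193.189.180.193", "bge0": "193.77.12.154"}

# The rules tried in the thread, in the pf.conf syntax of OpenBSD 4.0.
RULE_ON_EM1 = "nat on em1 inet from 192.168.1.0/24 to any -> (em1:0)"    # first attempt
RULE_ON_BGE0 = "nat on bge0 inet from 192.168.1.0/24 to any -> (bge0:0)"  # works, wrong source
RULE_FIX = "nat on bge0 inet from 192.168.1.0/24 to any -> (em1:0)"       # Aleksandar
RULE_ROD = "nat on bge0 inet from 192.168.1.0/24 to any -> 193.189.180.193"  # Rod


def expand_bsd_prefix(dest):
    """netstat -rn prints 192.168.1/24 and 127/8; pad the missing octets with zeros."""
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ".".join(octets) + "/" + (plen or "32")


def parse_routes(text):
    """Return [(network, gateway, flags, iface)] from netstat -rn lines."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 7:
            continue
        dest = "0.0.0.0/0" if cols[0] == "default" else expand_bsd_prefix(cols[0])
        routes.append((ipaddress.ip_network(dest, strict=False), cols[1], cols[2], cols[-1]))
    return routes


ROUTES = parse_routes(NETSTAT_RN)


def egress_interface(routes, dst):
    """Longest-prefix match: the interface the kernel sends a packet for dst out of."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, _gw, _flags, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise ValueError("no route to %s" % dst)
    return best[1]


NAT_RE = re.compile(r"^nat\s+on\s+(\S+)\s+(?:inet\s+)?from\s+(\S+)\s+to\s+(\S+)\s+->\s+(\S+)$")


def parse_nat_rule(rule):
    """Only the simple form is handled: address/network or 'any' on both sides."""
    m = NAT_RE.match(rule.strip())
    if not m:
        raise ValueError("unsupported nat rule: %r" % rule)
    iface, src, dst, target = m.groups()
    return {"on": iface, "from": src, "to": dst, "to_addr": target}


def _matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def resolve_target(target):
    """'(em1:0)' or 'em1' -> that interface's address; a literal address is returned as-is."""
    name = target.strip("()").split(":")[0]
    return IFACE_ADDRS.get(name, target)


def translated_source(routes, rules, src, dst):
    """Source address on the wire after pf's nat pass for a src->dst packet.

    A nat rule is evaluated only on the interface the packet leaves on, so a
    rule bound to an interface the routing table never uses for dst is skipped
    and the packet goes out with its private source unchanged."""
    out_if = egress_interface(routes, dst)
    for rule in map(parse_nat_rule, rules):
        if rule["on"] == out_if and _matches(rule["from"], src) and _matches(rule["to"], dst):
            return resolve_target(rule["to_addr"])
    return src


if __name__ == "__main__":
    # Reproduces the thread: ping from 192.168.1.95 to 209.85.129.147, one rule at a time.
    for rule in (RULE_ON_EM1, RULE_ON_BGE0, RULE_FIX, RULE_ROD):
        print("%-65s source on wire: %s" % (rule, translated_source(ROUTES, [rule], "192.168.1.95", "209.85.129.147")))
```

Run stand-alone it reports 192.168.1.95 for the em1-bound rule (exactly what Mitja's tcpdump on bge0 showed), 193.77.12.154 for the bge0-bound rule with (bge0:0), and 193.189.180.193 for the two fixes. It also shows why the first rule was not simply dead: a LAN packet to a host inside 193.189.180.192/27 is routed out em1, so that rule did translate traffic, just not the traffic Mitja was watching.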
Re: nat or routing problem?
On Sat, 09 Dec 2006 14:34:04 +0100, Mitja wrote:
> Mikael Fridh wrote:
>>> # pfctl -s all
>>> TRANSLATION RULES:
>>> nat on bge0 inet from 192.168.1.0/24 to any -> (bge0:0)
>>> rdr pass on em1 inet proto tcp from any to any port = 5900 -> 192.168.1.111 port 5900
>> If bge0 is your external interface that nat line now looks correct.
>> If your internal hosts on the 192.168.1.0/24 net have default gateway 192.168.1.1 it should be nating properly.
> Yes and it is nating, but I am trying to set my source IP to 193.189.180.193 (em1).

Translating a bit from what I use should get you there:

lan_ip=192.168.1.0/24
ext_if=bge0
fw_global_ip=193.189.180.193

nat on $ext_if inet from $lan_ip to any -> $fw_global_ip

I discovered this by (1) needing it, and (2) reading man 5 pf.conf and checking the BNF grammar near the end, and (3) trying it.
It saved me from half-bridging (messy) or renting a /32 (waste of $$).
Without the quality of OpenBSD docs it may never have happened.

From the land down under: Australia.
Do we look umop apisdn from up over?
Re: nat or routing problem?
Andreas Bihlmaier wrote:
> On Thu, Dec 07, 2006 at 11:27:11PM +0100, Mitja wrote:
>> Hello,
>>
>> I am trying to configure nat from internal network 192.168.1.0/24 to external nat gateway address 193.189.180.193. The problem is that packets are not passing from the nat gateway to the interface 193.77.12.154 to the internet.
>>
>> ISP - 193.77.12.154 -- hostA -- 192.168.1.1
>>                          |
>>                    193.189.180.193 (em1)
>>                          |
>>                      /27 network
>>
>> All hosts on 193.189.180.192/27 are routed correctly through 193.77.12.154 to the internet.
>>
>> My pf.conf is practically empty:
>>
>> # pfctl -s all
>> TRANSLATION RULES:
>> nat on em1 inet from 192.168.1.0/24 to any -> (em1:0)
>> rdr pass on em1 inet proto tcp from any to any port = 5900 -> 192.168.1.111 port 5900
>>
>> FILTER RULES:
>> pass in all keep state
>> pass out all keep state
>>
>> No queue in use
>>
>> What am I doing wrong? Any suggestions?
>
> #grep forwarding /etc/sysctl.conf

Enabled...

net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
#net.inet.ip.mforwarding=1      # 1=Permit forwarding (routing) of IPv4 multicast packets
#net.inet6.ip6.forwarding=1     # 1=Permit forwarding (routing) of IPv6 packets
#net.inet6.ip6.accept_rtadv=1   # 1=Permit IPv6 autoconf (forwarding must be 0)

For additional info:

# netstat -rn
Routing tables

Internet:
Destination         Gateway             Flags   Refs    Use    Mtu  Interface
default             193.77.12.153       UGS        9  63486      -  bge0
127/8               127.0.0.1           UGRS       0      0  33224  lo0
127.0.0.1           127.0.0.1           UH         1     92  33224  lo0
172.16.15.4/30      link#4              UC         1      0      -  bge1
172.16.15.5         00:05:85:86:84:7e   UHLc       1      0      -  bge1
172.16.16.6         172.16.15.5         UGHS       2  18739      -  bge1
192.168.1/24        link#1              UC         2      0      -  em0
192.168.1.20        00:0f:1f:02:44:1f   UHLc       0     10      -  em0
192.168.1.111       00:60:97:82:73:ce   UHLc       0      0      -  em0
193.77.12.152/30    link#3              UC         1      0      -  bge0
193.77.12.153       00:05:85:86:84:7e   UHLc       1      0      -  bge0
193.189.180.192/27  link#2              UC         5      0      -  em1
224/4               127.0.0.1           URS        0      0  33224  lo0

Encap:
Source              Port  Destination         Port  Proto  SA(Address/Proto/Type/Direction)
10.1.1/24           0     192.168.1/24        0     0      172.16.16.6/esp/use/in
192.168.1/24        0     10.1.1/24           0     0      172.16.16.6/esp/require/out
172.16.16.6/32      0     172.16.15.6/32      0     0      172.16.16.6/esp/use/in
172.16.15.6/32      0     172.16.16.6/32      0     0      172.16.16.6/esp/require/out
193.189.180.128/27  0     default             0     0      172.16.16.6/esp/use/in
default             0     193.189.180.128/27  0     0      172.16.16.6/esp/require/out

Regards, Mitja
Re: nat or routing problem?
Mitja wrote:
> Andreas Bihlmaier wrote:
>> On Thu, Dec 07, 2006 at 11:27:11PM +0100, Mitja wrote:
>>> Hello,
>>>
>>> I am trying to configure nat from internal network 192.168.1.0/24 to external nat gateway address 193.189.180.193. The problem is that packets are not passing from the nat gateway to the interface 193.77.12.154 to the internet.
>>>
>>> ISP - 193.77.12.154 -- hostA -- 192.168.1.1
>>>                          |
>>>                    193.189.180.193 (em1)
>>>                          |
>>>                      /27 network

More testing:

I changed my pf.conf to:

# pfctl -s all
TRANSLATION RULES:
nat on bge0 inet from 192.168.1.0/24 to any -> (bge0:0)
rdr pass on em1 inet proto tcp from any to any port = 5900 -> 192.168.1.111 port 5900

FILTER RULES:
pass in all keep state
pass out all keep state

No queue in use

Now I am doing translation from 192.168.1.0/24 to bge0 (193.77.12.154), the closest interface to my ISP.

Test:

# ping -I 192.168.1.95 209.85.129.147
PING 209.85.129.147 (209.85.129.147): 56 data bytes
64 bytes from 209.85.129.147: icmp_seq=0 ttl=242 time=45.439 ms
64 bytes from 209.85.129.147: icmp_seq=1 ttl=242 time=45.307 ms

--- 209.85.129.147 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 45.307/45.373/45.439/0.066 ms

# tcpdump -i bge0 icmp
tcpdump: listening on bge0, link-type EN10MB
14:46:10.614558 193.77.12.154 > 209.85.129.147: icmp: echo request
14:46:10.659932 209.85.129.147 > 193.77.12.154: icmp: echo reply
14:46:11.624513 193.77.12.154 > 209.85.129.147: icmp: echo request
14:46:11.669838 209.85.129.147 > 193.77.12.154: icmp: echo reply

It looks like NAT is working.

The same test with the configuration in pf.conf changed to:

# pfctl -s all
TRANSLATION RULES:
nat on em1 inet from 192.168.1.0/24 to any -> (em1:0)
rdr pass on em1 inet proto tcp from any to any port = 5900 -> 192.168.1.111 port 5900

FILTER RULES:
pass in all keep state
pass out all keep state

No queue in use

The same test, with tcpdump on the last interface (bge0; 193.77.12.154).

# ping -I 192.168.1.95 209.85.129.147
PING 209.85.129.147 (209.85.129.147): 56 data bytes

--- 209.85.129.147 ping statistics ---
15 packets transmitted, 0 packets received, 100.0% packet loss

# tcpdump -i bge0 icmp
tcpdump: listening on bge0, link-type EN10MB
14:49:16.377482 192.168.1.95 > 209.85.129.147: icmp: echo request
14:49:17.387437 192.168.1.95 > 209.85.129.147: icmp: echo request
14:49:18.397398 192.168.1.95 > 209.85.129.147: icmp: echo request

icmp packets are going out, but it looks like NAT is not working (it should change my source IP address).

I checked with google, http://www.openbsd.org/faq/pf/nat.html, http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&arch=&apropos=0&manpath=OpenBSD+4.0 and did not find anything useful.

I'm stuck. Any ideas?

Regards, Mitja
Re: nat or routing problem?
On Fri, 08 Dec 2006 15:16:50 +0100, Mitja wrote:
[snip]
> # pfctl -s all
> TRANSLATION RULES:
> nat on em1 inet from 192.168.1.0/24 to any -> (em1:0)

If em1 is only serving the one IP address, try changing em1:0 to em1 and see if that works.

-- 
Joel Goguen
http://iapetus.dyndns.org/
Re: nat or routing problem?
Joel Goguen wrote:
> On Fri, 08 Dec 2006 15:16:50 +0100, Mitja wrote:
> [snip]
>> # pfctl -s all
>> TRANSLATION RULES:
>> nat on em1 inet from 192.168.1.0/24 to any -> (em1:0)
>
> If em1 is only serving the one IP address, try changing em1:0 to em1 and see if that works.

Checked that option. It is the same... not working.

Regards, Mitja
Re: nat or routing problem?
Mitja wrote:
> Mitja wrote:
>> Andreas Bihlmaier wrote:
>>> On Thu, Dec 07, 2006 at 11:27:11PM +0100, Mitja wrote:
>>>> Hello,
>>>>
>>>> I am trying to configure nat from internal network 192.168.1.0/24 to external nat gateway address 193.189.180.193. The problem is that packets are not passing from the nat gateway to the interface 193.77.12.154 to the internet.
>>>>
>>>> ISP - 193.77.12.154 -- hostA -- 192.168.1.1
>>>>                          |
>>>>                    193.189.180.193 (em1)
>>>>                          |
>>>>                      /27 network
>
> More testing:
>
> I changed my pf.conf to:
>
> # pfctl -s all
> TRANSLATION RULES:
> nat on bge0 inet from 192.168.1.0/24 to any -> (bge0:0)
> rdr pass on em1 inet proto tcp from any to any port = 5900 -> 192.168.1.111 port 5900
>
> FILTER RULES:
> pass in all keep state
> pass out all keep state
>
> No queue in use
>
> Now I am doing translation from 192.168.1.0/24 to bge0 (193.77.12.154), the closest interface to my ISP.
>
> Test:
>
> # ping -I 192.168.1.95 209.85.129.147
> PING 209.85.129.147 (209.85.129.147): 56 data bytes
> 64 bytes from 209.85.129.147: icmp_seq=0 ttl=242 time=45.439 ms
> 64 bytes from 209.85.129.147: icmp_seq=1 ttl=242 time=45.307 ms
>
> --- 209.85.129.147 ping statistics ---
> 2 packets transmitted, 2 packets received, 0.0% packet loss
> round-trip min/avg/max/std-dev = 45.307/45.373/45.439/0.066 ms
>
> # tcpdump -i bge0 icmp
> tcpdump: listening on bge0, link-type EN10MB
> 14:46:10.614558 193.77.12.154 > 209.85.129.147: icmp: echo request
> 14:46:10.659932 209.85.129.147 > 193.77.12.154: icmp: echo reply
> 14:46:11.624513 193.77.12.154 > 209.85.129.147: icmp: echo request
> 14:46:11.669838 209.85.129.147 > 193.77.12.154: icmp: echo reply
>
> It looks like NAT is working.
>
> The same test with the configuration in pf.conf changed to:
>
> # pfctl -s all
> TRANSLATION RULES:
> nat on em1 inet from 192.168.1.0/24 to any -> (em1:0)
> rdr pass on em1 inet proto tcp from any to any port = 5900 -> 192.168.1.111 port 5900
>
> FILTER RULES:
> pass in all keep state
> pass out all keep state
>
> No queue in use
>
> The same test, with tcpdump on the last interface (bge0; 193.77.12.154).
>
> # ping -I 192.168.1.95 209.85.129.147
> PING 209.85.129.147 (209.85.129.147): 56 data bytes
>
> --- 209.85.129.147 ping statistics ---
> 15 packets transmitted, 0 packets received, 100.0% packet loss
>
> # tcpdump -i bge0 icmp
> tcpdump: listening on bge0, link-type EN10MB
> 14:49:16.377482 192.168.1.95 > 209.85.129.147: icmp: echo request
> 14:49:17.387437 192.168.1.95 > 209.85.129.147: icmp: echo request
> 14:49:18.397398 192.168.1.95 > 209.85.129.147: icmp: echo request
>
> icmp packets are going out, but it looks like NAT is not working (it should change my source IP address).

Maybe you should try something like this:

nat on bge0 inet from 192.168.1.0/24 to any -> (em1:0)
nat on em1 inet from 192.168.1.0/24 to any -> (em1:0)
rdr ...

It might work.

Regards,
Aleksandar
Re: nat or routing problem?
Mitja wrote:
> Mitja wrote:
>> Andreas Bihlmaier wrote:
>>> On Thu, Dec 07, 2006 at 11:27:11PM +0100, Mitja wrote:
>>>> Hello,
>>>>
>>>> I am trying to configure nat from internal network 192.168.1.0/24 to external nat gateway address 193.189.180.193. The problem is that packets are not passing from the nat gateway to the interface 193.77.12.154 to the internet.
>>>>
>>>> ISP - 193.77.12.154 -- hostA -- 192.168.1.1
>>>>                          |
>>>>                    193.189.180.193 (em1)
>>>>                          |
>>>>                      /27 network
>
> More testing:
>
> I changed my pf.conf to:
>
> # pfctl -s all
> TRANSLATION RULES:
> nat on bge0 inet from 192.168.1.0/24 to any -> (bge0:0)
> rdr pass on em1 inet proto tcp from any to any port = 5900 -> 192.168.1.111 port 5900

If bge0 is your external interface that nat line now looks correct.
If your internal hosts on the 192.168.1.0/24 net have default gateway 192.168.1.1 it should be nating properly.

Sounds like you want traffic to traverse:
192.168.1.0/24 -> 192.168.1.1 -> 193.189.180.193 -> 193.77.12.154 -> 0/0

I don't yet fully get what you're trying to accomplish.

> # pfctl -s all
> TRANSLATION RULES:
> nat on em1 inet from 192.168.1.0/24 to any -> (em1:0)
> rdr pass on em1 inet proto tcp from any to any port = 5900 -> 192.168.1.111 port 5900
>
> FILTER RULES:
> pass in all keep state
> pass out all keep state
>
> No queue in use
>
> The same test, with tcpdump on the last interface (bge0; 193.77.12.154).
>
> # ping -I 192.168.1.95 209.85.129.147
> PING 209.85.129.147 (209.85.129.147): 56 data bytes
>
> --- 209.85.129.147 ping statistics ---
> 15 packets transmitted, 0 packets received, 100.0% packet loss
>
> # tcpdump -i bge0 icmp
> tcpdump: listening on bge0, link-type EN10MB
> 14:49:16.377482 192.168.1.95 > 209.85.129.147: icmp: echo request
> 14:49:17.387437 192.168.1.95 > 209.85.129.147: icmp: echo request
> 14:49:18.397398 192.168.1.95 > 209.85.129.147: icmp: echo request
>
> icmp packets are going out, but it looks like NAT is not working (it should change my source IP address).

That's because now you are dumping traffic on the internal interface where the packets haven't traversed the NAT yet.

The nat rule you made above has the internal interface where it should have the external: nat on em1:0 from int_net to -> em1:0.

# This is a proper simple nat example (that works):
ext_if=rl0 # (or whatever is your external interface)
nat on $ext_if inet from ! ($ext_if) -> ($ext_if:0)

-- 
Fridh
Re: nat or routing problem?
On Thu, Dec 07, 2006 at 11:27:11PM +0100, Mitja wrote:
> Hello,
>
> I am trying to configure nat from internal network 192.168.1.0/24 to external nat gateway address 193.189.180.193. The problem is that packets are not passing from the nat gateway to the interface 193.77.12.154 to the internet.
>
> ISP - 193.77.12.154 -- hostA -- 192.168.1.1
>                          |
>                    193.189.180.193 (em1)
>                          |
>                      /27 network
>
> All hosts on 193.189.180.192/27 are routed correctly through 193.77.12.154 to the internet.
>
> My pf.conf is practically empty:
>
> # pfctl -s all
> TRANSLATION RULES:
> nat on em1 inet from 192.168.1.0/24 to any -> (em1:0)
> rdr pass on em1 inet proto tcp from any to any port = 5900 -> 192.168.1.111 port 5900
>
> FILTER RULES:
> pass in all keep state
> pass out all keep state
>
> No queue in use
>
> What am I doing wrong? Any suggestions?

#grep forwarding /etc/sysctl.conf

DMESG: snip

Regards,
ahb