Re: Help setting up a PF NAT gateway

I must say that thanks to your help on this list I've finally managed to get it working. I have bought FreeBSD CD sets in the past as a means to donate and I intend to buy 5.0 sets now because I believe strongly in open source software. Well it was also thanks to some pf.conf samples I found

Re: Help setting up a PF NAT gateway

Hi Stefan, On Wed Oct 12 2011 14:59, Stefan Midjich wrote: I must say that thanks to your help on this list I've finally managed to get it working. I have bought FreeBSD CD sets in the past as a means to donate and I intend to buy 5.0 sets now because I believe strongly in open source

Re: Help setting up a PF NAT gateway

After all that I was still doing NAT wrong, I thank you Norman! It works perfectly now and it makes much more sense as NAT must be done from the lo0 too out on the external IF. 2011/10/13 Norman Golisz li...@zcat.de: Hi Stefan, On Wed Oct 12 2011 14:59, Stefan Midjich wrote: I must say that

Re: Help setting up a PF NAT gateway

...@gmail.com To: Stefan N stefanbsd...@yahoo.com Cc: misc@openbsd.org misc@openbsd.org Sent: Tuesday, October 11, 2011 1:25 PM Subject: Re: Help setting up a PF NAT gateway No I was not aware of this. Could you please explain the meaning of an alias address on the external interface for NAT

Re: Help setting up a PF NAT gateway

It works now that I started over from scratch, I have a block in all and a pass out all by default and NAT is working. I can see packets on both in and out-interfaces with tcpdump. Of course ICMP response is not being sent back since I have a block in all but at least NAT is working and it is

Re: Help setting up a PF NAT gateway

2011/10/10 Stefan Midjich sweh...@gmail.com: Simplest of things but I'm failing miserably. $ sudo cat /etc/hostname.vic2 # External NIC with static public IPv4 address inet 50.50.50.59 255.255.255.0 50.50.50.255 $ sudo cat /etc/hostname.vic3 # Internal NIC used as gateway by two machines on

Re: Help setting up a PF NAT gateway

On 10 October 2011 12:38, Stefan Midjich sweh...@gmail.com wrote: Simplest of things but I'm failing miserably. $ sudo cat /etc/hostname.vic2 # External NIC with static public IPv4 address inet 50.50.50.59 255.255.255.0 50.50.50.255 $ sudo cat /etc/hostname.vic3 # Internal NIC used as

Re: Help setting up a PF NAT gateway

match out on vic2 inet from 10.221.181.0/24 to any nat-to (vic2) round-robin in what reason you paste round-robin? also you need pass in on $local_if from $localnet to any pass out on $ext_if from $localnet to any 10 PP:QQP1QQ 2011, 19:42 PQ Stefan Midjich sweh...@gmail.com:

Re: Help setting up a PF NAT gateway

Hi Stefan, On Mon, Oct 10, 2011 at 10:38 AM, Stefan Midjich sweh...@gmail.com wrote: Simplest of things but I'm failing miserably. ... With tcpdump I can see packets going to vic3, but no further. Do you definitely have forwarding enabled? # sysctl net.inet.ip.forwarding

Re: Help setting up a PF NAT gateway

Hi, see my sample, it is well explained. http://mouedine.net/ruleset49.aspx All the best, Wesley MOUEDINE ASSABY www.mouedine.net On Mon, 10 Oct 2011 17:38:26 +0200, Stefan Midjich sweh...@gmail.com wrote: Simplest of things but I'm failing miserably. $ sudo cat /etc/hostname.vic2 #

Re: Help setting up a PF NAT gateway

Yes forwarding is enabled. I have followed the Book of PF 2nd Edition so far. 2011/10/10 Mark (obsd) openbsd-l...@nerdish.us: Hi Stefan, On Mon, Oct 10, 2011 at 10:38 AM, Stefan Midjich sweh...@gmail.com wrote: Simplest of things but I'm failing miserably. ... With tcpdump I can see

Re: Help setting up a PF NAT gateway

That was from the output of pfctl -vf /etc/pf.conf so it expands the rules and adds all that is implied, like keep state for example. 2011/10/10 pavel pocheptsov lilit-aibo...@mail.ru: match out on vic2 inet from 10.221.181.0/24 to any nat-to (vic2) round-robin in what reason you paste

Re: Help setting up a PF NAT gateway

ManagementIF = vic0 PFsyncIF = vic1 LocalIF = lo0 ManagementPorts = { 1022, 22 } UDPManagementPorts = { domain } ICMPTypes = { echorep, echoreq, unreach } set skip on { lo0 vic1 } OutIF = vic2 InIF = vic3 pass quick on vic0 inet proto tcp from any to any port = 1022 flags S/SA keep state label

Re: Help setting up a PF NAT gateway

$ sudo pfctl -sr |grep nat-to match in on vic3 inet from 10.221.181.0/24 to any label NATOut nat-to (vic2) round-robin pfctl -vsl shows only evaluated packets for all my rules, which worries me, it never increments the counter of packets gone through any of the nat rules. Only the first rules for

Re: Help setting up a PF NAT gateway

Stefan Midjich sweh...@gmail.com writes: $ sudo cat /etc/hostname.vic2 # External NIC with static public IPv4 address inet 50.50.50.59 255.255.255.0 50.50.50.255 $ sudo cat /etc/hostname.vic3 # Internal NIC used as gateway by two machines on same network inet 10.221.181.10 255.255.255.0

Re: Help setting up a PF NAT gateway

Not sure what you mean but they're both in switched vlans, two different vlans. Point to Point is a crossover cable right? I'm not sure what it means in English. This is all a virtual environment I use for training so there are no cables as such. 2011/10/10 Peter N. M. Hansteen pe...@bsdly.net:

Re: Help setting up a PF NAT gateway

On 10 October 2011 15:05, Stefan Midjich sweh...@gmail.com wrote: That was from the output of pfctl -vf /etc/pf.conf so it expands the rules and adds all that is implied, like keep state for example. I think that is not what you want: match in on vic3 inet from 10.221.181.0/24 to any label

Re: Help setting up a PF NAT gateway

Stefan Midjich sweh...@gmail.com writes: Not sure what you mean but they're both in switched vlans, two different vlans. Point to Point is a crossover cable right? I'm not sure what it means in English. This is all a virtual environment I use for training so there are no cables as such. take

Re: Help setting up a PF NAT gateway

match out on egress inet from vic3:network nat-to (egress:0) This is the new rule then, as it appears in pfctl -v match out on egress inet from 10.221.181.0/24 to any nat-to (egress:0) round-robin vic2 is only NIC in egress group in ifconfig. nc -vv cvs.openbsd.org 25 from 10.221.181.20 does

Re: Help setting up a PF NAT gateway

I have taken away the block all rule, but pfctl -d makes no difference. The gateway itself behaves just like any server connected to multiple vlans. You can reach the world around it, through its default gateway you can reach the internet. The servers connected to its private vlan, vic3, cannot

Re: Help setting up a PF NAT gateway

A couple of general comments, keep state is the default, no need to specify from any to any port = - to port does the same thing quick means if we match this, we do no more evaluation for this one. I suspect your quick rules before the nat-to match rules mean that anything that matches the

Re: Help setting up a PF NAT gateway

add 65.65.65.65 10.0.1.13 up I hope it helps. Regards, Stefan From: Stefan Midjich sweh...@gmail.com To: Mark (obsd) openbsd-l...@nerdish.us Cc: misc@openbsd.org Sent: Tuesday, October 11, 2011 2:06 AM Subject: Re: Help setting up a PF NAT gateway Yes forwarding

Re: Help setting up a PF NAT gateway

From: Stefan Midjich sweh...@gmail.com To: Mark (obsd) openbsd-l...@nerdish.us Cc: misc@openbsd.org Sent: Tuesday, October 11, 2011 2:06 AM Subject: Re: Help setting up a PF NAT gateway Yes forwarding is enabled. I have followed the Book of PF 2nd Edition so far. 2011/10/10 Mark (obsd