Your specification:
- An OBSD firewall box with 4 interfaces.
For the sake of completeness I just randomly chose the unknown LANs and netmasks.
Code:
                      I N T E R N E T
                             |
                             |
                             |
                             |
        +--------------------|--------------------+
        |             11.11.11.11/30              |
        |           external interface            |
        |                                         |
        |     10.                E       192.     |
        |     1.         M       X       168.     |
MGT LAN ------0.         G       T       50. ----- EXTRA LAN
        |     254        T       R       254      |
        |     /24                A       /24      |
        |                                         |
        |           internal interface            |
        |             10.20.30.1/24               |
        +--------------------|--------------------+
                             |
                             |
                             |
                             |
                       INTERNAL LAN
                       10.20.30.0/24
- I have to realise a NAT between 2 networks: mgt_if and extra_if.
Code:
#macros:
mgt_if="10.1.0.254"
extra_if="192.168.50.254"
#host on extra_if
host1="192.168.50.100"
# clients on mgt_if
table <client> const {10.1.0.11, 10.1.0.12, 10.1.0.21, 10.1.0.31}
- No host from "EXTRA" should communicate with hosts on "MGT"
Only "host1" is allowed to communicate with the clients defined in the "<client>" table, for ssh, vnc, and snmp (monitoring).
What does 'host1' (192.168.50.100) on the EXTRA network need to communicate with the 10.1.0.x hosts listed in your client table?
That host needs a route and no NAT is needed. It should know that in order to send packets for the MGT network it should send them through 192.168.50.254 on the firewall. In other words: for 'host1' 192.168.50.254 is the gateway to the 10.1.0.0/24 network.
Three options for the routing on 'host1' (192.168.50.100):
- Add a default route:
Code:
route add default 192.168.50.254
- Add a route to the 10.1.0.0/24 network
Code:
route add 10.1.0.0/24 192.168.50.254
- Add routes for each individual host
Code:
route add 10.1.0.11 192.168.50.254
route add 10.1.0.12 192.168.50.254
route add 10.1.0.21 192.168.50.254
route add 10.1.0.31 192.168.50.254
The three routing options for the 10.1.0.11, 10.1.0.12, 10.1.0.21, and 10.1.0.31 hosts on the MGT network:
- Add a default route:
Code:
route add default 10.1.0.254
- Add a route to the 192.168.50.254 network:
Code:
route add 192.168.50.0/24 10.1.0.254
- Only add a route to 'host1' (192.168.50.100):
Code:
route add 192.168.50.100 10.1.0.254
You can change the pf.conf till you weigh an ounce, but if you do not have the routing configured correctly, those hosts will never be able to communicate with each other.
Please remember that you only need NAT on the external interface because the 10.x.x.x and 192.168.x.x network addresses are not routable on the internet. But on your internal networks these addresses are routable.
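As an added example (not code from any post in this thread), this is how the specification above can be written in pf.conf once the routing on 'host1' and on the clients is in place: NAT only on the external interface, no NAT between the MGT and EXTRA networks, EXTRA blocked from MGT by default, and only 'host1' allowed to reach the <client> table for ssh, vnc and snmp. The interface names em0/em1/em2 and the OpenBSD 4.7+ match/nat-to syntax are assumptions; rules for Internet-bound traffic are left out to keep the focus on the two internal networks.

```pf
# Added example, not from the thread. Interface names are assumed;
# the thread only gives the interface addresses.
ext_if="em0"                 # 11.11.11.11/30 (assumed name)
mgt_phy="em1"                # carries 10.1.0.254/24 (assumed name)
extra_phy="em2"              # carries 192.168.50.254/24 (assumed name)
mgt_if="10.1.0.254"
extra_if="192.168.50.254"

# host on EXTRA that is allowed to monitor the MGT clients
host1="192.168.50.100"
# clients on MGT
table <client> const { 10.1.0.11, 10.1.0.12, 10.1.0.21, 10.1.0.31 }

set skip on lo

# NAT is only needed where the private networks leave for the Internet.
# There is deliberately no nat-to between $mgt_if and $extra_if:
# routing on host1 and on the clients is what makes them reachable.
match out on $ext_if inet from { 10.1.0.0/24, 192.168.50.0/24, 10.20.30.0/24 } \
    to any nat-to ($ext_if)

# Default deny: nothing from EXTRA reaches MGT unless allowed below.
block log all

# Only host1 -> <client>, only for the monitoring services.
# vnc is tcp/5900 (not in /etc/services), snmp is udp/161.
pass in quick on $extra_phy inet proto tcp from $host1 to <client> port { ssh, 5900 }
pass in quick on $extra_phy inet proto udp from $host1 to <client> port snmp

# Let the permitted flows leave on the MGT side; replies follow the state.
pass out quick on $mgt_phy inet from $host1 to <client>
```

Load it with `pfctl -nf /etc/pf.conf` first to have the syntax checked without activating it; `pfctl -sr` then shows the loaded rules.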