Thread: pf.conf and nat
View Single Post
  #4   (View Single Post)  
Old 25th November 2012
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,505
Default

Your specification:
  • An OBSD firewall box with 4 interfaces.
    For sake of completeness I just randomly choose the unknown LAN's and netmasks.
    Code:
                           I N T E R N E T
                                  |
                                  |
                                  |
                                  |
                 +----------------|---------------+
                 |          11.11.11.11/30        |
                 |        external interface      |
                 |                                |
                 |   10.                  E 192.  | 
                 |    1.  M               X 168.  | 
      MGT LAN ------  0.  G               T  50. --------- EXTRA LAN
                 |  254   T               R 254   |
                 |  /24                   A /24   |
                 |                                |
                 |        internal interface      |
                 |            10.20.30.1/24       | 
                 +----------------|---------------+
                                  |
                                  |
                                  |
                                  |
                            INTERNAL  LAN
                            10.20.30.0/24
  • I have to realise a NAT between 2 networks: mgt_if and extra_if.
    Code:
    #macros:
    mgt_if="10.1.0.254"
    extra_if="192.168.50.254"
    
    #host on extra_if
    host1="192.168.50.100"
    
    # clients on mgt_if
    table <client> const {10.1.0.11, 10.1.0.12, 10.1.0.21, 10.1.0.31}
  • No host from "EXTRA" should communicate with hosts on "MGT"
    Only "host1" is allowed to communicate with the clients defined in the "<client>" table, for ssh, vnc, and snmtp (monitoring).

What does 'host1' (192.168.50.100) on the EXTRA network need to communicate with the 10.1.0.x hosts listed in your client table?

That host needs a route and no NAT is needed. It should know that in order to send packets for the MGT network it should send them through 192.168.50.254 on the firewall. In other words: for 'host1' 192.168.50.254 is the gateway to the 10.1.0.0/24 network.

Three options for the routing on 'host1' (192.168.50.100):
  • Add a default route:
    Code:
    route add default 192.168.50.254
  • Add a route to the 10.1.0.0/24 network
    Code:
    route add 10.1.0.0/24 192.168.50.254
  • Add routes for each individual host
    Code:
    route add 10.1.0.11 192.168.50.254
    route add 10.1.0.12 192.168.50.254
    route add 10.1.0.21 192.168.50.254
    route add 10.1.0.31 192.168.50.254

The three routing options for the 10.1.0.11, 10.1.0.12, 10.1.0.21, and 10.1.0.31 hosts on the MGT network:
  • Add a default route:
    Code:
    route add default 10.1.0.254
  • Add a route to the 192.168.50.254 network:
    Code:
    route add 192.168.50.0/24 10.1.0.254
  • Only add a route to 'host1' (192.168.50.100):
    Code:
    route add 192.168.50.100 10.1.0.254

You can change the pf.conf till you weigh an ounce, but if you do not have the routing configured correctly, those hosts will never be able to communicate with each other.

Please remember that you only need NAT on the external interface because the 10.x.x.x and 192.168.x.x network addresses are not routable on the internet. But on your internal networks these addresses are routable.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote