#1, 18th May 2011
lcxpics (New User; Join Date: May 2011; Posts: 1)
Help: NAT doesn't work on OpenBSD 4.9

Hi All,

I was testing NAT (redirection) to access the internal webserver from a notebook, with the diagram below:

notebook--->----em0[OpenBSD 4.9 PF]em1--->---webserver(TCP/443)

em0(external) is 192.168.1.218/24
notebook is 192.168.1.21/24
em1(internal) is 192.168.2.218/24
internal webserver is 192.168.2.80/24
Webserver gateway is em1(192.168.2.218)
Firewall default gateway is 192.168.1.1
notebook gateway is em0(192.168.1.218)
IP alias for NAT on em0 is 192.168.1.232/32 (for redirecting the incoming traffic from 192.168.1.232 to 192.168.2.80)

net.inet.ip.forwarding=1

My rules are:
# Tables: (1)
table <tbl.r0.d> { 192.168.1.218 , 192.168.1.232 , 192.168.2.218 }

#
# Rule 0 (NAT)
match in on em0 proto {tcp udp icmp} from 192.168.1.21 to 192.168.1.232 rdr-to 192.168.2.80

# SSH mgmt rule
pass in quick inet proto tcp from 192.168.1.21 to <tbl.r0.d> port 22

# Rule 0 (em0,em1) permit notebook to access https on internal webserver
pass log quick on { em0 em1 } inet proto tcp from 192.168.1.21 to 192.168.1.232 port 443

# Deny all
block quick inet from any to any no state

The IP alias (192.168.1.232) was configured on em0 (external).

But the traffic can't pass through to the internal webserver.
I ran tcpdump on both interfaces:

tcpdump on em0 (external):

Code:
# tcpdump -npi em0 host 192.168.1.232
tcpdump: listening on em0, link-type EN10MB
21:36:37.611311 arp who-has 192.168.1.232 tell 192.168.1.21
21:36:37.611369 arp reply 192.168.1.232 is-at 00:0c:29:97:2a:44
tcpdump: WARNING: compensating for unaligned libpcap packets
21:36:37.611708 192.168.1.21.4963 > 192.168.1.232.443: S 4176778738:4176778738(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
21:36:37.611789 192.168.1.232.443 > 192.168.1.21.4963: R 0:0(0) ack 4176778739 win 0 (DF)
21:36:38.063449 192.168.1.21.4963 > 192.168.1.232.443: S 4176778738:4176778738(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
21:36:38.063598 192.168.1.232.443 > 192.168.1.21.4963: R 0:0(0) ack 1 win 0 (DF)
21:36:38.566376 192.168.1.21.4963 > 192.168.1.232.443: S 4176778738:4176778738(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
21:36:38.566453 192.168.1.232.443 > 192.168.1.21.4963: R 0:0(0) ack 1 win 0 (DF)
and tcpdump on em1 (internal):

Code:
# tcpdump -npi em1 port 443
tcpdump: listening on em1, link-type EN10MB
It seems that the translation didn't work and the request couldn't be redirected to the internal webserver.

When I tested from the notebook to the internal webserver, the notebook was able to access the internal webserver on port 443. But when I tested using rdr-to (NAT), it didn't work.

Is there anything missing/misconfigured in my config?

Regards,
Stefan
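An added example, not part of the original post: it reads tcpdump output of the shape shown above from both interfaces and states, per client flow, whether the rdr-to translation took effect (the client SYN reappears on the internal interface aimed at the target) or where it stopped. The captures inside it are constructed in the shape of the em0/em1 output above; the addresses and port are the ones from the post.

```python
import re

# Constructed captures in the shape of the em0/em1 tcpdump output in the post (sample data, not the post's lines).
EM0_CAPTURE = """\
21:36:37.611311 arp who-has 192.168.1.232 tell 192.168.1.21
21:36:37.611708 192.168.1.21.4963 > 192.168.1.232.443: S 4176778738:4176778738(0) win 65535 <mss 1460> (DF)
21:36:37.611789 192.168.1.232.443 > 192.168.1.21.4963: R 0:0(0) ack 4176778739 win 0 (DF)
21:36:40.100000 192.168.1.21.4970 > 192.168.1.232.443: S 1:1(0) win 65535 (DF)
"""
EM1_CAPTURE = ""  # nothing reached the internal interface

# One TCP line: timestamp, src.port > dst.port: flags ...
TCP_LINE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[SRPFA.]+) "
)

def parse_tcp(capture):
    """Yield (src, sport, dst, dport, flags); ARP lines and tcpdump warnings do not match."""
    for line in capture.splitlines():
        m = TCP_LINE.match(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])

def diagnose_rdr(ext_capture, int_capture, rdr_addr, rdr_port, target):
    """For each client SYN to rdr_addr:rdr_port on the external side, say whether rdr-to took effect.

    A flow counts as translated only if the same client address/port shows up on the
    internal interface with the target as destination; otherwise the reply seen on the
    outside (or the lack of one) tells you where the SYN stopped.
    """
    replies = {}  # (client, cport) -> flags sent back from the alias address
    for src, sport, dst, dport, flags in parse_tcp(ext_capture):
        if dst == rdr_addr and dport == rdr_port and "S" in flags:
            replies.setdefault((src, sport), set())
        elif src == rdr_addr and sport == rdr_port and (dst, dport) in replies:
            replies[(dst, dport)].add(flags)
    forwarded = {(s, sp) for s, sp, d, dp, f in parse_tcp(int_capture)
                 if d == target and dp == rdr_port and "S" in f}
    verdicts = {}
    for flow, flags_back in replies.items():
        if flow in forwarded:
            verdicts[flow] = "translated: SYN forwarded to target"
        elif any("R" in f for f in flags_back):
            verdicts[flow] = "not translated: alias address answered with RST, nothing on internal side"
        else:
            verdicts[flow] = "not translated: SYN got no reply on either side"
    return verdicts

if __name__ == "__main__":
    for flow, verdict in diagnose_rdr(EM0_CAPTURE, EM1_CAPTURE, "192.168.1.232", 443, "192.168.2.80").items():
        print(flow, verdict)
```

Feed it `tcpdump -n` output from both interfaces captured at the same time; a flow that is "translated" but still fails then points at the internal host or the return path rather than at the rdr-to rule.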