OpenBSD General
Help: NAT doesn't work on OpenBSD 4.9
Hi All,
I was doing NAT testing (redirection) to access an internal webserver from a notebook, with the diagram below:

notebook --->---- em0 [OpenBSD 4.9 PF] em1 --->--- webserver (TCP/443)

em0 (external) is 192.168.1.218/24
notebook is 192.168.1.21/24
em1 (internal) is 192.168.2.218/24
internal webserver is 192.168.2.80/24
Webserver gateway is em1 (192.168.2.218)
Firewall default gateway is 192.168.1.1
notebook gateway is em0 (192.168.1.218)
IP alias for NAT on em0 is 192.168.1.232/32 (for redirecting the incoming traffic from 192.168.1.232 to 192.168.2.80)
net.inet.ip.forwarding=1

My rule is:
Code:
# Tables: (1)
table <tbl.r0.d> { 192.168.1.218 , 192.168.1.232 , 192.168.2.218 }
#
# Rule 0 (NAT)
match in on em0 proto {tcp udp icmp} from 192.168.1.21 to 192.168.1.232 rdr-to 192.168.2.80
# SSH mgmt rule
pass in quick inet proto tcp from 192.168.1.21 to <tbl.r0.d> port 22
# Rule 0 (em0,em1) permit notebook to access https on internal webserver
pass log quick on { em0 em1 } inet proto tcp from 192.168.1.21 to 192.168.1.232 port 443
# Deny all
block quick inet from any to any no state

The IP alias (192.168.1.232) was configured on em0 (external), but the traffic can't pass through to the internal webserver. I was doing tcpdump on both interfaces:

tcpdump on em0 (external):
Code:
# tcpdump -npi em0 host 192.168.1.232
tcpdump: listening on em0, link-type EN10MB
21:36:37.611311 arp who-has 192.168.1.232 tell 192.168.1.21
21:36:37.611369 arp reply 192.168.1.232 is-at 00:0c:29:97:2a:44
tcpdump: WARNING: compensating for unaligned libpcap packets
21:36:37.611708 192.168.1.21.4963 > 192.168.1.232.443: S 4176778738:4176778738(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
21:36:37.611789 192.168.1.232.443 > 192.168.1.21.4963: R 0:0(0) ack 4176778739 win 0 (DF)
21:36:38.063449 192.168.1.21.4963 > 192.168.1.232.443: S 4176778738:4176778738(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
21:36:38.063598 192.168.1.232.443 > 192.168.1.21.4963: R 0:0(0) ack 1 win 0 (DF)
21:36:38.566376 192.168.1.21.4963 > 192.168.1.232.443: S 4176778738:4176778738(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
21:36:38.566453 192.168.1.232.443 > 192.168.1.21.4963: R 0:0(0) ack 1 win 0 (DF)

tcpdump on em1 (internal):
Code:
# tcpdump -npi em1 port 443
tcpdump: listening on em1, link-type EN10MB

When I was doing the testing from the notebook to the internal webserver, the notebook was able to access the internal webserver on port 443. But when I was testing using rdr-to (NAT) it doesn't work. Is there anything missing/misconfigured in my config?

Regards,
Stefan
I may be wrong, but I think the gotchas explained in http://openbsd.org/faq/pf/rdr.html#reflect apply to your situation.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
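As an added example (it is not the poster's ruleset and not code from the linked FAQ), here is a pf.conf that rewrites the post's rules for the same topology. pf.conf(5) states that translation occurs before filtering, so once the match rule has applied rdr-to, the later "pass ... to 192.168.1.232 port 443" rule is evaluated against a packet whose destination is already 192.168.2.80 and never matches; doing the translation and the pass in one rule avoids that. The example also carries the reflection rule for clients on the internal LAN that the FAQ section above describes. Interface names and addresses are taken from the post; the macro names, the table name <mgmt>, "set skip on lo" and the final default-deny rule are assumptions.

```pf
# Added example ruleset for the topology in the post (not the poster's config,
# not the FAQ's). Addresses and interface names are from the post; macro names,
# the <mgmt> table, "set skip on lo" and the final block rule are assumed.
ext_if    = "em0"
int_if    = "em1"
notebook  = "192.168.1.21"
public_ip = "192.168.1.232"      # alias configured on $ext_if
webserver = "192.168.2.80"
table <mgmt> { 192.168.1.218, 192.168.1.232, 192.168.2.218 }

set skip on lo

# Translation runs before filtering: after rdr-to the filter rules see the
# packet with destination $webserver, not $public_ip. Translate and pass in a
# single rule so no later rule has to match the rewritten address.
pass in quick log on $ext_if inet proto tcp from $notebook \
    to $public_ip port 443 rdr-to $webserver

# The state created by the rule above carries the forwarded packet out on
# $int_if and the reply back in, unless "set state-policy if-bound" is in
# effect; no separate "pass on em1" rule is required.

# Reflection (http://openbsd.org/faq/pf/rdr.html#reflect): a client on the
# internal LAN that connects to $public_ip is redirected, but without nat-to
# the server answers the client directly on the LAN, the client's TCP stack
# sees a SYN-ACK from an address it never contacted and rejects it.
# nat-to makes the server reply through the firewall instead.
pass in quick log on $int_if inet proto tcp from $int_if:network \
    to $public_ip port 443 rdr-to $webserver nat-to ($int_if)

# Management access and default deny, as in the post.
pass in quick inet proto tcp from $notebook to <mgmt> port 22
block log all
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf. Because the pass rules carry "log", tcpdump -n -e -ttt -i pflog0 prints the rule number, action and interface for every logged packet, which tells you directly which rule handled a SYN instead of inferring it from a RST on em0; pfctl -ss then shows whether a state with the translated destination exists.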