Need Help setting up NAT (pf.conf)
hi all,
I need help setting up source NAT from my internal network interface "vr1" to the public IP address obtained from my ISP on interface "vr0". These are my LAN settings:
- interface name: vr1
- interface IP: 192.168.1.254/32
- network behind interface vr1: 192.168.1.0/24 (internal network)
- default gateway: vr1 interface IP
vr0 represents my public IP address. Thanks in advance.
|
|||
http://en.wikipedia.org/wiki/Private_network
|
|||
In addition, The Book of PF started out as an online manuscript. Differences exist between the book & paper, but Hansteen's manuscript is still frequently updated & can be found at the following:
http://home.nuug.no/~peter/pf/
|
|||
Thank you for your quick answer,
but I didn't succeed in setting up NAT after reading the PF User's Guide. I would really appreciate it if someone could post a working configuration with the same topology (two network interfaces, one for the LAN and the other for the WAN). Firewall policy does not interest me at this moment; I want everything to pass out, I just want the source NAT from my LAN 192.168.1.0/24 (vr1) to my WAN interface vr0 to work... Thanks in advance to helpers.
|
||||
wlm2,
You and Igor had previously decided on this topology: Code:
{Internet} -- a.b.c.d/xx -- [Linksys router] -- 192.168.1/24 -- [ALIX router] -- e.f.g.h/xx -- [Windows laptop]

Your inner subnet on vr1 you have not described. I don't know if you've defined it yet, so I call it e.f.g.h/xx. But it doesn't matter. As long as it is a different subnet and is also within any of the RFC 1918 blocks, that will be fine.

I've stated this in your larger "urgently!!" thread, and I will state it here once more. With this two-router topology you decided on, NAT is not necessary between vr0 and vr1. All that is needed is a route added to the Linksys box, so that it can reach the vr1 subnet. For example: if the vr1 subnet e.f.g.h/xx was 10.0.0.0/24, you merely need to add a route on the Linksys router, defining a route for the destination network (10.0.0.0/24) via the ALIX router (192.168.1.102).

NAT is in use on the Linksys router. All of your local addresses will be translated into your single IP address assigned to you on your ISP's a.b.c.d/xx subnet. It will keep state tables, translate all transiting addresses in and out, and route the packets accordingly. It just needs to be told where to route the "inner" traffic.

---

Your description in this thread, however, describes a different topology. Please clarify.
|
|||
The topology was changed.
This is the wanted topology:
- internal network behind interface vr1: 192.168.1.0/24
- LAN default gateway is the vr1 IP address, 192.168.1.254
- the DHCP server is working; LAN PCs obtain an IP address successfully and are able to reach their default gateway (the vr1 interface) by ping
- cable modem connected to interface vr0
- vr0 is set to DHCP and obtains an IP address from my ISP
I can ping and resolve internet web sites from my ALIX board directly, but not from computers in my LAN. I want all the traffic from the internal network to get out to the internet via interface vr0.
|
|||
Finally it's WORKING :)
Thank you, jggimi, for all your help and patience!
Now it's working, but frankly I'm not so sure how. I'd love it if you could help me understand the following line:
match out on egress inet from !(egress) to any nat-to (egress:0)
The part I do not understand is how !(egress) represents my vr1 interface and (egress:0) represents my vr0 interface... This is the working configuration:
Code:
ext_if = "vr0"
int1_if = "vr1"
#
set block-policy drop
set loginterface $ext_if
set limit { frags 5000, states 10000 }
set state-policy floating
set optimization normal
set ruleset-optimization basic
set timeout interval 10
set timeout frag 30
set skip on lo
#
match out on egress inet from !(egress) to any nat-to (egress:0)
block return #all
antispoof for $ext_if inet
#
pass out quick keep state
pass in quick on $int1_if
|
||||
Start with the word "egress". You can see it appear in your ifconfig output for vr0:
Code:
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0d:b9:1c:96:80
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::20d:b9ff:fe1c:9680%vr0 prefixlen 64 scopeid 0x1
        inet 192.168.1.103 netmask 0xffffff00 broadcast 192.168.1.255
Code:
     group group-name
             Assign the interface to a ``group''.  Any interface can be in
             multiple groups.

             For instance, such a group could be used to create a hardware
             independent pf(4) ruleset (i.e. not one based on the names of
             NICs) using existing (egress, carp, etc.) or user-defined
             groups.

             Some interfaces belong to specific groups by default:

             -   All interfaces are members of the all interface group.
             -   Cloned interfaces are members of their interface family
                 group.  For example, a PPP interface such as ppp0 is a
                 member of the ppp interface family group.
             -   The interface(s) the default route(s) point to are members
                 of the egress interface group.
             -   IEEE 802.11 wireless interfaces are members of the wlan
                 interface group.
             -   Any interfaces used for network booting are members of the
                 netboot interface group.
|
|
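To tie the working ruleset and the egress explanation together, here is an added example ruleset for the topology wlm2 ended up with (vr1 facing the LAN 192.168.1.0/24 with 192.168.1.254 on the router, vr0 taking its address from the ISP by DHCP). It is not wlm2's or jggimi's configuration: only the interface names, the LAN prefix and the match rule come from the thread; the macro names, the second (commented-out) form of the NAT rule and the pass rules are my own choices. It shows the same source-NAT rule written against the egress group and against the interface macros, with comments on what each part of the egress form means.

```pf
# Added example /etc/pf.conf for a two-interface ALIX router (assumed layout,
# not the thread's own file).
ext_if  = "vr0"              # WAN, address assigned by the ISP via DHCP
int_if  = "vr1"              # LAN, router holds 192.168.1.254/24 here
lan_net = "192.168.1.0/24"

# Options first. "set block-policy drop" only has an effect on "block" rules
# that do not name their own policy; a rule written "block return" overrides it.
set block-policy drop
set skip on lo

# Hardware-independent source NAT, as in the working configuration.
#   egress      the interface group holding the default route, i.e. vr0 here
#   (egress)    vr0's addresses, re-evaluated by pf whenever they change,
#               which is what you want on a DHCP-assigned interface
#   !(egress)   any source address that is NOT one of vr0's own addresses:
#               on packets leaving vr0 that is forwarded traffic, which in
#               this topology can only have come in through vr1
#   (egress:0)  vr0's first address only (alias addresses ignored), the
#               address the source gets rewritten to
match out on egress inet from !(egress) to any nat-to (egress:0)

# Equivalent rule naming the interfaces explicitly. Use one form or the
# other, not both; this copy is commented out for comparison only.
# match out on $ext_if inet from $lan_net to any nat-to ($ext_if:0)

# Default deny; plain "block" so the global block-policy applies.
block log

# Drop packets arriving with a source address that belongs to the other side.
antispoof for { $int_if, $ext_if } inet

# The router itself and forwarded traffic may leave on any interface;
# the LAN may come in through vr1. Replies ride the state entries.
pass out quick inet keep state
pass in  quick on $int_if inet from $lan_net to any keep state
```

Before loading, check the syntax with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`; `pfctl -s rules` shows the expanded ruleset and `pfctl -s state` shows the translated sessions once a LAN host talks to the internet. `ifconfig egress` lists which interfaces are currently in the egress group, which is the quickest way to confirm the rule is binding to vr0. One prerequisite the ruleset cannot supply: an OpenBSD router only forwards packets between interfaces when `net.inet.ip.forwarding=1` is set (put it in /etc/sysctl.conf so it survives reboot); a LAN that can ping its gateway but not beyond it is the classic symptom of this being left at 0.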
|||
I have no words to express my appreciation.
You helped me a lot! Thanks again.
|
||||
You are welcome, wlm2, but I am concerned by what I have seen in the pf.conf you have posted. It appears that you have copied and pasted a pf.conf file from some "how-to" you found on the Internet.
Just one example: set block-policy drop is made meaningless by block return. I am guessing that you did not realize this because you copied and pasted from someone else's configuration file, and then hoped things would work for you. Let us quote from Peter Hansteen's The Book of PF:
|
|
|||
Of course I still have many things to understand.
I'm just glad that I have overcome the main problems with the help of the wonderful people in this forum! And I will embrace this Pledge; I like it.