DaemonForums > OpenBSD > OpenBSD General

#1   18th May 2011
lcxpics (New User, joined May 2011)

Help: NAT doesn't work on OpenBSD 4.9

Hi All,

I was doing NAT testing (redirection) to access the internal webserver from the notebook, with the diagram below:

notebook--->----em0[OpenBSD 4.9 PF]em1--->---webserver(TCP/443)

em0(external) is 192.168.1.218/24
notebook is 192.168.1.21/24
em1(internal) is 192.168.2.218/24
internal webserver is 192.168.2.80/24
Webserver gateway is em1(192.168.2.218)
Firewall default gateway is 192.168.1.1
notebook gateway is em0(192.168.1.218)
IP alias for NAT on em0 is 192.168.1.232/32 (for redirecting the incoming traffic from 192.168.1.232 to 192.168.2.80)

net.inet.ip.forwarding=1

My rule is:
# Tables: (1)
table <tbl.r0.d> { 192.168.1.218 , 192.168.1.232 , 192.168.2.218 }

#
# Rule 0 (NAT)
match in on em0 proto {tcp udp icmp} from 192.168.1.21 to 192.168.1.232 rdr-to 192.168.2.80

# SSH mgmt rule
pass in quick inet proto tcp from 192.168.1.21 to <tbl.r0.d> port 22

# Rule 0 (em0,em1) permit notebook to access https on internal webserver
pass log quick on { em0 em1 } inet proto tcp from 192.168.1.21 to 192.168.1.232 port 443

# Deny all
block quick inet from any to any no state

IP alias (192.168.1.232) was configured on em0(external)

But the traffic can't pass through to the internal webserver.
I ran tcpdump on both interfaces:

tcpdump on em0(external):

Code:
# tcpdump -npi em0 host 192.168.1.232
tcpdump: listening on em0, link-type EN10MB
21:36:37.611311 arp who-has 192.168.1.232 tell 192.168.1.21
21:36:37.611369 arp reply 192.168.1.232 is-at 00:0c:29:97:2a:44
tcpdump: WARNING: compensating for unaligned libpcap packets
21:36:37.611708 192.168.1.21.4963 > 192.168.1.232.443: S 4176778738:4176778738(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
21:36:37.611789 192.168.1.232.443 > 192.168.1.21.4963: R 0:0(0) ack 4176778739 win 0 (DF)
21:36:38.063449 192.168.1.21.4963 > 192.168.1.232.443: S 4176778738:4176778738(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
21:36:38.063598 192.168.1.232.443 > 192.168.1.21.4963: R 0:0(0) ack 1 win 0 (DF)
21:36:38.566376 192.168.1.21.4963 > 192.168.1.232.443: S 4176778738:4176778738(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
21:36:38.566453 192.168.1.232.443 > 192.168.1.21.4963: R 0:0(0) ack 1 win 0 (DF)
and tcpdump on em1 (internal):

Code:
# tcpdump -npi em1 port 443
tcpdump: listening on em1, link-type EN10MB
It seems that the translation didn't work and the request can't be redirected to the internal webserver.

When I tested from the notebook to the internal webserver, the notebook was able to access the internal webserver on port 443. But when I tested using rdr-to (NAT), it doesn't work.

Is there anything missing/misconfigured in my config?

Regards,
Stefan

#2   18th May 2011
J65nko (Administrator, Budel - the Netherlands)


I may be wrong, but I think the gotchas explained in http://openbsd.org/faq/pf/rdr.html#reflect apply to your situation.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
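An added example, not the original poster's ruleset and not taken from the OpenBSD FAQ page linked in the reply: a minimal pf.conf for the topology in the first post, written for the PF syntax of OpenBSD 4.7 and later. The point it illustrates applies to both posts above: since the 4.7 rewrite, rdr-to is applied at the moment the rule carrying it matches, and every filter rule evaluated after that sees the translated destination (192.168.2.80), not the alias (192.168.1.232). A pass rule that still names 192.168.1.232 on port 443 therefore never matches the redirected packet, and a separate match rule plus a pass rule on the alias address falls through to the final block. The interfaces and addresses are the ones given in the first post; the macro names, the set skip on lo line and the log keyword on the block rule are my own additions.

```pf
# Added example for the topology in this thread; not the poster's ruleset.
# Addresses and interfaces are from the first post, macro names are assumed.
ext_if    = "em0"           # 192.168.1.218/24, carries the alias 192.168.1.232
int_if    = "em1"           # 192.168.2.218/24
notebook  = "192.168.1.21"
rdr_alias = "192.168.1.232" # alias on em0 whose port 443 is redirected
webserver = "192.168.2.80"
fw_addrs  = "{ 192.168.1.218 192.168.1.232 192.168.2.218 }"

# Added so loopback traffic is not caught by the final block rule.
set skip on lo

# Management: ssh from the notebook to any address the firewall owns.
pass in quick on $ext_if inet proto tcp from $notebook to $fw_addrs port 22

# Redirect https on the alias to the internal webserver. On OpenBSD 4.7+
# rdr-to is applied as soon as this rule matches, so every later rule sees
# the destination as $webserver, not $rdr_alias. Carrying rdr-to on the pass
# rule itself lets one rule filter on the alias and translate. The state it
# creates carries the reverse mapping, so the server's replies arriving on
# $int_if are un-translated back to $rdr_alias without a further rule.
pass in quick on $ext_if inet proto tcp from $notebook to $rdr_alias port 443 \
    rdr-to $webserver

# The redirected packet leaves on $int_if with destination $webserver;
# filter the outbound side on the translated address, not the alias.
pass out quick on $int_if inet proto tcp from $notebook to $webserver port 443

# Equivalent two-rule form: translate with match, then filter on the
# translated address. A pass rule naming $rdr_alias here would never match.
#   match in on $ext_if inet proto tcp from $notebook to $rdr_alias port 443 rdr-to $webserver
#   pass in quick on $ext_if inet proto tcp from $notebook to $webserver port 443

# Everything else is dropped and logged, so tcpdump -nettti pflog0 shows
# exactly which packets the ruleset rejected.
block log quick inet all
```

Check the file with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf. After the notebook connects, pfctl -ss should show a tcp state for 192.168.2.80:443 with (192.168.1.232:443) in parentheses as the original destination, and tcpdump -npi em1 port 443 should now see the SYN arrive at the webserver. If the connection is still refused, tcpdump -nettti pflog0 tells you which rule is dropping it, which is quicker than reasoning about the ruleset.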