#1
18th May 2011
lcxpics
New User
Join Date: May 2011
Posts: 1
Help: NAT doesn't work on OpenBSD 4.9

Hi All,

I was doing NAT testing (redirection) to access the internal webserver from the notebook, with the diagram below:

notebook--->----em0[OpenBSD 4.9 PF]em1--->---webserver(TCP/443)

em0(external) is
notebook is
em1(internal) is
internal webserver is
Webserver gateway is em1(
Firewall default gateway is
notebook gateway is em0(
IP alias for NAT on em0 is (for redirecting the incoming traffic from to


My rule is:
# Tables: (1)
table <tbl.r0.d> { , , }

# Rule 0 (NAT)
match in on em0 proto {tcp udp icmp} from to rdr-to

# SSH mgmt rule
pass in quick inet proto tcp from to <tbl.r0.d> port 22

# Rule 0 (em0,em1) permit notebook to access https on internal webserver
pass log quick on { em0 em1 } inet proto tcp from to port 443

# Deny all
block quick inet from any to any no state

IP alias ( was configured on em0(external)

But the traffic can't pass through to the internal webserver.
I was doing tcpdump on both interfaces:

tcpdump on em0(external):

# tcpdump -npi em0 host
tcpdump: listening on em0, link-type EN10MB
21:36:37.611311 arp who-has tell
21:36:37.611369 arp reply is-at 00:0c:29:97:2a:44
tcpdump: WARNING: compensating for unaligned libpcap packets
21:36:37.611708 > S 4176778738:4176778738(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
21:36:37.611789 > R 0:0(0) ack 4176778739 win 0 (DF)
21:36:38.063449 > S 4176778738:4176778738(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
21:36:38.063598 > R 0:0(0) ack 1 win 0 (DF)
21:36:38.566376 > S 4176778738:4176778738(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
21:36:38.566453 > R 0:0(0) ack 1 win 0 (DF)
and tcpdump on em1 (internal):

# tcpdump -npi em1 port 443
tcpdump: listening on em1, link-type EN10MB
It seemed that the translation didn't work and the request couldn't be redirected to the internal webserver.

When I tested from the notebook to the internal webserver, the notebook was able to access the internal webserver on port 443. But when I tested using rdr-to (NAT), it didn't work.

Is there anything missing/misconfigured in my config?

#2
18th May 2011
J65nko
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,503

I may be wrong, but I think the gotchas explained in http://openbsd.org/faq/pf/rdr.html#reflect apply to your situation.
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
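A complete rdr-to ruleset for the topology in post #1, with the reflection rules from the FAQ section linked in post #2, as an added example; it is neither poster's configuration, and every address, macro name and the management host list are constructed placeholders:

```pf
# Added example, not the original poster's ruleset. Addresses are constructed
# placeholders for the thread's topology: notebook -> em0 [PF] em1 -> webserver.
ext_if    = "em0"                # external interface (notebook side)
int_if    = "em1"                # internal interface (webserver side)
notebook  = "192.0.2.10"         # client on the external segment
nat_alias = "192.0.2.80"         # IP alias configured on $ext_if
webserver = "192.168.10.80"      # internal HTTPS server, default route via $int_if
mgmt      = "{ 192.0.2.10, 192.168.10.5 }"

set skip on lo

# 1. Translation: a match rule only rewrites the destination; it passes nothing.
#    Scoping it to tcp/443 avoids also redirecting UDP/ICMP sent to the alias.
match in on $ext_if inet proto tcp from $notebook to $nat_alias port 443 \
    rdr-to $webserver

# 2. Filtering happens AFTER translation, so the pass rule names $webserver,
#    not $nat_alias. Pass rules keep state by default, so the reply from
#    $webserver on $int_if matches that state; no extra rule on $int_if needed.
pass in log quick on $ext_if inet proto tcp from $notebook to $webserver port 443

# Same effect in one rule: a pass rule with rdr-to also filters on the
# translated address.
# pass in log quick on $ext_if inet proto tcp from $notebook to $nat_alias \
#     port 443 rdr-to $webserver

# 3. Reflection (FAQ rdr.html#reflect): an internal client connecting to
#    $nat_alias needs the redirect on $int_if too, plus source NAT on the way
#    out, or the server answers the client directly and the asymmetric reply
#    never crosses the firewall.
pass in on $int_if inet proto tcp from $int_if:network to $nat_alias port 443 \
    rdr-to $webserver
pass out on $int_if inet proto tcp to $webserver port 443 \
    received-on $int_if nat-to $int_if

# Management access to the firewall's own addresses.
pass in quick inet proto tcp from $mgmt to self port 22

# Default deny; "no state" is not needed on a block rule.
block log quick inet all

# Verification, typed on the firewall:
#   pfctl -nf /etc/pf.conf          syntax check before loading
#   pfctl -vvsr                     per-rule Evaluations/Packets counters
#   pfctl -ss | grep 443            the state lists both the alias and $webserver
#   tcpdump -nei pflog0 port 443    which rule passed or blocked the SYN
# Note: tcpdump on $ext_if sees the inbound SYN before translation (dst is
# $nat_alias). A RST there while $int_if stays silent means the SYN was never
# redirected and reached the firewall's own TCP stack instead.
```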