DaemonForums  

OpenBSD Security Functionally paranoid!

#1
21st October 2011
wlm2
Need Help setting up NAT (pf.conf)

Hi all,

I need help setting up source NAT from my internal network interface "vr1" to a public IP address obtained from my ISP on interface "vr0".

These are my LAN settings:
interface name: vr1
interface IP: 192.168.1.254/32

network behind interface vr1: 192.168.1.0/24
internal network default gateway: vr1 interface IP.

vr0 represents my public IP address.

Thanks in advance.
#2
21st October 2011
ocicat (Administrator)

Quote (wlm2):
i need help to set up source NAT from my internal network interface "vr1"
to a public ip address that obtained from my ISP to interface "vr0"
One of the first sources you should study is the PF User's Guide. NAT is specifically covered here.
Quote (wlm2):
vr0 represent my public ip address.
Technically, the address assigned by your ISP is probably not a publicly accessible IP address. More than likely, it will be a private RFC 1918 address. If you need more information, Wikipedia has an article which covers the basics:

http://en.wikipedia.org/wiki/Private_network
#3
21st October 2011
ocicat (Administrator)

In addition, The Book of PF started out as an online manuscript. Differences exist between the book & paper, but Hansteen's manuscript is still frequently updated & can be found at the following:

http://home.nuug.no/~peter/pf/
#4
21st October 2011
wlm2

Thank you for your quick answer,
but I didn't succeed in setting up NAT after reading the PF User's Guide.

I would really appreciate it if someone could post a working configuration with the same topology (two network interfaces, one for LAN and the other for WAN).

Firewall policy does not interest me at this moment;
I want everything to pass out.

Just the source NAT from my LAN 192.168.1.0/24 (vr1) to my WAN interface vr0
needs to work ...

Thanks in advance to helpers.
#5
21st October 2011
jggimi

wlm2,

You and Igor had previously decided on this topology:
Code:
{Internet} -- a.b.c.d/xx -- [Linksys router] -- 192.168.1/24 -- [ALIX router] -- e.f.g.h/xx -- [Windows laptop]
Where a.b.c.d/xx is the CIDR address you have on your ISP's subnet. The subnet between the Linksys router and the ALIX router is 192.168.1.0/24, with the ALIX at 192.168.1.102, and the Linksys device at 192.168.1.1, if I recall their specific addresses correctly.

Your inner subnet on vr1 you have not described. I don't know if you've defined it yet, so I call it e.f.g.h/xx. But it doesn't matter. As long as it is a different subnet and is also within any of the RFC 1918 blocks, that will be fine.

I've stated this in your larger "urgently!!" thread, and I will state it here once more. With this two-router topology you decided on, NAT is not necessary between vr0 and vr1. All that is needed is a route added to the Linksys box, so that it can reach the vr1 subnet.

For example: if the vr1 subnet e.f.g.h/xx was 10.0.0.0/24, you merely need to add a route on the linksys router, defining a route for the destination network (10.0.0.0/24) via the ALIX router (192.168.1.102).

NAT is in use on the Linksys router. All of your local addresses will be translated into your single IP address assigned to you on your ISP's a.b.c.d/xx subnet. It will keep state tables, translate all transiting addresses in and out, and route the packets accordingly. It just needs to be told where to route the "inner" traffic.

---

Your description in this thread, however, describes a different topology. Please clarify.
#6
21st October 2011
wlm2

The topology was changed.
This is the wanted topology:

internal network behind interface vr1:
192.168.1.0/24
LAN default gateway is the vr1 IP address 192.168.1.254.
The DHCP server is working and LAN PCs obtain an IP address successfully
and are able to reach their default gateway (vr1 interface) by ping.

Cable modem connected to vr0 interface;
vr0 set to DHCP
and obtaining an IP address from my ISP.
I can ping and resolve internet web sites from my ALIX board directly
but not from computers in my LAN.

I want all the traffic from the internal network to get out to the internet via interface vr0.
#7
21st October 2011
jggimi

Here is a two line pf.conf. It has not been tested.

Line #1 performs Network Address Translation for packets destined for your gateway network (the network with your default route). This is the network on your vr0 interface, though that name is not needed if one uses the "egress" interface group.

Line #2 passes all packets, making this a Default Allow ruleset.
Code:
match out on egress inet from !(egress:network) to any nat-to (egress:0)
pass all
#8
22nd October 2011
wlm2
Finally it's WORKING :)

Thank you, jggimi, for all your help and patience!
Now it's working, but frankly I'm not so sure how.
I'd love it if you could help me understand the following line:

match out on egress inet from !(egress) to any nat-to (egress:0)

The part I do not understand is how !(egress) represents my vr1 interface
and (egress:0) represents my vr0 interface ...

This is the working configuration:
Code:
ext_if = "vr0"
int1_if = "vr1"
#
set block-policy drop
set loginterface $ext_if
set limit { frags 5000, states 10000 }
set state-policy floating
set optimization normal
set ruleset-optimization basic
set timeout interval 10
set timeout frag 30
set skip on lo
#
match out on egress inet from !(egress) to any nat-to (egress:0)
block return #all
antispoof for $ext_if inet
#
pass out quick keep state
pass in  quick on $int1_if

Last edited by ocicat; 22nd October 2011 at 07:31 AM. Reason: *Please* use [code] & [/code] tags when posting screen output!
#9
22nd October 2011
jggimi

Start with the word "egress". You can see it appear in your ifconfig output for vr0:
Code:
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0d:b9:1c:96:80
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::20d:b9ff:fe1c:9680%vr0 prefixlen 64 scopeid 0x1
        inet 192.168.1.103 netmask 0xffffff00 broadcast 192.168.1.255
The ifconfig man page says:
Code:
     group group-name
                     Assign the interface to a ``group''.  Any interface can
                     be in multiple groups.

                     For instance, such a group could be used to create a
                     hardware independent pf(4) ruleset (i.e. not one based on
                     the names of NICs) using existing (egress, carp, etc.) or
                     user-defined groups.

                     Some interfaces belong to specific groups by default:

                     -       All interfaces are members of the all interface
                             group.
                     -       Cloned interfaces are members of their interface
                             family group.  For example, a PPP interface such
                             as ppp0 is a member of the ppp interface family
                             group.
                     -       The interface(s) the default route(s) point to
                             are members of the egress interface group.
                     -       IEEE 802.11 wireless interfaces are members of
                             the wlan interface group.
                     -       Any interfaces used for network booting are
                             members of the netboot interface group.
The PF User's Guide chapter on Network Address Translation describes the use of !, () and of :0. I will not quote the entire chapter, just the relevant discussions. For src_addr, the use of !:
Quote:
Any of the above but negated using the ! ("not") modifier.
The use of ():
Quote:
The name of the external network interface in parentheses ( ). This tells PF to update the rule if the IP address(es) on the named interface changes. This is highly useful when the external interface gets its IP address via DHCP or dial-up as the ruleset doesn't have to be reloaded each time the address changes.
And lastly, :0 appended to an interface:
Quote:
...the :0 modifier can be appended to either an interface name or to any of the above modifiers to indicate that PF should not include aliased IP addresses in the substitution.
Well, what do you know? The official documentation answered your questions.
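Added example (not from the thread, and not OpenBSD's own code): the POSIX shell script below makes the two pieces of the rule concrete for jggimi's explanation above and for the two-line pf.conf in post #7. It feeds constructed ifconfig(8) output through an awk parser that finds the interfaces in the egress group and prints either every inet address on them (the set that `(egress)` matches, aliases included) or only the first one (what `(egress:0)` substitutes into nat-to). The sample output, its RFC 5737 addresses, the alias on vr0, the MAC addresses and the function names are all assumptions made for the example, not wlm2's board.

```sh
#!/bin/sh
# Added example: resolve what "(egress)" and "(egress:0)" stand for on a host,
# from ifconfig(8) output. Not from the thread; all input below is constructed.

# Constructed ifconfig output (assumed, not wlm2's board): vr0 carries the
# default route, so it is in the egress group, and has a primary address plus
# one alias; vr1 is the LAN side. RFC 5737 documentation addresses.
SAMPLE_IFCONFIG='vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:53:01
        groups: egress
        status: active
        inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
        inet 203.0.113.11 netmask 0xffffffff broadcast 203.0.113.11
vr1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:53:02
        status: active
        inet 192.168.1.254 netmask 0xffffff00 broadcast 192.168.1.255'

# egress_addrs [all|primary]   (reads ifconfig output on stdin)
#   all     -> every inet address on every egress-group interface, i.e. the
#              address set "(egress)" matches (aliases included)
#   primary -> only the first inet address per egress interface, i.e. what
#              "(egress:0)" substitutes into nat-to (aliases excluded)
egress_addrs() {
    awk -v mode="${1:-all}" '
        /^[a-z]+[0-9]+: flags=/ { ifc = $1; sub(/:$/, "", ifc); next }
        /^[ \t]+groups:/ { for (i = 2; i <= NF; i++) if ($i == "egress") eg[ifc] = 1; next }
        /^[ \t]+inet /   { n[ifc]++; addr[ifc, n[ifc]] = $2; next }
        END {
            for (i in eg)
                for (j = 1; j <= n[i]; j++) {
                    print addr[i, j]
                    if (mode == "primary") break
                }
        }'
}

# show_expansions: print both expansions for whatever ifconfig output is
# on stdin. Interfaces outside the egress group (vr1 here) never appear,
# which is why "from !(egress)" on the outbound path is left with LAN sources.
show_expansions() {
    input=$(cat)
    printf '(egress)   matches: %s\n' "$(printf '%s\n' "$input" | egress_addrs all | tr '\n' ' ')"
    printf '(egress:0) becomes: %s\n' "$(printf '%s\n' "$input" | egress_addrs primary)"
}

printf '%s\n' "$SAMPLE_IFCONFIG" | show_expansions
```

On a real OpenBSD host, `ifconfig egress` lists only the members of that group, which is the quickest way to confirm which interface the rule will apply to once the default route moves.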
22nd October 2011
wlm2

I have no words to express my appreciation
You helped me a lot!
Thanks again
22nd October 2011
jggimi

You are welcome, wlm2, but I am concerned by what I have seen in the pf.conf you have posted. It appears that you have copied and pasted a pf.conf file from some "how-to" you found on the Internet.

Just one example: set block-policy drop is made meaningless by block return. I am guessing that you did not realize this because you copied and pasted from someone else's configuration file, and then hoped things would work for you. Let us quote from Peter Hansteen's The Book of PF:
Quote:
Just to hammer this in, please repeat after me:

The Pledge of the Network Admin


"This is my network.
It is mine
or technically my employer’s,
it is my responsibility
and I care for it with all my heart
there are many other networks a lot like mine,
but none are just like it.

I solemnly swear
that I will not mindlessly paste from HOWTOs."
If you are unable to understand and explain a configuration change you are making, then you are doing something wrong.
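The conflict jggimi points out can be checked mechanically before a ruleset is loaded. The following POSIX shell function is an added example (not from the thread and not part of pfctl): it reads a pf.conf on stdin and reports every `block` rule that names its own action (`drop`, `return`, `return-rst`, ...) while a global `set block-policy` is also present, because pf applies the per-rule action and the global policy only covers block rules that name none; it also says so when the policy therefore applies to no rule at all. The sample ruleset is the relevant lines of the configuration posted in #8 with the two interface macros written out, and the function name is an assumption.

```sh
#!/bin/sh
# Added example (not from the thread): lint a pf.conf for block rules whose
# explicit action makes the global "set block-policy" irrelevant.

# Constructed sample: the relevant lines of the ruleset posted in #8,
# with $ext_if/$int1_if written out as vr0/vr1.
SAMPLE_PF_CONF='set block-policy drop
set skip on lo
match out on egress inet from !(egress) to any nat-to (egress:0)
block return #all
antispoof for vr0 inet
pass out quick keep state
pass in  quick on vr1'

# pf_policy_lint: reads pf.conf on stdin, prints one finding per line.
# Exit status 1 if any block rule overrides the global policy, else 0.
pf_policy_lint() {
    awk '
        { line = $0; sub(/#.*/, "", line) }                  # drop comments
        line ~ /^[ \t]*set[ \t]+block-policy[ \t]/ {
            n = split(line, f); policy = f[n]; pline = NR; next
        }
        line ~ /^[ \t]*block([ \t]|$)/ {
            blocks++
            split(line, f)
            # pf grammar: "block [drop|return|return-rst|return-icmp...]",
            # so an explicit action is always the word right after "block"
            if (policy != "" && f[2] ~ /^(drop|return)/) {
                explicit++
                printf "line %d: \"block %s\" names its own action, so \"set block-policy %s\" (line %d) does not apply to it\n", NR, f[2], policy, pline
            }
        }
        END {
            if (policy != "" && blocks > 0 && explicit == blocks)
                printf "line %d: \"set block-policy %s\" is never used: every block rule names its own action\n", pline, policy
            if (explicit > 0) exit 1
        }'
}

if printf '%s\n' "$SAMPLE_PF_CONF" | pf_policy_lint; then
    echo "no block-policy conflicts"
fi
```

`pfctl -nf /etc/pf.conf` checks syntax and loads this combination without complaint; the lint is about intent, not validity, which is exactly the gap a pasted HOWTO leaves.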
22nd October 2011
wlm2

Of course I still have many things to understand.
I'm just glad that I have overcome the main problems
with the help of the wonderful people in this forum!

And I will embrace this Pledge; I like it.