Need help with NAT setup

[Quaxo]

Hello!

Im having trouble getting internet access from a laptop to the internet. I can connect to the server (ie. my router) via WLAN with DHCP without any problem, but when I try to read a web page nothing happens.

The server handling this routing is using OpenBSD v4.4. The laptop is connecting to the server via the ral0 interface and the server should redirect the trafic to nfe0 (connected to the intenet).

At this point I have three things to verify before I try something else. So my questions are...

Question 1) Should this PF-rule work for me?:

Code:

nat pass log on nfe0 from ral0:network to any -> (nfe0)

Question 2) In order to do this NAT, is it required to also create a bridge? Like:

Code:

ifconfig bridge0 create
brconfig bridge0 add ral0 add nfe0 up

Question 3) Should the domain-name-servers setting in dhcpd.conf point to my DNS given by my ISP? I mean, I must change the default settings in dhcpd.conf to:

Code:

option domain-name-servers <MY-DNS1-IP>, <MY-DNS2-IP>;

...right?


-Cheers!
/Quaxo

[jggimi]

Quote:

Originally Posted by Quaxo

I can connect to the server (ie. my router) via WLAN with DHCP without any problem, but when I try to read a web page nothing happens.

Before examining PF rules in detail, check first to see if sysctl net.inet.ip.forwarding is set to 1. IPv4 packets will not be routed without this.

Quote:

Should this PF-rule work for me?

It looks fine, except that the "pass" may not do what you expect it to, and there may be additional filter rules needed. The NAT section of the PF User's Guide reminds us (highlight mine):

...since translation occurs before filtering, the filter engine will see the translated packet with the translated IP address and port...

Quote:

In order to do this NAT, is it required to also create a bridge?

No.

Quote:

Should the domain-name-servers setting in dhcpd.conf point to my DNS given by my ISP?

This is unrelated to NAT. You will want to provide DHCP users with the appropriate configuration. At minimum, this is an IP address, a netmask, a default route. While DNS servers may be optional in a private network with no Internet access, they aren't optional for Internet use.

I strongly recommend you add the log keyword to every PF rule that permits it, so that you can see exactly what rules pass and block. You do this with tcpdump(8) and the pflog(4) pseudo device.

[Quaxo]

Thanks a lot for your help so far

Quote:

Originally Posted by jggimi

Before examining PF rules in detail, check first to see if sysctl net.inet.ip.forwarding is set to 1. IPv4 packets will not be routed without this.

Oh right!, the sysctl. Sorry but I forgot to mention that I did set it to 1 using "sysctl net.inet.ip.forwarding=1" (or something like that) and the output from sysctl confirmed the change. I have also changed the configuration file in /etc/sysctl.conf.

Quote:

Originally Posted by jggimi

It looks fine, except that the "pass" may not do what you expect it to, and there may be additional filter rules needed. ...

About the PF-rule. Hmm...then im not following here. I thought "pass" ment that I didnt need to set any other rules. For the case of testing I added "pass log quick all" but I got nothing in the log. Any ideas here?

Quote:

Originally Posted by jggimi

No.

Ok, so I wont need a bridge here. Then ill remove it.

Quote:

Originally Posted by jggimi

This is unrelated to NAT. You will want to provide DHCP users with the appropriate configuration. At minimum, this is an IP address, a netmask, a default route. While DNS servers may be optional in a private network with no Internet access, they aren't optional for Internet use.

Hehe, true. The reason I mentioned it was that I thought that maybe the server (router) must act like a "DNS proxy" or something. So my dhcpd should be ok as it is then.


(EDIT)
This is weird...When using "pass log quick all" and doing a ssh from the laptop to the server I get a connection but nothing is shown in the PF-log.


/Quaxo

[jggimi]

Quote:

Originally Posted by Quaxo

...I did set it to 1 using "sysctl net.inet.ip.forwarding=1" (or something like that) and the output from sysctl confirmed the change. I have also changed the configuration file in /etc/sysctl.conf.

You can confirm it, if you like, with something similar to:

• $ sysctl -a | grep forward

Quote:

...I thought "pass" ment that I didnt need to set any other rules.

You won't know, for sure, what is happening, until you log all rules and test the results. Some people only log block rules, but when diagnosing PF, I prefer to log all rules, so I can determine which rules are effective in which circumstance.

Quote:

...I thought that maybe the server (router) must act like a "DNS proxy" or something...

Only if you set up a local DNS server on it. And then, you'd update your dhcpd.conf accordingly.

If you are interested in caching DNS locally, and managing your local hosts via DNS, note that BIND v9 is built-in to OpenBSD. The daemon is named(8). It has a fairly complex configuration. You will want more documentation than just the man page. (There are other DNS engines available, too.)

Quote:

This is weird...When using "pass log quick all" and doing a ssh from the laptop to the server I get a connection but nothing is shown in the PF-log.

"Sounds" like one of three things is happening:

1. Perhaps an unlogged rule is in effect (such as your "nat pass") I'll guess this is the reaon. This is my third hint to LOG ALL RULES.
2. Perhaps you are not using tcpdump correctly
3. Perhaps pflog0 is not configured properly

[Quaxo]

This is now my set up...

Code:

/root# pfctl -sn
nat on nfe0 from ! (nfe0) to any -> (nfe0) round-robin
/etc# pfctl -sr
block return log all
pass out log quick on nfe0 inet proto udp from 192.168.0.154 to <hidden-ip> port = ntp keep state
pass out log quick on nfe0 inet proto udp from 192.168.0.154 to <hidden-ip> port = ntp keep state
pass out log quick on nfe0 inet proto udp from 192.168.0.154 to <hidden-ip> port = ntp keep state
pass out log quick on nfe0 inet proto udp from 192.168.0.154 to <hidden-ip> port = domain keep state
pass in log quick on nfe0 inet proto udp from <hidden-ip> port = domain to 192.168.0.154 keep state
pass in log on nfe0 inet proto tcp from 192.168.0.102 to 192.168.0.154 port = ssh flags S/SA modulate state

If I try to open a web page on my laptop I see nothing in the log (tcpdump -n -e -ttt -i pflog0). "pfctl -ss" ouput shows only my three SSH connections from my workstation to the server and nothing about the laptop doing DNS or whatever. pflog0 seems to be working for other stuff anyway (I can see incomming connection attempts from random people).

Any more ideas? Would it help to see ifconfig and stuff?

/Quaxo

[jggimi]

I don't see any ral0 NIC/network rules. But then, you're showing output from pfctl, not pf.conf.

I can tell two things from this pfctl output:

1. You are not logging your nat rules, so you are missing seeing that activity.
2. All rules, except the block all, are nfe0 specific. I dont' see any rules for ral0. Your block all should kick in, unless you are still running an unseen nat pass. I don't know if pfctl -sn shows nat pass, as I do not run it and cannot test it at the moment.

[Quaxo]

...I figured "block return log all" would add notes to the pflog no matter what so therefore no need for more PF-rules.

However I found the problem!

It was actually in dhcpd.conf. I didnt set the "option routers" correctly. It was still on the default setting (192.168.1.1) while the ral0 was on IP 192.168.1.34. So now it works great! This was ofcourse impossible for you to see since I have never posted these data


Thanks alot for your time anyway
/Quaxo