A NAT question - BSD



Thread: A NAT question

  1. A NAT question

    Hi,

    I've got a basic but quite important question about NAT: our OpenBSD PF
    Firewall will have 2 different class C subnets behind our firewall
    assigned by our provider (one per interface); then behind our firewall we
    will also use a private C subnet (192.168.X.X). In front of our firewall
    there will be the WAN subnet (also called transit subnet) which connects
    us directly to the router of the ISP. The ISP routes the two class C
    subnets directly to our OpenBSD firewall on its WAN IP address.

    Now I would like to use NAT only for the whole private C subnet
    (192.168.X.X) and map it to one of the public class C subnets. So if I
    understand everything correctly, the only single NAT entry in my pf.conf
    file I will need is the following:

    nat on $dmz1_if from ($int_if:network) -> ($dmz1_if:0)

    $dmz1_if is the network interface connected to one of our two public
    class C subnets. $int_if is the interface connected to our private subnet
    (192.168.X.X) and $dmz1_if:0 should map to our firewall's IP address on
    that public class C.

    Am I correct here? Because I tested this setup today with our ISP and
    unfortunately it didn't work. Internal machines on the private subnet
    couldn't reach the internet. On the firewall itself there was no problem;
    I could ping any host on the internet.

    Best regards

  2. Re: A NAT question

    syn_nospam_uw wrote:
    > Hi,
    >
    > I've got a basic but quite important question about NAT: our OpenBSD PF
    > Firewall will have 2 different class C subnets behind our firewall
    > assigned by our provider (one per interface); then behind our firewall we
    > will also use a private C subnet (192.168.X.X). In front of our firewall
    > there will be the WAN subnet (also called transit subnet) which connects
    > us directly to the router of the ISP. The ISP routes the two class C
    > subnets directly to our OpenBSD firewall on its WAN IP address.
    >
    > Now I would like to use NAT only for the whole private C subnet
    > (192.168.X.X) and map it to one of the public class C subnets. So if I
    > understand everything correctly, the only single NAT entry in my pf.conf
    > file I will need is the following:
    >
    > nat on $dmz1_if from ($int_if:network) -> ($dmz1_if:0)
    >
    > $dmz1_if is the network interface connected to one of our two public
    > class C subnets. $int_if is the interface connected to our private subnet
    > (192.168.X.X) and $dmz1_if:0 should map to our firewall's IP address on
    > that public class C.
    >
    > Am I correct here? Because I tested this setup today with our ISP and
    > unfortunately it didn't work. Internal machines on the private subnet
    > couldn't reach the internet. On the firewall itself there was no problem;
    > I could ping any host on the internet.


    If I understand you correctly, you want to map 192.168.X.15 to
    pub.lic.ip.15, 192.168.X.153 to pub.lic.ip.153, and so on?

    In that case, you'll want 'binat'. See pf.conf(5).

    Joachim

  3. Re: A NAT question

    Joachim Schipper wrote:

    > If I understand you correctly, you want to map 192.168.X.15 to
    > pub.lic.ip.15, 192.168.X.153 to pub.lic.ip.153, and so on?


    Well, actually it's a bit more complex: there are a few servers which
    will have their own IP addresses mapped 1 to 1, but for all the rest it
    will simply map to the firewall's IP address.

    Regards

  4. Re: A NAT question

    syn_nospam_uw wrote:
    > Joachim Schipper wrote:
    >
    >> If I understand you correctly, you want to map 192.168.X.15 to
    >> pub.lic.ip.15, 192.168.X.153 to pub.lic.ip.153, and so on?

    >
    > Well, actually it's a bit more complex: there are a few servers which
    > will have their own IP addresses mapped 1 to 1, but for all the rest it
    > will simply map to the firewall's IP address.


    So, if I understand correctly, there are two classes of machines:

    - say 192.168.X.15 and 192.168.X.153, which should appear to be
    pub.lic.ip.2 and pub.lic.ip.3 for all intents and purposes?
    - and everything else in 192.168.X.0/24, which do not need to be
    externally accessible. Any traffic originating here should appear to
    come from the firewall.

    I'm pretty certain you can do this by combining binat and nat - see
    pf.conf(5), specifically this part, under TRANSLATION, about the order
    in which rules are evaluated:

    Evaluation order of the translation rules is dependent on the
    type of the translation rules and of the direction of a packet.
    binat rules are always evaluated first. Then either the rdr
    rules are evaluated on an inbound packet or the nat rules on an
    outbound packet. Rules of the same type are evaluated in the
    same order in which they appear in the ruleset. The first
    matching rule decides what action is taken.

    Thus, I would expect you to end up with something like

    binat on $ext_if from 192.168.X.15 to any -> pub.lic.ip.2
    binat on $ext_if from 192.168.X.163 to any -> pub.lic.ip.3

    nat on $ext_if from $int_if:network to any -> $ext_if:0

    See pf.conf(5), particularly TRANSLATION and TRANSLATION EXAMPLES, for
    more details.

    Joachim
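
    A pf.conf fragment that combines the two rule types the way Joachim
    describes, as an added example that is not taken from the thread or from
    pf's own documentation. It assumes em0 and em1 as the external and
    internal interfaces and keeps the thread's pub.lic.ip and 192.168.X
    placeholders, which must be replaced with real addresses before pfctl
    will load the file; it uses the pre-OpenBSD 4.7 nat/binat syntax the
    posters use, with the later match/nat-to form in the trailing comments.

```pf
# Added example (not from the thread). Interface names are assumptions;
# pub.lic.ip.* and 192.168.X.* are the thread's placeholders, not real addresses.
ext_if = "em0"                  # transit/WAN side, pub.lic.ip.1
int_if = "em1"                  # private side, 192.168.X.1

# --- translation rules (pf.conf(5), TRANSLATION) ---
# binat is evaluated before nat, and the first matching rule of a type wins,
# so the two 1:1 hosts never fall through to the catch-all nat rule below.
# binat is bidirectional: replies and new inbound connections addressed to
# pub.lic.ip.15 are mapped back to 192.168.X.15.
binat on $ext_if from 192.168.X.15 to any -> pub.lic.ip.15
binat on $ext_if from 192.168.X.40 to any -> pub.lic.ip.40

# Everything else in 192.168.X.0/24 hides behind the firewall's own address.
# ($ext_if) in parentheses re-reads the interface address if it changes.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# --- filter rules: translation only rewrites addresses, it passes nothing ---
block all
pass out on $ext_if keep state
pass in on $int_if from $int_if:network to any keep state
# Filter rules see the packet after translation, so an inbound service on a
# binat host is allowed on its INTERNAL address, not on pub.lic.ip.15.
pass in on $ext_if proto tcp from any to 192.168.X.15 port 80 keep state

# The same mappings in the OpenBSD 4.7+ syntax (nat/binat keywords removed):
#   match out on $ext_if from $int_if:network to any nat-to ($ext_if)
#   match on $ext_if from 192.168.X.15 to any binat-to pub.lic.ip.15
```

    Check the file with pfctl -nf /etc/pf.conf, then pfctl -s nat to confirm
    the binat rules are listed ahead of the nat rule, and pfctl -s state while
    an internal client connects out to see which translation each connection
    received.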

  5. Re: A NAT question

    Joachim Schipper wrote:

    > So, if I understand correctly, there are two classes of machines:
    >
    > - say 192.168.X.15 and 192.168.X.153, which should appear to be
    > pub.lic.ip.2 and pub.lic.ip.3 for all intents and purposes?
    > - and everything else in 192.168.X.0/24, which do not need to be
    > externally accessible. Any traffic originating here should appear to
    > come from the firewall.


    That's exactly what I am doing, correct.

    > Thus, I would expect you to end up with something like
    >
    > binat on $ext_if from 192.168.X.15 to any -> pub.lic.ip.2
    > binat on $ext_if from 192.168.X.163 to any -> pub.lic.ip.3
    >
    > nat on $ext_if from $int_if:network to any -> $ext_if:0



    Actually what I have right now is the following:

    nat on $ext_if from 192.168.X.15 -> pub.lic.ip.15
    nat on $ext_if from 192.168.X.40 -> pub.lic.ip.40

    nat on $ext_if from ($int_if:network) -> $ext_ip_firewall


    This works fine in our current configuration with the $ext_if being the
    interface connected to our provider (with the CPE on this network). We
    don't even need binat. But where this configuration doesn't work anymore
    is as described in my first post. Then this doesn't work at all.

    I can't think of this being an issue of using binat, and it wasn't just
    the two servers mentioned up here: it was any internal machine on the
    internal network which couldn't access the internet...

    Regards

  6. Re: A NAT question

    syn_nospam_uw wrote:
    > Joachim Schipper wrote:
    >
    >> So, if I understand correctly, there are two classes of machines:
    >>
    >> - say 192.168.X.15 and 192.168.X.153, which should appear to be
    >> pub.lic.ip.2 and pub.lic.ip.3 for all intents and purposes?
    >> - and everything else in 192.168.X.0/24, which do not need to be
    >> externally accessible. Any traffic originating here should appear to
    >> come from the firewall.

    >
    > That's exactly what I am doing, correct.
    >
    >> Thus, I would expect you to end up with something like
    >>
    >> binat on $ext_if from 192.168.X.15 to any -> pub.lic.ip.2
    >> binat on $ext_if from 192.168.X.163 to any -> pub.lic.ip.3
    >>
    >> nat on $ext_if from $int_if:network to any -> $ext_if:0

    >
    > Actually what I have right now is the following:
    >
    > nat on $ext_if from 192.168.X.15 -> pub.lic.ip.15
    > nat on $ext_if from 192.168.X.40 -> pub.lic.ip.40
    >
    > nat on $ext_if from ($int_if:network) -> $ext_ip_firewall
    >
    >
    > This works fine in our current configuration with the $ext_if being the
    > interface connected to our provider (with the CPE on this network). We
    > don't even need binat. But where this configuration doesn't work anymore
    > is as described in my first post. Then this doesn't work at all.
    >
    > I can't think of this being an issue of using binat, and it wasn't just
    > the two servers mentioned up here: it was any internal machine on the
    > internal network which couldn't access the internet...


    (Sorry for the slow response, I am somewhat busy with my exams.)

    If I am getting anything wrong, please correct me. For some reason I
    can't really wrap my head around your configuration...

    If I understand correctly, your old setup is


    |
    |
    $ext_if at pub.lic.ip.1

    $int_if at 192.168.X.1
    |
    |
    192.168.X.0/24

    Or something very close. And this does, in fact, work. Furthermore,
    traffic from 192.168.X.{15,40} appears to come from pub.lic.ip.{15,40}.
    (Traffic to pub.lic.ip.{15,40} is not necessarily sent to
    192.168.X.{15,40}.)

    Also, if I understand you correctly, you want to have


    |
    |
    $ext_if at pub.lic.ip.1
    $dmz1_if at pub.lic.ip2.1 -- pub.lic.ip2.0/24
    $int_if at 192.168.X.1
    |
    |
    192.168.X.0/24

    where you have two public class C subnets, pub.lic.ip.0/24 and
    pub.lic.ip2.0/24. Is what I call $dmz1_if indeed what you meant in your
    first post?

    Am I also correct that you didn't set up any special things for
    pub.lic.ip2.0/24 - that is just routed - and that that subnet has no
    problems accessing the internet or being accessed by the internet? That
    is, can I ignore this subnet, because it works?

    Finally, am I correct in thinking that traffic from 192.168.X.0/24
    should appear to come from $ext_if (pub.lic.ip.1), except for traffic
    from 192.168.X.{15,40} which should appear to come from
    pub.lic.ip.{15,40}?

    Because if all this is correct, I would fully expect your configuration
    to work (in fact, it didn't materially change). It will not necessarily
    allow pub.lic.ip.{15,40} to be accessed from the internet, but that is
    not your problem, is it?

    Could you post a diagram, and perhaps the output of 'route show'? I have
    the feeling I don't understand what you are trying to do...

    Joachim
