general question on PF - BSD


Thread: general question on PF

  1. general question on PF

    I think this might be an easy question, but who knows.

    I've been reading up on PF on OpenBSD and I don't think I saw anything
    that dealt with this.

    To use NAT on a group of computers for one IP is:
    nat on tl0 from 192.168.0.0/16 to any -> 24.5.0.5

    How do you get it to use a range of IPs instead of one? For example, say
    I have 200 computers and I would like to assign a legal IP address
    range from 210.1.2.3 through 210.1.2.203?

    I would be guessing something like this?
    nat on tl0 from 192.168.0.0/16 to any -> (210.1.2.3 - 210.1.2.203)

    Any help would be great!


  2. Re: general question on PF

    "Samir" writes:

    > To use NAT on a group of computers for one IP is:
    > nat on tl0 from 192.168.0.0/16 to any -> 24.5.0.5
    >
    > How do you get it to use a range of IPs instead of one? For example, say
    > I have 200 computers and I would like to assign a legal IP address
    > range from 210.1.2.3 through 210.1.2.203?


    Each computer doing NAT has its own pf.conf, and that pf.conf has
    a nat statement that looks something like

    nat on $pub_if from $priv_ip to any -> ($pub_if)

    > I would be guessing something like this?
    > nat on tl0 from 192.168.0.0/16 to any -> (210.1.2.3 - 210.1.2.203)


    Think about it... how can 210.1.2.3 do nat for traffic that is
    flowing through 210.1.2.203?


    internet ---- router ---+-- 210.1.2.3 ---- natted_network_1
                            |
                            +-- 210.1.2.4 ---- natted_network_2

    Or do you have a different model in mind?

    // marc

  3. Re: general question on PF

    Here is the pf.conf file I am going to use and edit; it's the sample
    from openbsd.com. I have already changed some things to fit my
    configuration.

    # macros
    int_if = "xl0"
    ext_if = "dc0"

    tcp_services = "{ 22, 113 }"
    icmp_types = "echoreq"

    priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

    comp3 = "192.168.0.3"

    # options
    set block-policy return
    set loginterface $ext_if

    # scrub
    scrub in all

    # nat/rdr
    nat on $ext_if from $int_if:network to any -> ($ext_if)
    rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
    port 8021
    rdr on $ext_if proto tcp from any to any port 80 -> $comp3

    # filter rules
    block all

    pass quick on lo0 all

    block drop in quick on $ext_if from $priv_nets to any
    block drop out quick on $ext_if from any to $priv_nets

    pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state

    pass in on $ext_if proto tcp from any to $comp3 port 80 \
    flags S/SA synproxy state

    pass in on $ext_if inet proto tcp from port 20 to ($ext_if) \
    user proxy flags S/SA keep state

    pass in inet proto icmp all icmp-type $icmp_types keep state

    pass in on $int_if from $int_if:network to any keep state
    pass out on $int_if from any to $int_if:network keep state

    pass out on $ext_if proto tcp all modulate state flags S/SA
    pass out on $ext_if proto { udp, icmp } all keep state

    The model is similar to this: say I have around 100 computers and 4
    networks (192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24,
    192.168.3.0/24).

    [ COMP1 ]   [ COMP3 ]                                T1
        |           |
    ----+-----------+------+------ xl0 [ OpenBSD ] dc0 -------- ( Internet )
                           |
                       [ COMP2 ]

    So I will be assigning the external NIC an IP statically. What I was
    thinking was something like this:

    nat on tl0 from 192.168.0.0/24 to any -> (210.1.2.3 - 210.1.2.23)

    nat on tl0 from 192.168.1.0/24 to any -> (210.1.2.24 - 210.1.2.44)

    nat on tl0 from 192.168.2.0/24 to any -> (210.1.2.45 - 210.1.2.55)

    nat on tl0 from 192.168.3.0/24 to any -> (210.1.2.55 - 210.1.2.203)

    Does this make any sense now?

    Thanks for the reply.
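An added check, written for this thread and not part of either poster's configuration: before putting four translation ranges into pf.conf it is worth verifying that the ranges are ordered, that they all lie inside the public prefix the upstream router actually delivers to the NAT box, and that no public address is claimed by two rules. The script below does that for the four ranges posted above and also splits each first-to-last range into the CIDR blocks that a pf address pool list can hold (pf.conf's translation address takes addresses and prefixes, not a dashed range, in the releases I know; check pf.conf(5) for yours). Two assumptions are made here: 210.1.2.0/24 is the public prefix routed to dc0, and the ranges are exactly as posted.

```python
from ipaddress import ip_address, ip_network, summarize_address_range

# Constructed from the plan posted above: (internal /24, first pool address, last pool address).
# 210.1.2.0/24 as the public prefix is an assumption; the thread only names addresses inside it.
PLAN = [
    ("192.168.0.0/24", "210.1.2.3", "210.1.2.23"),
    ("192.168.1.0/24", "210.1.2.24", "210.1.2.44"),
    ("192.168.2.0/24", "210.1.2.45", "210.1.2.55"),
    ("192.168.3.0/24", "210.1.2.55", "210.1.2.203"),
]
PUBLIC_PREFIX = "210.1.2.0/24"


def check_pools(plan, public_prefix):
    """Return a list of problems with a NAT pool plan (empty when it is clean).

    A range is flagged when it is reversed, when either end falls outside the
    public prefix, or when one of its addresses was already claimed by an
    earlier rule in the plan.
    """
    problems = []
    public = ip_network(public_prefix)
    owner = {}  # public address -> internal network that first claimed it
    for net, first, last in plan:
        lo, hi = ip_address(first), ip_address(last)
        if lo > hi:
            problems.append(f"{net}: range {first}-{last} is reversed")
            continue
        if lo not in public or hi not in public:
            problems.append(f"{net}: range {first}-{last} is not inside {public_prefix}")
        # Walk every address in the range and record who claimed it first.
        for block in summarize_address_range(lo, hi):
            for addr in block:
                first_owner = owner.setdefault(addr, net)
                if first_owner != net:
                    problems.append(f"{net}: {addr} is already used by {first_owner}")
    return problems


def pool_cidrs(first, last):
    """Break a first-last range into the CIDR blocks a pf address pool can list."""
    return [str(b) for b in summarize_address_range(ip_address(first), ip_address(last))]


def pool_sizes(plan):
    """Map each internal network to the number of public addresses its range provides."""
    return {
        net: int(ip_address(last)) - int(ip_address(first)) + 1
        for net, first, last in plan
    }


if __name__ == "__main__":
    for problem in check_pools(PLAN, PUBLIC_PREFIX):
        print("problem:", problem)
    for net, first, last in PLAN:
        print(f"{net} -> {{ {', '.join(pool_cidrs(first, last))} }}")
    print(pool_sizes(PLAN))
```

Run as posted, the check reports that 210.1.2.55 appears in both the 192.168.2.0/24 and the 192.168.3.0/24 rule, which is the kind of off-by-one that is easy to miss when the ranges are typed by hand; the CIDR lists are what you would paste between the braces of a pool if your pf release does not accept a dashed range.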
