general question on PF - BSD
-
general question on PF
I think this might be an easy question but who knows.
I've been reading up on PF on OpenBSD and I don't think I saw anything
that dealt with this.
To use NAT on a group of computers for one IP is:
nat on tl0 from 192.168.0.0/16 to any -> 24.5.0.5
How do you get it to use a range of IPs instead of one? For example, say
I have 200 computers and I would like to assign a legal IP address
range from 210.1.2.3 through 210.1.2.203.
I would guess using this?
nat on tl0 from 192.168.0.0/16 to any -> (210.1.2.3 - 210.1.2.203)
Any help would be great!
-
Re: general question on PF
"Samir" writes:
> To use NAT on a group of computers for one IP is:
> nat on tl0 from 192.168.0.0/16 to any -> 24.5.0.5
>
> How do you get it to use a range of IPs instead of one? For example, say
> I have 200 computers and I would like to assign a legal IP address
> range from 210.1.2.3 through 210.1.2.203.
Each computer doing NAT has its own pf.conf, and that pf.conf has
a nat statement that looks something like:
nat on $pub_if from $priv_ip to any -> ($pub_if)
> I would guess using this?
> nat on tl0 from 192.168.0.0/16 to any -> (210.1.2.3 - 210.1.2.203)
Think about it... how can 210.1.2.3 do nat for traffic that is
flowing through 210.1.2.203?
internet ---- router ---+-- 210.1.2.3 ---- natted_network_1
                        |
                        +-- 210.1.2.4 ---- natted_network_2
Or do you have a different model in mind?
// marc
-
Re: general question on PF
Here is the pf.conf file I am going to use and edit; it's the sample
from openbsd.com. I have already changed some things to fit my
configuration.
# macros
int_if = "xl0"
ext_if = "dc0"
tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
comp3 = "192.168.0.3"
# options
set block-policy return
set loginterface $ext_if
# scrub
scrub in all
# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
port 8021
rdr on $ext_if proto tcp from any to any port 80 -> $comp3
# filter rules
block all
pass quick on lo0 all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA keep state
pass in on $ext_if proto tcp from any to $comp3 port 80 \
flags S/SA synproxy state
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) \
user proxy flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
The model is similar to this: say I have around 100 computers and 4
networks (192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24).
         [ COMP1 ]   [ COMP3 ]
             |           |                               T1
   ---+------+-----------+------- xl0 [ OpenBSD ] dc0 -------- ( Internet )
      |
  [ COMP2 ]
So I will be assigning the external NIC an IP statically. What I was
thinking was something like this:
nat on tl0 from 192.168.0.0/24 to any -> (210.1.2.3 - 210.1.2.23)
nat on tl0 from 192.168.1.0/24 to any -> (210.1.2.24 - 210.1.2.44)
nat on tl0 from 192.168.2.0/24 to any -> (210.1.2.45 - 210.1.2.55)
nat on tl0 from 192.168.3.0/24 to any -> (210.1.2.55 - 210.1.2.203)
Does this make any sense now?
Thanks for the reply.
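The rules guessed above use an "a - b" range on the right-hand side, which the OpenBSD 3.x "nat on" grammar does not accept: a translation address is a single address, an interface in parentheses, a CIDR network, or a { list } of addresses, optionally followed by a pool type. The following pf.conf fragment is an added example (not code from this thread or from the OpenBSD FAQ) showing how the four private /24s from the last post would be mapped onto a pool of public addresses on the single NAT box marc describes. The interface names are taken from the poster's config; the public blocks (210.1.2.32/27 and so on) are an assumed carving of the poster's 210.1.2.3 - 210.1.2.203 span into CIDR-aligned pieces, and the syntax is the pre-4.7 "nat on" form (OpenBSD 4.7 replaced it with "match ... nat-to").

```pf
# Added example, not from the thread. OpenBSD 3.x "nat on" syntax.
# Interface names follow the poster's configuration.
ext_if = "dc0"
int_if = "xl0"

# One public pool per internal network. The allocation is an assumption:
# PF pools take CIDR networks or address lists, not "a - b" ranges, so the
# 210.1.2.3 - 210.1.2.203 span has to be cut into aligned blocks.
pool_net0 = "210.1.2.32/27"   # 210.1.2.32  - 210.1.2.63
pool_net1 = "210.1.2.64/27"   # 210.1.2.64  - 210.1.2.95
pool_net2 = "210.1.2.96/27"   # 210.1.2.96  - 210.1.2.127
pool_net3 = "210.1.2.128/26"  # 210.1.2.128 - 210.1.2.191

# source-hash: the translation address is chosen by hashing the private
# source address, so a given internal host always leaves with the same
# public IP. "round-robin" or "random" spread hosts across the pool but can
# give one host a different public address per connection unless
# "sticky-address" is added, which breaks services that tie a session to
# the client IP.
nat on $ext_if from 192.168.0.0/24 to any -> $pool_net0 source-hash
nat on $ext_if from 192.168.1.0/24 to any -> $pool_net1 source-hash
nat on $ext_if from 192.168.2.0/24 to any -> $pool_net2 source-hash
nat on $ext_if from 192.168.3.0/24 to any -> $pool_net3 source-hash

# Alternative for a predictable 1:1 layout: "bitmask" keeps the host bits of
# the private address and replaces the network bits with the pool's, so with
# a /24 pool 192.168.0.7 -> 210.1.2.7. Shown for one network because a /24
# pool per internal /24 would need four public /24s.
# nat on $ext_if from 192.168.0.0/24 to any -> 210.1.2.0/24 bitmask

# An explicit address list also works; with a list, round-robin is the only
# pool type PF permits.
# nat on $ext_if from 192.168.0.0/24 to any -> { 210.1.2.3, 210.1.2.4 } round-robin
```

Two things to check before relying on this. First, the NAT box must actually receive packets for every pool address: either the upstream router routes the whole block to dc0's address, or each pool address is added as an alias on dc0 (ifconfig dc0 alias ...) so the box answers ARP for it; otherwise outbound traffic is translated but replies never come back. Second, parse the file with pfctl -nf /etc/pf.conf before loading it, then confirm the loaded rules with pfctl -s nat and watch the resulting translations with pfctl -s state.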