A NAT question

Hi,
I've got a basic but quite important question about NAT: our OpenBSD PF
firewall will have two different class C subnets behind it, assigned by
our provider (one per interface). Behind our firewall we will also use a
private class C subnet (192.168.X.X). In front of our firewall there
will be the WAN subnet (also called the transit subnet), which connects
us directly to the router of the ISP. The ISP routes the two class C
subnets directly to our OpenBSD firewall on its WAN IP address.
Now I would like to use NAT only for the whole private class C subnet
(192.168.X.X) and map it to one of the public class C subnets. So, if I
understand everything correctly, the only NAT entry I will need in my
pf.conf file is the following:
nat on $dmz1_if from ($int_if:network) -> ($dmz1_if:0)
$dmz1_if is the network interface connected to one of our two public
class C subnets, $int_if is the interface connected to our private subnet
(192.168.X.X), and $dmz1_if:0 should map to our firewall's IP address on
that public class C.
Am I correct here? Because I tested this setup today with our ISP and
unfortunately it didn't work. Internal machines on the private subnet
couldn't reach the internet. On the firewall itself no problem, I could
ping any host on the internet.
Best regards
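As an added example, not part of the original post and not taken from any OpenBSD documentation, here is a complete pf.conf fragment for the topology described above, written in the same pre-4.7 `nat on` syntax the post uses. The interface names, the 192.168.10.0/24 private prefix and the 203.0.113.0/24 public block are assumptions; substitute your own. The point it makes explicit is that a `nat on $if` rule translates packets as they leave through that interface: Internet-bound traffic from the private subnet exits via the transit interface towards the ISP router, so that is where the translation must be applied, with the translated address taken from one of the routed public /24s (the firewall's own $dmz1_if address would also do). Translation alone does not pass packets, so filter rules are included, and the host must have IP forwarding enabled before any packet from $int_if is routed at all.

```pf
# Added example (not from the original post). Interface names, the
# private prefix and the public block are assumptions; substitute yours.
ext_if  = "em0"             # transit (WAN) interface towards the ISP router
dmz1_if = "em1"             # first routed public /24 (203.0.113.0/24, assumed)
dmz2_if = "em2"             # second routed public /24
int_if  = "em3"             # private 192.168.10.0/24 (assumed)
nat_ip  = "203.0.113.10"    # address inside the first public /24 reserved
                            # for the NAT pool (assumed); the firewall's own
                            # $dmz1_if address would work as well

set skip on lo

# NAT applies to packets LEAVING through the named interface. Traffic from
# the private subnet to the Internet exits via $ext_if, so the translation
# belongs there. A rule "nat on $dmz1_if" only ever sees packets that leave
# through the DMZ interface, i.e. towards hosts on that /24, never the
# Internet-bound packets.
nat on $ext_if from $int_if:network to any -> $nat_ip

# Translation does not pass anything by itself: filter rules still decide.
block log all

# Private LAN may initiate anything; the state created here also covers
# the translated packet on its way out of $ext_if.
pass in  on $int_if from $int_if:network to any keep state
pass out on $ext_if keep state

# Public DMZ hosts may initiate outbound connections (no NAT: their
# addresses are routed to us by the ISP).
pass in  on $dmz1_if from $dmz1_if:network to any keep state
pass in  on $dmz2_if from $dmz2_if:network to any keep state
pass out on $dmz1_if keep state
pass out on $dmz2_if keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, enable routing with `sysctl net.inet.ip.forwarding=1` (and `net.inet.ip.forwarding=1` in /etc/sysctl.conf to persist it), then confirm the rule and the translations it creates with `pfctl -s nat` and `pfctl -s state` while an internal host pings an Internet address. On OpenBSD 4.7 and later the `nat on` rule form was replaced by a match rule, `match out on $ext_if from $int_if:network to any nat-to $nat_ip`, with the same pass rules.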