Re: A NAT question

syn_nospam_uw <syn_nospam_uw@hotmail.com> wrote:
> Hi,
>
> I've got a basic but quite important question about NAT: our OpenBSD PF
> Firewall will have 2 different class C subnets behind our firewall
> assigned by our provider (one per interface) then behind our firewall we
> will also use a private C subnet (192.168.X.X). In front of our firewall
> there will be the WAN subnet (also called transit subnet) which connects
> us directly to the router of the ISP. The ISP routes the two class C
> subnets directly to our OpenBSD firewall on its WAN IP address.
>
> Now I would like to use NAT only for the whole private C subnet
> (192.168.X.X) and map it to one of the public class C subnets. So if I
> understand everything correctly the only NAT entry in my pf.conf
> file I will need is the following:
>
> nat on $dmz1_if from ($int_if:network) -> ($dmz1_if:0)
>
> $dmz1_if is the network interface connected to one of our two public
> class C subnets. $int_if is the interface connected to our private subnet
> (192.168.X.X) and $dmz1_if:0 should map to our firewall's IP address on
> that public class C.
>
> Am I correct here? Because I tested this setup today with our ISP and
> unfortunately it didn't work. Internal machines on the private subnet
> couldn't reach the internet. On the firewall itself no problem, I could
> ping any host on the internet.

If I understand you correctly, you want to map 192.168.X.15 to
pub.lic.ip.15, 192.168.X.153 to pub.lic.ip.153, and so on?
In that case, you'll want 'binat'. See pf.conf(5).
Joachim
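To make the nat/binat distinction from the reply concrete, here is an added pf.conf fragment in the pre-4.7 syntax the question uses; it is not from either poster. Interface names, the pub.lic.ip placeholders and the 192.168.1.0/24 value are assumptions, and the topology is the one the question describes (ISP router on the WAN side, the public class C routed to the firewall's WAN address).

```conf
# Assumed interface names (the question only names $dmz1_if and $int_if)
ext_if   = "em0"               # WAN / transit interface towards the ISP router
dmz1_if  = "em1"               # interface carrying one of the routed public class Cs
int_if   = "em2"               # interface carrying the private subnet
int_net  = "192.168.1.0/24"    # placeholder for the private 192.168.X.0/24
dmz1_net = "pub.lic.ip.0/24"   # placeholder for the routed public class C

# Many-to-one NAT: every private host shares one public address.
# Translation rules are evaluated on the interface the packet LEAVES
# through. Internet-bound traffic leaves on $ext_if, so the rule must
# be bound to $ext_if; a rule on $dmz1_if never sees that traffic.
nat on $ext_if from $int_net to any -> pub.lic.ip.1

# One-to-one (bidirectional) mapping, which is what the reply describes:
# 192.168.X.15 <-> pub.lic.ip.15, 192.168.X.153 <-> pub.lic.ip.153, ...
# Both netblocks must be the same size. Because binat is bidirectional,
# inbound connections to pub.lic.ip.15 are translated to 192.168.X.15,
# so the filter rules below decide what may actually reach those hosts.
binat on $ext_if from $int_net to any -> $dmz1_net

# Translation alone passes nothing; filter rules still apply after it.
block in log all
pass out quick on $ext_if from $dmz1_net to any keep state
pass in on $ext_if proto tcp from any to 192.168.1.15 port 443 keep state
```

Use one of the two translation rules, not both; `pfctl -nf /etc/pf.conf` parses the file without loading it, so the syntax can be checked before the ruleset goes live.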