I am trying to replace my SOHO router with an OpenBSD setup. So far I have enabled PF, IP forwarding, and created a NAT rule. I was also able to make it into a DHCP server. I went ahead and disabled the DHCP daemon, tried it with static IPs, and still nothing. The NAT rule that I am using is:

    nat on fxp0 from fxp1:network to any -> (fxp0)

I can't figure out what I am missing. I greatly appreciate any help and advice. Thanks
"itln.stln" <itln.stln@cox.net> writes:

> The NAT rule that I am using is:
>
> nat on fxp0 from fxp1:network to any -> (fxp0)

Assuming fxp0 is your outer interface, this looks correct.

Do you also have rules which allow traffic to pass? This would be something like

    pass out inet proto tcp from $localnet to any port $tcp_services keep state

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
Peter N. M. Hansteen wrote:

> "itln.stln" <itln.stln@cox.net> writes:
>
>> The NAT rule that I am using is:
>>
>> nat on fxp0 from fxp1:network to any -> (fxp0)
>
> assuming fxp0 is your outer interface, this looks correct.
>
> Do you also have rules which allow traffic to pass?
>
> This would be something like
>
> pass out inet proto tcp from $localnet to any port $tcp_services keep state

No, I don't have a rule like that. Would that be what keeps this from working? Thanks
"itln.stln" <itln.stln@cox.net> writes:

> No, I don't have a rule like that. Would that be what keeps this from
> working?

Assuming you have a default block policy such as "block all", "block out all", or something similar, that's a valid hypothesis at least.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
Peter N. M. Hansteen wrote:

> "itln.stln" <itln.stln@cox.net> writes:
>
>> No, I don't have a rule like that. Would that be what keeps this from
>> working?
>
> Assuming you have a default block policy such as "block all", "block out
> all", or something similar, that's a valid hypothesis at least.

You know what, after you told me about the rule to pass traffic I went ahead and looked over the PF User's Guide again and found the answer which I kept skipping over. I really appreciate your help and also thank you for not flaming me.
OK, I have configured PF and I still am not able to talk to the outside world except on the OpenBSD machine itself. I am even using the example rules from the PF User's Guide and still nothing. If anyone can shed some light on this it would be really great.

Here is the pf.conf file:

    # macros
    int_if = "fxp1"
    ext_if = "fxp0"
    tcp_services = "{ 22, 113 }"
    icmp_types = "echoreq"
    priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16 }"
    comp3 = "192.168.0.3"

    # options
    set block-policy return
    set loginterface $ext_if

    # scrub
    scrub in all

    # nat/rdr
    nat on $ext_if from $int_if:network to any -> ($ext_if)
    rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
        port 8021

    # filter rules
    block all
    pass quick on lo0 all
    block drop in quick on $ext_if from $priv_nets to any
    block drop out quick on $ext_if from any to $priv_nets
    pass in on $ext_if inet proto tcp from any to ($ext_if) \
        port $tcp_services flags S/SA keep state
    pass in on $ext_if inet proto tcp from port 20 to ($ext_if) \
        user proxy flags S/SA keep state
    pass in inet proto icmp all icmp-type $icmp_types keep state
    pass in on $int_if from $int_if:network to any keep state
    pass out on $int_if from any to $int_if:network keep state
    pass out on $ext_if proto tcp all modulate state flags S/SA
    pass out on $ext_if proto { udp, icmp } all keep state

Oh, by the way, I'm trying to get a bunch of Windows machines to work with this, if that helps to pinpoint the issue. Thank you very much.
itln.stln wrote:

> Ok I have configured PF and I still am not able to talk to the outside
> world except on the OpenBSD machine itself. I am even using the example
> rules from the PF User's Guide and still nothing. If anyone can shed
> some light on this it would be really great.
>
> Here is the pf.conf file:

/etc/sysctl.conf:

    net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of packets

Check it - it's commented out by default.
Already done. I've been following the PF User's Guide pretty closely. I'm sure I'm missing something simple and I just can't figure it out. IP forwarding is enabled, PF is enabled, rules are in place, and I think they are correct.
"itln.stln" <itln.stln@cox.net> writes:

> Ok I have configured PF and I still am not able to talk to the outside
> world

Did you enable IP forwarding? IP forwarding is disabled in a stock install.

    $ sysctl net.inet.ip.forwarding
    net.inet.ip.forwarding=0

You can enable it with 'sysctl net.inet.ip.forwarding=1'. You can make that happen at boot time by editing /etc/sysctl.conf.

// marc
I have had IP forwarding enabled in /etc/sysctl.conf from the beginning and I am still having issues.

Marco S Hyman wrote:

> "itln.stln" <itln.stln@cox.net> writes:
>
>> Ok I have configured PF and I still am not able to talk to the outside
>> world
>
> Did you enable ip forwarding. IP forwarding is disabled in a stock
> install.
>
> $ sysctl net.inet.ip.forwarding
> net.inet.ip.forwarding=0
>
> You can enable it with 'sysctl net.inet.ip.forwarding=1'. You can
> make that happen at boot time by editing /etc/sysctl.conf.
>
> // marc
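The two things the replies above keep coming back to are a default block policy with no matching pass rules, and net.inet.ip.forwarding left at 0 because the line in /etc/sysctl.conf is still commented out. The following is an added example, not code from this thread, from OpenBSD or from the PF User's Guide: a small Python checker that expands pf.conf macros, joins backslash-continued lines, finds the NAT rule, and reports whether a default block is paired with a 'pass in' on the inside interface and a 'pass out' on the outside one, then checks sysctl.conf for an uncommented forwarding line. The two configs it reads are constructed here (one modelled on the first post's lone NAT rule, one on the pf.conf posted later); the function names are this example's own. The pass-rule check is deliberately coarse (any pass rule on the right interface and direction counts, and 'quick' ordering is not modelled), so it catches the class of mistake discussed here rather than every possible ruleset error.

```python
"""Static sanity checks for an OpenBSD PF NAT gateway (illustrative code)."""
import re


def parse_pf_conf(text):
    """Return (macros, rules): comments stripped, backslash-continued lines
    joined, whitespace normalised and $macro references expanded."""
    joined, buf = [], ""
    for raw in text.splitlines():
        buf += raw
        if buf.rstrip().endswith("\\"):          # continuation line
            buf = buf.rstrip()[:-1] + " "
            continue
        joined.append(buf)
        buf = ""
    if buf:
        joined.append(buf)

    macros, rules = {}, []
    for line in joined:
        line = " ".join(line.split("#", 1)[0].split())
        if not line:
            continue
        m = re.match(r'^(\w+)\s*=\s*"?([^"]*)"?$', line)
        if m:                                     # macro definition
            macros[m.group(1)] = m.group(2).strip()
            continue
        rules.append(re.sub(r"\$(\w+)",
                            lambda mm: macros.get(mm.group(1), mm.group(0)),
                            line))
    return macros, rules


def gateway_findings(rules):
    """Conditions in the expanded ruleset that stop NAT'd LAN hosts from
    reaching the outside. Coarse on purpose: any pass rule on the right
    interface and direction counts, regardless of protocol or ports."""
    nat = None
    for r in rules:
        nat = re.match(r"^nat on (\S+) from (\S+) to ", r)
        if nat:
            break
    if nat is None:
        return ["no 'nat on' rule: LAN packets would leave with private source addresses"]
    ext_if, src = nat.group(1), nat.group(2)
    int_if = src.split(":")[0] if ":network" in src else None

    blocked = set()                               # directions hit by a default block
    for r in rules:
        m = re.match(r"^block(?: drop| return)?(?: (in|out))? all$", r)
        if m:
            blocked.update([m.group(1)] if m.group(1) else ["in", "out"])

    def has_pass(direction, iface):
        for r in rules:
            if not r.startswith("pass " + direction + " "):
                continue
            on = re.search(r"\bon (\S+)", r)
            if on is None or on.group(1) == iface:   # no 'on' clause = every interface
                return True
        return False

    findings = []
    if "in" in blocked and int_if and not has_pass("in", int_if):
        findings.append(f"default block but no 'pass in on {int_if}': "
                        "LAN packets are dropped on the inside interface")
    if "out" in blocked and not has_pass("out", ext_if):
        findings.append(f"default block but no 'pass out on {ext_if}': "
                        "translated packets are dropped on the outside interface")
    return findings


def forwarding_enabled(sysctl_conf):
    """True only if net.inet.ip.forwarding=1 appears on an uncommented line."""
    for raw in sysctl_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if re.fullmatch(r"net\.inet\.ip\.forwarding\s*=\s*1", line):
            return True
    return False


def diagnose(pf_conf, sysctl_conf):
    """Combine both checks into one list of findings (empty = nothing found)."""
    _, rules = parse_pf_conf(pf_conf)
    findings = gateway_findings(rules)
    if not forwarding_enabled(sysctl_conf):
        findings.append("net.inet.ip.forwarding is not set to 1 in sysctl.conf: "
                        "the kernel will not route between interfaces")
    return findings


# Constructed sample: a NAT rule and a default block, but no pass rules.
NAT_ONLY = """
nat on fxp0 from fxp1:network to any -> (fxp0)
block all
"""

# Constructed sample, modelled on the pf.conf posted later in the thread.
WITH_PASS = """
int_if = "fxp1"
ext_if = "fxp0"
tcp_services = "{ 22, 113 }"
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \\
    port 8021
block all
pass quick on lo0 all
pass in on $ext_if inet proto tcp from any to ($ext_if) \\
    port $tcp_services flags S/SA keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
"""

# Constructed sysctl.conf fragments: the stock commented-out line and the fixed one.
STOCK_SYSCTL = "#net.inet.ip.forwarding=1   # 1=Permit forwarding (routing) of packets\n"
ENABLED_SYSCTL = "net.inet.ip.forwarding=1\n"

if __name__ == "__main__":
    for label, pf, sc in (("nat only", NAT_ONLY, STOCK_SYSCTL),
                          ("with pass rules", WITH_PASS, ENABLED_SYSCTL)):
        print(label + ":", diagnose(pf, sc) or "no findings")
```

On the gateway itself the authoritative view is what the kernel actually loaded, not the file: `pfctl -sr` and `pfctl -sn` show the filter and NAT rules in effect, and `sysctl net.inet.ip.forwarding` shows the live forwarding setting, which is the check Marc's reply describes.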