Unix Technical Forum: comp.unix.bsd.openbsd.misc
#1  05-02-2008, 05:03 AM  syn_nospam_uw

A NAT question

Hi,

I've got a basic but quite important question about NAT: our OpenBSD PF
firewall will have 2 different class C subnets behind it, assigned by our
provider (one per interface); behind the firewall we will also use a
private class C subnet (192.168.X.X). In front of the firewall there will
be the WAN subnet (also called the transit subnet), which connects us
directly to the ISP's router. The ISP routes the two class C subnets
directly to our OpenBSD firewall on its WAN IP address.

Now I would like to use NAT only for the whole private class C subnet
(192.168.X.X) and map it to one of the public class C subnets. So if I
understand everything correctly, the only NAT entry I will need in my
pf.conf file is the following:

nat on $dmz1_if from ($int_if:network) -> ($dmz1_if:0)

$dmz1_if is the network interface connected to one of our two public
class C subnets. $int_if is the interface connected to our private subnet
(192.168.X.X), and $dmz1_if:0 should map to our firewall's IP address on
that public class C.

Am I correct here? Because I tested this setup today with our ISP and
unfortunately it didn't work. Internal machines on the private subnet
couldn't reach the internet. On the firewall itself there was no problem; I
could ping any host on the internet.

Best regards
#2  05-02-2008, 05:03 AM  Joachim Schipper

Re: A NAT question

syn_nospam_uw <syn_nospam_uw@hotmail.com> wrote:
> Hi,
>
> I've got a basic but quite important question about NAT: our OpenBSD PF
> firewall will have 2 different class C subnets behind it, assigned by our
> provider (one per interface); behind the firewall we will also use a
> private class C subnet (192.168.X.X). In front of the firewall there will
> be the WAN subnet (also called the transit subnet), which connects us
> directly to the ISP's router. The ISP routes the two class C subnets
> directly to our OpenBSD firewall on its WAN IP address.
>
> Now I would like to use NAT only for the whole private class C subnet
> (192.168.X.X) and map it to one of the public class C subnets. So if I
> understand everything correctly, the only NAT entry I will need in my
> pf.conf file is the following:
>
> nat on $dmz1_if from ($int_if:network) -> ($dmz1_if:0)
>
> $dmz1_if is the network interface connected to one of our two public
> class C subnets. $int_if is the interface connected to our private subnet
> (192.168.X.X), and $dmz1_if:0 should map to our firewall's IP address on
> that public class C.
>
> Am I correct here? Because I tested this setup today with our ISP and
> unfortunately it didn't work. Internal machines on the private subnet
> couldn't reach the internet. On the firewall itself there was no problem; I
> could ping any host on the internet.


If I understand you correctly, you want to map 192.168.X.15 to
pub.lic.ip.15, 192.168.X.153 to pub.lic.ip.153, and so on?

In that case, you'll want 'binat'. See pf.conf(5).

Joachim
#3  05-02-2008, 05:04 AM  syn_nospam_uw

Re: A NAT question

Joachim Schipper wrote:

> If I understand you correctly, you want to map 192.168.X.15 to
> pub.lic.ip.15, 192.168.X.153 to pub.lic.ip.153, and so on?


Well, actually it's a bit more complex: there are a few servers which
will have their own IP addresses mapped 1 to 1, but all the rest will
simply map to the firewall's IP address.

Regards
#4  05-05-2008, 05:50 AM  Joachim Schipper

Re: A NAT question

syn_nospam_uw <syn_nospam_uw@hotmail.com> wrote:
> Joachim Schipper wrote:
>
>> If I understand you correctly, you want to map 192.168.X.15 to
>> pub.lic.ip.15, 192.168.X.153 to pub.lic.ip.153, and so on?

>
> Well actually it's a bit more complex, there are a few servers which
> will have their own IP addresses mapped 1 to 1 but for all the rest it
> will simply map to the firewall's IP address.


So, if I understand correctly, there are two classes of machines:

- say 192.168.X.15 and 192.168.X.153, which should appear to be
pub.lic.ip.2 and pub.lic.ip.3 for all intents and purposes?
- and everything else in 192.168.X.0/24, which do not need to be
externally accessible. Any traffic originating here should appear to
come from the firewall

I'm pretty certain you can do this by combining binat and nat - see
pf.conf(5), specifically this part, under TRANSLATION, about the order
in which rules are evaluated:

    Evaluation order of the translation rules is dependent on the
    type of the translation rules and of the direction of a packet.
    binat rules are always evaluated first. Then either the rdr
    rules are evaluated on an inbound packet or the nat rules on an
    outbound packet. Rules of the same type are evaluated in the
    same order in which they appear in the ruleset. The first
    matching rule decides what action is taken.

Thus, I would expect you to end up with something like

binat on $ext_if from 192.168.X.15 to any -> pub.lic.ip.2
binat on $ext_if from 192.168.X.153 to any -> pub.lic.ip.3

nat on $ext_if from $int_if:network to any -> $ext_if:0

See pf.conf(5), particularly TRANSLATION and TRANSLATION EXAMPLES, for
more details.

Joachim
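The two-tier scheme discussed above (a fixed public address for a few hosts, the firewall's own address for everything else) written out as a complete pf.conf fragment. This is an added example, not the poster's configuration and not Joachim's: the interface names em0/em1/em2, the private subnet 192.168.10.0/24 and the public class C 203.0.113.0/24 (a documentation range) are placeholders standing in for the thread's $ext_if/$dmz1_if/$int_if, 192.168.X.0/24 and pub.lic.ip.0/24. It uses the pre-OpenBSD 4.7 translation syntax that the thread and the quoted pf.conf(5) text describe.

```pf
# Added example; placeholder interfaces and addresses (assumptions).
ext_if  = "em0"     # transit subnet towards the ISP router
dmz1_if = "em1"     # first public class C, 203.0.113.0/24, routed to us by the ISP
int_if  = "em2"     # private subnet 192.168.10.0/24

# Servers that must appear under a fixed public address in both directions.
# binat rules are evaluated before any nat rule, whatever their position in
# the file, so these hosts never fall through to the catch-all below.
binat on $ext_if from 192.168.10.15 to any -> 203.0.113.15
binat on $ext_if from 192.168.10.40 to any -> 203.0.113.40

# Everything else on the private subnet hides behind the firewall's own
# address on the public class C. The rule is attached to the interface the
# packets actually leave through (the transit interface), not to $dmz1_if;
# the translated source may still be an address from the routed /24.
nat on $ext_if from ($int_if:network) to any -> ($dmz1_if:0)

# Translation only rewrites addresses; the filter still decides what passes.
# Filter rules see the translated (internal) addresses for inbound packets.
block in on $ext_if
pass out on $ext_if keep state
# the public class C behind $dmz1_if is routed straight through, as before
pass in on $ext_if from any to $dmz1_if:network keep state
# expose only the intended service on the 1:1-mapped hosts
pass in on $ext_if proto tcp from any to 192.168.10.15 port 443 keep state
pass in on $ext_if proto tcp from any to 192.168.10.40 port 25 keep state
```

Two checks against the first post. A `nat on <interface>` rule is applied to packets leaving through that interface, so a rule written `on $dmz1_if` never sees traffic that leaves for the internet through the transit interface; those packets go out untranslated with a 192.168 source and the ISP cannot route the replies back. Second, binat makes the 1:1 hosts reachable from outside under their public addresses, so the `pass in` rules are what limit the exposed ports. To verify, run `pfctl -s nat` (loaded translation rules) and `pfctl -s state` (active translations) and watch `tcpdump -ni em0` while an internal host tries to reach the internet: the source address on em0 should be 203.0.113.x, never 192.168.10.x. On OpenBSD 4.7 and later the same policy is written with match rules, e.g. `match out on $ext_if from $int_if:network to any nat-to ($dmz1_if:0)` and `match on $ext_if from 192.168.10.15 to any binat-to 203.0.113.15`.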
#5  05-05-2008, 05:50 AM  syn_nospam_uw

Re: A NAT question

Joachim Schipper wrote:

> So, if I understand correctly, there are two classes of machines:
>
> - say 192.168.X.15 and 192.168.X.153, which should appear to be
> pub.lic.ip.2 and pub.lic.ip.3 for all intents and purposes?
> - and everything else in 192.168.X.0/24, which do not need to be
> externally accessible. Any traffic originating here should appear to
> come from the firewall


That's exactly what I am doing, correct.

> Thus, I would expect you to end up with something like
>
> binat on $ext_if from 192.168.X.15 to any -> pub.lic.ip.2
> binat on $ext_if from 192.168.X.153 to any -> pub.lic.ip.3
>
> nat on $ext_if from $int_if:network to any -> $ext_if:0



Actually what I have right now is the following:

nat on $ext_if from 192.168.X.15 -> pub.lic.ip.15
nat on $ext_if from 192.168.X.40 -> pub.lic.ip.40

nat on $ext_if from ($int_if:network) -> $ext_ip_firewall


This works fine in our current configuration, with $ext_if being the
interface connected to our provider (with the CPE on this network). We
don't even need binat. But this configuration no longer works in the
setup described in my first post; there it doesn't work at all.

I can't think of this being an issue of using binat, and it wasn't just
the two servers mentioned above: it was any machine on the internal
network which couldn't access the internet...

Regards
#6  05-10-2008, 02:01 PM  Joachim Schipper

Re: A NAT question

syn_nospam_uw <syn_nospam_uw@hotmail.com> wrote:
> Joachim Schipper wrote:
>
>> So, if I understand correctly, there are two classes of machines:
>>
>> - say 192.168.X.15 and 192.168.X.153, which should appear to be
>> pub.lic.ip.2 and pub.lic.ip.3 for all intents and purposes?
>> - and everything else in 192.168.X.0/24, which do not need to be
>> externally accessible. Any traffic originating here should appear to
>> come from the firewall

>
> That's exactly what I am doing, correct.
>
>> Thus, I would expect you to end up with something like
>>
>> binat on $ext_if from 192.168.X.15 to any -> pub.lic.ip.2
>> binat on $ext_if from 192.168.X.153 to any -> pub.lic.ip.3
>>
>> nat on $ext_if from $int_if:network to any -> $ext_if:0

>
> Actually what I have right now is the following:
>
> nat on $ext_if from 192.168.X.15 -> pub.lic.ip.15
> nat on $ext_if from 192.168.X.40 -> pub.lic.ip.40
>
> nat on $ext_if from ($int_if:network) -> $ext_ip_firewall
>
>
> This works fine in our current configuration, with $ext_if being the
> interface connected to our provider (with the CPE on this network). We
> don't even need binat. But this configuration no longer works in the
> setup described in my first post; there it doesn't work at all.
>
> I can't think of this being an issue of using binat, and it wasn't just
> the two servers mentioned above: it was any machine on the internal
> network which couldn't access the internet...


(Sorry for the slow response, I am somewhat busy with my exams.)

If I am getting anything wrong, please correct me. For some reason I
can't really wrap my head around your configuration...

If I understand correctly, your old setup is

<ISP>
|
|
$ext_if at pub.lic.ip.1
<FIREWALL>
$int_if at 192.168.X.1
|
|
192.168.X.0/24

Or something very close. And this does, in fact, work. Furthermore,
traffic from 192.168.X.{15,40} appears to come from pub.lic.ip.{15,40}.
(Traffic to pub.lic.ip.{15,40} is not necessarily sent to
192.168.X.{15,40}.)

Also, if I understand you correctly, you want to have

<ISP>
|
|
$ext_if at pub.lic.ip.1
<FIREWALL> $dmz1_if at pub.lic.ip2.1 -- pub.lic.ip2.0/24
$int_if at 192.168.X.1
|
|
192.168.X.0/24

where you have two public class C subnets, pub.lic.ip.0/24 and
pub.lic.ip2.0/24. Is what I call $dmz1_if indeed what you meant in your
first post?

Am I also correct that you didn't set up anything special for
pub.lic.ip2.0/24 (it is just routed), and that that subnet has no
problems accessing the internet or being accessed from the internet? That
is, can I ignore this subnet, because it works?

Finally, am I correct in thinking that traffic from 192.168.X.0/24
should appear to come from $ext_if (pub.lic.ip.1), except for traffic
from 192.168.X.{15,40} which should appear to come from
pub.lic.ip.{15,40}?

Because if all this is correct, I would fully expect your configuration
to work (in fact, it didn't materially change). It will not necessarily
allow pub.lic.ip.{15,40} to be accessed from the internet, but that is
not your problem, is it?

Could you post a diagram, and perhaps the output of 'route show'? I have
the feeling I don't understand what you are trying to do...

Joachim
All times are GMT.