NAT IP router on OpenBSD


Post by Jens Olss » Thu, 03 Apr 2003 08:17:50

Hi All!

I am trying to create a router with an OpenBSD box between my internal
network and the internet

It should be something like this:

Workstation (192.16.0.2) >>> (192.168.0.1) OpenBSD Router
(194.47.142.86) >>> Internet

And I want the Workstation to be able to browse the internet as
normal. I can't get it to work though... However interesting... I can
ping Internet IPs from my workstation through the router, however I
can't connect to any ports on them.

Anyone have any ideas? Thanks in advance!

//Jens

batman# cat /etc/pf.conf
#       $OpenBSD: pf.conf,v 1.6 2002/06/27 07:00:43 fgsch Exp $
#
# See pf.conf(5) for syntax and examples
#
# xl0=intern
# xl1=extern
#
# replace ext0 with external interface name, 10.0.0.0/8 with internal network
# and 192.168.1.1 with external address

# Normalize: reassemble fragments and resolve or reduce traffic ambiguities

scrub in all

# nat: packets going out through ext0 with source address 10.0.0.0/8 will get
# translated as coming from 192.168.1.1. a state is created for such packets,
# and incoming packets will be redirected to the internal address.

nat on xl0 from 192.168.0.0/24 to any -> 194.47.142.86

# rdr: packets coming in through ext0 with destination 192.168.1.1:1234 will
# be redirected to 10.1.1.1:5678. a state is created for such packets, and
# outgoing packets will be translated as coming from the external address.

# rdr on ext0 proto tcp from any to 192.168.1.1/32 port 1234 -> 10.1.1.1 port 5678

# filter rules
# the implicit first two rules are
pass in all
pass out all

# block all incoming packets but allow ssh, pass all outgoing tcp and
udp
# connections and keep state
# log blocked packets

 block in log all
 pass  in  on xl1 proto tcp from any to xl1 port 22 keep state
 pass  out on xl1 proto { tcp, udp } all keep state
batman# pfctl -f /etc/pf.conf
batman# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
lo1: flags=8008<LOOPBACK,MULTICAST> mtu 33224
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:10:4b:27:6c:8d
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 fe80::210:4bff:fe27:6c8d%xl0 prefixlen 64 scopeid 0x1
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:04:76:92:0d:6d
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::204:76ff:fe92:d6d%xl1 prefixlen 64 scopeid 0x2
        inet 194.47.142.86 netmask 0xfffffe00 broadcast 194.47.143.255
pflog0: flags=0<> mtu 33224
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
sl1: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
ppp1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
tun0: flags=10<POINTOPOINT> mtu 3000
tun1: flags=10<POINTOPOINT> mtu 3000
enc0: flags=0<> mtu 1536
bridge0: flags=0<> mtu 1500
bridge1: flags=0<> mtu 1500
vlan0: flags=0<> mtu 1500
        address: 00:00:00:00:00:00
vlan1: flags=0<> mtu 1500
        address: 00:00:00:00:00:00
gre0: flags=9010<POINTOPOINT,LINK0,MULTICAST> mtu 1450
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif1: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif2: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif3: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
batman#
batman#

-----------
Remove _spamno_ from my e-mail address if you like to reply via e-mail
mailto:%6A%65%6E%73%40%7A%65%6B%72%61%2E%73%65

The OS Journal
--------------
www.osjournal.hopto.org - Main URL
www.osjournal.tk - Backup URL
www.*scriptorium.com/osjournal/cgi-bin/index.pl?action=home

My personal page
----------------
jenssoftware.hopto.org (NO WWW.!!!)


Post by mr_sca » Thu, 03 Apr 2003 09:54:09

said the following:

>Hi All!

>I am trying to create a router with an OpenBSD box between my internal
>network and the internet

>It should be something like this:

>Workstation (192.16.0.2) >>> (192.168.0.1) OpenBSD Router
>(194.47.142.86) >>> Internet

>And I want the Workstation to be able to browse the internet as
>normal. I can't get it to work though... However interesting... I can
>ping Internet IPs from my workstation through the router, however I
>can't connect to any ports on them.

>Anyone have any ideas? Thanks in advance!

The first thing I would do is use tcpdump.

On the router:

$ tcpdump -i xl1

On the workstation make a few requests:

a) DNS resolution (nslookup, dig, etc) to some new domain
b) HTTP using a name that resolved above (telnet <domain> 80)

What does tcpdump pick up?
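As an added example that is not from either post: the posted rules rewritten so that the NAT rule sits on the interface packets leave through and the internal interface has an explicit pass rule. It assumes the interface roles given in the comments of the posted pf.conf (xl0 internal, xl1 external) and the same addresses; it is not the original poster's config and has not been tested against his setup.

```pf
# Assumed interface roles, taken from the comments in the posted pf.conf
ext_if  = "xl1"             # external, 194.47.142.86
int_if  = "xl0"             # internal, 192.168.0.1
int_net = "192.168.0.0/24"

# Normalize: reassemble fragments and resolve or reduce traffic ambiguities
scrub in all

# nat applies to packets going OUT of the named interface. The posted file
# has "nat on xl0", i.e. the internal interface, so packets leaving xl1
# towards the internet keep their 192.168.0.x source address and the
# replies have nowhere to come back to. The rule belongs on the external
# interface:
nat on $ext_if from $int_net to any -> 194.47.142.86

# Default deny for inbound traffic, logged to pflog0
block in log all

# The posted file has no pass rule for the internal interface, so
# "block in log all" drops the workstation's packets before they can be
# routed. Allow the internal network in and track it statefully.
pass in on $int_if from $int_net to any keep state

# Administrative ssh from outside, and stateful outbound traffic on the
# external interface (icmp added so ping state is tracked as well).
pass in  on $ext_if proto tcp from any to 194.47.142.86 port 22 keep state
pass out on $ext_if proto { tcp, udp, icmp } all keep state
```

After loading it with pfctl -f /etc/pf.conf, pfctl -s nat and pfctl -s state show whether the translation rule is installed and whether states are being created for the workstation's connections; net.inet.ip.forwarding must also be set to 1 or nothing is routed at all.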