OPenBSD and nat issues.

**Schotty** · 06-30-2004, 01:07 AM

I am having difficulty getting NAT to work. I currently have the port forwarding setup, the PF set to go on, and a pair of rules to allow all traffic in and out. My nat rule is as follows:

nat on xl0 from ne3:network to any -> (xl0)

I know the line is good, but for some reason it just wont nat. It allows ssh, dhcp reqests, etc. Just no damn nat!

Ideas?

Thanks
Andrew

**praetorian** · 06-30-2004, 03:04 AM

did you setup the NAT rules after you initially setup your PF rules? I bet you're not reloading the NAT rules. 'pfctl -R -f /etc/pf.conf' will only reload the PF ruleset. NAT is not included in that. In order to do NAT you must do 'pfctl -N -f /etc/pf.conf'.

Let me know that works. And if it does, 'man pfctl' for more info on crazy flags it uses. :-)

BTW, my NAT rule just looks like this.

"nat on $ext_if inet -> ($ext_if)"

Just does NAT on the external interface and rewrites all outgoing packets with the IP of the external interface.

PF is simply amazing...

**Schotty** · 06-30-2004, 08:34 PM

No, the rules are there as specified. I can see the nat rule by going:

pfctl -sn

Which shows the nat rule(s). It is getting updated. It is something else I think. I dunno, I am getting an iso as we speak of 3.0. I will try that and upgrade to each successive release until it either breaks (and go one back) or I get success on 3.5.

I am utterly lost as to what is wrong here.

**praetorian** · 06-30-2004, 08:51 PM

Hmm, you don't have any 'no nat' rules before the NAT rule, do you? You probably know the ruleset works on a last match basis, but the NAT rules work on a first match basis (like IPFW on FreeBSD). Would you mind posting a bit (or all) of your ruleset so I can see where the problem may lie. I'm running PF on OpenBSD 3.5, but I doubt there's any real difference between my config and yours.

BTW, do you have IP forwarding enabled? That could also be an issue. You can change it with 'sysctl -w ....' or just change the value in /etc/rc.conf and restart.

**Schotty** · 06-30-2004, 10:32 PM

no just the three rules

1 nat
2 pass all in
3 pass all out

Not much to really screw up ;D

**praetorian** · 07-01-2004, 12:02 AM

IP forwarding is enabled, right?

I think it's "pass all in" and "pass all out" too.

**Schotty** · 07-01-2004, 03:29 PM

yep and yep.

I was paraphrasing. I have shown alot of people the files and the exact syntaxes to get a dumb look, and "Damn, WTF isn't right??!"

The pf commands I am sure are right. Its something to do with the rest that isnt. As far as I recall and could find, all I needed to do was enable pf, and set ipforwarding on -- easiest place being in /etc/rc.conf.

**Schotty** · 07-02-2004, 07:22 PM

Well it wasnt 3.5. 3.0 is doing the same thing. I am going to have to take a deeper look at what is going on.

**Ashcrow** · 07-10-2004, 10:54 PM

[quote author=Schotty link=board=10;threadid=9435;start=0#msg85717 date=1088796158]
Well it wasnt 3.5. 3.0 is doing the same thing. I am going to have to take a deeper look at what is going on.
[/quote]

Post the answer when you figure it out. You might want to try asking at bsdvault.net as well.

**Schotty** · 07-11-2004, 04:41 PM

Thanks ash.

I put it on the back burner for now. I was wayyy too busy the past couple weeks to really care. Hopefully it improves in the near future.