Contributed by Dengue on from the no-nat-please dept.
Dear OpenBSD Community, I have recently set up a firewall/router running OpenBSD 3.1 for my company and am running into difficulty when it comes to IP forwarding and NAT.
The setup is like so: We have divided each "department" in our company onto their own physical networks. So for example software development gets 10.1.0.0/24 on xl1, sales gets 10.2.0.0/24 on xl2, beta testing 10.3.0.0/24 on xl3 etc.
Then our internet interface is xl0 and it NATs internal IP addresses to an external one for internet access.
All of the internal networks must be able to talk to each other for things like printing, file sharing etc. So in other words the router must be able to route packets between interfaces.
Now the problem is that IP forwarding is enabled but we only want to NAT from all internal networks to the internet. We don't want to NAT 10.1.0.0 -> 10.2.0.0 so that development can access the printer etc. In other words the firewall should just route the packets instead of translating them.
So how do you accomplish this? Every single document I've read (and I've spent the last 2 weeks just reading documents and tutorials on pf) has claimed that you must write your NAT rules after you enable IP forwarding for things to work and I believe that because my own experience proved it. However, that is not an acceptable solution because I must be able to see communication coming into the sales department from the development department etc.
Thank you greatly in advance for any help that you can offer.
Garett Spencley
By Anonymous Coward () on
By Christopher H. Hylarides () hylaride@NNOOSSPPAAMMsheridanc.on.ca on http://www.ubersource.net/chylarides
nat on xl0 from 10.0.0.0/24 to any -> xl0
in your nat.conf which will send all outbound packets on that interface with your external IP.
The OpenBSD machine should forward all internal packets to the correct interface, if you have the right IPs assigned to the interfaces. Are you just using the one same IP for all the internal interfaces? This may be your problem, as ip forwarding will not know to send it to those networks and send it to the outside world. Make sure each interface has an IP in its network.
On a side note, I noticed a curious issue with the way you are assigning networks. You say that each network has a /24 but you increment the networks in the second octet. Shouldn't you be using a /16 instead? (forgive me if you are doing something different).
By Justin Krejci () justin at krejci dot com on mailto:justin at krejci dot com
10.1.0.0/24 -> N.N.N.H
10.1.0.0/16 -> N.N.H.H
By RC () on
If you have three NICs in your OpenBSD router, one with the globally valid IP Address, one with (for example) 192.168.1.1, and one with 192.168.2.1, as long as those machines in the 192.168.1.0/24 network have 192.168.1.1 as their default gateway & 192.168.2.0/24 network have 192.168.2.1 as their default gateway, they should have no problem connecting to each other.
I have a similar situation. 192.168.40.1 goes to one room, 192.168.50.1 goes to another room... (There are additional rooms, but they aren't important for this example) From 192.168.40.25, you can ping 192.168.50.30, et al. No nat rules required (except on the external interface with the globally unique IP address).
By Sacha () on
One interface (de0) for the internet
and two interfaces (ne3 and ne4) for the Lan.
I bridged the two interfaces of the LAN and made the Inet interface NAT it. Both parts of the LAN can communicate flawlessly with each other and the rest of the cybervoid through de0.
By Barry () on
10.1.0.0 is /16 NOT /24
Your workstations probably can't get to their gateways...
I'm assuming 10.1.1.1, 10.2.1.1, 10.3.1.1
"I'm confused..." is a little confused too...
It's 10.0.0.0/8 NOT 10.0.0.0/24
Peace
By chris cappuccio () chris@dqc.org on mailto:chris@dqc.org
you can subnet it any way you would like.
By Barry () on
By Toine Ganzeboom () on
This works in Check Point Firewall-1.
Bye
By Garett Spencley () on http://www.geocities.com/gspencley
The problem is resolved now.
I don't know why it wasn't working initially for me. I knew that I didn't need NAT but for some reason the networks couldn't see each other.
Anyway, yesterday I posted to misc@openbsd.org and got similar responses so I tried just removing all of the NAT rules except to NAT for internet access and it worked fine. So it must have been a brain fart on my behalf when I set it up, or it could have been a client-side issue with caching on windows clients or something because they couldn't ping the other networks.
The hosts actually couldn't ping the gateway itself on the other interfaces. Meaning that 10.1.0.35 could ping 10.1.0.1 but not 10.4.0.1. I know this sounds like a forwarding issue but I guarantee you that forwarding was enabled right from the start. Adding a whole bunch of redundant NAT rules that are gone now fixed the symptom. I still don't know what the problem was.
For those that said that 10.x.0.0 should be /16 and not /24, you're right if the netmask is 255.255.0.0, but we're using 255.255.255.0 because we only want class C networks. We don't actually have the physical accommodation for more than 256 hosts per department so we don't need a class B.
Thank you very much for posting your thoughts. I really appreciate the help :O)
--
Garett
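The configuration the thread converges on, written out as an added example (it is not from any poster): NAT bound to the external interface only, with department traffic routed untranslated and the dev-to-sales flows logged so they stay visible. It assumes the interface names from the original question, that each internal interface holds the .1 address of its /24, and OpenBSD 3.1-era pf.conf syntax where translation rules precede filter rules.

```pf
# /etc/pf.conf -- added example; assumes xl0 external, xl1 dev,
# xl2 sales, xl3 beta. Forwarding itself is enabled separately with
# net.inet.ip.forwarding=1 in /etc/sysctl.conf.

ext_if="xl0"
dev_if="xl1"
sales_if="xl2"
beta_if="xl3"
dev_net="10.1.0.0/24"
sales_net="10.2.0.0/24"
beta_net="10.3.0.0/24"

# --- Translation ---
# Only packets leaving on the external interface are rewritten.
# 10.0.0.0/8 covers every department; 10.0.0.0/24 would match none of
# the 10.N.0.0/24 networks. Department-to-department packets exit on
# xl1/xl2/xl3, never on xl0, so this rule leaves them alone and the
# sales side sees the real 10.1.0.x source address.
nat on $ext_if from 10.0.0.0/8 to any -> $ext_if

# --- Filtering ---
block in all
block out all
pass quick on lo0 all

# Each department may talk to anything (other departments or the
# internet); keep state so the replies come back.
pass in on $dev_if from $dev_net to any keep state
pass in on $sales_if from $sales_net to any keep state
pass in on $beta_if from $beta_net to any keep state

# Log dev -> sales traffic to pflog0 (read it with
# tcpdump -n -e -ttt -i pflog0). pf uses last-matching-rule wins, so
# this more specific rule must come AFTER the general dev rule above
# or it would never be the winning match.
pass in log on $dev_if from $dev_net to $sales_net keep state

# Allow forwarded and translated packets out on every interface.
pass out on $ext_if from any to any keep state
pass out on { $dev_if, $sales_if, $beta_if } from any to any keep state
```

Load with `pfctl -f /etc/pf.conf` and confirm with `pfctl -s nat` that only the single xl0 translation rule is present.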
By Doa () on
//me rolls on the floor laughing...
By Anonymous Coward () on
By Anonymous Coward () on
By Erik () noodle@home.nl on mailto:noodle@home.nl
http://www.unixcircle.com/features/openpfnat.php
It got me up and running with my 3.1 firewall.
Success,
Erik