OpenBSD Journal

[Ask OBSDJ] IP Forwarding in 3.1 without NAT?

Contributed by Dengue on from the no-nat-please dept.

Garett Spencley writes :
Dear OpenBSD Community,

I have recently set up a firewall/router running OpenBSD 3.1 for my company and am running into difficulty when it comes to IP forwarding and NAT.

The setup is like so:

We have divided each "department" in our company onto its own physical network. So for example software development is on xl1, sales is on xl2, beta testing on xl3, etc.

Then our internet interface is xl0, and it NATs internal IP addresses to an external one for internet access.

All of the internal networks must be able to talk to each other for things like printing, file sharing etc. So in other words the router must be able to route packets between interfaces.

Now the problem is that IP forwarding is enabled but we only want to NAT from all internal networks to the internet. We don't want to NAT that traffic, so that development can access the printer etc. In other words the firewall should just route the packets instead of translating them.

So how do you accomplish this? Every single document I've read (and I've spent the last 2 weeks just reading documents and tutorials on pf) has claimed that you must write your NAT rules after you enable IP forwarding for things to work, and I believe that because my own experience proved it. However, that is not an acceptable solution because I must be able to see communication coming into the sales department from the development department etc.

Thank you greatly in advance for any help that you can offer.

Garett Spencley


  1. By Anonymous Coward () on

    Why not do bridging instead of NAT? I've seen a good example @ or I dunno if it's the same as you want though, but it might give you some ideas. Just the same, I'm looking to do something similar and looking forward to more ideas from people.

  2. By Christopher H. Hylarides () on

    You should have:
    nat on xl0 from to any -> xl0
    in your nat.conf, which will send all outbound packets on that interface with your external IP.

    The OpenBSD machine should forward all internal packets to the correct interface, if you have the right IPs assigned to the interfaces. Are you just using the same IP for all the internal interfaces? This may be your problem, as IP forwarding will not know to send it to those networks and will send it to the outside world. Make sure each interface has an IP in its network.

    On a side note, I noticed a curious issue with the way you are assigning networks. You say that each network has a /24 but you increment the networks in the second octet. Shouldn't you be using a /16 instead? (Forgive me if you are doing something different.)

    1. By Justin Krejci (justin at krejci dot com) on

      You can change the second or third octet and still make it a /24. If it is a /24, any change of the first three octets makes a different network. If it is a /16, only changes to the first two octets change the network.
      /24: N.N.N.H
      /16: N.N.H.H
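    The /24-versus-/16 exchange above comes down to one check: does a workstation's default gateway fall inside the subnet the workstation's own netmask defines? If not, the host cannot even ARP for the gateway, which shows up as "can't ping the gateway on its own interface". The script below is an added example, not code from the thread or from OpenBSD; it does the network-address arithmetic in plain POSIX sh, and the 10.x.0.0/24 addresses in it are constructed to match the numbering scheme the thread describes.

```shell
#!/bin/sh
# Added example (not from the original thread or from OpenBSD):
# decide whether a host and its default gateway share an IPv4 subnet,
# given the prefix length the host is configured with.
# All addresses used at the bottom are constructed for illustration.

# Dotted quad -> unsigned 32-bit integer.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Unsigned 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length (0..32) -> netmask as an integer.
prefix_to_mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (0xffffffff << (32 - $1)) & 0xffffffff ))
    fi
}

# Network address of ADDR/PREFIX as a dotted quad, e.g. net_of 10.2.3.50 24 -> 10.2.3.0
net_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(prefix_to_mask "$2") ))
}

# Succeeds (exit 0) if HOST and GATEWAY lie in the same PREFIX-sized subnet, else exit 1.
same_subnet() {
    host=$1 gw=$2 prefix=$3
    if [ "$(net_of "$host" "$prefix")" = "$(net_of "$gw" "$prefix")" ]; then
        return 0
    else
        return 1
    fi
}

# One-line diagnosis for a host: OK or MISMATCH, with both network addresses.
check_host() {
    if same_subnet "$1" "$2" "$3"; then
        echo "$1/$3 -> gateway $2: OK, both in $(net_of "$1" "$3")/$3"
    else
        echo "$1/$3 -> gateway $2: MISMATCH, host in $(net_of "$1" "$3")/$3, gateway in $(net_of "$2" "$3")/$3"
    fi
}

# Constructed examples in the 10.x.0.0/24-per-department style of the thread.
check_host 10.1.0.50 10.1.0.1 24   # development host, its own gateway: OK
check_host 10.2.0.50 10.2.0.1 24   # sales host, its own gateway: OK
check_host 10.2.0.50 10.1.0.1 24   # sales host pointed at development's gateway: MISMATCH
check_host 10.2.3.50 10.2.0.1 24   # third octet differs: a different /24, gateway unreachable
check_host 10.2.3.50 10.2.0.1 16   # same host with a /16 mask: now in the gateway's subnet
```

    Run it on any OpenBSD or Linux box with a POSIX sh. The two "10.2.3.50" lines are the point of Justin's reply: whether changing the third octet lands you in a different network depends only on the mask the hosts are using, not on which octet happens to vary. Note that the check only says whether the addressing is consistent; it does not replace looking at the host's actual route table.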

  3. By RC () on

    If in /etc/sysctl.conf you enable IP forwarding (and pf in /etc/rc.conf), your OpenBSD box will forward the packets it receives. Your problem is likely a lack of knowledge of IP routing, not a problem with OpenBSD.

    If you have three NICs in your OpenBSD router, one with the globally valid IP Address, one with (for example), and one with, as long as those machines in the network have as their default gateway & network have as their default gateway, they should have no problem connecting to each other.

    I have a similar situation. goes to one room, goes to another room... (There are additional rooms, but they aren't important for this example.) From, you can ping, et al. No NAT rules required (except on the external interface with the globally unique IP address).
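    Put together, comments 2 and 3 describe a three-file setup. The fragment below is an added example, not configuration posted in the thread; the interface names follow the original post, the per-department 10.x.0.0/24 numbering follows Garett's later comment, and the 10.0.0.0/8 aggregate and the file layout (nat.conf for NAT rules, which is what 3.1 used and comment 2 refers to; from 3.2 on the same rules live in pf.conf) are assumptions.

```conf
# /etc/sysctl.conf  --  forward packets between all interfaces
net.inet.ip.forwarding=1

# /etc/rc.conf  --  start pf at boot (comment 3); the 3.1 rc scripts then
# load /etc/pf.conf (filter rules) and /etc/nat.conf (translation rules)
pf=YES

# /etc/nat.conf (OpenBSD 3.1 location; assumed, see lead-in)
# Translate only traffic that leaves through the Internet interface, and
# only when it comes from the internal address space (10.0.0.0/8 is an
# assumed aggregate of the 10.x.0.0/24 department networks).
nat on xl0 from 10.0.0.0/8 to any -> xl0
```

    The security-relevant detail is the `on xl0` clause: a nat rule is evaluated only for packets leaving through the interface it names, so a packet routed from development on xl1 to a printer on xl2 never reaches this rule and is forwarded with its real 10.x source address. That is why no "don't NAT internally" exclusions are needed and why inter-department traffic stays visible in pf's logs under the hosts' own addresses, which is what the original post asked for. Restricting `from` to the internal space rather than `any` keeps the box from translating stray or spoofed source addresses that happen to be routed out xl0. Which departments may talk to which remains the job of the filter rules in pf.conf, which this fragment does not cover.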

  4. By Sacha () on

    I have a similar setup at home.
    One interface (de0) for the internet
    and two interfaces (ne3 and ne4) for the Lan.

    I bridged the two interfaces of the LAN and made the Inet interface NAT it. Both parts of the LAN can communicate flawlessly with each other and the rest of the cybervoid through de0.

  5. By Barry () on

    Check your netmask is /16 NOT /24

    Your workstations probably can't get to their gateways...
    I'm assuming,,

    "I'm confused..." is a little confused too...
    It's NOT


    1. By chris cappuccio () on

      what are you talking about?
      you can subnet it any way you would like.

      1. By Barry () on

        My mistake. I'll sit down and shut up now...

  6. By Toine Ganzeboom () on

    you should put some NAT rules in that explicitly say NOT to NAT between the internal networks and put them above your internal -> external NAT rule.

    This works in Checkpoint Firewall-1.


  7. By Garett Spencley () on

    Hi All,

    The problem is resolved now.

    I don't know why it wasn't working initially for me. I knew that I didn't need NAT but for some reason the networks couldn't see each other.

    Anyway, yesterday I posted to and got similar responses, so I tried just removing all of the NAT rules except the one to NAT for internet access, and it worked fine. So it must have been a brain fart on my behalf when I set it up, or it could have been a client-side issue with caching on Windows clients or something, because they couldn't ping the other networks.

    The hosts actually couldn't ping the gateway itself on the other interfaces. Meaning that could ping but not I know this sounds like a forwarding issue, but I guarantee you that forwarding was enabled right from the start. Adding a whole bunch of redundant NAT rules that are gone now fixed the symptom. I still don't know what the problem was.

    For those that said that 10.x.0.0 should be /16 and not /24: you're right if the netmask is but we're using because we only want class C networks. We don't actually have the physical accommodation for more than 256 hosts per department, so we don't need a class B.

    Thank you very much for posting your thoughts. I really appreciate the help :O)


    1. By Doa () on

      4 years w/o a remote hole.

      //me rolls on the floor laughing...

      1. By Anonymous Coward () on

        5 years now.

      2. By Anonymous Coward () on

        Might want to get up to speed on things, it's 5 years now.

  8. By Erik () on

    Why don't you check out this page:

    It got me up and running with my 3.1 firewall.



Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]