Contributed by Dengue on from the no-nat-please dept.
Dear OpenBSD Community,
I have recently set up a firewall/router running OpenBSD 3.1 for my company and am running into difficulty when it comes to IP forwarding and NAT.
The setup is like so:
We have divided each "department" in our company onto its own physical network. So, for example, software development gets 10.1.0.0/24 on xl1, sales gets 10.2.0.0/24 on xl2, beta testing gets 10.3.0.0/24 on xl3, etc.
Then our Internet interface is xl0, and it NATs internal IP addresses to an external one for Internet access.
All of the internal networks must be able to talk to each other for things like printing, file sharing etc. So in other words the router must be able to route packets between interfaces.
Now the problem is that IP forwarding is enabled, but we only want to NAT from all internal networks to the Internet. We don't want to NAT 10.1.0.0 -> 10.2.0.0 so that development can access the printer, etc. In other words, the firewall should just route the packets instead of translating them.
So how do you accomplish this? Every single document I've read (and I've spent the last 2 weeks just reading documents and tutorials on pf) has claimed that you must write your NAT rules after you enable IP forwarding for things to work, and I believe that because my own experience proved it. However, that is not an acceptable solution, because I must be able to see communication coming into the sales department from the development department, etc.
Thank you greatly in advance for any help that you can offer.
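An added example, not part of the original post, of the kind of pf.conf fragment the question is asking about. It assumes the layout described above (xl0 external, xl1..xl3 carrying the 10.1/10.2/10.3 networks) and uses 203.0.113.1 as a stand-in for the real external address. The point it illustrates is that a pf nat rule is bound to the interface a packet leaves on, so traffic the router forwards from xl1 to xl2 never leaves on xl0 and is never translated; the "to ! 10.0.0.0/8" restriction is an extra guard so that nothing bound for an internal prefix is rewritten even if it does hit xl0. Filter rules are kept default-deny so inter-department traffic is still visible in the logs rather than silently passed.

```pf
# Added example (not from the original post or the OpenBSD project).
# Assumed layout: xl0 external, xl1/xl2/xl3 internal; 203.0.113.1 is a placeholder
# for the real external address.

ext_if   = "xl0"
ext_addr = "203.0.113.1"
int_nets = "10.0.0.0/8"

# NAT applies only to packets leaving $ext_if.  Packets routed between xl1, xl2
# and xl3 never leave on xl0, so they keep their source address.  The
# "to ! $int_nets" clause additionally refuses to translate anything whose
# destination is still an internal prefix.
nat on $ext_if from $int_nets to ! $int_nets -> $ext_addr

# Filter rules: default deny, log what is dropped, allow each department out
# (including to the other departments) with state tracking.
block in log all
pass out all keep state
pass in on xl1 from 10.1.0.0/24 to any keep state
pass in on xl2 from 10.2.0.0/24 to any keep state
pass in on xl3 from 10.3.0.0/24 to any keep state
```

Check the fragment parses on the target release before loading it (`pfctl -n -f /etc/pf.conf` parses without applying), since pf.conf grammar changed between early OpenBSD releases; then confirm the behaviour with `pfctl -s nat` and a tcpdump on xl2 showing the 10.1.x source address arriving untranslated.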