
NAT/PF lockup; probably my fault, but nothing else attempted works either (losing hair/sleep); ideas?



Hi all.

Ok, this is lame, but I'm hoping someone might be able to suggest
what I'm doing wrong with OpenBSD 3.1 NAT/PF, please? :)

Well, I've tried a few dozen different configurations of PF/NAT
over the past few days (OpenBSD 3.1), and I'm not having any luck.

I've gone from the 'ideal/desirable' all the way to the 'try what's in
the man page as simply as possible' and I have yet to get traffic from
the private subnet to and from the internet.

I was hoping to just find some similar `known good' example
configurations to base mine on.  I feel a bit lame posting a
`why doesn't this work' question for such a simple configuration,
so my apologies.  I wouldn't ask if I hadn't researched / tried many
possibilities first.

I really did read the FAQ / man pages / mailing list / et al.
first.  My nat.conf is essentially exactly the example given
in the nat.conf man page, and PF by itself without NAT seems like
it might be sort of working kind of ok...
 
When I turn on PF the OpenBSD box can talk to the net OK (quick tests).
When I turn on PF+NAT the OpenBSD box can talk to the net OK (quick tests).

When NAT is ON:
From another host on the local intranet subnet 10.x.x.x
I do a few pings to the OpenBSD box's 10.x.x.x address (they fail, usually).
I do a few pings to the ISP router's 205.x.x.1 address (they fail).
The OpenBSD box quickly/quietly dies, locking hard; other configurations
I've tried simply just didn't work, but they didn't lock the BSD box.

I'm less interested in why this particular configuration locks / doesn't
work than just practically knowing what a working configuration could be;
I presume I've got some kind of infinite loop / bad routing thing going on
because of some error of mine I don't quite see yet.

Strategy:
Quick test pf.conf that pretty much allows anything in/out.
Quick test nat.conf that NATs a private subnet on vr0 onto a static IP on aue0.
vr0 interface is assigned an address on the private internal subnet.
aue0 interface is assigned a static internet routable address.
Default route is set to the static internet routable address of the ISP GW on aue0.
NAT should map 10.x.x.x/8 <-> the BSD box's static IP address on aue0.
ping/dns lookup/ftp/www from OpenBSD box to internet?  Yes?  Good.
ping/dns lookup/ftp/www from private subnet to internet? Yes?  Good.

...then apply more complex / restrictive rules in PF.

P.S. I also tried a nat rule that specifies the endpoint address of
NAT as being ANOTHER static internet routable IP address besides the
one the OpenBSD box is bound to on AUE0.  That didn't fly either.

My settings: (N.B. ip addresses edited to "x.x" or whatever by me)
........................................

nat.conf (basically right out of the man page):
#	$OpenBSD: nat.conf,v 1.4 2001/07/09 23:20:46 millert Exp $
#
# See nat.conf(5) for syntax and examples
#
# replace ext0 with external interface name, 10.0.0.0/8 with internal network
# and 192.168.1.1 with external address
#
# nat: packets going out through ext0 with source address 10.0.0.0/8 will get
# translated as coming from 192.168.1.1. a state is created for such packets,
# and incoming packets will be redirected to the internal address.

#nat on ext0 from 10.0.0.0/8 to any -> 192.168.1.1
nat on aue0 from 10.33.21.0/24 to any -> 205.x.x.66

# rdr: packets coming in through ext0 with destination 192.168.1.1:1234 will
# be redirected to 10.1.1.1:5678. a state is created for such packets, and
# outgoing packets will be translated as coming from the external address.

# rdr on ext0 proto tcp from any to 192.168.1.1/32 port 1234 -> 10.1.1.1 port 5678

........................................
pf.conf:

scrub in all
scrub out all
pass out all keep state allow-opts
RT="fastroute"
pass in on aue0 $RT proto tcp from any to any keep state allow-opts
pass in on vr0 $RT proto tcp from any to any keep state allow-opts
pass in on aue0 $RT proto udp from any to any keep state allow-opts
pass in on vr0 $RT proto udp from any to any keep state allow-opts
pass in on aue0 $RT proto icmp from any to any keep state allow-opts
pass in on vr0 $RT proto icmp from any to any keep state allow-opts

........................................
sysctl routing active:
net.inet.ip.forwarding = 1
net.inet6.ip6.forwarding = 0
........................................
ifconfig vr0:
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	media: Ethernet autoselect (100baseTX full-duplex)
	status: active
	inet 10.n.n.66 netmask 0xffffff00 broadcast 10.n.n.255
........................................
ifconfig aue0:
aue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	media: Ethernet autoselect (10baseT)
	status: active
	inet 205.x.x.66 netmask 0xffffff00 broadcast 205.x.x.255
........................................
pfctl -ss all:

@0 scrub in all 
@1 scrub out all 
@2 pass out all keep state allow-opts 
@3 pass in on aue0 proto tcp all keep state allow-opts 
@4 pass in on vr0 proto tcp all keep state allow-opts 
@5 pass in on aue0 proto udp all keep state allow-opts 
@6 pass in on vr0 proto udp all keep state allow-opts 
@7 pass in on aue0 proto icmp all keep state allow-opts 
@8 pass in on vr0 proto icmp all keep state allow-opts 

nat on aue0 from 10.n.n.0/24 to any -> 205.x.x.66

Status: Enabled  Time: 1025558038  Since: 1025557819  Debug: None
Bytes In IPv4: 0           Bytes Out: 0         
         IPv6: 0           Bytes Out: 0         
Inbound Packets IPv4:  Passed: 0           Dropped: 0         
                IPv6:  Passed: 0           Dropped: 0         
Outbound Packets IPv4: Passed: 0           Dropped: 0         
                 IPv6: Passed: 0           Dropped: 0         
States: 0
pf Counters
state searches            289     
state inserts             32      
state removals            32      
Counters
match                     36      
bad-offset                0       
fragment                  0       
short                     0       
normalize                 0       
memory                    0       

........................................
netstat -nr:
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use    Mtu  Interface
default            205.x.x.1          UGS         0        7   1500   aue0
10.n.n/24          link#1             UC          0        0   1500   vr0
127/8              127.0.0.1          UGRS        0        0  33224   lo0
127.0.0.1          127.0.0.1          UH          2       24  33224   lo0
205.x.x/24         link#19            UC          0        0   1500   aue0
205.x.x.1        xx:xx:xx:xx:xx:xx    UHL         1        0   1500   aue0
224/4              127.0.0.1          URS         0        0  33224   lo0

........................................
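For comparison, here is a minimal "known good"-style NAT gateway configuration in the OpenBSD 3.1 syntax the post is using (separate nat.conf loaded with pfctl -N, pf.conf loaded with pfctl -R, no brace lists). This is an added example written for this page, not a configuration from the original poster or from the OpenBSD FAQ; it reuses the interface names, LAN prefix and external address from the post (aue0, vr0, 10.33.21.0/24, 205.x.x.66) and assumes nothing else about the network. It deliberately leaves out `fastroute` and `allow-opts`: a plain NAT gateway needs neither, because with net.inet.ip.forwarding=1 the kernel forwards packets itself and pf only has to filter and translate them. It also replaces "pass everything" with a default-deny ruleset that logs drops, so that a failing test shows up on pflog0 instead of silently doing nothing.

```conf
# ---- /etc/nat.conf (OpenBSD 3.1 keeps translation rules in their own file) ----
# Packets leaving aue0 with a 10.33.21.0/24 source are rewritten to come from
# 205.x.x.66, the address aue0 itself carries, so the ISP router's ARP for the
# replies resolves to this box with no extra setup.
nat on aue0 from 10.33.21.0/24 to any -> 205.x.x.66

# ---- /etc/pf.conf ----
# Names taken from the post; anything else here is an assumption of this example.
ext_if   = "aue0"
int_if   = "vr0"
int_net  = "10.33.21.0/24"
ext_addr = "205.x.x.66"

# Reassemble fragments once, on the way in.
scrub in all

# Default deny in both directions; 'log' copies each drop to pflog0.
block in  log all
block out log all

# Never filter loopback.
pass in  quick on lo0 all
pass out quick on lo0 all

# Internal side: the LAN may reach the gateway itself and anything beyond it;
# the gateway may answer or initiate towards the LAN.
pass in  quick on $int_if from $int_net to any keep state
pass out quick on $int_if from any to $int_net keep state

# External side: only connections that leave here create state.  Translation
# happens before filtering, so LAN traffic already carries $ext_addr as its
# source when these rules are evaluated.  Replies match the state; anything
# unsolicited from the Internet falls through to the block rules above.
pass out on $ext_if proto tcp  from $ext_addr to any flags S/SA keep state
pass out on $ext_if proto udp  from $ext_addr to any keep state
pass out on $ext_if proto icmp from $ext_addr to any keep state
```

Load it with `pfctl -N /etc/nat.conf` and `pfctl -R /etc/pf.conf`, then `pfctl -e`. Before testing from the LAN, check the three things this ruleset cannot fix: each LAN host's default gateway must be the box's vr0 address (10.n.n.66 in the post), pflog0 must be up (`ifconfig pflog0 up`) for the logging to be visible, and the external address used in the nat rule must be one the ISP router can ARP for. That last point covers the P.S. in the post: a second routable address only works as a NAT endpoint if it is also configured on aue0 (an `ifconfig aue0 alias` with a 255.255.255.255 netmask), otherwise return traffic never reaches the box. While pinging from a LAN host, `pfctl -s state` should show a state entry for the ICMP flow and `tcpdump -n -e -ttt -i pflog0` should stay quiet; a block entry there, rather than an empty state table, points at the rule that needs changing.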