
client -> world problem (NAT)



Greetings,

After freshly installing OpenBSD 2.8 on my future firewall, I am
attempting to get a single client machine to see the world through the
eyes of the firewall.  I'm using NAT, with the internal networking
residing in the 192.168.1.0 range of addresses.  Here is my setup,
with inconsequential modifications to some IP addresses:

Client -> Firewall (internal side) -> Firewall (external side)
-> Gateway -> world

Client: 192.168.1.10 (255.255.255.0 netmask)
Firewall Internal: 192.168.1.1
Firewall External: 205.167.105.180
Gateway: 205.167.105.161
Range of available addresses: .162-190
Subnet Mask of external network: 255.255.255.224


With the client, I am able to ping both the internal and external firewall interfaces, but am unable to ping the gateway or beyond. With the Firewall I can ping anywhere outside (www.openbsd.org for example) and also the client machine. I do not have access to the gateway to see if it is receiving packets from the client machine or not. All pinging is done by IP address.


in /etc/sysctl.conf I uncommented the line: net.inet.ip.forwarding=1

/etc/hostname.fxp0 says:
inet 205.167.105.180 255.255.255.224 NONE

/etc/hostname.xl0 says:
inet 192.168.1.1 255.255.255.0 NONE


In /etc/rc.conf I have:
ipfilter=YES
ipnat=YES
ipfilter_rules=/etc/ipf.rules
ipnat_rules=/etc/ipnat.rules


The rules in /etc/ipf.rules are:
pass in from any to any
pass out from any to any


Following the example in section 6 of the FAQ, this is what I have in /etc/ipnat.rules:
map fxp0 192.168.1.0/24 -> 205.167.105.180/27 portmap tcp/udp 10000:60000
map fxp0 192.168.1.0/24 -> 205.167.105.180/27


What is interesting is that, following the FAQ, when the command "ipnat -l" is run I get:

List of active MAP/Redirect filters:
map fxp0 192.168.1.0/24 -> 205.167.105.160/27 portmap tcp/udp 10000:60000
map fxp0 192.168.1.0/24 -> 205.167.105.160/27

List of active sessions:
MAP 192.168.1.10  0   <- -> 205.167.105.161 0   [205.167.105.161 0]

The result of 205.167.105.160 is different than the entry in /etc/ipnat.rules,
which should be 205.167.105.180


Hmm, that's interesting. I've been constantly pinging the gateway from the client machine, and I just stopped-and-restarted the pinging and got this new information from ipnat -l:

List of active MAP/Redirect filters:
map fxp0 192.168.1.0/24 -> 205.167.105.160/27 portmap tcp/udp 10000:60000
map fxp0 192.168.1.0/24 -> 205.167.105.160/27

List of active sessions:
MAP 192.168.1.10  0   <- -> 205.167.105.162 0   [205.167.105.161 0]


Now, the difference is in the <- -> 205.167.105.162 instead of .161


ipnat -CF -f /etc/ipnat.rules shows:
1 entries flushed from NAT table
2 entries flushed from NAT list

ipf -Fa -f /etc/ipf.rules -E   gives:
IP Filter: already initialized    [this is in blue]
SIOCFRENB: Device busy
Mar 30 10:48:12 fire1 /bsd: IP Filter: already initialized
Mar 30 10:48:12 fire1 /bsd: IP Filter: already initialized


Any advice or pointers to further information would be greatly appreciated! Also, if I forgot to include some useful information, please let me know and I'll fire it off.


Side note: I'm getting a keyboard lockup seemingly at random, so I'm also forced to unplug the mouse (per the advice on DejaNews, now Google). Any ideas for this one? Some of the archives said it shouldn't be a problem with 2.8-current, which I believe I am running, since I did an ftp-install today from the Ann Arbor ftp site. Any ideas?

Thanks,
Brian Bucher


Info from ifconfig -a:

lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 32972
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
lo1: flags=8008<LOOPBACK,MULTICAST> mtu 32972
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
media: Ethernet autoselect (100baseTX)
status: active
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::201:2ff:fec6:3e4c%xl0 prefixlen 64 scopeid 0x1
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
media: Ethernet autoselect (10baseT)
status: active
inet 205.167.105.180 netmask 0xffffffe0 broadcast 205.167.105.191
inet6 fe80::2a0:c9ff:fe81:b52f%fxp0 prefixlen 64 scopeid 0x2
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
sl1: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
ppp1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
tun0: flags=10<POINTOPOINT> mtu 3000
tun1: flags=10<POINTOPOINT> mtu 3000
enc0: flags=0<> mtu 1536
enc1: flags=0<> mtu 1536
enc2: flags=0<> mtu 1536
enc3: flags=0<> mtu 1536
bridge0: flags=0<> mtu 1500
bridge1: flags=0<> mtu 1500
gre0: flags=8010<POINTOPOINT,MULTICAST> mtu 1450
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif1: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif2: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif3: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
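The post contains its own diagnostic clue: the rules file says "-> 205.167.105.180/27", but "ipnat -l" shows "205.167.105.160/27", and the active sessions translate the client to .161 (the gateway itself) and then to .162. A /27 on the right-hand side of a map rule is not a single address; ipnat reads it as the whole 32-address block 205.167.105.160/27 and is free to pick any address in it as the translated source. The address the firewall actually owns is one host, so the target should be written with a /32. The following is an added example, not part of the original message or of the OpenBSD FAQ: a small Python check that parses map rules in the form posted, shows the target the way "ipnat -l" normalizes it, and flags a translation pool that is wider than the firewall's own address or that contains the upstream gateway. The "fixed" rules with a /32 target are this example's assumption of what was intended; the firewall and gateway addresses are taken from the post.

```python
import ipaddress

# Values copied from the posted configuration (constructed input for this check).
FIREWALL_EXT = "205.167.105.180"
GATEWAY = "205.167.105.161"

# The two map rules exactly as posted, and the same rules with a /32 target,
# which this example assumes is the single-address form that was intended.
POSTED_RULES = [
    "map fxp0 192.168.1.0/24 -> 205.167.105.180/27 portmap tcp/udp 10000:60000",
    "map fxp0 192.168.1.0/24 -> 205.167.105.180/27",
]
FIXED_RULES = [
    "map fxp0 192.168.1.0/24 -> 205.167.105.180/32 portmap tcp/udp 10000:60000",
    "map fxp0 192.168.1.0/24 -> 205.167.105.180/32",
]


def parse_map_rule(rule):
    """Split an ipnat 'map' rule into (interface, source, target).

    Only the fields this check needs are parsed; anything after the
    target (the portmap options) is ignored.
    """
    parts = rule.split()
    if len(parts) < 5 or parts[0] != "map" or parts[3] != "->":
        raise ValueError("not a map rule: %r" % rule)
    return parts[1], parts[2], parts[4]


def normalized_target(target):
    """The target as 'ipnat -l' displays it: the network address of the
    block, not the host address that was typed into the rules file."""
    net = ipaddress.ip_network(target, strict=False)
    return "%s/%d" % (net.network_address, net.prefixlen)


def translation_pool(target):
    """Every address in the target block. With a prefix shorter than /32
    ipnat treats the right-hand side as a pool and may use any of these
    as the translated source address of an outgoing session."""
    return [str(a) for a in ipaddress.ip_network(target, strict=False)]


def check_rule(rule, firewall_ext=FIREWALL_EXT, gateway=GATEWAY):
    """Report what a map rule will actually do and flag the two hazards:
    a pool wider than the firewall's own address, and a pool that
    contains the upstream gateway (sessions mapped to it cannot work)."""
    iface, src, target = parse_map_rule(rule)
    pool = translation_pool(target)
    return {
        "interface": iface,
        "source": src,
        "shown_by_ipnat_l": normalized_target(target),
        "pool_size": len(pool),
        "pool_is_only_firewall": pool == [firewall_ext],
        "gateway_in_pool": gateway in pool,
    }


if __name__ == "__main__":
    for rule in POSTED_RULES + FIXED_RULES:
        r = check_rule(rule)
        status = "OK " if r["pool_is_only_firewall"] else "BAD"
        print("%s %s" % (status, rule))
        print("     ipnat -l shows %s, %d address(es), gateway in pool: %s"
              % (r["shown_by_ipnat_l"], r["pool_size"], r["gateway_in_pool"]))
```

Two further readings of the posted output, offered as this editor's notes rather than anything the message states: the "SIOCFRENB: Device busy" and "IP Filter: already initialized" lines come from the -E flag, which enables the filter; with ipfilter=YES in rc.conf it is already enabled at boot, so reloading with "ipf -Fa -f /etc/ipf.rules" (without -E) avoids them. And the two "pass ... from any to any" rules pass everything in both directions, which is fine for this connectivity test but is not yet a filtering policy.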