Re: a simple NATing gateway. What am I missing?

[Luis Cerdas <luis_(_dot_)_cerdas_(_at_)_rawten_(_dot_)_net>]

If you're using a NAT address different from the FW IP address (which 
seems to be the case), then it is necessary to set up a proxy arp entry 
for the NAT address so that packets can be associated with the MAC 
address of the FW's external NIC.

In other words, you need to add a static, permanent (published) arp for 
the firewall to accept the replies for the NAT address (194.54.107.17) 
on its external interface (194.54.107.19).  Otherwise, you can 
see/allow the packets going out (as shown in the PF state table), but 
the replies never reach the xl0 interface (the MAC address is not 
associated with the IP that the replies are directed to).

The correct syntax would be:

# arp -s 194.54.107.17 00:04:76:22:e3:bc permanent pub

The command should also be added in rc.local or one of the startup 
scripts in case the machine is rebooted.

Regards,
Luis Cerdas

On Thursday, January 23, 2003, at 01:35  PM, Anthony Schlemmer wrote:

> I can't help but notice that the IP address you've specified in your 
> NAT
> rule is different that the one specified on the xl0 interface. On xl0
> you have 194.54.107.19 but in your NAT rule you have 194.54.107.17
> instead.
>
> When I've set up NAT rules for my gateway/firewall system I use the
> external interface name in the NAT rules so I don't have to worry about
> what the IP address is on the external inteface. I would think you
> would want the NAT rule to be:
>
> nat on xl0 from 192.168.103.0/24 to any -> xl0
>
> If the IP address changes on the xl0 interface because the address is
> assigned via DHCP, then you would want to enclose the interface name in
> parenthesis so it is re-evaluated in case you ever get a different IP
> address via DHCP:
>
> nat on xl0 from 192.168.103.0/24 to any -> (xl0)
>
> Tony
>
> On Wednesday 22 January 2003 20:12 pm, Peter N. M. Hansteen wrote:
> > After my old linux home gateway broke down over too many electrical
> > horrors, I thought it was time to finally get that part of my home
> > network into the OpenBSD fold. Only the gateway is stubbornly
> > refusing to forward any packets!
> >
> > the setup is simple. xl0 is the outer interface, which shows up in
> > dmesg as
> >
> > xl0 at pci0 dev 9 function 0 "3Com 3c905C 100Base-TX" rev 0x74: irq 9
> > address 00:04:76:22:e3:bc exphy0 at xl0 phy 24: Broadcom 3C905C
> > internal PHY, rev. 6
> >
> > and ifconfig as
> >
> > xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         address: 00:04:76:22:e3:bc
> >         media: Ethernet autoselect (100baseTX full-duplex)
> >         status: active
> >         inet 194.54.107.19 netmask 0xfffffff8 broadcast 194.54.107.23
> >         inet6 fe80::204:76ff:fe22:e3bc%xl0 prefixlen 64 scopeid 0x1
> >
> > xl1 is the inner interface, dmesg shows
> >
> > xl1 at pci0 dev 10 function 0 "3Com 3c905B 100Base-TX" rev 0x30: irq
> > 10 address 00:10:5a:86:18:2c exphy1 at xl1 phy 24: 3Com internal
> > media interface
> >
> > and ifconfig
> >
> > xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         address: 00:10:5a:86:18:2c
> >         media: Ethernet autoselect (10baseT)
> >         status: active
> >         inet 192.168.103.1 netmask 0xffffff00 broadcast
> > 192.168.103.255 inet6 fe80::210:5aff:fe86:182c%xl1 prefixlen 64
> > scopeid 0x2
> >
> > My /etc/sysctl.conf has the requisite line
> >
> > net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of
> > packets
> >
> > -- I restrict myself to the old-fashioned ipv4 for now, which leads
> > me to the next piece of evidence, my /etc/pf.conf (yes, I have pf=YES
> > in /etc/rc.conf) which has been reduced to
> >
> > nat on xl0 from 192.168.103.0/24 to any -> 194.54.107.17
> >
> > - but nothing gets through from anywhere on the inside to the outside
> > world. I can ssh in to the gateway, and the gateway communicates with
> > the outside world just fine. It's the gatewaying that for some reason
> > just doesn't work. I'm convinced I've just overlooked something
> > embarrasingly obvious here.
> >
> > pfctl -ss tells me typically (when tracerouting to a well-known web
> > site in Norway):
> >
> > bash-2.05b# pfctl -ss
> > tcp 192.168.103.1:22 <- 192.168.103.5:32772
> > ESTABLISHED:ESTABLISHED tcp 192.168.103.1:22 <- 192.168.103.5:32773
> >     ESTABLISHED:ESTABLISHED udp 192.168.103.5:32768 ->
> > 194.54.107.17:59105 -> 198.41.0.4:53       SINGLE:NO TRAFFIC udp
> > 192.168.103.5:32768 -> 194.54.107.17:50471 -> 192.112.36.4:53
> > SINGLE:NO TRAFFIC udp 192.168.103.5:32768 -> 194.54.107.17:60193 ->
> > 198.41.0.10:53       SINGLE:NO TRAFFIC udp 192.168.103.5:32768 ->
> > 194.54.107.17:50258 -> 192.36.148.17:53       SINGLE:NO TRAFFIC udp
> > 192.168.103.5:32768 -> 194.54.107.17:60529 -> 202.12.27.33:53
> > SINGLE:NO TRAFFIC udp 192.168.103.5:32768 -> 194.54.107.17:50521 ->
> > 128.63.2.53:53       SINGLE:NO TRAFFIC udp 192.168.103.5:32768 ->
> > 194.54.107.17:54656 -> 128.9.0.107:53       SINGLE:NO TRAFFIC udp
> > 192.168.103.5:32768 -> 194.54.107.17:53618 -> 193.0.14.129:53
> > SINGLE:NO TRAFFIC udp 192.168.103.5:33952 -> 194.54.107.17:60548 ->
> > 80.232.38.252:33508       SINGLE:NO TRAFFIC udp 192.168.103.5:33952
> > -> 194.54.107.17:64107 -> 80.232.38.252:33509       SINGLE:NO TRAFFIC
> > udp 192.168.103.5:33952 -> 194.54.107.17:57785 -> 80.232.38.252:33510
> >       SINGLE:NO TRAFFIC udp 192.168.103.5:33952 ->
> > 194.54.107.17:53864 -> 80.232.38.252:33511       SINGLE:NO TRAFFIC
> > udp 192.168.103.5:33952 -> 194.54.107.17:50879 -> 80.232.38.252:33512
> >       SINGLE:NO TRAFFIC udp 192.168.103.5:33952 ->
> > 194.54.107.17:58367 -> 80.232.38.252:33513       SINGLE:NO TRAFFIC
> > udp 192.168.103.5:33952 -> 194.54.107.17:50271 -> 80.232.38.252:33514
> >       SINGLE:NO TRAFFIC udp 192.168.103.5:33952 ->
> > 194.54.107.17:64135 -> 80.232.38.252:33515       SINGLE:NO TRAFFIC
> > udp 192.168.103.5:33952 -> 194.54.107.17:55843 -> 80.232.38.252:33516
> >       SINGLE:NO TRAFFIC udp 192.168.103.5:33952 ->
> > 194.54.107.17:59821 -> 80.232.38.252:33517       SINGLE:NO TRAFFIC
> > udp 192.168.103.5:33952 -> 194.54.107.17:56775 -> 80.232.38.252:33518
> >       SINGLE:NO TRAFFIC udp 192.168.103.5:33952 ->
> > 194.54.107.17:56938 -> 80.232.38.252:33519       SINGLE:NO TRAFFIC
> > udp 192.168.103.5:33952 -> 194.54.107.17:63271 -> 80.232.38.252:33520
> >       SINGLE:NO TRAFFIC udp 192.168.103.5:33952 ->
> > 194.54.107.17:64001 -> 80.232.38.252:33521       SINGLE:NO TRAFFIC
> > udp 192.168.103.5:33952 -> 194.54.107.17:60890 -> 80.232.38.252:33522
> >       SINGLE:NO TRAFFIC udp 192.168.103.5:33952 ->
> > 194.54.107.17:62815 -> 80.232.38.252:33523       SINGLE:NO TRAFFIC
> > udp 192.168.103.5:33952 -> 194.54.107.17:51581 -> 80.232.38.252:33524
> >       SINGLE:NO TRAFFIC
> >
> > There must be a simple, obvious solution to this one.
> >
> > - P
>
> --
> Anthony Schlemmer
> aschlemm_(_at_)_attbi_(_dot_)_com