[TriLUG] Re: NAT with OpenBSD on sparcstation 5

Chris Bullock cgbullock at yahoo.com
Sun Sep 3 16:59:55 EDT 2006 

First off what does not work?  Are you sure that you sparc can access your main router, ie do you know for sure that the $ext_if of the sparc is functional, can you ping the main router from the sparcstation?  To see if nat is the true problem I would drop the pf rules with routing still enabled and see if your laptop could access anything beyond the sparcstation, or at least try to ping the ext_if of the sparc.  Also have you ran pfctl -sn to see if the nat rules are being implented as you desire them to be.  If everything seem ok, try running tcpdump -nettti le0 to see if you are getting any traffic from anywhere.
  Good luck,
  Chris
  Date: Fri, 1 Sep 2006 14:11:29 -0400
From: "Cristobal Palmer" <cristobalpalmer at gmail.com>
Subject: [TriLUG] NAT with OpenBSD on sparcstation 5
To: "Triangle Linux Users Group discussion list" <trilug at trilug.org>
Message-ID:
 <39e2ba090609011111v5fcf054dj8945e599dadd2562 at mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed

I've already spoken with several people on the list about this
problem, but I'm still stuck, so I thought I'd cast a wider net.

I've got a sparcstation 5 on which I've installed OpenBSD 3.9. I've
got another openbsd box that handles NAT fine, but the sparc isn't
happy. The situation looks like this:

laptop --> sparcstation --> main router (openbsd) --> entireweb

There are four other machines plugged into the main router besides the
sparc, all of which have a happy NATing experience. The laptop behind
the sparc is sadly not so lucky.

Here's the (very basic) pf.conf for the sparc:

---------pf.conf begins here---------
#       $OpenBSD: pf.conf,v 1.31 2006/01/30 12:20:31 camield Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or 
net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if="le0"
all_int="hme0 hme1 hme2 hme3"

tcp_services="{ 22, 113 }"  # per instructions on
http://www.openbsd.org/faq/pf/example1.html
icmp_types="echoreq"

set block-policy return # what should we do with packets destined for
blocked ports?
set loginterface $ext_if

#table <spamd> persist
#table <spamd-white> persist

set skip on lo

scrub in

#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
nat on $ext_if from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#rdr pass on $ext_if proto tcp from <spamd> to port smtp \
#       -> 127.0.0.1 port spamd
#rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
#       -> 127.0.0.1 port spamd

block in
pass out keep state

#anchor "ftp-proxy/*"

pass quick on $all_int
antispoof quick for { lo $all_int }

pass in on $ext_if inet proto tcp from any to ($ext_if) \
  port $tcp_services flags S/SA keep state
#pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
#pass in log on $ext_if proto tcp to ($ext_if) port smtp keep state
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp keep state

---------pf.conf ends here---------

Other notes:

* I've got dnsmasq as my dhcp server (the laptop does successfully get
an address).
* I've got something very close to this on the main router. Some similar 
lines:

---------some pf.conf lines from main router begin here---------

set block-policy return # what should we do with packets destined for
blocked ports?
set loginterface $ext_if

set skip on { lo $int_if }
scrub in

nat on $ext_if from !($ext_if) -> ($ext_if:0)
block in
pass out keep state

antispoof quick for { lo $int_if }

---------some pf.conf lines from main router end here---------

TIA for any and all help.

-- 
Cristobal M. Palmer
UNC-CH SILS Student
TriLUG Vice Chair
cristobalpalmer at gmail.com
cmpalmer at ils.unc.edu
ils.unc.edu/~cmpalmer
"Television-free since 2003"

<tarheelcoxn> iank has trouble with English. his native language is Python
<iank> Yeah
<iank>   I'm forced
<iank>     To indent
<iank>   My sentences



 		
---------------------------------
Yahoo! Messenger with Voice. Make PC-to-Phone Calls to the US (and 30+ countries) for 2¢/min or less.

More information about the TriLUG mailing list