Src NAT using PF on OpenBSD 4.9 doesn't work

Stefan
2011-05-16
2013-03-05
  • Stefan
    2011-05-16

    Hi All,

    I have done some testing using PF on OpenBSD 4.9.
    There are 2 tests:
    1. Without NAT (successful)
    2. With source NAT (not successful)

    The diagram is

    notebook-------em0em1------webserver(TCP/443)
    em0 is 192.168.1.216/24
    notebook is 192.168.1.21/24
    em1 is 192.168.2.216/24
    webserver is 192.168.2.80/24
    IP alias for NAT on em1 is 192.168.2.232/32
    ip forwarding on sysctl =1

    FWBuilder version: 4.2.2.3541 (Windows version)
    Notebook's gateway is firewall internal IP: 192.168.1.216
    Firewall's gateway is webserver :192.168.2.80
    Webserver's gateway is firewall external IP: 192.168.2.216

    I have tried to do source NAT testing to allow traffic from notebook to webserver so that the webserver knows that the incoming traffic is coming from 192.168.2.232(NAT IP) instead of 192.168.1.21.
    192.168.1.21->192.168.2.232->192.168.2.80

    Unfortunately it hasn't worked at all. I have tried to monitor the traffic using tcpdump on em1 (external int) but no packets pass through em1 at all.

    Below is the rule of the scenario above using NAT:

    # Tables: (1)
    table <tbl.r0.d> { 192.168.1.216 , 192.168.2.216 , 192.168.2.232 , 192.168.3.216 }

    #
    # Rule  0 (NAT)
    match out on em0 proto {tcp udp icmp} from 192.168.1.21 to 192.168.2.80 nat-to 192.168.2.232

    #
    # Rule  backup ssh access rule
    #    backup ssh access rule
    pass in   quick inet proto tcp  from 192.168.1.21  to <tbl.r0.d> port 22  label "RULE -1 - ACCEPT " 
    #
    # Rule  0 (em1)
    pass  log  quick on em1 inet proto tcp  from any  to any port 443 keep state  label "RULE 0 - ACCEPT " 
    #
    # Rule  fallback rule
    #    fallback rule
    block  quick inet  from any  to any no state  label "RULE 10000 - DROP " 

    What else is missing or isn't configured correctly? There was no error when I reloaded the rules using pfctl -f /etc/pf.conf

    Thanks

    Regards,
    Stefan

  • Vadim Kurland
    2011-05-16

    in the rule

    match out on em0 proto {tcp udp icmp} from 192.168.1.21 to 192.168.2.80 nat-to 192.168.2.232

    it matches the wrong interface. What does the NAT rule look like in fwbuilder?

  • Stefan
    2011-05-16

    Hello Vadim,

    The rules that I wrote in my question are shown by the firewall code viewer in fwbuilder.
    In FWBuilder, the NAT rule looks like this:

    notebook   webserver   any   notebooknat   original   original   internal   translate

    notebook: 192.168.1.21
    webserver: 192.168.2.80
    notebooknat: 192.168.2.232
    internal: em0

    Regards,
    Stefan

  • Vadim Kurland
    2011-05-16

    try the other interface in the column "Interface"

  • Stefan
    2011-05-17

    I tried it but it doesn't work.
    I have tried to create a ping test rule, pinging from em0 -> em1 and em1 -> em0, both without NAT, and it works perfectly.
    When I implement simple NAT, it doesn't work.

    Regards,
    Stefan

  • Stefan
    2011-05-17

    Hi Vadim,

    I modified the rules in the NAT and Policy sections:

    NAT rule:
    match out on em1 proto {tcp udp icmp} from 192.168.1.21 to 192.168.2.80 nat-to 192.168.2.232

    Policy Section:
    #allowing https traffic from notebook to webserver
    # Rule  1 (em1,em0)
    # Comment: I changed 192.168.1.21 to 192.168.2.232 as 192.168.1.21 is already translated to 192.168.2.232 on em1,
    # then it will pass through the em1 interface to go to 192.168.2.80 (webserver)
    pass  log  quick on { em0 em1 } inet proto tcp  from 192.168.2.232  to 192.168.2.80 port 443 keep state

    #    Deny all rule
    block  quick inet  from any  to any no state

    Unfortunately, it still doesn't work; it is strange.
    I was able to access the webserver over https from the notebook without the NAT rule, and pinging my notebook from the webserver also works perfectly; only the NAT portion fails.

    Regards,
    Stefanus

  • Vadim Kurland
    2011-05-17

    you only need one policy rule matching source 192.168.1.21 and destination 192.168.2.80. Reply packets should be matched by the state created when the firewall sees the first packet of the tcp session. PF inspects packets on each interface, so if the policy rule you created is attached to em1, then you need another one on em0. You can create a policy rule associated with both interfaces or even not associated with any interface. This rule will work for both interfaces. In any case you should not need a rule to match packets coming from 192.168.2.80 to the notebook, nor do you need a rule to match 192.168.2.232.

    How do you activate the firewall configuration on the firewall machine?

    About address 192.168.2.232 - you said it is an alias address on em1. Did you configure it on the firewall? How did you configure it? You can let fwbuilder do it for you if you turn on the checkbox "configure interfaces on the firewall" in the "Script" tab of the firewall object settings dialog. Note that in this case you have to use the .fw script generated by fwbuilder to activate the firewall configuration.
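    The two problems discussed in this thread (the NAT match rule bound to em0, where the outbound packet never appears, and a pass rule written against the translated address) can be seen together in one hand-written pf.conf for the topology above. This is an added example, not the thread's own rules and not fwbuilder output; it assumes the interface names and addresses exactly as Stefan lists them and that the alias 192.168.2.232 is actually configured on em1.

```pf
# Constructed example pf.conf for the notebook -> firewall -> webserver
# topology in this thread (OpenBSD 4.9 syntax). Not fwbuilder output.
ext_if    = "em1"             # side facing the webserver, carries the NAT alias
int_if    = "em0"             # side facing the notebook
notebook  = "192.168.1.21"
webserver = "192.168.2.80"
nat_addr  = "192.168.2.232"   # alias on em1; must exist on the interface

# Source NAT. A packet from the notebook to the webserver *leaves* the
# firewall on em1, so the match rule must be "out on em1". A rule written
# "out on em0" never sees this packet, which is why tcpdump on em1 stayed
# silent in the original test.
match out on $ext_if inet proto { tcp udp icmp } from $notebook to $webserver nat-to $nat_addr

# Filter rules are evaluated against the original (pre-translation)
# addresses, so the pass rule matches the notebook's real address, not
# 192.168.2.232. Leaving the rule unbound to an interface lets it match
# the same packet on em0 (in) and em1 (out); the state it creates also
# carries the webserver's replies back without a second rule.
pass quick inet proto tcp from $notebook to $webserver port 443

# Management access to the firewall itself from the notebook.
pass in quick on $int_if inet proto tcp from $notebook to $int_if port 22

# Default deny, logged so anything unexpected shows up on pflog0.
block log quick all
```

    Before loading, `pfctl -nf /etc/pf.conf` parses the file without activating it; after `pfctl -f /etc/pf.conf`, `pfctl -s rules` should list the match rule on em1, and `pfctl -ss` should show a state for the 443 connection whose translated side is 192.168.2.232. On em1, `tcpdump -ni em1 port 443` should now show the SYN leaving with source 192.168.2.232, which is the observation that was missing in the original test.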