Src NAT using PF on OpenBSD 4.9 doesn't work

  • Stefan

    Stefan - 2011-05-16

    Hi All,

    I have done some testing using PF on OpenBSD 4.9.
    There were 2 tests:
    1. Without NAT (successful)
    2. With source NAT (not successful)

    The diagram is

    em0 is
    notebook is
    em1 is
    webserver is
    IP alias for NAT on em1 is
    IP forwarding in sysctl = 1

    FWBuilder version: (Windows version)
    Notebook's gateway is firewall internal IP:
    Firewall's gateway is webserver :
    Webserver's gateway is firewall external IP:

    I have tried to do a source NAT test to allow traffic from the notebook to the webserver so that the webserver sees the incoming traffic as coming from the NAT IP instead of the notebook's IP.

    Unfortunately it hasn't worked at all. I have tried to monitor the traffic using tcpdump on em1 (external interface), but no packets pass through em1 at all.

    Below is the rule of the scenario above using NAT:

    # Tables: (1)
    table <tbl.r0.d> { , , , }

    # Rule  0 (NAT)
    match out on em0 proto {tcp udp icmp} from to nat-to

    # Rule  backup ssh access rule
    #    backup ssh access rule
    pass in   quick inet proto tcp  from  to <tbl.r0.d> port 22  label "RULE -1 - ACCEPT " 
    # Rule  0 (em1)
    pass  log  quick on em1 inet proto tcp  from any  to any port 443 keep state  label "RULE 0 - ACCEPT " 
    # Rule  fallback rule
    #    fallback rule
    block  quick inet  from any  to any no state  label "RULE 10000 - DROP " 

    What else is missing or isn't configured correctly? There was no error when I reloaded the rules using pfctl -f /etc/pf.conf



  • Vadim Kurland

    Vadim Kurland - 2011-05-16

    In the rule

    match out on em0 proto {tcp udp icmp} from to nat-to

    it matches the wrong interface. What does the NAT rule look like in fwbuilder?

  • Stefan

    Stefan - 2011-05-16

    Hello Vadim,

    The rules I wrote in my question are what the firewall code viewer in fwbuilder shows.
    In fwbuilder, the NAT rule looks like this:

    Original Src: notebook
    Original Dst: webserver
    Original Srv: any
    Translated Src: notebooknat
    Translated Dst: original
    Translated Srv: original
    Interface: internal
    Action: translate

    internal: em0


  • Vadim Kurland

    Vadim Kurland - 2011-05-16

    try the other interface in the column "Interface"

  • Stefan

    Stefan - 2011-05-17

    I tried it, but it doesn't work.
    I have tried to create a ping test rule, pinging from em0 -> em1 and em1 -> em0, both without NAT, and it works perfectly.
    When I implement simple NAT, it doesn't work.


  • Stefan

    Stefan - 2011-05-17

    Hi Vadim,

    I modified the rules in the NAT and Policy sections:

    NAT rule:
    match out on em1 proto {tcp udp icmp} from to nat-to

    Policy Section:
    # allowing https traffic from notebook to webserver
    # Rule  1 (em1,em0)
    # Comment: I changed  to  as the  is already translated to  on em1,
    # then it will pass through the em1 interface to go to
    pass  log  quick on { em0 em1 } inet proto tcp  from  to port 443 keep state

    #    Deny all rule
    block  quick inet  from any  to any no state

    Unfortunately, it still doesn't work, which is strange.
    I was able to access the webserver over HTTPS from the notebook without the NAT rule, and pinging my notebook from the webserver also works perfectly; only the NAT portion fails.


  • Vadim Kurland

    Vadim Kurland - 2011-05-17

    You only need one policy rule matching source  and destination . Reply packets should be matched by the state created when the firewall sees the first packet of the TCP session. PF inspects packets on each interface, so if the policy rule you created is attached to em1, then you need another one on em0. You can create a policy rule associated with both interfaces, or even one not associated with any interface; this rule will work for both interfaces. In any case you should not need a rule to match packets coming from  to the notebook, nor do you need a rule to match

    How do you activate the firewall configuration on the firewall machine?

    About the  address: you said it is an alias address on em1. Did you configure it on the firewall? How did you configure it? You can let fwbuilder do it for you if you turn on the checkbox "configure interfaces on the firewall" in the "Script" tab of the firewall object settings dialog. Note that in this case you have to use the .fw script generated by fwbuilder to activate the firewall configuration.
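Editor's note, added to this thread and not part of any post above or of fwbuilder's generated output: the following is a complete pf.conf for the topology described in the thread, written the way Vadim's last reply recommends. It shows the two things the attempts above got wrong. First, with `match out on em1 ... nat-to`, the source address is rewritten only when the packet leaves em1; when the same packet enters on em0 it still carries the notebook's address, so a pass rule on em0 that matches the translated source (as in the second attempt) never fires and the fallback block drops the packet before it reaches em1, which is exactly what "no packets on em1" in tcpdump looks like. Second, the first attempt's pass rule was bound to em1 only, so the packet was blocked on em0 for the same reason. One stateful pass rule with no interface covers both passes through the firewall. All addresses below are assumptions from the RFC 5737 documentation ranges, since the thread's own addresses are not on the page; the alias for the NAT address is assumed to be configured on em1.

```pf
# Assumed addresses (RFC 5737 documentation ranges, not the thread's real ones).
int_if    = "em0"             # notebook side
ext_if    = "em1"             # webserver side
notebook  = "192.0.2.10"      # host behind em0
webserver = "198.51.100.20"   # host on the em1 side
nat_addr  = "198.51.100.5"    # alias configured on em1, e.g. in /etc/hostname.em1

set skip on lo

# Source NAT, OpenBSD 4.7+ syntax. 'match' only tags the packet with the
# translation; it still needs a 'pass' rule below to be allowed through.
# The rule is on the *outbound* side of em1 because that is where the
# notebook's address is replaced; on em0 the packet is still untranslated.
match out on $ext_if inet proto { tcp udp icmp } \
    from $notebook to $webserver nat-to $nat_addr

# One stateful rule, not bound to an interface: it matches the packet once
# when it enters on em0 (source = notebook) and once when it leaves on em1
# (the match rule above then rewrites the source to nat_addr and the state
# records both keys). Replies from webserver to nat_addr match that state,
# so no rule "from nat_addr to notebook" is needed or wanted.
pass quick inet proto tcp from $notebook to $webserver port 443

# Fallback. 'log' is added so a dropped packet shows up on pflog0 together
# with the interface it was dropped on, which is the quickest way to tell an
# em0 drop from an em1 drop.
block log quick inet from any to any
```

To use it: configure the alias on the firewall (for example a second line `inet alias 198.51.100.5 255.255.255.255 198.51.100.5` in /etc/hostname.em1, then `sh /etc/netstart em1`), check the syntax with `pfctl -vnf /etc/pf.conf` before loading, and load with `pfctl -f /etc/pf.conf`. With a connection from the notebook in flight, `pfctl -ss` should show two entries for it, one per interface, the em1 entry showing the nat_addr translation; `tcpdump -ni em1 host 198.51.100.5` should show the translated packets; and `tcpdump -nei pflog0` shows any drop together with the interface and rule number, which is the check to run first when "nothing appears on em1".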

