I am trying to configure one-to-one NAT for some duplicate subnets. I have tried very hard to figure out how this can be done with OpenBSD, but I haven't gotten it completely working yet.

First, I want to explain what I am trying to accomplish. I have a single public interface in rdomain 0, and then I will have many private interfaces, each in separate rdomains. Each of these private interfaces will have a high probability of having the same subnet, 192.168.64.0/24, and there will be multiple systems in each of the private rdomains, i.e. 192.168.64.2-5. I want to be able to address each system with a unique public IP, and I want each system to use the same public IP to get to external systems beyond its own private rdomain.

(<publicIP> below is replaced with the real public IP.)

What is currently working: I can successfully do a redirect from the public interface to the private host in a specific rdomain like this.

Client to server:

    match in log(all) on em0 to <publicIP> rdr-to 192.168.64.2 rtable 3020
    match out log(all) on em1 nat-to em1

Server to client or external system is broken:

    match in log(all) on em1 from 192.168.64.2 to !em1:network nat-to <publicIP> rtable 0
    match out log(all) on em0 received-on em1

Remember I want to NAT each system to a specific public IP in rdomain 0, so I have to base that decision on which rdomain it's coming from and what its private IP is, because there will be multiple systems in each rdomain. The syntax above was the only way I have found to make that nat statement match those conditions, given the limitations on multiple conditions once the packet was back in rdomain 0. If you wait until it's back in rdomain 0, then you have to be able to say something like:

    received-on em1 from 192.168.64.2 nat-to <publicIP> ...

I wasn't able to do a double condition like that in pf.conf.

This is what you see in tcpdump of pflog0, so it does in fact get NATed, the request is routed to the destination IP, and it responds with a response packet. The response packet never makes it back to the internal server though, because it doesn't use the rules that I would expect it to.

    ...rule 1/(match) [uid 0, pid 16504] pass in on em0: <external client> > <publicIP>: icmp: echo reply (id:fdbe seq:225) (ttl 64, id 29430, len 84)
    ...rule 3/(match) [uid 0, pid 16504] match in on em0: <external client> > <publicIP>: icmp: echo reply (id:fdbe seq:225) (ttl 64, id 29430, len 84)
    ...rule 1/(match) [uid 0, pid 16504] pass out on em0: <publicIP> > <external client>: icmp: time exceeded in-transit (ttl 255, id 10940, len 56, bad ck

That is not what I expect or what I need to happen. I need the response packet to pass using rule 2 so that it gets redirected back to the server where it came from.

If it's a new request started from a client or external system, then it does hit rule 2 and it does get redirected to the server. I realize this might be a complicated configuration, but I really need a true one-to-one NAT in both directions with multiple rdomains. I would love to use OpenBSD to solve this use case.

Rule dump:

    @0 block drop in on ! lo0 proto tcp from any to any port 6000:6010
      [ Skip steps: f=2 sa=5 da=2 sp=end ]
      [ queue: qname= qid=0 pqname= pqid=0 ]
    @1 pass log (all) all flags S/SA
      [ Skip steps: r=end p=end sa=5 sp=end dp=end ]
      [ queue: qname= qid=0 pqname= pqid=0 ]
    @2 match in log (all) on em0 inet from any to <publicIP> rtable 3020 rdr-to 192.168.64.2
      [ Skip steps: i=4 r=end p=end sa=5 sp=end dp=end ]
      [ queue: qname= qid=0 pqname= pqid=0 ]
    @3 match out log (all) on em0 all received-on em1
      [ Skip steps: d=5 r=end p=end sa=5 da=5 sp=end dp=end ]
      [ queue: qname= qid=0 pqname= pqid=0 ]
    @4 match out log (all) on em1 inet all nat-to 192.168.64.1
      [ Skip steps: i=end r=end f=end p=end sp=end dp=end ]
      [ queue: qname= qid=0 pqname= pqid=0 ]
    @5 match in log (all) on em1 inet from 192.168.64.2 to ! 192.168.64.0/24 rtable 0 nat-to <publicIP>
      [ Skip steps: i=end d=end r=end f=end p=end sa=end da=end sp=end dp=end ]
      [ queue: qname= qid=0 pqname= pqid=0 ]

pf.conf:

    pass log(all)
    match in log(all) on em0 to <publicIP> rdr-to 10.2.0.2 rtable 3020
    match out log(all) on em0 received-on em1
    match out log(all) on em1 nat-to em1
    match in log(all) on em1 from 192.168.64.2 to !em1:network nat-to <publicIP> rtable 0

Thank you for any advice, or if this is a bug then hopefully it can get resolved. I think this might be a bug, but I didn't want to call it a bug before I had other people look at this.

James Hunter
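The symptom in the post can be checked mechanically from the pflog0 capture: echo replies to the public IP that a match rule other than the rdr rule claimed, and "time exceeded" messages the firewall itself sends back to the client. The script below is an added example, not part of the post; it assumes tcpdump -n output shaped like the quoted lines and uses constructed RFC 5737 addresses in place of <external client> and <publicIP>.

```python
import re
from dataclasses import dataclass

# Regex for one pflog0 tcpdump line, modelled on the lines quoted in the post.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\(match\) \[uid \d+, pid \d+\] "
    r"(?P<action>pass|match|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): icmp: (?P<icmp>[^(]+)"
)

# Constructed sample: the post's three lines with placeholder hosts replaced.
EXTERNAL, PUBLIC = "203.0.113.10", "198.51.100.5"
SAMPLE = [
    f"rule 1/(match) [uid 0, pid 16504] pass in on em0: {EXTERNAL} > {PUBLIC}: "
    "icmp: echo reply (id:fdbe seq:225) (ttl 64, id 29430, len 84)",
    f"rule 3/(match) [uid 0, pid 16504] match in on em0: {EXTERNAL} > {PUBLIC}: "
    "icmp: echo reply (id:fdbe seq:225) (ttl 64, id 29430, len 84)",
    f"rule 1/(match) [uid 0, pid 16504] pass out on em0: {PUBLIC} > {EXTERNAL}: "
    "icmp: time exceeded in-transit (ttl 255, id 10940, len 56)",
]

@dataclass
class Finding:
    rule: int
    reason: str
    line: str

def parse(line):
    """Return the named fields of an ICMP pflog line, or None if it does not match."""
    m = PFLOG_RE.search(line)
    return m.groupdict() if m else None

def audit_replies(lines, public_ip, rdr_rule=2):
    """Flag echo replies entering em0 that a match rule other than the rdr rule
    claimed (so the reply is not rewritten toward the private host), and any
    'time exceeded' the firewall emits itself (the reply expired on the box)."""
    findings = []
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        rule, icmp = int(p["rule"]), p["icmp"].strip()
        if p["dir"] == "in" and p["dst"] == public_ip and icmp.startswith("echo reply"):
            if p["action"] == "match" and rule != rdr_rule:
                findings.append(Finding(rule, "echo reply matched a rule other than the rdr rule", line))
        elif p["dir"] == "out" and p["src"] == public_ip and icmp.startswith("time exceeded"):
            findings.append(Finding(rule, "firewall generated time exceeded toward client", line))
    return findings
```

Run it over a real capture with `tcpdump -n -e -ttt -i pflog0 icmp` piped to a file; a non-empty result for a reply that should have hit the rdr rule points at the reverse path rather than the forward rdr.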

