On Tue, 19 Jan 2016 09:14:08 +0100 "Peter N. M. Hansteen" <[email protected]> wrote:
> > [email protected] (zje.net.cn), 2016.01.19 (Tue) 03:37 (CET):
> > > Hi, I'm testing NAT with pf on OpenBSD 5.8, but I cannot
> > > make it successful. There is a server with pf having an internal IP
> > > 10.0.11.200 and external IP 61.xxx.xx.xx; then I make a pf.conf
> > > with contents like below (having enabled IP forwarding):
> > >
> > > #my define
> > > int_if = "de1" #10.0.11.200
> > > ext_if = "de2" #61.xxx.xx.xx
> > > int_net = "10.0.11.0/24"
> > > #my rules
> > > pass out on $ext_if inet from $int_if:network to any nat-to
> > > $ext_if
>
> if those rules are your entire ruleset, forwarding is enabled and all
> interfaces involved are correctly set up (not forgetting netmasks),
> this should just work.

Maybe I missed something, but what about:

pass in on $int_if from $int_if:network

> First, do
>
> ~$ sysctl net.inet.ip.forwarding
>
> if the response isn't exactly
>
> net.inet.ip.forwarding=1
>
> that's at least one of your problems.
>
> Next, check that both de1 and de2 are in fact configured and
> functional (as in, ifconfig output should include at least "UP" and
> "RUNNING"), check that you can ping the configured address on the
> gateway itself and from the client, check that netmasks match on both
> client and gateway, check the client's routing, and of course check
> that your pf.conf doesn't have one or more 'block' statements you
> haven't shown us.
>
> And as Marcus said earlier,
>
> > your lovely DOS box image shows that the connection is in SYN
> > state; I guess your client (10.0.11.19) just gets blocked when
> > entering the firewall via de1.
>
> This means that your client has a route for the target address that
> it considers valid; however, in that state it has yet to receive
> *anything* back from the intended target address. Going through the
> steps I outlined in the previous paragraph will tell you why that is
> so.
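
The checks the thread walks through (forwarding sysctl exactly 1, a nat-to rule on the external interface, and whether a 'block' rule would make the suggested 'pass in on $int_if' rule necessary) can be encoded as a small pre-flight script. The following is an added example written for this page; it is not code from the OpenBSD project or from anyone in the thread. It expands pf.conf macros the way pfctl does for the simple `name = "value"` form, classifies each rule heuristically (it ignores `quick` and last-match ordering), and relies on the fact that pf passes a packet that matches no rule at all. The pf.conf texts, the sysctl lines and the `block all` variant are constructed sample input; the poster's wrapped rule is rejoined on one line.

```python
"""Pre-flight checks for an OpenBSD pf NAT gateway ruleset.

Added example for this thread; it is not code from the OpenBSD project or
from anyone in the discussion. It expands pf.conf macros, classifies each
rule, and reports the things the replies ask the poster to verify: that
net.inet.ip.forwarding is exactly 1, that a 'pass out ... nat-to' rule
exists on the external interface, and that no 'block' rule can catch
traffic entering the internal interface without a matching 'pass in'.
All pf.conf texts and sysctl lines below are constructed sample input.
"""
import re

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')


def expand_macros(text):
    """Return (macros, rules) with comments stripped and $macros substituted.

    Raises ValueError for an undefined macro, the same class of mistake
    that makes 'pfctl -nf pf.conf' reject a file.
    """
    macros, rules = {}, []
    text = text.replace("\\\n", " ")  # pf.conf allows backslash-newline continuation
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue

        def subst(match):
            name = match.group(1)
            if name not in macros:
                raise ValueError(f"undefined macro ${name} in rule: {line}")
            return macros[name]

        rules.append(re.sub(r"\$(\w+)", subst, line))
    return macros, rules


def classify(rule):
    """Heuristic parse of one expanded rule (ignores 'quick' and match order)."""
    tokens = rule.split()
    info = {"action": tokens[0], "direction": None, "on": None, "nat_to": None, "text": rule}
    if len(tokens) > 1 and tokens[1] in ("in", "out"):
        info["direction"] = tokens[1]  # no direction means both directions
    if "on" in tokens:
        info["on"] = tokens[tokens.index("on") + 1]  # no 'on' means every interface
    if "nat-to" in tokens:
        info["nat_to"] = tokens[tokens.index("nat-to") + 1]
    return info


def check_gateway(pf_conf, sysctl_line, int_if, ext_if):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    if sysctl_line.strip() != "net.inet.ip.forwarding=1":
        findings.append(f"IP forwarding is not enabled: {sysctl_line.strip()}")

    rules = [classify(r) for r in expand_macros(pf_conf)[1]]
    if not any(r["action"] == "pass" and r["direction"] == "out"
               and r["on"] == ext_if and r["nat_to"] for r in rules):
        findings.append(f"no 'pass out on {ext_if} ... nat-to' rule found")

    # pf passes a packet that matches no rule at all, so the bare nat-to
    # ruleset needs no 'pass in'. Once some block rule can match traffic
    # entering the internal interface, a pass-in rule for it is required.
    def may_match_int_in(r):
        return r["on"] in (None, int_if) and r["direction"] in (None, "in")

    blocks = [r for r in rules if r["action"] == "block" and may_match_int_in(r)]
    passes = [r for r in rules if r["action"] == "pass" and may_match_int_in(r)]
    if blocks and not passes:
        findings.append(f"block rule {blocks[0]['text']!r} can match traffic entering "
                        f"{int_if} but there is no 'pass in on {int_if}' rule")
    return findings


# Constructed: the poster's ruleset, with the wrapped rule rejoined on one line.
POSTED_CONF = """\
#my define
int_if = "de1" #10.0.11.200
ext_if = "de2" #61.xxx.xx.xx
int_net = "10.0.11.0/24"
#my rules
pass out on $ext_if inet from $int_if:network to any nat-to $ext_if
"""

# Constructed: the same ruleset behind a default deny, which is where the
# 'pass in on $int_if' rule suggested in the thread becomes necessary.
BLOCKED_CONF = POSTED_CONF.replace("#my rules\n", "#my rules\nblock all\n")
FIXED_CONF = BLOCKED_CONF + "pass in on $int_if from $int_if:network\n"

if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("block all", BLOCKED_CONF), ("fixed", FIXED_CONF)):
        print(label, check_gateway(conf, "net.inet.ip.forwarding=1", "de1", "de2") or "ok")
    print("forwarding off", check_gateway(POSTED_CONF, "net.inet.ip.forwarding=0", "de1", "de2"))
```

On the gateway itself the two inputs would come from `sysctl net.inet.ip.forwarding` and the real `/etc/pf.conf`; the script deliberately takes them as strings so the logic can be exercised anywhere. It does not replace `pfctl -nf /etc/pf.conf` for syntax checking, and it says nothing about interface state or netmasks, which still need the ifconfig and ping checks from the reply above.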

