I already have NAT configured in pf.conf.

It's working well and all my clients are connected to the internet.

I need to tell OpenBSD how to route traffic when my clients try to access the subnet
10.100.0.0/26.

From OpenBSD I can access this network.

I think that when I add another NAT rule in pf something is missing. The NAT rule is
commented out and is marked with the tag MPLS.



I have this:

# ifconfig

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208

        groups: lo

        inet 127.0.0.1 netmask 0xff000000

        inet6 ::1 prefixlen 128

        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7

em0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500

        lladdr 00:11:25:7f:86:28

        media: Ethernet autoselect (none)

        status: no carrier

bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500

        lladdr 00:10:18:16:14:1b

        media: Ethernet autoselect (1000baseT full-duplex,master)

        status: active

        inet6 fe80::210:18ff:fe16:141b%bge0 prefixlen 64 scopeid 0x2

        inet 10.100.1.3 netmask 0xff000000 broadcast 255.255.255.192

bge1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500

        lladdr 00:10:18:16:0e:8a

        media: Ethernet autoselect (none)

        status: no carrier

xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500

        lladdr 00:0a:5e:63:7e:2e

        media: Ethernet autoselect (100baseTX full-duplex)

        status: active

        inet 10.10.100.254 netmask 0xffff0000 broadcast 10.10.255.255

        inet6 fe80::20a:5eff:fe63:7e2e%xl0 prefixlen 64 scopeid 0x4

xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500

        lladdr 00:0a:5e:63:7d:72

        groups: egress

        media: Ethernet autoselect (100baseTX full-duplex)

        status: active

        inet 200.162.41.XX netmask 0xfffffff8 broadcast 200.162.41.39

        inet6 fe80::20a:5eff:fe63:7d72%xl1 prefixlen 64 scopeid 0x5

enc0: flags=0<> mtu 1536

pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208

        groups: pflog

#





# cat /etc/pf.conf

# external interface (WAN)

ext_if="xl1"

# internal interface (LAN)

int_if="xl0"

# MPLS interface
# NOTE(review): $mpls_if is defined here but referenced by no rule below.
# The ifconfig output above shows bge0 as 10.100.1.3 netmask 0xff000000 (/8)
# with broadcast 255.255.255.192, which looks like a mis-set mask for a
# 10.100.0.0/26 network -- verify, since a /8 on bge0 also covers $lan
# (10.10.0.0/16, which lives on xl0) and makes routing toward 10.100.0.0/26
# ambiguous.

mpls_if ="bge0"

# default gateway (defined here but not referenced by any rule below)

gw="200.162.41.1"

############

# Macros

##########



#################

#1 - Redirection to the staging (homologation) environment

###############

ws_ip = "{ 10.10.100.21 }"

ws_ports = "{ 8101, 8102, 8103 }"



####################################

#2 - Useful macros

################################

lan = "{ 10.10.0.0/16 }"

rede_mpls  = "{ 10.100.0.0/26 }"

ip_admin = "{ 10.10.0.135 }"

portas_saida_tcp = " {25, 80, 110 }"

# defined but unused: the DNS rule below names port 53 directly
portas_saida_udp = " { 53 }"

portas_entrada_tcp = " { 22} "



#######

#options

set block-policy return

set loginterface $ext_if

set skip on lo

scrub in



# redirection for the LAN (transparent proxy on port 3128); NAT was also needed.
# (the next rule is split across two lines by mail wrapping; "port 3128" is its tail)

rdr pass on $int_if inet proto tcp from $lan to any port 80 -> $int_if port
3128

rdr pass on $ext_if inet proto tcp from any to $ext_if port $ws_ports ->
$ws_ip

# hairpin NAT so LAN clients reaching $ws_ip through the rdr above get replies back
nat on $int_if from any to $ws_ip -> $int_if



#################

##### NAT  ######

#################



# NAT giving the LAN access to the internet

nat on $ext_if from $lan to !($ext_if) -> $ext_if

# NOTE(review): the commented rule below is attached to $ext_if, but the
# 10.100.0.0/26 network sits behind bge0 ($mpls_if) per the ifconfig output,
# so traffic toward $rede_mpls presumably never leaves via $ext_if and this
# rule would not match. It also translates to 10.100.1.1, which is not an
# address this host holds (bge0 is 10.100.1.3), so replies would go elsewhere.
# Translation rules are evaluated first-match, so if it is re-enabled it has
# to come before the general rule above -- confirm.
#nat on $ext_if  from $lan to $rede_mpls -> 10.100.1.1   #MPLS



# block all inbound on the external interface (outbound is blocked further below)
# NOTE(review): no block rule covers $mpls_if/bge0, so pf's default pass applies
# to that interface -- confirm that is intended. Adding "log" here
# ("block in log on $ext_if") would make denied traffic visible on pflog0.

block in on $ext_if



# inbound rules



# allow everything in on the internal interface

pass in quick on $int_if proto udp from $lan to $int_if port 53

pass in quick on $int_if from $lan to any keep state



# allow inbound on the external interface
# NOTE(review): $portas_entrada_tcp is port 22 from "any"; consider restricting
# the source if the admin hosts are known.

pass in quick on $ext_if proto tcp from any to $ext_if port
$portas_entrada_tcp keep state

pass in quick on $ext_if proto tcp from any to $ext_if port $ws_ports keep
state



# outbound rules

antispoof quick for { lo $int_if }

pass out on $int_if keep state



#####

# deny all outbound traffic (on the external interface)

block out on $ext_if

# NOTE(review): on this pf version translation is applied before outbound
# filtering, so LAN packets NATed by the rule above arrive here with source
# $ext_if and match this rule; the port restriction and the admin exception
# below may therefore never be what actually permits LAN traffic -- check the
# rule counters with "pfctl -vsr".
pass out on $ext_if from $ext_if to any



pass out quick on $ext_if proto tcp from $lan to any port $portas_saida_tcp



# full outbound access for the administrators

pass out on $ext_if from $ip_admin to any

#











Dmesg:





# dmesg

OpenBSD 4.3 (CMT) #0: Wed Sep 24 09:52:31 BRT 2008

    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/CMT

cpu0: Intel(R) Pentium(R) 4 CPU 2.13GHz ("GenuineIntel" 686-class) 2.13 GHz

cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16,xTPR

real mem  = 1072697344 (1023MB)

avail mem = 1032876032 (985MB)

mainbus0 at root

bios0 at mainbus0: AT/286+ BIOS, date 06/16/05, BIOS32 rev. 0 @ 0xfd5b6,
SMBIOS rev. 2.33 @ 0x3ff77000 (46 entries)

bios0: vendor IBM version "-[KEE134AUS-1.34]-" date 06/16/2005

bios0: IBM CORPORATION -[84824RU]-

bios0: ROM list: 0xc0000/0x9000 0xc9000/0x1000 0xca000/0x1000 0xcb000/0x9c00
0xd5000/0x2000 0xd7000/0x2000 0xd9000/0x800 0xd9800/0x800

cpu0 at mainbus0

pci0 at mainbus0 bus 0: configuration mode 1 (no bios)

pchb0 at pci0 dev 0 function 0 "Intel 82875P Host" rev 0x02

ppb0 at pci0 dev 3 function 0 "Intel 82875P CSA" rev 0x02

pci1 at ppb0 bus 2

em0 at pci1 dev 1 function 0 "Intel PRO/1000CT (82547GI)" rev 0x00: irq 5,
address 00:11:25:7f:86:28

ppb1 at pci0 dev 28 function 0 "Intel 6300ESB PCIX" rev 0x02

pci2 at ppb1 bus 3

bge0 at pci2 dev 1 function 0 "Broadcom BCM5703 Alt" rev 0x10, BCM5703 B0
(0x1100): irq 11, address 00:10:18:16:14:1b

brgphy0 at bge0 phy 1: BCM5703 10/100/1000baseT PHY, rev. 3

bge1 at pci2 dev 2 function 0 "Broadcom BCM5703 Alt" rev 0x10, BCM5703 B0
(0x1100): irq 11, address 00:10:18:16:0e:8a

brgphy1 at bge1 phy 1: BCM5703 10/100/1000baseT PHY, rev. 3

ahd0 at pci2 dev 4 function 0 vendor "Adaptec", unknown product 0x808f rev
0x10: irq 11

ahd0: aic7901, U320 Wide Channel A, SCSI Id=7, PCI-X 50-66MHz, 512 SCBs

scsibus0 at ahd0: 16 targets

sd0 at scsibus0 targ 0 lun 0: <IBM-ESXS, VPR036W3-ETS10FN, S370> SCSI2
0/direct fixed

sd0: 34715MB, 34401 cyl, 3 head, 688 sec, 512 bytes/sec, 71096640 sec total

sd1 at scsibus0 targ 6 lun 0: <IBM-ESXS, VPR036W3-ETS10FN, S370> SCSI2
0/direct fixed

sd1: 34715MB, 34401 cyl, 3 head, 688 sec, 512 bytes/sec, 71096640 sec total

uhci0 at pci0 dev 29 function 0 "Intel 6300ESB USB" rev 0x02: irq 11

uhci1 at pci0 dev 29 function 1 "Intel 6300ESB USB" rev 0x02: irq 5

"Intel 6300ESB WDT" rev 0x02 at pci0 dev 29 function 4 not configured

"Intel 6300ESB APIC" rev 0x02 at pci0 dev 29 function 5 not configured

ehci0 at pci0 dev 29 function 7 "Intel 6300ESB USB" rev 0x02: irq 11

usb0 at ehci0: USB revision 2.0

uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1

ppb2 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0x0a

pci3 at ppb2 bus 4

vga0 at pci3 dev 2 function 0 "ATI Radeon VE QY" rev 0x00

wsdisplay0 at vga0 mux 1: console (80x25, vt100 emulation)

wsdisplay0: screen 1-5 added (80x25, vt100 emulation)

xl0 at pci3 dev 7 function 0 "3Com 3c905C 100Base-TX" rev 0x78: irq 5, address
00:0a:5e:63:7e:2e

exphy0 at xl0 phy 24: 3Com internal media interface

xl1 at pci3 dev 8 function 0 "3Com 3c905C 100Base-TX" rev 0x78: irq 11,
address 00:0a:5e:63:7d:72

exphy1 at xl1 phy 24: 3Com internal media interface

ichpcib0 at pci0 dev 31 function 0 "Intel 6300ESB LPC" rev 0x02: 24-bit timer
at 3579545Hz

pciide0 at pci0 dev 31 function 1 "Intel 6300ESB IDE" rev 0x02: DMA, channel 0
configured to compatibility, channel 1 configured to compatibility

atapiscsi0 at pciide0 channel 0 drive 0

scsibus1 at atapiscsi0: 2 targets

cd0 at scsibus1 targ 0 lun 0: <HL-DT-ST, DVD-RAM GSA-H58N, 1.01> SCSI0 5/cdrom
removable

cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2

pciide0: channel 1 disabled (no drives)

pciide1 at pci0 dev 31 function 2 "Intel 6300ESB SATA" rev 0x02: DMA, channel
0 configured to native-PCI, channel 1 configured to native-PCI

pciide1: using irq 5 for native-PCI interrupt

ichiic0 at pci0 dev 31 function 3 "Intel 6300ESB SMBus" rev 0x02: irq 5

iic0 at ichiic0

admtm0 at iic0 addr 0x2d: 47m192

adt0 at iic0 addr 0x2e: adm1027 rev 0x6a

spdmem0 at iic0 addr 0x50: 512MB DDR SDRAM ECC PC3200CL3.0

spdmem1 at iic0 addr 0x51: 512MB DDR SDRAM ECC PC3200CL3.0

usb1 at uhci0: USB revision 1.0

uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1

usb2 at uhci1: USB revision 1.0

uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1

isa0 at ichpcib0

isadma0 at isa0

pckbc0 at isa0 port 0x60/5

pckbd0 at pckbc0 (kbd slot)

pckbc0: using irq 1 for kbd slot

wskbd0 at pckbd0: console keyboard, using wsdisplay0

pcppi0 at isa0 port 0x61

spkr0 at pcppi0

midi0 at pcppi0: <PC speaker>

lpt0 at isa0 port 0x378/4 irq 7

npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16

pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo

pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo

fdc0 at isa0 port 0x3f0/6 irq 6 drq 2

fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec

biomask ff65 netmask ff65 ttymask ffe7

mtrr: Pentium Pro MTRR support

Kernelized RAIDframe activated

ahd0: target 0 synchronous with period = 0x8, offset =
0x7f(RDSTRM|DT|IU|RTI|QAS)

ahd0: target 6 synchronous with period = 0x8, offset =
0x7f(RDSTRM|DT|IU|RTI|QAS)

cd0(atapiscsi0:0:0): Check Condition (error 0x70) on opcode 0x0

    SENSE KEY: Not Ready

     ASC/ASCQ: Medium Not Present

softraid0 at root

root on sd0a swap on sd0b dump on sd0b

#


Thanks
