From: Anthony Schlemmer (aschlemm_at_attbi.com)
Date: Thu Jan 23 2003 - 13:35:53 CST
I can't help but notice that the IP address you've specified in your NAT
rule is different than the one specified on the xl0 interface. On xl0
you have 194.54.107.19 but in your NAT rule you have 194.54.107.17
instead.

When I've set up NAT rules for my gateway/firewall system I use the
external interface name in the NAT rules so I don't have to worry about
what the IP address is on the external interface. I would think you
would want the NAT rule to be:

nat on xl0 from 192.168.103.0/24 to any -> xl0

If the IP address changes on the xl0 interface because the address is
assigned via DHCP, then you would want to enclose the interface name in
parentheses so it is re-evaluated in case you ever get a different IP
address via DHCP:

nat on xl0 from 192.168.103.0/24 to any -> (xl0)
Tony
On Wednesday 22 January 2003 20:12 pm, Peter N. M. Hansteen wrote:
> After my old linux home gateway broke down over too many electrical
> horrors, I thought it was time to finally get that part of my home
> network into the OpenBSD fold. Only the gateway is stubbornly
> refusing to forward any packets!
>
> The setup is simple. xl0 is the outer interface, which shows up in
> dmesg as
>
> xl0 at pci0 dev 9 function 0 "3Com 3c905C 100Base-TX" rev 0x74: irq 9 address 00:04:76:22:e3:bc
> exphy0 at xl0 phy 24: Broadcom 3C905C internal PHY, rev. 6
>
> and ifconfig as
>
> xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> address: 00:04:76:22:e3:bc
> media: Ethernet autoselect (100baseTX full-duplex)
> status: active
> inet 194.54.107.19 netmask 0xfffffff8 broadcast 194.54.107.23
> inet6 fe80::204:76ff:fe22:e3bc%xl0 prefixlen 64 scopeid 0x1
>
> xl1 is the inner interface, dmesg shows
>
> xl1 at pci0 dev 10 function 0 "3Com 3c905B 100Base-TX" rev 0x30: irq 10 address 00:10:5a:86:18:2c
> exphy1 at xl1 phy 24: 3Com internal media interface
>
> and ifconfig
>
> xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> address: 00:10:5a:86:18:2c
> media: Ethernet autoselect (10baseT)
> status: active
> inet 192.168.103.1 netmask 0xffffff00 broadcast 192.168.103.255
> inet6 fe80::210:5aff:fe86:182c%xl1 prefixlen 64 scopeid 0x2
>
> My /etc/sysctl.conf has the requisite line
>
> net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of packets
>
> -- I restrict myself to the old-fashioned ipv4 for now, which leads
> me to the next piece of evidence, my /etc/pf.conf (yes, I have pf=YES
> in /etc/rc.conf) which has been reduced to
>
> nat on xl0 from 192.168.103.0/24 to any -> 194.54.107.17
>
> - but nothing gets through from anywhere on the inside to the outside
> world. I can ssh in to the gateway, and the gateway communicates with
> the outside world just fine. It's the gatewaying that for some reason
> just doesn't work. I'm convinced I've just overlooked something
> embarrassingly obvious here.
>
> pfctl -ss tells me typically (when tracerouting to a well-known web
> site in Norway):
>
> bash-2.05b# pfctl -ss
> tcp 192.168.103.1:22 <- 192.168.103.5:32772 ESTABLISHED:ESTABLISHED
> tcp 192.168.103.1:22 <- 192.168.103.5:32773 ESTABLISHED:ESTABLISHED
> udp 192.168.103.5:32768 -> 194.54.107.17:59105 -> 198.41.0.4:53 SINGLE:NO TRAFFIC
> udp 192.168.103.5:32768 -> 194.54.107.17:50471 -> 192.112.36.4:53 SINGLE:NO TRAFFIC
> udp 192.168.103.5:32768 -> 194.54.107.17:60193 -> 198.41.0.10:53 SINGLE:NO TRAFFIC
> udp 192.168.103.5:32768 -> 194.54.107.17:50258 -> 192.36.148.17:53 SINGLE:NO TRAFFIC
> udp 192.168.103.5:32768 -> 194.54.107.17:60529 -> 202.12.27.33:53 SINGLE:NO TRAFFIC
> udp 192.168.103.5:32768 -> 194.54.107.17:50521 -> 128.63.2.53:53 SINGLE:NO TRAFFIC
> udp 192.168.103.5:32768 -> 194.54.107.17:54656 -> 128.9.0.107:53 SINGLE:NO TRAFFIC
> udp 192.168.103.5:32768 -> 194.54.107.17:53618 -> 193.0.14.129:53 SINGLE:NO TRAFFIC
> udp 192.168.103.5:33952 -> 194.54.107.17:60548 -> 80.232.38.252:33508 SINGLE:NO TRAFFIC
> udp 192.168.103.5:33952 -> 194.54.107.17:64107 -> 80.232.38.252:33509 SINGLE:NO TRAFFIC
> udp 192.168.103.5:33952 -> 194.54.107.17:57785 -> 80.232.38.252:33510 SINGLE:NO TRAFFIC
> udp 192.168.103.5:33952 -> 194.54.107.17:53864 -> 80.232.38.252:33511 SINGLE:NO TRAFFIC
> udp 192.168.103.5:33952 -> 194.54.107.17:50879 -> 80.232.38.252:33512 SINGLE:NO TRAFFIC
> udp 192.168.103.5:33952 -> 194.54.107.17:58367 -> 80.232.38.252:33513 SINGLE:NO TRAFFIC
> udp 192.168.103.5:33952 -> 194.54.107.17:50271 -> 80.232.38.252:33514 SINGLE:NO TRAFFIC
> udp 192.168.103.5:33952 -> 194.54.107.17:64135 -> 80.232.38.252:33515 SINGLE:NO TRAFFIC
> udp 192.168.103.5:33952 -> 194.54.107.17:55843 -> 80.232.38.252:33516 SINGLE:NO TRAFFIC
> udp 192.168.103.5:33952 -> 194.54.107.17:59821 -> 80.232.38.252:33517 SINGLE:NO TRAFFIC
> udp 192.168.103.5:33952 -> 194.54.107.17:56775 -> 80.232.38.252:33518 SINGLE:NO TRAFFIC
> udp 192.168.103.5:33952 -> 194.54.107.17:56938 -> 80.232.38.252:33519 SINGLE:NO TRAFFIC
> udp 192.168.103.5:33952 -> 194.54.107.17:63271 -> 80.232.38.252:33520 SINGLE:NO TRAFFIC
> udp 192.168.103.5:33952 -> 194.54.107.17:64001 -> 80.232.38.252:33521 SINGLE:NO TRAFFIC
> udp 192.168.103.5:33952 -> 194.54.107.17:60890 -> 80.232.38.252:33522 SINGLE:NO TRAFFIC
> udp 192.168.103.5:33952 -> 194.54.107.17:62815 -> 80.232.38.252:33523 SINGLE:NO TRAFFIC
> udp 192.168.103.5:33952 -> 194.54.107.17:51581 -> 80.232.38.252:33524 SINGLE:NO TRAFFIC
>
> There must be a simple, obvious solution to this one.
>
> - P
--
Anthony Schlemmer
aschlemm_at_attbi.com
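The mismatch Tony points out (a literal translation address in the nat rule that is not the address configured on xl0, and a state table full of NO TRAFFIC entries for that address) is easy to catch mechanically before it costs an evening. The script below is an added example, not code from either poster: it parses pf.conf-style nat rules, ifconfig output and pfctl -ss state lines, flags any nat rule whose literal translation address is not configured on its interface, and counts states whose translated source is not a local address. The sample inputs are constructed from the values quoted in the thread; the regexes are written for the pf and ifconfig output formats shown above and are assumptions for other releases.

```python
"""Sanity-check pf NAT translation addresses against interface addresses.

Added example, not part of the original thread. Inputs below are
constructed from the values quoted in the thread.
"""
import ipaddress
import re

# Constructed sample: the reduced pf.conf from the original post.
PF_CONF = "nat on xl0 from 192.168.103.0/24 to any -> 194.54.107.17\n"

# Constructed sample: ifconfig output as quoted in the thread (trimmed).
IFCONFIG = """\
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 194.54.107.19 netmask 0xfffffff8 broadcast 194.54.107.23
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.103.1 netmask 0xffffff00 broadcast 192.168.103.255
"""

# Constructed sample: three of the pfctl -ss lines from the thread.
PFCTL_SS = """\
tcp 192.168.103.1:22 <- 192.168.103.5:32772 ESTABLISHED:ESTABLISHED
udp 192.168.103.5:32768 -> 194.54.107.17:59105 -> 198.41.0.4:53 SINGLE:NO TRAFFIC
udp 192.168.103.5:33952 -> 194.54.107.17:60548 -> 80.232.38.252:33508 SINGLE:NO TRAFFIC
"""

# Regexes assume the rule/output formats quoted in the thread.
NAT_RE = re.compile(r"^\s*nat\s+on\s+(\S+)\s+from\s+(\S+)\s+to\s+(\S+)\s+->\s+(\S+)")
IFACE_RE = re.compile(r"^(\w+):\s+flags=")
INET_RE = re.compile(r"^\s+inet\s+(\d+\.\d+\.\d+\.\d+)\s+netmask\s+(0x[0-9a-fA-F]+)")
# Only NAT'd states have two "->" segments: orig -> translated -> dest.
STATE_RE = re.compile(r"^(tcp|udp|icmp)\s+(\S+)\s+->\s+(\S+)\s+->\s+(\S+)\s+(\S+:.+)$")


def parse_ifconfig(text):
    """Map interface name -> list of IPv4 interface objects (addr/prefix)."""
    addrs, cur = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = m.group(1)
            addrs.setdefault(cur, [])
            continue
        m = INET_RE.match(line)
        if m and cur:
            prefix = bin(int(m.group(2), 16)).count("1")  # hex netmask -> prefix length
            addrs[cur].append(ipaddress.ip_interface(f"{m.group(1)}/{prefix}"))
    return addrs


def check_nat_rules(pf_conf, ifconfig_text):
    """Return [(rule, verdict, message)] with verdict in {ok, mismatch, skip}."""
    addrs = parse_ifconfig(ifconfig_text)
    results = []
    for line in pf_conf.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        iface, target = m.group(1), m.group(4)
        if target.strip("()") == iface:
            # "-> xl0" or "-> (xl0)": pf resolves the address itself.
            results.append((line, "ok", f"translation address follows {iface}"))
            continue
        try:
            tgt = ipaddress.ip_address(target)
        except ValueError:
            results.append((line, "skip", "macro/table target not checked"))
            continue
        local = addrs.get(iface, [])
        if any(tgt == i.ip for i in local):
            results.append((line, "ok", f"{tgt} is configured on {iface}"))
        else:
            hint = "on the subnet but" if any(tgt in i.network for i in local) else "not"
            results.append((line, "mismatch",
                            f"{tgt} is {hint} not configured on {iface}; "
                            f"replies will never reach this host. Use -> {iface} "
                            f"or -> ({iface}) if the address is dynamic."))
    return results


def stuck_states(pfctl_ss, ifconfig_text):
    """Return NAT states whose translated source is not a local address
    and which show NO TRAFFIC, i.e. the outbound packet left but nothing
    could ever come back to that address."""
    local_ips = {i.ip for ifs in parse_ifconfig(ifconfig_text).values() for i in ifs}
    stuck = []
    for line in pfctl_ss.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        _proto, _orig, xlat, dst, state = m.groups()
        xlat_ip = ipaddress.ip_address(xlat.rsplit(":", 1)[0])
        if xlat_ip not in local_ips and "NO TRAFFIC" in state:
            stuck.append((str(xlat_ip), dst))
    return stuck


if __name__ == "__main__":
    for rule, verdict, msg in check_nat_rules(PF_CONF, IFCONFIG):
        print(f"[{verdict}] {rule}\n    {msg}")
    bad = stuck_states(PFCTL_SS, IFCONFIG)
    print(f"{len(bad)} NAT state(s) translated to a non-local address with NO TRAFFIC")
```

Run it against the thread's values and the single nat rule is reported as a mismatch (194.54.107.17 sits in xl0's /29 but is not configured on it), and both UDP states are counted as stuck; swapping the rule's target for xl0 or (xl0) makes the check pass. On a real gateway you would feed it the output of `cat /etc/pf.conf`, `ifconfig` and `pfctl -ss` instead of the constructed strings.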