
Re: Network address rewriting



On Thu, Apr 01, 2004 at 04:19:24PM +0100, Joe Warren-Meeks wrote:
>                   ------------
>            fxp1   | OpenBSD  | fxp0
>         ----------|   3.4    |---------
>   10.21.21.2/24   |  i386    | 10.3.1.130/24
>                   ------------
> 
> Now, traffic arriving in on fxp0 going to 10.65.0.0/16 needs to have its
> destination address changed to 10.95.0.0/16 and its source address changed
> to 10.21.21.0/24 (where the host parts of the networks are the same as the
> original)
> 
> e.g. A packet arrives in on fxp0 destined to 10.65.1.4 coming from
> 10.88.1.8. This should leave fxp1 with the destination set to 10.95.1.4 and
> the source address of 10.21.21.8
First off, all translations (binat, rdr, nat) will only ever translate
one address (source or destination) per state created. You can't
translate both source and destination address with a single translating
state. If you have a recent -current (3.5), make sure to 'set
state-policy if-bound', otherwise you'll likely get state conflicts.

So, if you want to translate both addresses, you'll need two state
entries, one on each interface. Luckily, all the connections you
described do pass through both interfaces, so that shouldn't be a
problem.

You don't want to modify any ports, so if you use nat or rdr, make sure
to disable port translation:

  # 10.88.1.8 -> 10.65.1.4 (in fxp0, out fxp1) 10.21.21.8 -> 10.95.1.4
  rdr pass on fxp0 from any to 10.65.0.0/16 -> 10.95.0.0/16 bitmask
  nat pass on fxp1 from 10.88.0.0/16 -> 10.21.21.0/24 bitmask static-port

Note that when the packet translated by the rdr rule passes out on fxp1,
the destination address will already have been replaced, so we can't use
'to 10.65.0.0/16' in the nat rule. Tagging would be nice here (tag on
rdr rule works, but nat doesn't allow 'tagged' yet). So you'll have to
find some way to restrict the nat rule to only apply to the packets you
want ('exactly those that have been translated by the rdr rule' is
impossible to express right now; try source or destination address
restrictions, like I tried with 'from 10.88.0.0/16').

See pf.conf(5) about 'bitmask' (which does the 'replace the network
part, keep the host part') and static-port (which disables port
translation).

This would only cover connections from the fxp0 side to the fxp1 side
(and replies in the reverse direction, related to those connections).
You'd need a similar set of rdr/nat rules for the reverse direction.
With binat, you could try to combine both directions into one rule
(binat applies to incoming and outgoing connections, replacing the source
address for outgoing and the destination address for incoming connections).

I hope this gets you a little further. It's not exactly a trivial setup;
you'll have to test and debug. Run tcpdump on both interfaces and check
what translations occur. See pfctl -vvss output; you should see two
states (one on fxp0 and fxp1 each).

Daniel
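The setup Daniel describes, as an added example that is not part of the
original mail and not pf's own code: a small Python model of pf's
'bitmask' translation (network bits from the pool, host bits kept) and
of the two if-bound states it takes to rewrite both addresses (rdr on
fxp0, then nat on fxp1), including the reply path and the pitfall of
writing the nat rule with 'to 10.65.0.0/16'. The Rule and PfSim classes,
the function names and the per-interface state tables are assumptions of
this illustration, a deliberately simplified model of pf's behaviour
rather than its real state machinery.

```python
import ipaddress


def bitmask_translate(addr, pool):
    """pf's 'bitmask' pool option: network bits come from the pool address,
    host bits are kept from the original address.
    10.88.1.8 with pool 10.21.21.0/24 -> 10.21.21.8"""
    a = int(ipaddress.IPv4Address(addr))
    net = ipaddress.IPv4Network(pool)
    mask = int(net.netmask)
    host = a & (~mask & 0xFFFFFFFF)
    return str(ipaddress.IPv4Address(int(net.network_address) | host))


class Rule:
    """One rdr or nat rule (simplified model, not pf's own parser):
    rdr rewrites the destination address, nat rewrites the source."""

    def __init__(self, kind, iface, src, dst, pool):
        assert kind in ("rdr", "nat")
        self.kind, self.iface, self.pool = kind, iface, pool
        self.src = ipaddress.IPv4Network(src)
        self.dst = ipaddress.IPv4Network(dst)

    def matches(self, pkt):
        src, dst = pkt
        return (ipaddress.IPv4Address(src) in self.src
                and ipaddress.IPv4Address(dst) in self.dst)

    def apply(self, pkt):
        src, dst = pkt
        if self.kind == "rdr":
            return (src, bitmask_translate(dst, self.pool))
        return (bitmask_translate(src, self.pool), dst)


class PfSim:
    """Toy model of pf with 'set state-policy if-bound': one state table per
    interface, and each state translates exactly one address."""

    def __init__(self, rules):
        self.rules = rules
        self.states = {}

    def _table(self, iface):
        return self.states.setdefault(iface, {"fwd": {}, "rev": {}})

    def _translate(self, iface, kind, pkt):
        t = self._table(iface)
        if pkt in t["fwd"]:            # existing state: reuse it
            return t["fwd"][pkt]
        for r in self.rules:
            if r.kind == kind and r.iface == iface and r.matches(pkt):
                new = r.apply(pkt)
                t["fwd"][pkt] = new
                # reply direction: a packet from new dst to new src is mapped
                # back to the original dst/src
                t["rev"][(new[1], new[0])] = (pkt[1], pkt[0])
                return new
        return pkt                     # no matching rule: pass unchanged

    def forward(self, in_if, out_if, pkt):
        """New connection: rdr on the inbound interface first, then nat on
        the outbound one, creating one state on each interface."""
        pkt = self._translate(in_if, "rdr", pkt)
        return self._translate(out_if, "nat", pkt)

    def reply(self, in_if, out_if, pkt):
        """Reply packet: undo the nat state on its inbound interface, then
        the rdr state on its outbound interface."""
        pkt = self._table(in_if)["rev"].get(pkt, pkt)
        return self._table(out_if)["rev"].get(pkt, pkt)


def daniels_rules():
    """The two rules from the mail (ports left out of this model)."""
    return PfSim([
        Rule("rdr", "fxp0", "0.0.0.0/0", "10.65.0.0/16", "10.95.0.0/16"),
        Rule("nat", "fxp1", "10.88.0.0/16", "0.0.0.0/0", "10.21.21.0/24"),
    ])


def naive_rules():
    """The nat rule written 'to 10.65.0.0/16' never fires: by the time the
    packet reaches fxp1 the rdr state has already rewritten the destination."""
    return PfSim([
        Rule("rdr", "fxp0", "0.0.0.0/0", "10.65.0.0/16", "10.95.0.0/16"),
        Rule("nat", "fxp1", "0.0.0.0/0", "10.65.0.0/16", "10.21.21.0/24"),
    ])


if __name__ == "__main__":
    sim = daniels_rules()
    out = sim.forward("fxp0", "fxp1", ("10.88.1.8", "10.65.1.4"))
    back = sim.reply("fxp1", "fxp0", ("10.95.1.4", "10.21.21.8"))
    print("out fxp1:", out)          # ('10.21.21.8', '10.95.1.4')
    print("reply out fxp0:", back)   # ('10.65.1.4', '10.88.1.8')
    print("states per interface:", {k: len(v["fwd"]) for k, v in sim.states.items()})
    print("naive nat rule:", naive_rules().forward("fxp0", "fxp1", ("10.88.1.8", "10.65.1.4")))
```

The model keeps one state table per interface, which is what makes the
reply walk back through fxp1's nat state and then fxp0's rdr state in
turn; the naive_rules() variant shows why the 'to 10.65.0.0/16'
restriction on the nat rule leaves the source untouched.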