
Feasibility Inquiry - NAT'ing broadcast packets



Hi all,

I'm not sure if what I'm trying to accomplish is possible. Let me detail my network:

pf machine is OpenBSD/Sparc with 3 network interfaces

le1 interface routes to the outside world
le0 interface routes to the wired LAN (192.168.1.x)
le2 interface routes to the wireless AP (192.168.2.x)

Currently, I don't have the wireless hooked up -- I've taken the AP out of the loop so I can debug using an old machine connected straight to le2 {$wireless} on its own.

Obviously, I want to isolate the wireless from the internal network, restricting access to all but a few services (e.g. ssh).

I have NAT to the outside world and block all but the appropriate services from the wireless AP to the LAN. So far, so good.

However, my fileserver is on the LAN, and I want my wireless clients to be able to have iTunes autodiscover network-shared libraries on the fileserver. iTunes apparently uses Rendezvous/Zeroconf, and starts discovery by broadcasting UDP packets to 224.0.0.251:5353.

tcpdump -i le2 shows these packets arriving nicely at the router from $wireless.

The question is: is there any way to forward 224.0.0.x broadcast packets from one interface to another? I know, strictly speaking, this is a no-no. But I want pf sitting between the wireless AP and the LAN, yet I want autodiscovery to work transparently, as though they were the same network.

I presume I have to nat this traffic and rdr it, but since 224.0.0.1 is not technically routable, and not explicitly tied to any particular interface, I'm not sure how to do this, if it's possible at all.


TIA, JMF



internal = "{ le0, le2 }"
external = "le1"
wireless = "le2"
unsafe = "{ le1, le2 }"
safe = "le0"
nonroutable = "{ 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8,
0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3,
255.255.255.255/32 }"
routers = "{ 192.168.1.1, 192.168.2.1 }"


set optimization normal
set block-policy return

scrub in all
scrub out on $external random-id

altq on $external priq bandwidth 125Kb queue { highpri_q, default_q }
queue highpri_q priority 7
queue default_q priority 1 priq(default)

nat on $external from 192.168.1.0/24 to any -> $external
nat on $external from 192.168.2.0/24 to any -> $external

nat on $safe from 192.168.2.0/24 to 224.0.0.251 -> $safe
nat on $wireless from 192.168.1.0/24 to 224.0.0.251 -> $wireless

rdr pass on $external inet proto tcp to port 7777 -> 192.168.1.9 port 8888
rdr pass on $external inet proto tcp to port 16532 -> 192.168.1.9 port 8888


rdr pass on $safe proto udp from any to any port 5353 -> $wireless port 5353
rdr pass on $wireless proto udp from any to any port 5353 -> $safe port 5353


pass out quick on lo0 from any to any
pass in quick on lo0 from any to any

pass out quick on $safe from any to any
pass in quick on $safe from any to any

block in quick on $unsafe inet proto icmp from any to any icmp-type redir
block in quick on $external from $nonroutable to any
block out quick on $external from any to $nonroutable


pass in quick on $unsafe inet proto icmp from any to any icmp-type { \
    echorep, echoreq, timex, unreach }
block in quick on $unsafe inet proto icmp from any to any

pass out quick on $wireless inet proto tcp from any to any \
     flags S/SA keep state queue (default_q, highpri_q)

servicesw2wl = "{22}"
pass in quick on $wireless inet proto { tcp,udp } from any to any port $servicesw2wl \
flags S/SA keep state queue (default_q, highpri_q)


pass in quick on $wireless inet proto udp from any to 224.0.0.251 port 5353
pass in quick on $safe inet proto udp from any to 224.0.0.251 port 5353
pass in quick on $wireless from any to $routers
block in quick on $wireless from any to $nonroutable
pass in quick on $wireless from any to any


pass out quick on $external inet proto tcp from any to any \
     flags S/SA keep state queue (default_q, highpri_q)
pass out quick on $external inet proto udp all keep state
pass out quick on $external inet proto icmp from any to any keep state

block return-rst in quick on $unsafe inet proto tcp from any to any
block return-icmp in quick on $unsafe inet proto udp from any to any
block in quick on $unsafe all
block all

# (Yeah, the second-to-last line is redundant to the last. It's a remnant.)
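As an added example (not part of the original post or its pf.conf), the Python below builds the kind of mDNS PTR query a Rendezvous client multicasts to 224.0.0.251:5353 and parses captured datagrams, including compressed names as they appear in responses, so an admin can see exactly what the wireless side is asking for before deciding what, if anything, to relay across the pf boundary. The iTunes service type _daap._tcp.local is an assumption, not something the post states.

```python
# Added example (not the post's own code): build and parse the mDNS datagrams
# (RFC 6762) that Rendezvous/Zeroconf clients send to 224.0.0.251:5353.
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353  # as stated in the post
QTYPE_PTR, QCLASS_IN = 12, 1
DAAP_SERVICE = "_daap._tcp.local"  # assumed: iTunes library sharing service type

def encode_name(name):
    out = b""  # dotted name -> DNS label wire format (RFC 1035 s3.1)
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"

def build_mdns_query(service=DAAP_SERVICE, unicast_response=False):
    """One-question PTR query; ID is 0 for mDNS, QCLASS top bit asks for a
    unicast reply (RFC 6762 s5.4), which a stateful firewall can track."""
    qclass = QCLASS_IN | (0x8000 if unicast_response else 0)
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
    return header + encode_name(service) + struct.pack("!HH", QTYPE_PTR, qclass)

def decode_name(data, offset):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 s4.1.4)
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            end = offset + 2 if end is None else end
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (offset if end is None else end)
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def parse_mdns(datagram):
    """Header flags plus the question section of a captured mDNS datagram."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", datagram[:12])
    offset, questions = 12, []
    for _ in range(qd):
        name, offset = decode_name(datagram, offset)
        qtype, qclass = struct.unpack("!HH", datagram[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, bool(qclass & 0x8000)))
    return {"id": ident, "is_response": bool(flags & 0x8000), "questions": questions, "answers": an}
```

Feed parse_mdns the UDP payload of a packet captured on le2 (for example via tcpdump -w and a pcap reader) to list the service names being queried.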
