NAT – OpenBSD

I want to set up a LAN for experimental use in my office. However, under the security policy, only one MAC address (my laptop's) is authorised to connect to the wired network. Usually I fake the MAC on my desktop so that I can connect it to the network. Now I have several physical machines to connect to the network.

Here is the approach: I use one machine with two NICs as a gateway running NAT, so that all the other machines can reach the network through a switch and this machine.

Two interfaces in the gateway: re0, re1

Arrangement: re0 connects to the company network; re1 connects to the LAN

1. Set up re0

#ifconfig re0 lladdr xx:xx:xx:xx:xx:xx
#ifconfig re0 up
#dhclient re0

Or permanently, edit /etc/hostname.re0 and add the following lines:

lladdr xx:xx:xx:xx:xx:xx   # change MAC
dhcp                      # use DHCP to request IP

Comment: this configuration lets re0 connect to the corporate network when the system starts.

(When I rebooted the system, there was no DHCP reply to the DHCPDISCOVER sent on re0. Whatever I tried, it didn't work until I ran tcpdump at the same time. Finally I found the reason: before this experiment I had created a bridge between re0 and re1, and I did not destroy the bridge properly, so the issue above happened. So I created bridge0 again, added re0 and re1, brought the bridge up, and then removed re0 and re1 and destroyed the bridge, in that order.

If I run #tcpdump -e -i re0, re0 works well. If I run #tcpdump -p -e -i re0, re0 does not work. The -p flag means do not put the interface into promiscuous mode. So my guess is that re0 still uses its original MAC address to filter packets, so all packets sent to the fake MAC address are discarded, or it filters using the fake MAC address but sends packets using the original one.

That's all right: I always need to run tcpdump or another packet capture on this interface anyway. I leave this problem unsolved and move forward.

2. Start the dhcpd service on the gateway

Edit /etc/rc.conf to set dhcpd_flags=YES

3. Set re1 as the gateway of the LAN

Create /etc/hostname.re1 and add the following line:
inet 192.168.1.1 255.255.255.0 192.168.1.0

or use ifconfig for a temporary setting that takes effect immediately:
#ifconfig re1 192.168.1.1 netmask 255.255.255.0

4. Connect my laptop to the gateway at re1 and run dhclient. My laptop successfully gets the IP address 192.168.1.32.

5. Enable the ftp service on the gateway and test ftp from my laptop

Edit /etc/rc.conf and set inetd=YES,
edit /etc/inetd.conf and uncomment the ftp line.
For this to take effect immediately, run #/etc/rc.d/inetd restart

(Same problem here: I must run tcpdump on interface re1 so that it properly receives packets from my laptop.)

6. Enable IP forwarding (for forwarding between re0 and re1)
# sysctl net.inet.ip.forwarding=1

Error – sysctl: fourth level name forward in net.inet.ip.forward is invalid. I do not know what the exact reason is. I guess it may be because of my security level. Instead of fixing it, I edit /etc/rc.conf to enable it permanently. (I need to reboot the system.)

7. Set up NAT in pf (permanent configuration):
edit /etc/pf.conf and add the following line
pass out on re0 from re1:network to any nat-to (re0)

Save the file and run ‘#pfctl -s state’ to check the NAT state table
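The steps above touch five files spread over the procedure. The following script, added here as an example and not part of the original post, writes all of them into a staging directory so the result can be reviewed before it is copied onto the gateway. It assumes the post's layout: re0 facing the corporate network, re1 facing the LAN 192.168.1.0/24 with the gateway at 192.168.1.1, and a DHCP range starting at .32 (the address the laptop received). It adds a dhcpd.conf subnet declaration, which dhcpd needs before it answers, persists forwarding in /etc/sysctl.conf (the file OpenBSD's boot scripts read sysctl settings from; the post used rc.conf), and puts a default deny on the external side in front of the post's nat-to rule. Enabling dhcpd and inetd in rc.conf stays as in steps 2 and 5; the MAC address passed to the demo is a made-up value.

```shell
#!/bin/sh
# Added example (not from the original post): stage the gateway's persistent
# configuration for the NAT setup described above into a scratch directory
# rather than straight into /etc. Assumptions: external NIC re0, internal NIC
# re1, LAN 192.168.1.0/24 with the gateway at .1, leases handed out from .32.

# gen_gateway_config ROOT EXTIF INTIF LLADDR
#   ROOT   directory standing in for / (review it, then copy to the gateway)
#   EXTIF  interface facing the corporate network
#   INTIF  interface facing the LAN
#   LLADDR MAC address to set on EXTIF (the post's xx:xx:xx:xx:xx:xx)
gen_gateway_config() {
    root=$1 ext=$2 int=$3 mac=$4
    mkdir -p "$root/etc" || return 1

    # Step 1: external NIC sets its MAC, then requests a lease.
    printf 'lladdr %s\ndhcp\n' "$mac" > "$root/etc/hostname.$ext"

    # Step 3: internal NIC is the LAN gateway. NONE lets the kernel derive
    # the broadcast address (192.168.1.255) instead of spelling it out.
    printf 'inet 192.168.1.1 255.255.255.0 NONE\n' > "$root/etc/hostname.$int"

    # Step 2: dhcpd only answers on a subnet it has a declaration for.
    cat > "$root/etc/dhcpd.conf" <<EOF
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    range 192.168.1.32 192.168.1.127;
}
EOF

    # Step 6: /etc/sysctl.conf is applied at boot, so forwarding survives reboots.
    printf 'net.inet.ip.forwarding=1\n' > "$root/etc/sysctl.conf"

    # Step 7: default deny from the corporate side, then the post's nat-to rule.
    # pf uses the last matching rule, so the nat-to line comes last and wins
    # for LAN-originated traffic leaving EXTIF.
    cat > "$root/etc/pf.conf" <<EOF
ext_if = "$ext"
int_if = "$int"
set skip on lo
block in on \$ext_if
pass out on \$ext_if
pass on \$int_if
pass out on \$ext_if from \$int_if:network to any nat-to (\$ext_if)
EOF
}

# check_gateway_config ROOT EXTIF INTIF
# Returns 0 when every file exists and carries the settings the setup depends
# on; prints each missing piece otherwise.
check_gateway_config() {
    root=$1 ext=$2 int=$3 rc=0
    for f in hostname.$ext hostname.$int dhcpd.conf sysctl.conf pf.conf; do
        [ -f "$root/etc/$f" ] || { echo "missing $root/etc/$f"; rc=1; }
    done
    grep -q '^dhcp$' "$root/etc/hostname.$ext" 2>/dev/null \
        || { echo "hostname.$ext does not request DHCP"; rc=1; }
    grep -q '^net.inet.ip.forwarding=1$' "$root/etc/sysctl.conf" 2>/dev/null \
        || { echo "IP forwarding not enabled"; rc=1; }
    grep -q 'nat-to (\$ext_if)' "$root/etc/pf.conf" 2>/dev/null \
        || { echo "pf.conf has no nat-to rule"; rc=1; }
    return $rc
}

# Stand-alone demo: stage into a scratch directory with a made-up MAC and validate.
stage=${TMPDIR:-/tmp}/nat-stage.$$
gen_gateway_config "$stage" re0 re1 00:11:22:33:44:55
check_gateway_config "$stage" re0 re1 && echo "staged config OK in $stage"
```

On the gateway, after copying the staged files into /etc, `pfctl -nf /etc/pf.conf` checks the rule set for syntax errors and `pfctl -f /etc/pf.conf` loads it without a reboot.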

8. Then I successfully ping 173.194.73.174 from my laptop (192.168.1.32). 173.194.73.174 is an IP address of google.com; I use the IP directly since I haven't set up any DNS server.
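A ping that succeeds shows that forwarding works, but not that the LAN addresses were actually rewritten on the way out; the state table from step 7 shows that. The script below, added here as an example and not part of the original post, reads a `pfctl -s state` dump and separates translated entries from LAN flows that left re0 untranslated. It assumes the OpenBSD state-line layout in which a rewritten source appears first and the original source follows in parentheses; the dump it ships with is constructed (one flow is deliberately left untranslated to show the failure case), and on the real gateway it is replaced by the live output.

```shell
#!/bin/sh
# Added example (not from the original post): audit a 'pfctl -s state' dump
# for the NAT setup above. Assumed line layout (OpenBSD pf): when a source
# has been rewritten the translated address is printed first and the
# original follows in parentheses; an untranslated entry has no parentheses.

# sample_states: constructed dump standing in for 'pfctl -s state'. Two
# entries are translated, one LAN flow reached re0 untranslated (a NAT gap),
# and one is plain LAN-side traffic to the gateway's ftp service.
sample_states() {
    cat <<'EOF'
re0 tcp 10.20.30.40:54321 (192.168.1.32:49152) -> 173.194.73.174:80       ESTABLISHED:ESTABLISHED
re0 icmp 10.20.30.40:11 (192.168.1.32:11) -> 173.194.73.174:11       0:0
re0 udp 192.168.1.32:5353 -> 10.20.30.1:53       MULTIPLE:MULTIPLE
re1 tcp 192.168.1.32:49153 -> 192.168.1.1:21       ESTABLISHED:ESTABLISHED
EOF
}

# nat_states FILE EXTIF: entries on EXTIF whose source was rewritten.
nat_states() {
    awk -v ifc="$2" '$1 == ifc && $4 ~ /^\(/' "$1"
}

# untranslated_lan FILE EXTIF LANPREFIX: entries on EXTIF whose visible source
# still carries a LAN address, i.e. traffic that escaped the nat-to rule.
untranslated_lan() {
    awk -v ifc="$2" -v lan="$3" \
        '$1 == ifc && index($3, lan) == 1 && $4 !~ /^\(/' "$1"
}

# count_lines: number of lines on stdin, printed without padding.
count_lines() { awk 'END { print NR }'; }

# nat_verdict FILE EXTIF LANPREFIX: prints a one-line summary and returns 0
# only when translation is observed and no LAN address leaks out untranslated.
nat_verdict() {
    n=$(nat_states "$1" "$2" | count_lines)
    leak=$(untranslated_lan "$1" "$2" "$3" | count_lines)
    echo "$n translated, $leak untranslated LAN flow(s) on $2"
    [ "$n" -gt 0 ] && [ "$leak" -eq 0 ]
}

# Stand-alone demo on the constructed dump. On the gateway use instead:
#   pfctl -s state > "$dump"
dump=${TMPDIR:-/tmp}/pfstate.$$
sample_states > "$dump"
nat_verdict "$dump" re0 192.168.1. || echo "NAT is not covering all LAN traffic:"
untranslated_lan "$dump" re0 192.168.1.
```

An untranslated LAN flow on re0 is worth chasing even when the ping works: the corporate side sees a private address it has no route back to, and the flow silently fails rather than being translated.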
