NetBSD-Users archive


Re: NPF single NIC & NAT



On Sun, Jun 26, 2016 at 04:30:30PM +0000, Ryan Brackenbury wrote:
> I'm having difficulty redirecting some traffic on my home network, from a 
> server with a single nic.
> 
> Here's the situation: I have a wifi/gateway router which forwards all 
> traffic from my external IP to a NetBSD server on my internal network. The 
> server has a single NIC, but I have a second server also on my internal 
> network I'd like to offload some of the services onto. For specific 
> reasons, I don't want to do the 'proper' way and change the gateway 
> router's rules, and instead I want to redirect the packets via the NetBSD 
> server and NPF.

I recently rebuilt my home network and do exactly this. Coincidentally I
just finished writing/posting it yesterday.

http://erig.me/blog/201606261300/My-Home-Network.html

> I've added some map rules in my npf.conf, but they don't seem to work. 
> Traffic tries to connect, but hangs waiting for return packets, and 
> eventually times out. Npfctl shows the NAT allocations occurring, but they 
> later get destroyed. Changing the IP address of the dest server to 
> localhost does in fact pass traffic, so I'm a bit confused why this other 
> way isn't working.
> 
> I know that with PF, you cannot reflect packets out the same interface, is 
> that what's preventing me from doing this with NPF also?
> 
> My npf.conf:
> 
> # Wonderful basic config!
> $ext_if = "ale0"
> $localnet = { 192.168.0.0/24 }
> $irc_server = { 192.168.0.3 }
> $ext_ipaddr = { 192.168.0.2 }
> # My persistent block tables
> table <blacklist> type tree file "/etc/npf_blacklist"
> group "external" on $ext_if {
>     block in final from <blacklist>
>     pass all
> }

Just a warning: You're allowing _all_ traffic to hit your NetBSD box.
Probably better to do something like

	pass stateful out final all

	block in all
	pass stateful in proto tcp to inet4($ext_if) port 6667
	pass in ... 
	pass in ...

The above blocks all incoming traffic with some exception for your port
6667 service. The "stateful" keyword on the outgoing will track TCP
connections and allow them to pass in the reverse (incoming) direction.
This is probably what's biting you. Also good to put this on your
incoming pass filters for the same reason.

> group default {
>     pass final on lo0 all
>     block all
> }
> map $ext_if static $irc_server port 6667 <- $ext_ipaddr port 6667
> 
> Hopefully someone can shed some light on what I'm doing wrong - and 
> hopefully there is a way to do this that doesn't require a second NIC.

It is possible that NPF won't let you redirect out the same interface
(I don't know). But try the above first. If that fails, then you can try
using VLANs.

Good luck.
E.
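As an added example, not the file either poster actually used: the rules E. sketches above, written out as a complete npf.conf that reuses the original poster's variables, blacklist table and map rule. The interface name and addresses are the ones quoted in the question, the map line is taken from the question unchanged (whether it works with a single NIC is the open point of the thread), and `$ext_ipaddr` is used in place of `inet4($ext_if)` simply because the question already defines it.

```conf
# Added example: E.'s suggested filter rules combined with the original
# poster's variables, table and map rule.  Not either poster's real file;
# interface name and addresses are the ones quoted in the question.
$ext_if = "ale0"
$localnet = { 192.168.0.0/24 }
$irc_server = { 192.168.0.3 }
$ext_ipaddr = { 192.168.0.2 }

# Persistent block table, loaded from a file (as in the original config).
table <blacklist> type tree file "/etc/npf_blacklist"

# Port-forward 6667 to the IRC server (the original poster's map rule, unchanged).
map $ext_if static $irc_server port 6667 <- $ext_ipaddr port 6667

group "external" on $ext_if {
	# Outbound: allow everything, but track connection state so that
	# replies are let back in without a separate inbound rule.
	pass stateful out final all

	# Inbound: drop blacklisted sources first, then deny by default
	# instead of the original "pass all".
	block in final from <blacklist>
	block in all

	# Explicit, stateful exceptions.  Only the forwarded IRC port is
	# listed here; add one "pass stateful in final ..." line per service.
	pass stateful in final proto tcp to $ext_ipaddr port 6667
}

group default {
	pass final on lo0 all
	block all
}
```

Rule order matters: with "final" on the pass line, the first match wins, so the explicit exceptions sit after the default block and still take effect. Reload with `npfctl reload` and check the tracked connections with `npfctl list` if the forwarded session still times out.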

