I am trying to set up an OpenBSD 3.3 -release (screw the patches just get it working right now) NAT router/gateway. I have 2 NICs' in it, dc0, and ne3. ne3 will be connected to the LAN (hub), and dc0 will be connected to the WAN (Cable modem). I have uncommented net.inet.ip.forwarding in /etc/sysctl.conf, and I have the following pf.conf:

[code:1:b900b52f3d]# I <3 variables
ext_if = "dc0"
int_if = "ne3"
interior_net="192.168.0.0/24"
external_addr="10.0.0.0"

# I <3 tables

table <rfc1918> const { 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }

set timeout interval 10
set timeout frag 30
set block-policy drop
set loginterface dc0

nat on $ext_if from $interior_net to any -> ($ext_if)

scrub in all

block in log all


pass in on $ext_if proto tcp from $ext_if to any port 23 keep state #allow all incoming port 23 connections


block out on $ext_if from any to <rfc1918> #don't allow any packets to from rfc 1918 adresses to make it out of $ext_if


pass out on $ext_if proto { tcp udp } <rfc1918> keep state #allow my network to connect out[/code:1:b900b52f3d]

Any problems so far? My major question is, what else should I do (do I need to modify my pf.conf?)?

My hostname.dc0 and hostname.ne3 are the same and I know they shouldn't be... They both say

"inet 192.168.0.1 255.255.255.0 NONE media 10baseT"

What should they say? Thanks for everything.

try:

nat on $ext_if from 192.168.0.0/24 to any -> $ext_if

Also try this pass lines:

pass out on $external inet proto tcp all flags S/SA keep state
pass out on $external inet proto udp all keep state
pass out on $external inet proto icmp all keep state

I've also had trouble with using "block log all". Might give this a try:

block log on $ext_if all

I'll try those, although I'm having problems at boot-up with the NICs' trying to take the same IP, should I make the NIC connected to the WAN my external IP adress?

nope. Just make it 192.168.100.1 or something. Try to keep in the same Class C mask to make it easier on yourself.

That didn't work, or my extern IP or whatever I tried. I changed my pf.conf to save me trouble incase that was it to just pass in all pass out all, and lo' and behold, I had a faulty line and local LAN starts working, WAN still not going OUT, I am still getting DoSed by my ISPs' ARP packets but I can't go out, I have that NAT line that you said I should have, should I have some route in my routing table? 192.168.100.1 is my cable modems IP and dc0's IP is whatever you want it to be :)

dc0 goes to your cable modem, correct? How do you normally get an ip from your cable modem? I get one via dhcp, so my hostname file for that if is:
dhcp NONE NONE NONE

Yes, dc0 is straight to the cable modem, IP external or IP internal? All internal adresses on my network are static. External is pretty much static (I don't think it's changed in 8+ months....)

Thread moved to firewall forum.