# Pf+nat+lan



## manti (Sep 10, 2011)

Hello, I have a problem ;P
Please help:

PF + NAT + LAN(WINDOWS OS)

rc.conf:


```
#ethernet
ifconfig_rl0="inet WAN  netmask 255.255.255.248"
ifconfig_rl1="inet 192.168.20.1 netmask 255.255.255.0"
dhcpd_enable="YES"
dhcpd_flags="-q"        # command option(s)
dhcpd_conf="/usr/local/etc/dhcpd.conf"  # configuration file
dhcpd_ifaces="rl1"      # ethernet interface(s)
dhcpd_withumask="022"   # file creation mask
defaultrouter="WAN"
hostname="domena.pl"
gateway_enable="YES"

#PF
pf_enable="YES"                 # Enable PF (load module if required)
pf_rules="/etc/pf.conf"         # rules definition file for pf
pf_flags=""                     # additional flags for pfctl startup
pflog_enable="YES"              # start pflogd(8)
pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
pflog_flags=""

#gateway_enable="YES"
ipnat_enable="YES"
ipnat_program="/sbin/ipnat"
ipnat_rules="/etc/ipnat.rules"
ipnat_flags=""
```

dhcpd.conf


```
option domain-name "domena.pl";
option domain-name-servers 194.204.152.34, 194.204.159.1, 192.168.20.1;
default-lease-time 86400;
max-lease-time 86400;
ddns-update-style none;
authoritative;
log-facility local7;
subnet 192.168.20.0 netmask 255.255.255.0 {
  range 192.168.20.240 192.168.20.254;
  option routers 192.168.20.1;
  option subnet-mask 255.255.255.0;
  option domain-name-servers 194.204.152.34, 194.204.159.1, 192.168.20.1;
  option broadcast-address 192.168.20.255;
  default-lease-time 86400;
  max-lease-time 86400;
}
```

pf.conf

```
ext_if  = "rl0"
ext_if2 = "rl1"
int_if="rl1"
int_ip="192.168.20.1"
int_net="{ 192.168.20.0/24 }"

# table containing all IP addresses assigned to the firewall
table <firewall> const { self }

#nat
rdr on $int_if proto { tcp udp } from any to { 194.204.152.34, 194.204.159.1, 192.168.20.1 } port 53 -> 127.0.0.1
nat on $ext_if from $int_net to any -> $ext_if
```

sysctl.conf

```
net.inet.ip.forwarding=1
```

Windows: (LAN)

```
cmd>ipconfig /renew
ipconfig /all

IP: 192.168.20.242
GATEWAY: 192.168.20.1
NETMASK: 255.255.255.0
DNS: 192.168.20.1
194.204.152.34
194.204.159.1 
Server DHCP: 192.168.20.1
WINS: 192.168.20.1
```
And there is no Internet in the LAN... and I do not know why.
Please help.


----------



## kisscool-fr (Sep 10, 2011)

I see different things which can cause problems.

The first one: you have set your hostname to just the domain name; you've forgotten the host name. So the hostname line in your rc.conf file should look like this:


```
hostname="host.domena.pl"
```

Then you have ipnat enabled. PF is able to do NAT directly, so ipnat is not necessary. And from what I can see you have NAT rules in pf, so you can disable ipnat.

The important thing is to enable IP forwarding in your rc.conf file. You have disabled it. So change


```
#gateway_enable="YES"
```
to

```
gateway_enable="YES"
```
and reboot.

Do you have a DNS server on your gateway? If so, you can put in your dhcpd.conf:


```
option domain-name-servers 192.168.20.1;
```

From what you posted, the Windows config reported a WINS server. Did you enter it manually? Because there is nothing in the dhcpd config about it.

Tell us if it helps.


----------



## CoTones (Sep 10, 2011)

Hmm, no "pass log all" rule in pf.conf?


----------



## manti (Sep 11, 2011)

OK:


```
hostname="host.domena.pl"
```


```
gateway_enable="YES"
```


```
option domain-name-servers 192.168.20.1;
```

pf.conf


```
ext_if  = "rl0"
ext_if2 = "rl1"
int_if="rl1"
int_ip="192.168.20.1"
int_net="{ 192.168.20.0/24 }"

# table containing all IP addresses assigned to the firewall
table <firewall> const { self }

#nat
rdr on $int_if proto { tcp udp } from any to { 194.204.152.34, 194.204.159.1, 192.168.20.1 } port 53 -> 127.0.0.1
nat on $ext_if from $int_net to any -> $ext_if

table <badhosts> persist
block on $ext_if from <badhosts> to any
set skip on lo0
block all

block in quick from urpf-failed

set skip on lo0
antispoof for $ext_if

pass quick on lo0 all
pass out on $ext_if proto { tcp udp icmp } all modulate state
pass out on $ext_if2 proto { tcp udp icmp } all modulate state
pass quick on { $ext_if2 $ext_if } inet proto tcp from any port 67:68 to any port 67:68 keep state flags S/SA
pass quick on { $ext_if2 $ext_if } inet proto udp from any port 67:68 to any port 67:68 keep state
pass in on $ext_if2 proto {tcp,udp} from any to any port 67 keep state
pass out on $ext_if2 proto {tcp,udp} from any to any port 67 keep state
pass in on $ext_if proto {tcp,udp} from any to any port 67 keep state
pass out on $ext_if proto {tcp,udp} from any to any port 67 keep state
pass in on $ext_if proto { tcp, udp } from any to $ext_if port { 53, 953 } keep state #dns
pass in on $ext_if proto { tcp, udp } from any to $ext_if port {80,443,500} keep state #www
pass in on $ext_if proto { tcp, udp } from any to $ext_if port 22 keep state #ssh
pass in on $ext_if proto { tcp, udp } from any to $ext_if port 22 keep state queue int_ftp #ssh
pass in on $ext_if proto { tcp, udp } from any to $ext_if port 443 keep state #ssh ssl
pass in on $ext_if proto { tcp, udp } from any to $ext_if port 443 keep state queue int_ftp #ssh
pass in on $ext_if proto { tcp, udp } from any to $ext_if port 614 keep state #ssh ssl
pass in on $ext_if proto { tcp, udp } from any to $ext_if port 614 keep state queue int_ftp #ssh ssl
pass in on $ext_if proto { tcp, udp } from any to $ext_if port 8080 keep state #ssh ssl
pass in on $ext_if proto { tcp, udp } from any to $ext_if port 8080 keep state queue int_ftp #ssh
pass in on $ext_if2 proto { tcp, udp } from any to $ext_if port 8080 keep state #ssh ssl
pass in on $ext_if2 proto { tcp, udp } from any to $ext_if port 8080 keep state queue int_ftp #ssh
pass in on $ext_if proto tcp from any to any port { 20, 21 } keep state
pass in on $ext_if proto tcp from any to any port { 110, 995, 465,143 } keep state 
pass in on $ext_if proto tcp from any to any port 25 keep state 
pass in on $ext_if proto tcp from any to any port >5000 keep state #ftp
pass in on $ext_if proto tcp from any to any port 113 flags S/FSRA keep state
pass in on $ext_if proto tcp from any to any port 113 flags S/FSRA keep state
```


----------



## CoTones (Sep 11, 2011)

For testing purposes disable "antispoof" and "urpf-failed" rules and for all blocking rules add logging. Then check logs.
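
As an added example (not code from the thread): a small Python linter for rulesets shaped like the pf.conf posted above, covering the two things the replies point at. It expands the macros, flags `block` rules that carry no `log` (so the logging test suggested here would leave nothing in pflog), and flags a `nat on` rule whose ruleset has no inbound pass rule on the inside interface, which with `block all` in place is what drops LAN packets on rl1 before they ever reach the NAT on rl0. The sample ruleset is constructed, and `parse_pf_conf`, `on_ifaces` and `lint_pf_conf` are this example's own names.

```python
import re

# Constructed pf.conf excerpt shaped like the one posted in the thread (not the full file).
SAMPLE_PF_CONF = """\
ext_if  = "rl0"
int_if="rl1"
int_net="{ 192.168.20.0/24 }"
nat on $ext_if from $int_net to any -> $ext_if
set skip on lo0
block all
pass quick on lo0 all
pass out on $ext_if proto { tcp udp icmp } all modulate state
pass in on $int_if proto {tcp,udp} from any to any port 67 keep state
"""
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')

def parse_pf_conf(text):
    # Drop comments and blank lines, record macros, expand them into every later rule line.
    macros, rules = {}, []
    for line in filter(None, (raw.split("#", 1)[0].strip() for raw in text.splitlines())):
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        for name, value in sorted(macros.items(), key=lambda kv: -len(kv[0])):
            line = line.replace("$" + name, value)  # longest names first: $ext_if2 before $ext_if
        rules.append(line)
    return rules

def on_ifaces(rule):
    # Interfaces named in the rule's 'on' clause: 'on rl1' or 'on { rl1 rl0 }'.
    m = re.search(r"\bon\s+(\{[^}]*\}|\S+)", rule)
    return set(re.findall(r"[\w.]+", m.group(1))) if m else set()

def lint_pf_conf(text):
    # Findings as strings; an empty list means none of the checked problems were seen.
    rules, findings = parse_pf_conf(text), []
    for r in rules:
        # 'block' without 'log' writes nothing to pflog, so the test CoTones suggests shows nothing.
        if r.startswith("block") and not re.search(r"\blog\b", r.split(" from ")[0]):
            findings.append("block rule without log: " + r)
    for nat in (r for r in rules if r.startswith("nat on ")):
        ext = on_ifaces(nat)
        # LAN packets hit 'block all' on the inside interface first; only an inbound (or
        # direction-less) pass rule not tied to one port lets them reach the NAT at all.
        admits = [p for p in rules if p.startswith("pass") and " out " not in p
                  and " port " not in p and (not on_ifaces(p) or on_ifaces(p) - ext - {"lo0"})]
        if not admits:
            findings.append("no inbound pass rule on the LAN side for: " + nat)
    return findings
```

Running `lint_pf_conf(SAMPLE_PF_CONF)` reports the unlogged `block all` and the missing LAN-side pass rule; adding `pass in on $int_if from $int_net to any keep state` and changing `block all` to `block log all` clears both findings.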


----------



## manti (Sep 22, 2011)

CoTones said:

> For testing purposes disable "antispoof" and "urpf-failed" rules and for all blocking rules add logging. Then check logs.



I changed to the IPFW firewall + NAT and it works.
But I haven't checked it yet...


----------

