Long question about firewall/routing
Hi, all.
I haven't been able to find archives of the mailing list, so this may be a
common question. If so, I'm sorry about that. I did try to check.
I've got an OpenBSD machine set up as a firewall. It has two network
cards in it, sis0 and sis1, and they're working fine. sis0 is set to an
192.168.0 address, and sis1 is set to one of the addresses given to me by
my ISP, which are in the 63.205.237 range. Less than a class C, but
having a label for them may make my descriptions clearer.
The excellent FAQ helped me get ipf and ipnat running, and I am quite
pleased with the ease with which that was done. All of our workstations have been
able to do anything we asked, right away, and that was completely unlike
any other NAT installation I'd ever done. That part has been great.
However, we now want to put some machines up that have permanent addresses
that can be seen from the Internet, yet are behind the firewall and can
take advantage of its excellent filtering. I have yet to be able to make
this work.
My first thought was to set the new machine up with a 192.168 address, and
use NAT to let the outside world see it, with a bimap entry in ipnat.rules
and an IP alias on the NIC with the Internet address. From the outside,
this seemed to work fine; the services on that machine were all available
from its external address. However, from our 192.168 network, that
machine wasn't visible as a 63.205.237 address. Apparently, NAT doesn't
happen from any interface, just over the 63.205.237 one. The machine is
visible to us on its 192.168.0 address, but using its web server from
that address is quite difficult, as the DNS lists the 63.205.237 address,
and all the URLs are wrong.
I tried adding entries to ipnat.rules to make it do the NAT for both
interfaces, and was unable to make that happen.
If there is a way to do this, then I believe this is the solution I would
prefer to use.
The ipf.rules allowed all the right protocols, and the ipnat.rules was set
up this way:
# Allow the outside world to see this one machine
bimap sis1 192.168.0.183/32 -> 63.205.237.183/32
# Allow all our internal machines to go out
map sis1 192.168.0.0/28 -> 63.205.237.162/32 proxy port ftp ftp/tcp
map sis1 192.168.0.0/28 -> 63.205.237.162/32 portmap tcp/udp 10000:60000
map sis1 192.168.0.0/28 -> 63.205.237.162/32
When I was unable to make this work, I tried to find another way, that
didn't use NAT. I turned it off, and set both machines up differently.
I also have been trying to set up static routes for the machine. I put it
on the 192.168.0 side of the firewall, but with a 63.205.237 address. This
server runs Linux, and I added a static route:
route add -host 192.168.0.xxx 63.205.237.xxx
On the OpenBSD firewall, I added a static route back:
route add -host 63.204.237.xxx 192.168.0.xxx
The route commands seemed to work. I tried pinging from one machine to
the other, though, and could get no response. tcpdump shows the
63.204.237.xxx machine's echo request on both it, and on the firewall, but
no replies are sent. My firewall rules allow ICMP, and I can ping
elsewhere just fine, even through NAT.
OpenBSD begins to log messages, too:
Apr 1 12:43:17 muspell /bsd: arplookup: unable to enter address for 63.205.237.xxx
Apr 1 12:43:17 muspell /bsd: arpresolve: can't allocate llinfo
It seems to be unable to install the arp entry for the static routed
machine. I don't know why it wouldn't be able to.
Can anybody suggest what I might be doing wrong, or another way to allow
access to a machine through the firewall?
I've been messing with this on and off for a week now, and have no other
ideas on how I might get what I need to work. Thank you for any
suggestions you can give. I hope I haven't confused everybody terribly
with this long message.
--
Louis Erickson - wwonko@rdwarf.com - http://www.rdwarf.com/~wwonko/
Old soldiers never die. Young ones do.
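The ipnat rules in the message above are all bound to sis1, and ipnat only consults rules bound to the interface a packet is crossing, which is the behaviour the poster observed ("NAT doesn't happen from any interface, just over the 63.205.237 one"). The following added example, which is not the poster's code and not part of ipnat, reads the four rule lines from the message and reports which rule, if any, would rewrite a given packet. The packet addresses (192.168.0.5, 198.51.100.7), the direction model, the tiny proxy-port table and the `translate` helper are all assumptions made for this illustration; real ipnat also tracks state, ports and rule options that are deliberately left out here.

```python
"""Minimal reader for the 'map' and 'bimap' lines of an ipnat.rules file.
Added example, not the original post's code and not ipnat itself.  It models
one property only: a rule translates packets solely on the interface it names,
so a LAN host arriving on sis0 never hits a sis1 bimap."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The rules quoted in the message, embedded here as the sample input.
SAMPLE_RULES = """\
# Allow the outside world to see this one machine
bimap sis1 192.168.0.183/32 -> 63.205.237.183/32
# Allow all our internal machines to go out
map sis1 192.168.0.0/28 -> 63.205.237.162/32 proxy port ftp ftp/tcp
map sis1 192.168.0.0/28 -> 63.205.237.162/32 portmap tcp/udp 10000:60000
map sis1 192.168.0.0/28 -> 63.205.237.162/32
"""

# Constructed lookup for the one proxy service the sample uses (assumption).
PROXY_PORTS = {"ftp": 21}


@dataclass
class Rule:
    kind: str                       # "map" (one-way) or "bimap" (bidirectional)
    iface: str                      # interface the rule is bound to
    internal: ipaddress.IPv4Network
    external: ipaddress.IPv4Network
    extra: str                      # trailing options, kept verbatim


def parse_rules(text: str) -> list:
    """Parse map/bimap lines; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("map", "bimap") or parts[3] != "->":
            raise ValueError(f"unsupported ipnat line: {line}")
        rules.append(Rule(parts[0], parts[1],
                          ipaddress.ip_network(parts[2], strict=False),
                          ipaddress.ip_network(parts[4], strict=False),
                          " ".join(parts[5:])))
    return rules


def _proxy_port(rule: Rule) -> Optional[int]:
    """Port a 'proxy port <svc>' rule is restricted to, or None."""
    words = rule.extra.split()
    if len(words) >= 3 and words[0] == "proxy" and words[1] == "port":
        return PROXY_PORTS.get(words[2])
    return None


def translate(rules, iface, direction, src, dst, dport):
    """Return (rule_index, new_src, new_dst) for the first rule that would
    rewrite the packet, or None.  direction is 'out' (leaving iface) or 'in'
    (arriving on iface).  ipnat uses first-match ordering for NAT rules."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if r.iface != iface:
            continue                      # rule is bound to another interface
        port = _proxy_port(r)
        if port is not None and dport != port:
            continue                      # proxy rule only covers its service
        if direction == "out" and src_ip in r.internal:
            return (i, str(r.external.network_address), str(dst_ip))
        if direction == "in" and r.kind == "bimap" and dst_ip in r.external:
            return (i, str(src_ip), str(r.internal.network_address))
    return None


def lan_client_to_alias():
    """A LAN workstation (constructed 192.168.0.5) talks to the server's public
    alias; the packet enters on sis0, where no rule is bound, so nothing is
    translated.  This is the symptom described in the message."""
    return translate(parse_rules(SAMPLE_RULES), "sis0", "in",
                     "192.168.0.5", "63.205.237.183", 80)


def internet_client_to_alias():
    """The same request from a constructed Internet address arriving on sis1
    does hit the bimap and is redirected to 192.168.0.183."""
    return translate(parse_rules(SAMPLE_RULES), "sis1", "in",
                     "198.51.100.7", "63.205.237.183", 80)


if __name__ == "__main__":
    print("from LAN via sis0:     ", lan_client_to_alias())
    print("from Internet via sis1:", internet_client_to_alias())
```

Running it prints `None` for the LAN case and a hit on rule 0 for the Internet case, which matches the poster's observation that the bimap works from outside but not from the 192.168.0 side. The reader is intentionally strict: any line that is not a plain `map` or `bimap` raises, so unexpected keywords surface instead of being silently ignored.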