OpenBSD pf NAT question

[imnoboist]

I'm confused about how NAT is working. I currently have the following line:
match out on $ext_if from !(egress:network) to any nat-to $default_out

Which works. $default_out is one of the static IP addresses assigned to $ext_if.

However, I have certain systems that I want to go out of a different IP address (I have five statics). I tried this:
match out on $ext_if from 172.16.111.1 to any nat-to $static2

where $static2 is a different static address. After loading the ruleset, when I browse with 172.16.111.1, when I google "ip" it shows the address from $default_out.

I've tried adding the quick keyword to the $static2 NAT and moving it above the $default_out NAT but no beans.

Why isn't this working?

Is there another way I can NAT specific internal addresses to external addresses other than $default_out?

TIA

[ocicat]

Quote:

Originally Posted by imnoboist

I'm confused about how NAT is working.

Welcome!

It would help if the following would be provided:

$ sysctl kern.version

...as there is no information about what version of OpenBSD is used. pf(4) has gone through significant changes in the last several releases, so knowing what version you are using is important.

[imnoboist]

You got it:

# sysctl kern.version
kern.version=OpenBSD 5.1 (GENERIC.MP) #207: Sun Feb 12 09:42:14 MST 2012
deraadt@amd64.openbsd.org:/usr/src/s...ile/GENERIC.MP

[jggimi]

I will hazard a guess that it is the use of match that is the problem. From pf.conf(5):

Code:

     match
           The packet is matched.  This mechanism is used to provide fine
           grained filtering without altering the block/pass state of a
           packet.  match rules differ from block and pass rules in that
           parameters are set every time a packet matches the rule, not only
           on the last matching rule.  For the following parameters, this
           means that the parameter effectively becomes ``sticky'' until
           explicitly overridden: nat-to, binat-to, rdr-to, queue, rtable, and
           scrub.

It is on pass where you can apply last-matching-rule-wins.

[imnoboist]

I'm not sure I understand. Are you saying I need to use pass rules instead of match?

[jggimi]

Yes, if I've understood the problem correctly. Let's see if I understand:

• You wish to have a general-case NAT rule in place for $default_out. If so, leave that match rule as-is.
• For specific traffic you wish to use other translated addresses, such as $static2. If so, for that traffic, do not use a match rule. Instead, use nat-to on the specific pass rules. From the NAT chapter of the PF User's Guide (highlight mine):

Code:

pass
    This rule allows the packet to be transmitted. If the packet was
    previously matched by a match rule where parameters were specified,
    they will be applied to this packet.  pass rules may have their own
    parameters; these take priority over parameters specified in a 
    match rule.

[imnoboist]

That did it! pass rule worked! Thanks!

[jggimi]

Great! Thank you for letting us know!

(This was a SWAG on my part as I've not had a need for this capability. Correct documentation really helps.)