pf not reading proper IP address

[bbzz]

My pf configuration file has:

nat on $ext_if from any to any  -> ($ext_if)

However, even though I specified parenthesis over $ext_if, it still doesn't get updated after DHCP request on that interface, which requires manual pf restart to read new IP.

What am I missing?

 

[bbzz]

Anyone got an idea? How to make pf update $ext_if with IP address change?

 

[_martin]

Strange. I don't use NAT over DHCP interface but for the sake of test I did create it my LAB.

It's working for me though; both manual and DHCP IP change works transparently for a NAT client.

I'm using pass in my NAT clause but this should not be a problem here.

nat pass on $ext_if from any to any -> ($ext_if)

I'm using default pass on all interfaces.

 

[aragon]

Anyone got an idea? How to make pf update $ext_if with IP address change?

Create a /etc/dhclient-enter-hooks or /etc/dhclient-exit-hooks script that updates PF's rules when the IP address is renewed.

See dhclient-script(8).

 

[bbzz]

I guess I'll have to do that then.

 

[wblock@]

Two things:

First: I don't see why IP address should matter. ext_if is an interface name, not an IP address.

Second:

nat on $ext_if from any to any  -> ($ext_if)

From any? It should be from anything internal, $int_if or $int_net.

 

[bbzz]

$ext_if is macro for IP address. pf reads IP address from macro when it reads from configuration file. The problem is that it should update address when it changes.
It's very weird that it doesn't, in my case.

In pf terminology NAT happens only outbound on interface. By saying "any" (or not saying anything) it will translate any internal IP coming from any LAN.

 

[wblock@]

$ext_if is supposed to be the external interface name, like em0. Although pf might translate that to an IP address when the rules are read, and that would explain the problem.

If this a problem of the firewall starting before the external address is assigned, SYNCDHCP should solve that.

 

[bbzz]

$ext_if is read correctly by pf, the problem is it doesn't get updated. This should work (with both interface name or alias for interface name), as stated in OpenBSD pf handbook; I shouldn't be running any additional updating method.

Thanks for helping.

 

[wblock@]

But the interface name doesn't change. If pf acts on that rule literally, it should NAT packets going out the external interface regardless of the address of that interface. If your rules file sets ext_if to an IP address, that could be the problem.

 

[kisscool-fr]

what is the value for your $ext_if macro ?

 

[_martin]

From any? It should be from anything internal, $int_if or $int_net.

Agreed that in real-world situation one should use either IP range or specify interface(s), but this should not be a showstopper here. any is just a wildcard.

@bbzz: I expect you have an egress (internet facing) ext_if macro set to interface name, e.g. em0.

 

[bbzz]

ext_if = "vge1"

Specifying "any" is legit because pf only applies that NAT rule to outgoing connections. By saying "any" I'm saying to firewall to NAT any and all internal LANs (there are 4) to external IP. Specifying specific cards or LAN doesn't make any difference.

 

[wblock@]

Okay, so pf "resolves" the interface name to an IP address when the rules are read. Later, DHCP hands out a new address, but pf is still using the old one. Restarting pf causes the rules to be interpreted again, getting the new IP address. Maybe define the nat rule as an anchor so it can be reloaded separately?

 

[kpa]

Two things:

First: I don't see why IP address should matter. ext_if is an interface name, not an IP address.

Second:

nat on $ext_if from any to any  -> ($ext_if)

From any? It should be from anything internal, $int_if or $int_net.

Nat rules are applied only to traffic leaving out an interface so usually there's no harm in saying "from any to any" in a simple set up with just one external interface with one ip address. Whatever leaves out via ext_if should have the address assigned to ext_if as source address anyway.