I fail to configure Pf of OpenBSD gateway

Question

I have an OpenBSD server that I want to use as a gateway. OBSD server has the following interfaces -

em5 (130...** ext.IP with internet connectivity)
em0 (internal IP - 172.16.0.0/17)

My default gateway is 130...1 and is accessible via ping.

The goal is to NAT traffic between 172.16.0.0/17 and 130...** networks so that clients with an 172.16.* IP address will be able to access the internet.

route command shows gateway is set properly.

ns1# route show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio    Iface
default            130.**.**.1      UGS        4     5293     -     8 em5

I'm able to access internet from this OpenBSD server.

Now, forwarding is enabled on OBSD.

ns1# sysctl -a|grep forwarding
net.inet.ip.forwarding=1

pf has the following configuration.

ext = "em5"
priv = "em0"
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16     \
               172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
               192.168.0.0/16 198.18.0.0/15 198.51.100.0/24        \
               203.0.113.0/24 }

set block-policy drop
set loginterface egress
set skip on lo0
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
antispoof quick for { egress $ext $priv}
#block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
block all
pass out quick inet
pass in on { $ext $priv} inet
pass in proto tcp to port 22 keep state

This setup which used to work before stopped working after a few changes that I have reverted already. I'm struggling to figure out what is stopping this NAT traffic.

OpenBSD is able to talk to internet.

Nodes in private network can talk to each other just fine.

But, nodes are unable to access internet.

How can I troubleshoot this?

I have tried the following and failed so far:

Reboot OBSD server
disable pf, try and then re-enable it.
waited a few hours after cable shuffling thinking it is some cache that blocks new entries.
added another public interface in a different n/w and changed default gateway to that one.

All of the above failed to get internet access to the internal network.

Anyone has any ideas what might be going on here?

More info: pfctl -sr turns up blank.

ns1# pfctl -sr
ns1#

UPDATE: @chuckx's request for pfctl -sr prompted me to make pf re-read its config file, and now it seems to do its job, and traffic forwarding works!

Can you share the output of `pfctl -sr`? – chuckx Sep 19 '19 at 05:17 — chuckx, Sep 19 '19 at 05:17
@chuckx pfctl -sr turns up nothing... ns1# pfctl -sr ns1# – Aravindh Sathish Sep 19 '19 at 08:30 — Aravindh Sathish, Sep 19 '19 at 08:30

I fail to configure Pf of OpenBSD gateway

0 Answers0