nat gateway for small office network

Tonight i replace old FreeBSD based NAT gateway to OpenBSD based NAT gateway and firewall. This short note about pf configuration.

I use Celeron 500 with two network cards (vr0 and vr1). Here is configuration steps:

1. buy more beer and pizza!
2. install openbsd
3. set net.inet.ip.forwarding value to “1”. add string net.inet.ip.forwarding=1 to /etc/sysctl.conf file
4. activate pf. add pf=YES line to /etc/rc.conf.local file
5. let’s edit /etc/pf.conf file
   1. macros

      ext_if="vr0"
      int_if="vr1"

   2. options

      set block-policy return
      set loginterface $ext_if
      set skip on lo

   3. scrub

      scrub in

   4. network address translation

      nat on $ext_if from !($ext_if) to any -> ($ext_if)

   5. filter

      block in
      pass out keep state
      antispoof quick for { lo $int_if }
      pass quick on $int_if

6. load config file. pfctl -f /etc/pf.conf
7. check pf configuration. pfctl -f /etc/pf.conf

…and read “The OpenBSD Packet Filter”.

process..