Routing/Bridging without NAT
dave
October 26th, 2003, 20:26
This has had me stumped for the last few days, as I still can't figure out whether or not my boss is asking me to complete a task that cannot be done. At the moment he's asking me to set up a "route" between two of our internal networks here. We have one network sitting on the 192.168.2 C-class and another on the 192.168.3. The gateway for the .2 network is 192.168.2.1 and is not my machine to play with, and has a mask of 255.255.255.0. Until now I have been using an OpenBSD 3.3 box to perform NAT and pf functions between these two networks, with the internal interface being 192.168.3.1 and the external 192.168.2.254, using ipforwarding and NAT. He wants to keep the two network segments separate but to allow traffic to flow between the two freely using what he deems "routing", while still being able to access the internet through the .2 network. I still fail to understand how to achieve such a thing under OpenBSD, and have already had a look down the transparent bridging path without any luck, as I still don't grasp how I will be able to get internet access through the .3 network without using NAT.
Any solutions / help / comments will be greatly appreciated ;)
- dave
snajd
October 27th, 2003, 08:27
I don't see what the problem is. The thing you describe sounds just like ordinary IP-routing.
1. You need to enable ip routing (guess you've already done this if you are using NAT at the moment).
2. You need to pass traffic between the two internal interfaces.
3. You need to set up two NAT rules in pf.conf, i.e.:

```
nat on $ext_if inet from 192.168.3.0/24 to any -> $ext_if
nat on $ext_if inet from 192.168.2.0/24 to any -> $ext_if
```

4. You need to have the ip of the OpenBSD-machine as gateway on all client computers
5. You need to have 192.168.2.1 as default gateway on the OpenBSD-machine
dave
October 27th, 2003, 18:41
I think in the end that's what the boss was trying to get me to do. I had set it up with NAT; however, he didn't want the excess 64 or so bits of data attached to each packet that was going external. Due to this being an internal gateway from one network to the next, which then has the internet connection gateway on it, we were NATting twice. Instead I've decided to make a transparent bridge with the box, changing the subnet mask on the external router to 255.255.252.0 to allow the 192.168.3 network to be able to communicate with it instead of the 192.168.2 network only. The box has three NICs in it, so I'll leave two of them without IP addresses and give the third an IP for remote access.
Thanks for this, I'll see how I go this morning =)
- dave
elmore
October 28th, 2003, 11:28
Why not just set up a bridge (brconfig) and set that up forwarding packets? You have, for example:
192.168.1.0/24 with a gateway of 192.168.1.1
192.168.2.0/24 with a gateway of 192.168.2.1
Computer 192.168.2.1 obviously has two interfaces, one in the 192.168.2 subnet and one in the 192.168.1 subnet. Its default gateway should be 192.168.1.1.
On the box with the 192.168.1.1 address, which I'm assuming is the default gateway for internet traffic, all that needs to be done is to add a route to the 192.168.1 interface of the bridge for return traffic.
Assuming you have a working bridge, then you'd have something like this:

```
Internet---pubIP/192.168.1.1---InternalNet---192.168.1.2/192.168.2.1---secondnet
```

Then just add this to the main gateway:

```
route add 192.168.2.0/24 192.168.1.2
```

and traffic should flow just fine. This is what I do on my home net to separate my wireless net. No NAT required. Not that the way you have it set up now won't work, because that works quite well too.
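As an added illustration (not configuration from the thread), a small Python simulation of the routed, NAT-free topology elmore describes: longest-prefix lookups over constructed routing tables show why the main gateway needs the static route for return traffic to the .2 network, and where the reply goes without it. The ISP next hop ("isp") and the client address 192.168.2.50 are placeholders.

```python
import ipaddress

# Constructed routing tables for: Internet---pubIP/192.168.1.1---InternalNet---192.168.1.2/192.168.2.1---secondnet
# Each entry is (prefix, next_hop, interface); next_hop None means the prefix is directly attached.
MIDDLE_BOX = [                                    # 192.168.1.2 / 192.168.2.1: IP forwarding on, no NAT
    ("192.168.1.0/24", None, "int1"),
    ("192.168.2.0/24", None, "int2"),
    ("0.0.0.0/0", "192.168.1.1", "int1"),         # default gateway is the main gateway
]
GATEWAY_BEFORE = [                                # main gateway 192.168.1.1 before the static route
    ("192.168.1.0/24", None, "int0"),
    ("0.0.0.0/0", "isp", "ext0"),                 # placeholder ISP next hop (constructed)
]
GATEWAY_AFTER = GATEWAY_BEFORE + [("192.168.2.0/24", "192.168.1.2", "int0")]  # route add 192.168.2.0/24 192.168.1.2

def lookup(table, dst):
    """Longest-prefix match; returns (next_hop, iface) or None when no route covers dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop, iface)
    return None if best is None else (best[1], best[2])

def trace(nodes, start, dst):
    """Follow a packet hop by hop until it is delivered locally, leaves to a hop we do not model, or is dropped."""
    path, here = [start], start
    while True:
        r = lookup(nodes[here], dst)
        if r is None:
            return path + ["dropped: no route"]
        hop, iface = r
        if hop is None:
            return path + [f"delivered on {iface}"]
        if hop not in nodes:
            return path + [f"sent to {hop} via {iface}"]
        path.append(hop)
        here = hop

def reply_path(static_route):
    """Path of the main gateway's reply to a .2 host, with or without the static route on the gateway."""
    nodes = {"192.168.1.1": GATEWAY_AFTER if static_route else GATEWAY_BEFORE, "192.168.1.2": MIDDLE_BOX}
    return trace(nodes, "192.168.1.1", "192.168.2.50")

if __name__ == "__main__":
    print(reply_path(False))   # reply follows the default route toward the ISP and never reaches the .2 host
    print(reply_path(True))    # reply is handed to 192.168.1.2, which delivers it on its .2 interface
```

Because the middle box does not NAT, the main gateway's logs show the real .2 source addresses, which the double-NAT setup in the earlier posts would have hidden behind 192.168.1.2.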
dave
October 28th, 2003, 17:41
Cheers for that elmore, I think I'll actually adopt your method as opposed to mine, as my boss doesn't know what he wants ;PP
Seems like a viable change that might make him happy =)
- dave