Current-Users archive


Travel router part 2A - NAT



On 2018-09-02 09:34 AM, D'Arcy Cain wrote:
> Some of you may remember that I was trying to set up a NetBSD machine to
> do all of my routing in my trailer while we travel.  I hit a snag when

So, basically, my new setup is mostly working but I can't seem to get NAT
working at all.  I am trying to use NPF, which I am not too familiar with,
but the docs seem pretty clear.  Here is my npf.conf.  Can some NPF
experts check this out, please?  Ta.

------------------------------ npf.conf -------------------------------
$ext_if = inet4(re0)
$int_if = inet4(wm0)
$wifi_if = inet4(athn0)

table <blacklist> type hash file "/etc/enemies.list"
table <limited> type tree dynamic

$services_tcp = { http, https, smtp, domain, 6000, 9022 }
$services_udp = { domain, ntp, 6000 }
$localnet = { 192.168.215.0/24 }
$localwifi = { 192.168.225.0/24 }

alg "icmp"

# The interface named in a map rule is the one on which the translation is
# performed, so outbound NAT for both inside networks is attached to $ext_if.
map $ext_if dynamic $localnet -> $ext_if
map $ext_if dynamic $localwifi -> $ext_if

group "external" on $ext_if {
    pass stateful out final all

    block in final from <blacklist>
    pass stateful in final family inet4 proto tcp to $ext_if port ssh
    pass stateful in final proto tcp to $ext_if port $services_tcp
    pass stateful in final proto udp to $ext_if port $services_udp
    pass stateful in final proto udp to $ext_if port 33434-33600 # Traceroute
}

group "internal" on $int_if {
    block in all
    block in final from <limited>

    # Ingress filtering as per BCP 38 / RFC 2827.
    pass in final from $localnet
    pass out final all
}

group "wifi" on $wifi_if {
    block in all
    block in final from <limited>

    # Ingress filtering as per BCP 38 / RFC 2827.
    pass in final from $localwifi
    pass out final all
}

group default {
    pass in final on lo0 all
    pass stateful out final to any
    block in all
}
-----------------------------------------------------------------------------

-- 
D'Arcy J.M. Cain <darcy%NetBSD.org@localhost>
http://www.NetBSD.org/ IM:darcy%Vex.Net@localhost
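The following is an added example, not code from the post and not part of NetBSD's npfctl: a small offline lint that reads the variable definitions and `map` rules of an npf.conf and flags outbound NAT maps attached to an interface other than the one they translate to. It relies on the npf.conf(5) rule that the interface named in a `map` statement is the one on which translation is performed; the parser (`parse_conf`, `misplaced_maps`) is a simplified, hypothetical one that only handles the `$var = ...` and `map ... -> ...` forms seen above, and the embedded config is a constructed sample built from the map and interface lines of the post.

```python
"""Lint NPF map rules: flag outbound NAT maps not on their translation interface.

Hypothetical helper (not npfctl): in npf.conf(5) the interface in a 'map'
rule is where translation is performed, so an outbound (->) map that
translates to the external address must be attached to the external
interface, or packets leaving through it are never translated.
"""
import re

# Constructed sample: interface/network definitions and map rules taken from
# the posted config. The second map is on $wifi_if, not $ext_if.
SAMPLE_CONF = """\
$ext_if = inet4(re0)
$int_if = inet4(wm0)
$wifi_if = inet4(athn0)
$localnet = { 192.168.215.0/24 }
$localwifi = { 192.168.225.0/24 }
map $ext_if dynamic $localnet -> $ext_if
map $wifi_if dynamic $localwifi -> $ext_if   # NAT on the inside interface
"""

VAR_RE = re.compile(r'^\$(\w+)\s*=\s*(.+?)\s*$')
MAP_RE = re.compile(r'^map\s+(\S+)\s+(dynamic|static)\s+(.+?)\s*(->|<-)\s*(\S+)')
INET_RE = re.compile(r'^inet[46]\((\w+)\)$')


def parse_conf(text):
    """Return (variables, maps): name -> value for '$var = ...' lines, and
    (interface, kind, source, direction, target) tuples for 'map' rules."""
    variables, maps = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = MAP_RE.match(line)
        if m:
            maps.append(m.groups())
    return variables, maps


def ifname(token, variables):
    """Expand a $var reference and strip an inet4()/inet6() wrapper, giving
    a bare interface name; returns None if the token is not an interface."""
    if token.startswith('$'):
        token = variables.get(token[1:], token)
    m = INET_RE.match(token)
    if m:
        return m.group(1)
    return token if re.fullmatch(r'\w+', token) else None


def misplaced_maps(text):
    """Return outbound map rules whose NAT interface differs from the
    interface whose address they translate to."""
    variables, maps = parse_conf(text)
    bad = []
    for iface, kind, src, direction, target in maps:
        if direction != '->':
            continue  # inbound redirects (<-) are not checked here
        nat_if = ifname(iface, variables)
        dst_if = ifname(target, variables)
        if dst_if is None:
            continue  # explicit translation address: cannot tell its interface
        if nat_if != dst_if:
            bad.append(f'map {iface} {kind} {src} -> {target}')
    return bad


if __name__ == '__main__':
    for rule in misplaced_maps(SAMPLE_CONF):
        print('outbound NAT map not on its translation interface:', rule)
```

Running it on the sample reports only the `$wifi_if` rule; rewriting that rule as `map $ext_if dynamic $localwifi -> $ext_if` makes the report empty. The check is deliberately narrow (it says nothing about forwarding being enabled or about the filter groups), so treat it as a first look, not a substitute for loading the file with npfctl.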

