OpenBSD 6.0: Simple NAT with pf

This post is more of a “note to self”, but this is a summary of a simple NAT setup between an “Internal” interface and an “External” interface on our OpenBSD server or router.

Why would we do this? Well we might have an OpenBSD machine acting as a router and so 1 public IP address on our “External” interface which is to be shared between our devices on our “Internal” network. Otherwise we might have a VPN running on a TUN/TAP that we wish to communicate with the outside world.

First thing’s first. Make sure pf is enabled by editing /etc/rc.conf.local, uncomment/add the following line:


Now, we need to enable IP forwarding by editing /etc/sysctl.conf and un-comment/add this line:


We can get this IP forwarding working without rebooting with the following command:

# sysctl net.inet.ip.forwarding=1

Now we can edit our /etc/pf.conf to put in place our NAT. For this we are going to assume that our “Internal” interface has a private network on it, for this example we are using a range. Append the following lines your pf configuration file.


## Interfaces, External and Internal
ExtIf = "xnf0"
IntIf = "xnf1"

## Our Private Network in NAT
PrivNet = "192.168.100/24"

## Our NAT
match out log on $ExtIf from $PrivNet to any received-on $IntIf tag EGRESS nat-to ($ExtIf:0)

Now there is probably more configuration needed for the network as a whole but the NAT can be simply created in the above 1 line and 3 variables.

I’ve found some use for it, others might want it for reference.