Okay. If you're going to give access to internet users to be able to access
your system inside your LAN/DMZ(eg webserver), you will need to do NAT.
If you
want the server which is configured by private ip address is reachable from
internet users, you will need NAT.

The way you do NAT might depend on your
network infra setup and how you design and plan the traffic flow.
IP aliasing
is associating more than one IP address to a network interface. With this, one
node on a network can have multiple connections to a network, each serving a
different purpose.Now I will explain you with an example so that you can
visualize it in a better way:

I have web server with IP address 192.168.1.100
My firewall has 2 NICs, one internal(192.168.1.1) and one external using
public IP(50.50.50.59).
I would like to allow users from the internet to
access my webserver. Since I configured webserver using private IP, internet
users can not access my webserver directly, that is why NAT is needed.
For
this example I have 2 scenarios doing NAT.
1.If I have limited public IP
address assigned to me by ISP
any http traffic from internet accessing to
firewallexternalIPaddress will be redirected to my webserver
internet user
port 80 ---> FW ext IP address --> Web server

In this case I don't need to
use additional IP address as an alias, because internet users will access my
website via: http://50.50.50.59
and the traffic will be redirected to the
webserver which is located inside LAN(192.168.1.100)

2.If I have spare public
IP address. this where IP alias can play the role.
I have another public IP
(let say 50.50.50.58) and I would like to assign it to webserver.
The
webserver is still located inside my LAN with IP 192.168.1.100. But I want to
assign the IP 50.50.50.58 only for application server services purpose,
because I don't want to mix it up with firewall service.
So the same concept
applies here.
any http traffic from internet accessing IP 50.50.50.58 will be
redirected to my webserver
internet user port 80 ---> 50.50.50.58 --> Web
server
As the 50.50.50.58 and 50.50.50.59 are within the same subnet ( and
also assigned for my business from ISP), then I need to assign it on the
external firewall interface. If I didn't assign it on the external firewall
interface, the http incoming traffic will not be able to pass through because
neither router nor firewall know how and where to redirect the incoming packet
and also neither router nor firewall take the ownership of 50.50.50.58
although 50.50.50.58 is assigned for my business by ISP. By assigning
50.50.50.58 on the external firewall interface as an IP alias, the firewall
will know how and where to redirect the incoming traffic.When the http traffic
on 50.50.50.58 is coming in, firewall will take the ownership,check the
routing table and then PF engine will check from the rule list whether the
incoming traffic to the webserver is alllowed or not. Once the rule is
matched, then the packet will be redirected to the destination. You can do
the
same by creating the rule for email server etc.internet user port 25 --->
50.50.50.58 --> my email server.

The same IP alias concept also applies if
you want to implement many to one NAT. For example to alllow your LAN users to
access internet access.
You can use IP alias or use firewall ext int IP as a
NAT IP. All depends on how your infra is configured and planned.
In which
scenario your setup is? If you're using 1st scenario, you don't need to use IP
alias, because the external ip addr for firewall which is accessed by the
public users for http traffic is belong to firewall. If you used 2nd
scenario, you will need to use IP alias configured on ext firewall interface.
Please also check the routing table in the router and the default gateway on
your destination node.

I hope it helps.

Regards,
Stefan
________________________________
From: Stefan Midjich <***@gmail.com>
To:
Stefan N <***@yahoo.com>
Cc: "***@openbsd.org" <***@openbsd.org>
Sent: Tuesday, October 11, 2011 1:25 PM
Subject: Re: Help setting up a PF NAT
gateway

No I was not aware of this. Could you please explain the meaning of
an
alias address on the external interface for NAT?

There is no mention of
using an alias for NAT in this document for
example
http://www.openbsd.org/faq/pf/nat.html

Just to be clear, I already have an
external and internal physical
interface to work with, so I am unclear as to
why I need an alias.
Stefan,
add in the IP
openbsd url below:
http://www.openbsd.org/cgi-bin/man.cgi?query=hostname.if&apropos=0&sektion=0&
manpath=OpenBSD+4.9&arch=i386&format=html
10.0.1.255 media 100baseTX description
255.255.255.255 10.0.1.13
inet alias 10.0.1.15 255.255.255.255
0xffffffff
fec0::1 64
65.65.65.65 10.0.1.13
________________________________
Tuesday, October 11, 2011 2:06 AM
gateway
Edition so
Stefan,
miserably.
but no further.
sysctl net.inet.ip.forwarding
instead of 1, you'd get your symptoms. Edit
forwarding if you haven't.
hdlsningar / With kind regards