From owner-freebsd-pf@freebsd.org Sun Nov 10 13:43:19 2019
From: Phil Staub
Date: Sun, 10 Nov 2019 08:42:39 -0500
Subject: Re: freebsd-pf Digest, Vol 689, Issue 3
To: freebsd-pf@freebsd.org

> Ah, you have a standalone SOHO router. That changes things drastically. :)

Exactly!

> I assume the computers on your LAN (including FreeBSD) have private IP
> addresses (192.168.x.x)? In that case your Netgear router is doing the
> NAT for you and you don't need to worry about that part.

Yes. I know it's lazy, but I left the local subnet as the route default of
192.168.1.0/24. All of my local hosts are on that subnet.

I'm PARTIALLY in agreement here. The OpenVPN clients are being assigned
10.8.0.x addresses. Somehow, those addresses need to be translated into the
OpenVPN server's address to provide their access to the internet.

> - You need to forward port 1194/udp (or whatever you chose for OpenVPN)
> in your Netgear router so it points to the IP address of your FreeBSD
> machine. Consult the router's manual how to do port forwarding.

This is done and appears to be working fine, because the OpenVPN log
registers 10.8.0.x connections when they come in.

> - The firewall in the Netgear router also needs to allow incoming
> connections on this port. It's probably setup along with the port
> forwarding but once again you need to consult the Netgear manual.

The firewall isn't configurable on this router. But as I mentioned above, it
obviously takes the configured forwarded port as an indication that it needs
to allow that connection through to the local net.

> - You can disable pf on your FreeBSD machine unless you absolutely want
> an extra firewall to protect it. I strongly suggest you disable it at
> this point though until you have the OpenVPN server running. It's
> protected behind your Netgear router

I don't care about the firewalling capabilities of PF in this case. I only use
it to establish the connection between the 10.8.0.0/24 and 192.168.1.0/24
subnets. I fully accept the possibility that I have a misconception about what
is necessary here, but without doing SOMETHING, the 10.8.0.x connections make
it to OpenVPN and go no further.

> So to sum up:
>
> - Configure firewall and port forwarding in your Netgear router.

Done

> - Configure the OpenVPN server on FreeBSD.

At least partially done.

> One caveat to look out for:
>
> I'm not familiar with your Arris modem. Make sure it doesn't do routing
> and NAT too so you have two layers of NAT since that would complicate
> things. Make sure your modem is in bridge mode and that your Netgear
> router has a public IP address on the interface connected to the modem.

The modem doesn't do NAT. The WAN side of the router has a public ip, and
there is nothing else on the connection between the modem and the router.

> Regards
> Morgan
>
> Phil, I forgot...
>
> OpenVPN needs its own subnet in the config file. Make sure you don't use
> the same subnet as your LAN uses because that would confuse the routing
> and could result in the behaviour you describe in your initial post.
> Data would reach the server but return packets wouldn't find their way
> back onto the Internet.

This may be the crux of the matter. I'm not sure I know how I would set this up.

> I would need to see your OpenVPN config and details about the subnets
> you use to spot any errors.
Here is my OpenVPN config:

local 192.168.1.200
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/server.crt
dh /usr/local/etc/openvpn/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
client-config-dir /usr/local/etc/openvpn/ccd
route 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 4
explicit-exit-notify 1

> /Morgan

Thanks, Morgan!

Phil

From owner-freebsd-pf@freebsd.org Sun Nov 10 14:47:05 2019
From: Morgan Wesström
Date: Sun, 10 Nov 2019 15:46:56 +0100
Subject: Re: freebsd-pf Digest, Vol 689, Issue 3
To: freebsd-pf@freebsd.org
Message-ID: <1cebcd5e-d9ed-53db-2d01-c8794933d1c4@pp.dyndns.biz>
> Yes. I know it's lazy, but I left the local subnet as the route default of
> 192.168.1.0/24. All of my local hosts are on that subnet.
>
> I'm PARTIALLY in agreement here. The OpenVPN clients are being assigned
> 10.8.0.x addresses. Somehow, those addresses need to be translated into the
> OpenVPN server's address to provide their access to the internet.
>
> Here is my OpenVPN config:

Your OpenVPN config has a few lines I'd like to address.
Unless you're absolutely sure you know what you're doing and have a reason to
use them I'd suggest you remove the following three lines:

topology subnet
push "route 192.168.1.0 255.255.255.0"
route 10.8.0.0 255.255.255.0

The next thing you need to check is that you have enabled routing in FreeBSD
so it will forward packets between your LAN subnet 192.168.1.0/24 and the
OpenVPN subnet 10.8.0.0/24. (You do not need NAT here although I suppose it
would be theoretically possible. The thought has never occurred to me to be
honest. I would not recommend it though.)

/etc/rc.conf
gateway_enable="YES"

Either restart FreeBSD after this or type "service routing start".

One additional thing. If you by any chance want to communicate with any of
the other machines on your LAN from the VPN clients (not just Internet
access), you need to add a static route for 10.8.0.0/24 pointing to
192.168.1.200 IN YOUR NETGEAR ROUTER or they won't know where to send their
replies. Preferably you'd add such a route to each of your LAN machines but
it's not strictly necessary since they will send any 10.8.0.0/24 packets to
your router which then will route it back properly to your FreeBSD machine.
This shouldn't be needed for the basic OpenVPN communication though since as
far as your router is concerned, this only involves pushing udp packets to
192.168.1.200 and it already knows how to reach that ip.

Your setup differs from mine so I may have forgotten something here but start
with these changes and we'll see what happens.
/Morgan

From owner-freebsd-pf@freebsd.org Sun Nov 10 15:34:00 2019
From: Morgan Wesström
Date: Sun, 10 Nov 2019 16:33:56 +0100
Subject: Re: NAT for use with OpenVPN
To: freebsd-pf@freebsd.org
Message-ID: <80ec074d-7a5d-7016-57e4-f607384d0e20@pp.dyndns.biz>
In-Reply-To: <1cebcd5e-d9ed-53db-2d01-c8794933d1c4@pp.dyndns.biz>
> One additional thing. If you by any chance want to communicate with any
> of the other machines on your LAN from the VPN clients (not just
> Internet access), you need to add a static route for 10.8.0.0/24
> pointing to 192.168.1.200 IN YOUR NETGEAR ROUTER or they won't know
> where to send their replies. Preferably you'd add such a route to each
> of your LAN machines but it's not strictly necessary since they will
> send any 10.8.0.0/24 packets to your router which then will route it
> back properly to your FreeBSD machine. This shouldn't be needed for the
> basic OpenVPN communication though since as far as your router is
> concerned, this only involves pushing udp packets to 192.168.1.200 and
> it already knows how to reach that ip.

I need to correct myself here. You absolutely MUST have a static route for
10.8.0.0/24 defined in your Netgear router or Internet traffic won't work
from your VPN clients.
The reason is that when FreeBSD routes these packets from the OpenVPN subnet
onto your LAN subnet and onto the Netgear router, the source address of those
packets will still have 10.8.0.x in them and the router needs to know where
this subnet is to be able to return packets there.

This would be much simpler if your FreeBSD machine was working as your router
instead of that Netgear router. :)

Another unknown is how the NAT in your Netgear router will respond to source
packets coming from a subnet other than its own. Hopefully it will behave
properly.

/Morgan
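Added example, not code from the thread, from FreeBSD or from pf: a small Python model of the return path Morgan describes in his two messages above. It checks the three things those messages turn on: the FreeBSD box must forward (gateway_enable="YES"), and the Netgear router must either hold a static route for 10.8.0.0/24 pointing at 192.168.1.200 or never see 10.8.0.x sources at all because pf translates them on the LAN interface (the NAT Morgan calls possible but does not recommend; in pf syntax that would be `nat on em0 from 10.8.0.0/24 to any -> (em0)`). The interface names em0 and tun0, the router address 192.168.1.1, the client address 10.8.0.2 and the Internet host address are assumptions; the routing tables are longest-prefix-match over constructed entries.

```python
# Added example, not code from the thread, FreeBSD or pf: a toy model of the
# two return paths Morgan describes.  Values marked "assumption" are mine.
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network

VPN_CLIENT = ip_address("10.8.0.2")          # assumption: an address from the pool
FREEBSD_LAN = ip_address("192.168.1.200")    # OpenVPN server's LAN address (thread)
ROUTER_LAN = ip_address("192.168.1.1")       # assumption: the Netgear's LAN address
INTERNET_HOST = ip_address("93.184.216.34")  # assumption: some host on the Internet
VPN_NET = ip_network("10.8.0.0/24")          # OpenVPN subnet (thread)
LAN_NET = ip_network("192.168.1.0/24")       # LAN subnet (thread)
DEFAULT = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def lookup(routes, dst):
    """Longest-prefix match over [(network, next_hop_or_interface), ...]."""
    best = None
    for net, via in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return None if best is None else best[1]


def simulate(gateway_enable=True, router_static_route=False, pf_nat=False):
    """Send one packet from the VPN client towards the Internet and return the
    trail of the *reply*.  A working configuration ends the trail at tun0."""
    # FreeBSD: 10.8.0.0/24 via tun0 (from 'server 10.8.0.0 255.255.255.0'),
    # the LAN on em0 (interface name assumed), default via the Netgear.
    freebsd_routes = [(VPN_NET, "tun0"), (LAN_NET, "em0"), (DEFAULT, ROUTER_LAN)]
    # Netgear: knows only its own LAN and the Internet unless Phil adds the
    # static route 10.8.0.0/24 -> 192.168.1.200.
    router_routes = [(LAN_NET, "lan"), (DEFAULT, "wan")]
    if router_static_route:
        router_routes.append((VPN_NET, FREEBSD_LAN))
    nat_state = {}  # (remote host, translated source) -> original source
    trail = []

    # Outbound leg: the decapsulated packet leaves tun0 and must be forwarded.
    pkt = Packet(VPN_CLIENT, INTERNET_HOST)
    if not gateway_enable:
        return ["freebsd: dropped, not forwarding (gateway_enable=NO)"]
    trail.append(f"freebsd -> {lookup(freebsd_routes, pkt.dst)} via em0")
    if pf_nat:
        # Equivalent of the pf rule  nat on em0 from 10.8.0.0/24 to any -> (em0)
        nat_state[(pkt.dst, FREEBSD_LAN)] = pkt.src
        pkt = replace(pkt, src=FREEBSD_LAN)
    trail.append(f"netgear sees source {pkt.src}")

    # Return leg: the reply's destination is whatever source the Netgear saw.
    reply = Packet(INTERNET_HOST, pkt.src)
    hop = lookup(router_routes, reply.dst)
    trail.append(f"netgear -> {hop}")
    if hop == "wan":
        trail.append(f"lost: {reply.dst} has no route on the Netgear, sent out the WAN")
        return trail
    if reply.dst == FREEBSD_LAN:
        original = nat_state.get((reply.src, FREEBSD_LAN))
        if original is None:
            trail.append("freebsd: delivered locally, no state for the VPN client")
            return trail
        reply = replace(reply, dst=original)  # pf reverses the translation
        trail.append(f"freebsd: pf restores destination {reply.dst}")
    trail.append(f"freebsd -> {lookup(freebsd_routes, reply.dst)}")
    return trail


def reply_reaches_client(**kwargs):
    """True when the reply ends up on tun0, i.e. back inside the tunnel."""
    return simulate(**kwargs)[-1] == "freebsd -> tun0"


if __name__ == "__main__":
    for cfg in ({}, {"router_static_route": True}, {"pf_nat": True},
                {"gateway_enable": False, "router_static_route": True}):
        print(cfg, "->", reply_reaches_client(**cfg))
        for step in simulate(**cfg):
            print("   ", step)
```

Run it and the first configuration (no static route, no NAT) is the one Phil reports: the Netgear has no entry for 10.8.0.2 and hands the reply to its default route. The static route and the pf NAT each fix that in a different place; the model leaves Morgan's remaining unknown (whether the Netgear's own NAT will translate a source outside 192.168.1.0/24) unmodelled. On the FreeBSD side, `sysctl net.inet.ip.forwarding` showing 1 is the quick check that gateway_enable took effect.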
From owner-freebsd-pf@freebsd.org Sun Nov 10 21:01:01 2019
From: bugzilla-noreply@FreeBSD.org
Date: Sun, 10 Nov 2019 21:01:00 +0000
Subject: Problem reports for pf@FreeBSD.org that need special attention
To: pf@FreeBSD.org
Message-Id: <201911102101.xAAL10VA083661@kenobi.freebsd.org>

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering all
versions including experimental development code and obsolete releases.
Status      | Bug Id    | Description
------------+-----------+---------------------------------------------------
Open        | 203735    | Transparent interception of ipv6 with squid and p
Open        | 237973    | pf: implement egress keyword to simplify rules ac

2 problems total for which you should take action.

From owner-freebsd-pf@freebsd.org Sun Nov 10 21:28:55 2019
From: Phil Staub
Date: Sun, 10 Nov 2019 16:28:16 -0500
Subject: Fwd: NAT for use with OpenVPN
To: freebsd-pf@freebsd.org
References: <1cebcd5e-d9ed-53db-2d01-c8794933d1c4@pp.dyndns.biz> <80ec074d-7a5d-7016-57e4-f607384d0e20@pp.dyndns.biz>
---------- Forwarded message ---------
From: Phil Staub
Date: Sun, Nov 10, 2019 at 4:22 PM
Subject: Re: NAT for use with OpenVPN
To: Morgan Wesström

On Sun, Nov 10, 2019 at 10:34 AM Morgan Wesström <freebsd-database@pp.dyndns.biz> wrote:

> > One additional thing. If you by any chance want to communicate with any
> > of the other machines on your LAN from the VPN clients (not just
> > Internet access), you need to add a static route for 10.8.0.0/24
> > pointing to 192.168.1.200 IN YOUR NETGEAR ROUTER or they won't know
> > where to send their replies. Preferably you'd add such a route to each
> > of your LAN machines but it's not strictly necessary since they will
> > send any 10.8.0.0/24 packets to your router which then will route it
> > back properly to your FreeBSD machine. This shouldn't be needed for the
> > basic OpenVPN communication though since as far as your router is
> > concerned, this only involves pushing udp packets to 192.168.1.200 and
> > it already knows how to reach that ip.
OK, I removed the lines you specified and added a static route on the router:

10.8.0.0/24 -> 192.168.1.200

I confirmed that gateway was enabled on FreeBSD and restarted routing.
Unfortunately this didn't really seem to change anything. I'm still unable to
access the internet from a connected client.

So now I'm wondering about something. Do packets with 10.8.0.x addresses ever
actually make it on the wire between the router and the OpenVPN server? I was
under the impression that the encrypted packets created a tunnel at which the
IP address is only known at the endpoints, which means the OpenVPN client and
server processes, and nothing in between has any access to anything that is
going on within the tunnel. If this is the case, I wouldn't think the router
needs to know how to deal with 10.8.0.x packets.

Furthermore, this pretty much HAS to be the case. The 10.8.0.x addresses can't
be routed across the internet, so the only way they could exist on my private
network would be as a result of NATing on the part of the router, and I'm
pretty sure this isn't happening.

But then this re-opens the question of how the connection happens between the
server end of the tunnel (10.8.0.1) and the public interface at 192.168.1.200.
It would seem that there needs to be some routing information within OpenVPN
that makes that connection.

Am I way off here?
Phil

From owner-freebsd-pf@freebsd.org Sun Nov 10 22:27:28 2019
From: Morgan Wesström
Date: Sun, 10 Nov 2019 23:27:14 +0100
Subject: Re: Fwd: NAT for use with OpenVPN
To: freebsd-pf@freebsd.org
References: <1cebcd5e-d9ed-53db-2d01-c8794933d1c4@pp.dyndns.biz> <80ec074d-7a5d-7016-57e4-f607384d0e20@pp.dyndns.biz>
> Do packets with 10.8.0.x addresses ever actually make it on the wire
> between the router and the OpenVPN server? I was under the impression that
> the encrypted packets created a tunnel at which the IP address is only
> known at the endpoints, which means the OpenVPN client and server
> processes, and nothing in between has any access to anything that is going
> on within the tunnel. If this is the case, I wouldn't think the router
> needs to know how to deal with 10.8.0.x packets.
>
> Furthermore, this pretty much HAS to be the case. The 10.8.0.x addresses
> can't be routed across the internet, so the only way they could exist on my
> private network would be as a result of NATing on the part of the router,
> and I'm pretty sure this isn't happening.
>
> But then this re-opens the question of how the connection happens between
> the server end of the tunnel (10.8.0.1) and the public interface at
> 192.168.1.200. It would seem that there needs to be some routing
> information within OpenVPN that makes that connection.
>
> Am I way off here?
>
> Phil

Look at it this way.
The VPN software has the same effect as if the client was located in your
house and directly connected with a cable to your 10.8.0.0/24 subnet. Any
configuration to support this must be done on the FreeBSD machine as well as
your router. The router will definitely see the 10.8.0.0/24 addresses on its
LAN interface but as you note, these addresses will never show up on the
external interface. Your NAT will exchange these addresses on the fly and any
traffic between the OpenVPN endpoints will be encrypted and encapsulated in
another ip packet where only the external public ip addresses are shown.

At this point I started to write a detailed description of how a packet is
transferred from your client over the VPN tunnel and then onto the Internet
and to its destination but it got overly complicated and probably won't help
you at this point. :)

Let's instead start to get some more info from your network. When your client
is connected, can you please provide the output of the following commands on
both the client and the FreeBSD machine?

# ifconfig -a
# netstat -rn

I need to see how the ip stack is configured on each machine and how the
routing tables look.

/Morgan
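Added example, not code from the thread or from OpenVPN: a trace of the addresses an observer sees on each segment for one packet from a VPN client to the Internet, which is the point of Phil's question and Morgan's answer above. The tunnel transport between the two public endpoints carries only public addresses, and the Netgear's port forward rewrites that transport to 192.168.1.200; once the FreeBSD box decapsulates the inner packet and forwards it, 10.8.0.x does appear on the LAN wire. The client's public address, the Netgear's WAN address, the client's tunnel address and the destination host are assumptions (documentation ranges); the port 1194/udp and 192.168.1.200 are from Phil's config.

```python
# Added example, not code from the thread or from OpenVPN: what each wire
# segment sees for one packet from a VPN client to the Internet.  Public
# addresses and the client's tunnel address are assumptions.
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

CLIENT_PUBLIC = ip_address("198.51.100.7")  # assumption: the roaming client's address
HOME_PUBLIC = ip_address("203.0.113.9")     # assumption: the Netgear's WAN address
FREEBSD_LAN = ip_address("192.168.1.200")   # OpenVPN server, from Phil's config
CLIENT_TUN = ip_address("10.8.0.2")         # assumption: address from the 10.8.0.0/24 pool
DEST = ip_address("93.184.216.34")          # assumption: some Internet host
VPN_PORT = 1194                             # from Phil's config
VPN_NET = ip_network("10.8.0.0/24")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str = "tcp"
    dport: int = 443
    payload: Optional["Packet"] = None  # encrypted inner packet, opaque on the wire


def encapsulate(inner, src, dst):
    """OpenVPN client side: the inner packet becomes the (encrypted) payload of
    a UDP datagram between the two public endpoints."""
    return Packet(src, dst, "udp", VPN_PORT, payload=inner)


def port_forward(pkt):
    """Netgear port forward: udp/1194 arriving on the WAN address is rewritten
    to 192.168.1.200.  Nothing else about the datagram changes."""
    if pkt.proto == "udp" and pkt.dport == VPN_PORT and pkt.dst == HOME_PUBLIC:
        return replace(pkt, dst=FREEBSD_LAN)
    return pkt


def decapsulate(pkt):
    """OpenVPN server side: decrypt and hand the inner packet to tun0."""
    if pkt.payload is None:
        raise ValueError("not a tunnel packet")
    return pkt.payload


def trace_outbound():
    """Return [(segment, src, dst)] as seen by an observer on each segment."""
    inner = Packet(CLIENT_TUN, DEST)
    outer = encapsulate(inner, CLIENT_PUBLIC, HOME_PUBLIC)
    hops = [("internet: tunnel transport", outer.src, outer.dst)]
    fwd = port_forward(outer)
    hops.append(("lan: tunnel transport", fwd.src, fwd.dst))
    plain = decapsulate(fwd)
    hops.append(("freebsd tun0: decapsulated", plain.src, plain.dst))
    # gateway_enable="YES": FreeBSD forwards the inner packet unchanged via em0
    # (interface name assumed) to the Netgear, so 10.8.0.2 is now on the LAN wire.
    hops.append(("lan: forwarded inner", plain.src, plain.dst))
    # The Netgear's own NAT then replaces the source with its WAN address
    # (assuming it is willing to translate a source outside 192.168.1.0/24).
    hops.append(("internet: after netgear nat", HOME_PUBLIC, plain.dst))
    return hops


def segments_with_vpn_addresses(hops):
    """Segments on which an observer would see a 10.8.0.0/24 address."""
    return [seg for seg, src, dst in hops if src in VPN_NET or dst in VPN_NET]


if __name__ == "__main__":
    for seg, src, dst in trace_outbound():
        print(f"{seg:30} {src} -> {dst}")
    print("VPN addresses visible on:", segments_with_vpn_addresses(trace_outbound()))
```

The trace answers both halves of Phil's question: the encrypted tunnel really does hide 10.8.0.x from everything between the two OpenVPN processes, but the traffic that leaves the tunnel at the FreeBSD box is ordinary IP and crosses the LAN with its 10.8.0.x source intact, which is exactly why the Netgear needs either a route back to that subnet or a translated source.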
/Morgan

From owner-freebsd-pf@freebsd.org Sun Nov 10 23:51:37 2019
From: Phil Staub
Date: Sun, 10 Nov 2019 18:51:22 -0500
Subject: Re: Fwd: NAT for use with OpenVPN
To: Morgan Wesström
Cc: freebsd-pf@freebsd.org
References: <1cebcd5e-d9ed-53db-2d01-c8794933d1c4@pp.dyndns.biz> <80ec074d-7a5d-7016-57e4-f607384d0e20@pp.dyndns.biz>

On Sun, Nov 10, 2019 at 5:27 PM Morgan Wesström <freebsd-database@pp.dyndns.biz> wrote:

> > Do packets with 10.8.0.x addresses ever actually make it on the wire
> > between the router and the OpenVPN server? I was under the impression that
> > the encrypted packets created a tunnel at which the IP address is only
> > known at the endpoints, which means the OpenVPN client and server
> > processes, and nothing in between has any access to anything that is going
> > on within the tunnel. If this is the case, I wouldn't think the router
> > needs to know how to deal with 10.8.0.x packets.
> >
> > Furthermore, this pretty much HAS to be the case. The 10.8.0.x addresses
> > can't be routed across the internet, so the only way they could exist on my
> > private network would be as a result of NATing on the part of the router,
> > and I'm pretty sure this isn't happening.
> >
> > But then this re-opens the question of how the connection happens between
> > the server end of the tunnel (10.8.0.1) and the public interface at
> > 192.168.1.200. It would seem that there needs to be some routing
> > information within OpenVPN that makes that connection.
> >
> > Am I way off here?
> >
> > Phil
>
> Look at it this way. The VPN software has the same effect as if the
> client was located in your house and directly connected with a cable to
> your 10.8.0.0/24 subnet. Any configuration to support this must be done
> on the FreeBSD machine as well as your router.
> The router will
> definitely see the 10.8.0.0/24 addresses on its LAN interface but as you
> note, these addresses will never show up on the external interface. Your
> NAT will exchange these addresses on the fly and any traffic between the
> OpenVPN endpoints will be encrypted and encapsulated in another ip
> packet where only the external public ip addresses are shown.
>
> At this point I started to write a detailed description of how a packet
> is transferred from your client over the VPN tunnel and then onto the
> Internet and to its destination but it got overly complicated and
> probably won't help you at this point. :) Let's instead start to get
> some more info from your network. When your client is connected, can you
> please provide the output of the following commands on both the client
> and the FreeBSD machine?
>
> # ifconfig -a
> # netstat -rn
>
> I need to see how the ip stack is configured on each machine and how the
> routing tables look.

OK. Here it comes:

root@threepio:/usr/local/etc/openvpn # netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS         em0
10.8.0.0/24        10.8.0.2           UGS        tun0
10.8.0.1           link#4             UHS         lo0
10.8.0.2           link#4             UH         tun0
127.0.0.1          lo0                UHS         lo0
192.168.1.0/24     link#1             U           em0
192.168.1.200      link#1             UHS         lo0
192.168.1.201      link#1             UHS         lo0

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             ::1                           UGRS        lo0
::1                               lo0                           UHS         lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%lo0/64                     link#2                        U           lo0
fe80::1%lo0                       link#2                        UHS         lo0
fe80::%tun0/64                    link#4                        U          tun0
fe80::6a05:caff:fe3b:a7c7%tun0    link#4                        UHS         lo0
ff02::/16                         ::1                           UGRS        lo0

root@threepio:/usr/local/etc/openvpn # ifconfig -a
em0: flags=8843 metric 0 mtu 1500
        options=81249b
        ether 68:05:ca:3b:a7:c7
        inet 192.168.1.200 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.1.201 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (1000baseT )
        status: active
        nd6 options=29
lo0: flags=8049 metric 0 mtu 16384
        options=680003
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21
lo1: flags=8008 metric 0 mtu 16384
        options=680003
        groups: lo
        nd6 options=29
tun0: flags=8051 metric 0 mtu 1500
        options=80000
        inet6 fe80::6a05:caff:fe3b:a7c7%tun0 prefixlen 64 scopeid 0x4
        inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
        groups: tun
        nd6 options=21
        Opened by PID 15992

> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

-- 
Phil Staub
phil@staub.us

From owner-freebsd-pf@freebsd.org Mon Nov 11 08:46:49 2019
Subject: Re: Fwd: NAT for use with OpenVPN
To: freebsd-pf@freebsd.org
References: <1cebcd5e-d9ed-53db-2d01-c8794933d1c4@pp.dyndns.biz> <80ec074d-7a5d-7016-57e4-f607384d0e20@pp.dyndns.biz>
From: Morgan Wesström
Message-ID: <6bc9b8ce-3ab3-2b57-510d-67ace0a90259@pp.dyndns.biz>
Date: Mon, 11 Nov 2019 09:46:42 +0100

> OK. Here it comes:
>
> root@threepio:/usr/local/etc/openvpn # netstat -rn
> Routing tables
>

That machine looks good. I can't spot anything wrong on that side. Can you
also check the output of "sysctl net.inet.ip.forwarding" and make sure it's
set to 1. This is what gateway_enable=YES should do.

Now I'd like to see the routing and ip info from one of the connected
clients. Preferably I'd like the same info from your Netgear router too, but
I don't expect it to provide an interface to extract this info, so it will
have to be the black box for now.

The next step is then to start pinging ip addresses from the client side,
hop by hop until we don't receive a reply. Starting with the local client
vpn address, then the local endpoint, the remote endpoint, the em0 address
and so on. But I want to make sure nothing is wrong on the ip stack level
first.

/Morgan

From owner-freebsd-pf@freebsd.org Mon Nov 11 22:15:01 2019
From: Morgan Wesström
Date: Mon, 11 Nov 2019 23:14:54 +0100
Subject: Re: Fwd: NAT for use with OpenVPN
To: freebsd-pf@freebsd.org
References: <1cebcd5e-d9ed-53db-2d01-c8794933d1c4@pp.dyndns.biz> <80ec074d-7a5d-7016-57e4-f607384d0e20@pp.dyndns.biz> <6bc9b8ce-3ab3-2b57-510d-67ace0a90259@pp.dyndns.biz>
Message-ID: <30f8da8a-de96-f737-fef8-820c6ae2ed16@pp.dyndns.biz>
In-Reply-To: <6bc9b8ce-3ab3-2b57-510d-67ace0a90259@pp.dyndns.biz>

Phil,

I did some more testing in my own environment and you should be able to
ping the following addresses from your connected client. It probably
breaks down at some point and you need to tell me where:

10.8.0.6 (or whatever ip your vpn client receives)
10.8.0.1 (server endpoint of vpn tunnel)
192.168.1.200 (your FreeBSD LAN address)
192.168.1.1 (LAN side of your router)

Next ping test would be an address on the Internet like google.dns
(8.8.8.8).

Looking at the Netgear support forums, some people claim Netgear routers
only do NAT for the subnet on their LAN interface while others claim they
do NAT for any subnet. I checked the manual for your router but it doesn't
explicitly say anything on this matter, so this is still an unknown.

We didn't discuss the client side config. I will show you mine below with
the server address obfuscated. You need to replace it with your router WAN
ip.

client
dev tun
proto udp
remote ***.***.***.*** 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
verb 4

netstat -rn and ifconfig -a (ipconfig /all on Windows) from the connected
client would be useful to further track down the problem if you can't
resolve it.

P.S. You have a .201 alias on the FreeBSD machine. It shouldn't interfere
but I just wanted to make sure you were aware of it and had a reason for
it.

/Morgan

From owner-freebsd-pf@freebsd.org Tue Nov 12 01:50:05 2019
From: Phil Staub
Date: Mon, 11 Nov 2019 20:49:25 -0500
Subject: Fwd: Fwd: NAT for use with OpenVPN
To: freebsd-pf@freebsd.org
References: <1cebcd5e-d9ed-53db-2d01-c8794933d1c4@pp.dyndns.biz> <80ec074d-7a5d-7016-57e4-f607384d0e20@pp.dyndns.biz> <6bc9b8ce-3ab3-2b57-510d-67ace0a90259@pp.dyndns.biz> <30f8da8a-de96-f737-fef8-820c6ae2ed16@pp.dyndns.biz>
---------- Forwarded message ---------
From: Phil Staub
Date: Mon, Nov 11, 2019 at 8:47 PM
Subject: Re: Fwd: NAT for use with OpenVPN
To: Morgan Wesström

On Mon, Nov 11, 2019 at 5:15 PM Morgan Wesström <freebsd-database@pp.dyndns.biz> wrote:

> Phil,
>
> I did some more testing in my own environment and you should be able to
> ping the following addresses from your connected client. It probably
> breaks down at some point and you need to tell me where:
>
> 10.8.0.6 (or whatever ip your vpn client receives)
> 10.8.0.1 (server endpoint of vpn tunnel)
> 192.168.1.200 (your FreeBSD LAN address)
> 192.168.1.1 (LAN side of your router)
>

This was very much along the lines of what I had already planned to try. I
also pinged my public IP address 67.175.144.37.

> Next ping test would be an address on the Internet like google.dns
> (8.8.8.8).

This is the ONLY ping that fails. :-(

> Looking at the Netgear support forums, some people claim Netgear routers
> only does NAT for the subnet on its LAN interface while others claim it
> does NAT for any subnet. I checked the manual for your router but it
> doesn't explicitly say anything on this matter so this is still an unknown.

I've spent a little time trying to find out how to get a routing table from
the router. I haven't had a lot of time to look, but I'm going to look a
little more after what I've found so far.

> We didn't discuss the client side config. I will show you mine below
> with the server address obfuscated. You need to replace it with your
> router WAN ip.
>
> client
> dev tun
> proto udp
> remote ***.***.***.*** 1194
> resolv-retry infinite
> nobind
> persist-key
> persist-tun
> ca ca.crt
> cert client1.crt
> key client1.key
> ns-cert-type server
> verb 4
>

My client side configs are very similar. I think the only differences are
irrelevant or necessitated by the server-side config (cipher option).

> netstat -rn and ifconfig -a (ipconfig /all on Windows) from the
> connected client would be useful to further track down the problem if
> you can't resolve it.
>

I'm not a Windows fan, but since I have a Win10 laptop I use for stuff that
only runs on Windows, I'll hold my nose and try some troubleshooting from
there. :-(

Here is the Windows ipconfig:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Han
   Primary Dns Suffix  . . . . . . . : staub.us
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : staub.us

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : D0-17-C2-0B-E3-28
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Unknown adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-A2-CF-90-6F
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::641d:f1e3:ff36:891e%14(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.8.0.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Lease Obtained. . . . . . . . . . : Monday, November 11, 2019 7:31:43 PM
   Lease Expires . . . . . . . . . . : Tuesday, November 10, 2020 7:31:42 PM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 10.8.0.6
   DHCPv6 IAID . . . . . . . . . . . : 318832546
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-DF-60-8C-D0-17-C2-0B-E3-28
   DNS Servers . . . . . . . . . . . : 1.1.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Local Area Connection* 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : 48-45-20-50-78-AB
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 13:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter #2
   Physical Address. . . . . . . . . : 4A-45-20-50-78-AA
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 7265
   Physical Address. . . . . . . . . : 48-45-20-50-78-AA
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1002:e557:a388:1315%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Sunday, November 10, 2019 11:06:24 PM
   Lease Expires . . . . . . . . . . : Tuesday, November 12, 2019 11:06:23 AM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 38290720
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-DF-60-8C-D0-17-C2-0B-E3-28
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

(I notice there is no default gateway specified for the TUN interface. I'll
have to look into that.)
And the routing table:

===========================================================================
Interface List
 18...d0 17 c2 0b e3 28 ......Realtek PCIe GBE Family Controller
 14...00 ff a2 cf 90 6f ......TAP-Windows Adapter V9
 15...48 45 20 50 78 ab ......Microsoft Wi-Fi Direct Virtual Adapter
  9...4a 45 20 50 78 aa ......Microsoft Wi-Fi Direct Virtual Adapter #2
 13...48 45 20 50 78 aa ......Intel(R) Dual Band Wireless-AC 7265
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.5     35
          0.0.0.0        128.0.0.0         10.8.0.6         10.8.0.5    281
         10.8.0.1  255.255.255.255         10.8.0.6         10.8.0.5    281
         10.8.0.4  255.255.255.252         On-link          10.8.0.5    281
         10.8.0.5  255.255.255.255         On-link          10.8.0.5    281
         10.8.0.7  255.255.255.255         On-link          10.8.0.5    281
    67.175.144.37  255.255.255.255      192.168.1.1      192.168.1.5    291
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        128.0.0.0        128.0.0.0         10.8.0.6         10.8.0.5    281
      192.168.1.0    255.255.255.0         On-link       192.168.1.5    291
      192.168.1.0    255.255.255.0         10.8.0.6         10.8.0.5    281
      192.168.1.5  255.255.255.255         On-link       192.168.1.5    291
    192.168.1.255  255.255.255.255         On-link       192.168.1.5    291
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link          10.8.0.5    281
        224.0.0.0        240.0.0.0         On-link       192.168.1.5    291
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link          10.8.0.5    281
  255.255.255.255  255.255.255.255         On-link       192.168.1.5    291
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination                 Gateway
  1    331 ::1/128                             On-link
 14    281 fe80::/64                           On-link
 13    291 fe80::/64                           On-link
 13    291 fe80::1002:e557:a388:1315/128       On-link
 14    281 fe80::641d:f1e3:ff36:891e/128       On-link
  1    331 ff00::/8                            On-link
 14    281 ff00::/8                            On-link
 13    291 ff00::/8                            On-link
===========================================================================
Persistent Routes:
  None

> P.S. You have a .201 alias on the FreeBSD machine. It shouldn't
> interfere but I just wanted to make sure you were aware of it and had a
> reason for it.
>

Yes, it's known and I was wondering if YOU would be wondering about it. I
have a PLEX server running in a jail on the same machine the OpenVPN server
is on, and that is the .201 address. Once I get things working on the
non-jail version, I'll build another jail for the OpenVPN process.

> /Morgan
>

I'll update when I have more info about the router's routing table and the
default gateway.

Thanks,
Phil

> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

From owner-freebsd-pf@freebsd.org Tue Nov 12 09:35:51 2019
From: Morgan Wesström
Date: Tue, 12 Nov 2019 10:35:36 +0100
Subject: Re: Fwd: Fwd: NAT for use with OpenVPN
To: freebsd-pf@freebsd.org
References: <1cebcd5e-d9ed-53db-2d01-c8794933d1c4@pp.dyndns.biz> <80ec074d-7a5d-7016-57e4-f607384d0e20@pp.dyndns.biz> <6bc9b8ce-3ab3-2b57-510d-67ace0a90259@pp.dyndns.biz> <30f8da8a-de96-f737-fef8-820c6ae2ed16@pp.dyndns.biz>
Message-ID: <7f1fcc2d-4833-7fda-c181-a3d15b16f9ee@pp.dyndns.biz>
> Wireless LAN adapter Wi-Fi:
>
> IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)

I think I've spotted the problem. Your laptop is hooked up to your local LAN. The NAT in your router can not normally "wrap around" packets destined to its WAN side and then apply NAT to them, which will be the case when you try to establish the VPN tunnel from within your LAN. This is a classic NAT problem and it has hit many, many people in the past trying to run servers of various kinds on their home LAN and then trying to access them as if they were somewhere on the outside of the router. The result will be... well, unpredictable. :) You need to connect your laptop through its own Internet connection so it has a valid public IP address.
Other than that, everything else looks fine including the routing table.

A small clarification about default gateways. You only have one per machine normally - not one per interface. Your computer knows what subnets and machines are connected to every interface in your computer and will send packets there when appropriate. It's only when it doesn't know where the destination is that it will send it to the default gateway. So one default gateway per machine is the norm.

/Morgan

From owner-freebsd-pf@freebsd.org Tue Nov 12 14:22:07 2019
From: Phil Staub
Date: Tue, 12 Nov 2019 09:21:27 -0500
Subject: Re: Fwd: Fwd: NAT for use with OpenVPN
To: Morgan Wesström
Cc: freebsd-pf@freebsd.org
On Tue, Nov 12, 2019 at 4:35 AM Morgan Wesström <freebsd-database@pp.dyndns.biz> wrote:

> > Wireless LAN adapter Wi-Fi:
> >
> > IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)
>
> I think I've spotted the problem. Your laptop is hooked up to your
> local LAN. The NAT in your router can not normally "wrap around" packets
> destined to its WAN side and then apply NAT to them, which will be the
> case when you try to establish the VPN tunnel from within your LAN. This
> is a classic NAT problem and it has hit many, many people in the past
> trying to run servers of various kinds on their home LAN and then trying
> to access them as if they were somewhere on the outside of the router.
> The result will be...
> well, unpredictable. :) You need to connect your
> laptop through its own Internet connection so it has a valid public IP
> address.
>

I understand what you're saying here. I had hoped this wouldn't be a problem, since I didn't have a problem with the VPN in my old router, though I agree that this is NOT the same configuration.

The problem I have with this explanation is that when I connect to the VPN from my phone with the WiFi turned off, it connects via an outside IP that is NOT my local router. In this case, the ping of 8.8.8.8 still fails.

> Other than that, everything else looks fine including the routing table.
>
> A small clarification about default gateways. You only have one per
> machine normally - not one per interface. Your computer knows what
> subnets and machines are connected to every interface in your computer
> and will send packets there when appropriate. It's only when it doesn't
> know where the destination is it will send it to the default gateway. So
> one default gateway per machine is the norm.
>

OK. I sent a support request to Netgear to ask if it's possible to print the router's routing table. (They had previously confirmed my suspicions about the fact that the VPN keys can't be updated on their "consumer" routers.) We'll see what they say about routing tables, but if it isn't possible, I'm strongly considering re-flashing the firmware to DD-WRT. I believe it has OpenVPN built in that can be configured with your own keys. Still, I would like to see this project through after all the work we have put into it.

I certainly appreciate all your help on this! You have definitely filled in a lot of blanks in my knowledge.
Thanks again,
Phil

From owner-freebsd-pf@freebsd.org Tue Nov 12 15:02:46 2019
From: Morgan Wesström
To: freebsd-pf@freebsd.org
Subject: Re: NAT for use with OpenVPN
Date: Tue, 12 Nov 2019 16:02:40 +0100
Message-ID: <0b13ae53-b211-ad2c-1447-225860f73d3a@pp.dyndns.biz>
> I understand what you're saying here. I had hoped this wouldn't be a
> problem, since I didn't have a problem with the VPN in my old router,
> though I agree that this is NOT the same configuration.

NAT is usually only applied to packets arriving/departing on the physical external interface. When you access your external router IP from your LAN, no packets actually touch the physical interface but are only handled internally in the IP stack. I know there have been some SOHO routers on the market that had a setting to work around this but it violated a bunch of RFCs ofc.
> The problem I have with this explanation is that when I connect to the
> VPN from my phone with the WiFi turned off, it connects via an outside
> IP that is NOT my local router. In this case, the ping of 8.8.8.8 still
> fails.

Ok, this is interesting. If I understood your previous post, from your VPN client you can ping everything on your local LAN up to and including the external IP of your router? This tells me that everything is correctly configured on your LAN, including the routing tables in your Netgear router. If the route was missing there you wouldn't get a reply from the router since it would have no idea where to send packets with a 10.8.0.0/24 destination.

Right now my best guess is that your router only does NAT for the subnet directly attached to its LAN port (192.168.1.0/24) and just lets packets from 10.8.0.0/24 through without modification. Your ISP will promptly drop such packets. The only way to tell is if your router allows monitoring of the packets on its interfaces so we can check what source/destination IP addresses are present in the packets passing through it.

You can verify on the FreeBSD machine that at least those ping packets leave it correctly with a source address of 10.8.0.5 (VPN client IP) and a destination address of 8.8.8.8.

# tcpdump -ni em0 icmp

> I certainly appreciate all your help on this! You have definitely filled in
> a lot of blanks in my knowledge.

You're welcome, Phil. I've been using FreeBSD as my router/firewall for the past 15+ years but my knowledge is limited to things I experience in my own environment so it's not always that easy to help others.

A general suggestion, if you have the time and interest to install and configure FreeBSD, you'd be better off replacing your Netgear router with a FreeBSD machine. The major benefit is that there will always be security updates available whereas Netgear and other SOHO manufacturers will abandon their products after a couple of years.
You will also have all the tools available to monitor and analyse your traffic which will help you with troubleshooting. You also have the flexibility to install any software available for the platform and configure it to your own needs. If the command prompt is scary, there are a few graphical distributions that are based on FreeBSD, like pfSense for example.

/Morgan

From owner-freebsd-pf@freebsd.org Tue Nov 12 20:01:33 2019
From: Morgan Wesström
To: freebsd-pf@freebsd.org
Subject: Re: NAT for use with OpenVPN
Date: Tue, 12 Nov 2019 21:01:25 +0100
> This makes me smile! :-)

Hehe, I didn't intentionally try to insult you. Just wasn't sure of your background. :) Personally I started off with IBM DOS 1.0 in the mid 80s and worked as a PC/network technician for 30 years. I'll never let go of my beloved command prompt.

Back to business though. The more I read on Netgear's community forum, the more posts I find saying that Netgear's stock firmware only does NAT on its own subnet and not on subnets hidden behind other routers. The behaviour you describe is consistent with this information.
If there's a DD-WRT or OpenWRT firmware for your router, that would be a good option. It would provide you with the full functionality you need and you could also run the VPN server on the Netgear router again. As a worst case scenario I guess we could do NAT with pf between 10.8.0.0/24 and 192.168.1.0/24 but that would be an ugly solution.

/Morgan

From owner-freebsd-pf@freebsd.org Tue Nov 12 23:07:11 2019
From: Morgan Wesström
To: freebsd-pf@freebsd.org
Subject: Re: NAT for use with OpenVPN
Date: Wed, 13 Nov 2019 00:06:58 +0100
Message-ID: <8ba7182d-8c4e-e10e-467b-6cf447490151@pp.dyndns.biz>
On 2019-11-12 23:53, Phil Staub wrote:
> New development:
>
> In the process of tracking down installation of the DD-WRT firmware, I
> found out how to get a command line interface to the router. It involves
> sending a special enable packet to the gateway address and then
> telnetting into it.
>
> Though the purpose for doing this was for something else, I figured that
> since the router runs Linux, a shell should get me access to ifconfig
> and netstat. Here's what I get:
>

If it runs on Linux I suppose it uses iptables for firewalling and NAT?
Should be easy to see what the NAT rules look like. Maybe you can simply add a NAT rule for 10.8.0.0/24 if it's missing? Probably won't survive a reboot but as a workaround it might do? I'm no iptables expert (it's black magic compared to pf) but some googling thinks the following command should list the NAT rules:

# iptables -t nat -L

/Morgan

From owner-freebsd-pf@freebsd.org Tue Nov 12 23:43:06 2019
From: Morgan Wesström
To: freebsd-pf@freebsd.org
Subject: Re: NAT for use with OpenVPN
Date: Wed, 13 Nov 2019 00:43:03 +0100
> Something else I just realized: You'll note the route from 10.8.0.0/24
> and 192.168.1.200. That's the static route I added
> from the web interface.. Is that something you think would be needed?

Absolutely. When your VPN clients try to access the Internet, the router will see outgoing packets with a source address of 10.8.0.x (remember the tcpdump?). When the reply comes back it will have a destination address of 10.8.0.x and your router needs to know where to send that packet. Since that subnet isn't connected to any of its interfaces the static route tells the router where to forward the packet, in this case to your FreeBSD machine.
Your FreeBSD machine knows where that subnet is and will deliver the packet to the correct client. If the static route is missing in your router, it will try to forward the packet to its default gateway which is your ISP's upstream router.

> # iptables -t nat -L
>
> The result is not exactly what I had expected:
>
> # iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> #
>
> Looks like there *are* no natting rules. I wonder if they are using
> something other than iptables?

With my limited knowledge of iptables I tend to agree with you on this. Just typical it shouldn't be that easy. However, the iptables command was just picked by me from a google search. It might not be the correct syntax.

Just out of curiosity - is tcpdump part of the Linux dist on that router? If it is we can see what happens to your VPN clients' pings and just confirm that the router doesn't do NAT on them.
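A small model of the forwarding decisions Morgan describes in this thread (the longest-prefix route lookup behind "one default gateway per machine", and why the VPN subnet needs both a static route in the router and a NAT rule covering it), added here as a standalone illustration that is not part of Morgan's reply. Addresses come from the thread; the router's WAN address (203.0.113.25), the ISP gateway (203.0.113.1) and the assumption that the ISP discards packets with RFC 1918 sources are constructed for the model.

```python
"""Model of a SOHO router's route lookup and NAT decision for the OpenVPN
traffic discussed in this thread.  Added example, not code from the thread.

From the thread: LAN 192.168.1.0/24, FreeBSD/OpenVPN box 192.168.1.200,
VPN subnet 10.8.0.0/24, VPN client 10.8.0.5, ping target 8.8.8.8.
Assumed for the model: the router's WAN address, the ISP gateway, and
that the ISP discards packets carrying an RFC 1918 source address.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

LAN = IPv4Network("192.168.1.0/24")
VPN = IPv4Network("10.8.0.0/24")
FREEBSD_BOX = IPv4Address("192.168.1.200")
VPN_CLIENT = IPv4Address("10.8.0.5")
PING_TARGET = IPv4Address("8.8.8.8")
ROUTER_WAN = IPv4Address("203.0.113.25")   # assumed public address (TEST-NET-3)
ISP_GATEWAY = IPv4Address("203.0.113.1")   # assumed upstream hop
RFC1918 = [IPv4Network("10.0.0.0/8"), IPv4Network("172.16.0.0/12"),
           IPv4Network("192.168.0.0/16")]


def is_rfc1918(addr: IPv4Address) -> bool:
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: Optional[IPv4Address]   # None: directly connected ("On-link")
    iface: str


@dataclass
class Router:
    routes: List[Route]
    nat_sources: List[IPv4Network]    # source subnets translated on the WAN side
    wan: str = "wan"

    def lookup(self, dst: IPv4Address) -> Optional[Route]:
        """Longest-prefix match.  0.0.0.0/0 only wins when nothing more
        specific matches, which is why one default gateway per machine is
        enough: connected subnets and static routes always beat it."""
        best = None
        for route in self.routes:
            if dst in route.prefix and (
                    best is None or route.prefix.prefixlen > best.prefix.prefixlen):
                best = route
        return best

    def forward(self, src: IPv4Address,
                dst: IPv4Address) -> Optional[Tuple[str, IPv4Address, IPv4Address]]:
        """Return (egress interface, next hop, source address as it leaves).
        NAT is applied only to packets leaving the WAN interface, and only
        for the source subnets the router is configured to translate."""
        route = self.lookup(dst)
        if route is None:
            return None
        next_hop = route.next_hop if route.next_hop is not None else dst
        egress_src = src
        if route.iface == self.wan and any(src in net for net in self.nat_sources):
            egress_src = ROUTER_WAN
        return route.iface, next_hop, egress_src


def base_routes() -> List[Route]:
    """What the router knows by itself: its connected LAN and the default."""
    return [Route(IPv4Network("0.0.0.0/0"), ISP_GATEWAY, "wan"),
            Route(LAN, None, "lan")]


def static_route() -> Route:
    """The static route Phil added: 10.8.0.0/24 via the FreeBSD box."""
    return Route(VPN, FREEBSD_BOX, "lan")


def trace_ping(router: Router, client: IPv4Address = VPN_CLIENT,
               target: IPv4Address = PING_TARGET) -> str:
    """Follow one ping from the client out through the router and its
    reply back in; return a short verdict string."""
    out = router.forward(client, target)
    if out is None or out[0] != router.wan:
        return "no_route_out"
    if is_rfc1918(out[2]):
        return "dropped_by_isp"          # 10.8.0.x left untranslated
    # The reply is addressed to the WAN address; reverse NAT restores the
    # client address and the router must now find a route for it.
    back = router.lookup(client)
    if back is None or back.iface == router.wan:
        return "reply_lost_to_default_gateway"
    return "ok_via_%s" % (back.next_hop if back.next_hop is not None else client)


if __name__ == "__main__":
    print("stock firmware, static route only:    ",
          trace_ping(Router(base_routes() + [static_route()], [LAN])))
    print("NAT for 10.8.0.0/24 plus static route:",
          trace_ping(Router(base_routes() + [static_route()], [LAN, VPN])))
    # Morgan's fallback: pf on the FreeBSD box translates 10.8.0.0/24 to
    # 192.168.1.200 before the router ever sees the packet.
    print("pf NAT on FreeBSD box, stock router:  ",
          trace_ping(Router(base_routes(), [LAN]), client=FREEBSD_BOX))
```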
/Morgan

From owner-freebsd-pf@freebsd.org Wed Nov 13 08:24:17 2019
From: Morgan Wesström
To: freebsd-pf@freebsd.org
Subject: Re: NAT for use with OpenVPN
Date: Wed, 13 Nov 2019 09:24:08 +0100
On 2019-11-13 01:42, Phil Staub wrote:
> Hey, it's about time something went our way. tcpdump is there. Here's
> what I get:
>
> # tcpdump -ni any icmp
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535
> bytes
>

I can't see in this output which interface each packet was captured on. Instead of "any", use the name of your external WAN interface explicitly. If the pings show up there and still have a source address of 10.8.0.x, then it's our confirmation the router does not NAT for other subnets than its own. It might also be that you don't see any pings at all there in which case your router simply has dropped those packets since private IP addresses should not be routed to the Internet. In either case, we need to figure out how to add a NAT rule for your VPN subnet in that router... if possible.
/Morgan
From: Morgan Wesström
Date: Wed, 13 Nov 2019 16:12:09 +0100
Subject: Re: NAT for use with OpenVPN
To: freebsd-pf@freebsd.org
> # tcpdump -nvvi br0 icmp

eth0 is your external interface so try:

# tcpdump -ni eth0 icmp

Then ping 8.8.8.8 from your VPN client and see what shows up.

br0 is a virtual bridge interface. This is what they use to connect your
internal interface and your wlan interface together (and maybe some more)
so they look like a single entity and one physical network. This way they
can have a single subnet spanning both those interfaces instead of
multiple subnets, which would probably confuse most regular users.
:)

/Morgan
From: Phil Staub
Date: Wed, 13 Nov 2019 10:27:18 -0500
Subject: Re: NAT for use with OpenVPN
To: Morgan Wesström
Cc: freebsd-pf@freebsd.org
On Wed, Nov 13, 2019 at 10:12 AM Morgan Wesström <freebsd-database@pp.dyndns.biz> wrote:
> > # tcpdump -nvvi br0 icmp
>
> eth0 is your external interface so try:
>
> # tcpdump -ni eth0 icmp
>
> Then ping 8.8.8.8 from your VPN client and see what shows up.
>
> br0 is a virtual bridge interface. This is what they use to connect your
> internal interface and your wlan interface together (and maybe some
> more) so they look like a single entity and one physical network. This way
> they can have a single subnet spanning both those interfaces instead of
> multiple subnets, which would probably confuse most regular users.
> :)
>

# tcpdump -nvvi eth0 icmp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:22:29.614953 IP (tos 0x0, ttl 62, id 5638, offset 0, flags [DF], proto ICMP (1), length 84)
    10.8.0.8 > 8.8.8.8: ICMP echo request, id 13, seq 1, length 64
15:22:31.059524 IP (tos 0x0, ttl 62, id 5808, offset 0, flags [DF], proto ICMP (1), length 84)
    10.8.0.8 > 8.8.8.8: ICMP echo request, id 13, seq 2, length 64
15:22:31.733821 IP (tos 0x0, ttl 62, id 6095, offset 0, flags [DF], proto ICMP (1), length 84)
    10.8.0.8 > 8.8.8.8: ICMP echo request, id 13, seq 3, length 64
15:22:32.725210 IP (tos 0x0, ttl 62, id 6162, offset 0, flags [DF], proto ICMP (1), length 84)
    10.8.0.8 > 8.8.8.8: ICMP echo request, id 13, seq 4, length 64
15:22:35.341540 IP (tos 0x0, ttl 62, id 6344, offset 0, flags [DF], proto ICMP (1), length 84)
    10.8.0.8 > 8.8.8.8: ICMP echo request, id 13, seq 5, length 64
^C
5 packets captured
7 packets received by filter
0 packets dropped by kernel

As (I think) you expected, the ping to my public ip (and all the other
devices pinging the router) didn't show up this time.

Are you thinking that the ping should be coming from 192.168.1.200 (my
OpenVPN server machine)? If not, how else would you know whether the
address is being NATed?
Phil

> /Morgan
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From: Morgan Wesström
Date: Wed, 13 Nov 2019 17:03:30 +0100
Subject: Re: NAT for use with OpenVPN
To: freebsd-pf@freebsd.org
> # tcpdump -nvvi eth0 icmp
> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
> 65535 bytes
> 15:22:29.614953 IP (tos 0x0, ttl 62, id 5638, offset 0, flags [DF],
> proto ICMP (1), length 84)
>     10.8.0.8 > 8.8.8.8: ICMP echo request, id 13, seq 1, length 64
>
> Are you thinking that the ping should be coming from 192.168.1.200 (my
> OpenVPN server machine)? If not, how else would you know whether the
> address is being NATed?

The packet is NATed when your Netgear router exchanges the source ip
address 10.8.0.8 with its own public external ip address 67.175.144.37.

If you ping from any machine on your 192.168.1.0/24 subnet you will see
those packets as "67.175.144.37 > 8.8.8.8" on your external interface
regardless of what ip is the source on the LAN.
This is what should've been the case also from 10.8.0.0/24 if the router
was doing its job properly.

If you listen with tcpdump on the internal interface, before NAT takes
place, you will still see the original private ip addresses as source
addresses.

Private ip addresses (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) can't
be routed on the Internet (RFC1918). NAT means that when your router
receives a packet on its internal interface, destined for the Internet,
with one of those private ip addresses in the source field, it exchanges
it with its own external ip before forwarding it to your ISP. It then
keeps a table of what internal ip communicates with what ip on the
Internet. When a reply returns it's matched against this table and if the
router finds that this packet is meant for a computer on your LAN it will
now reverse the NAT procedure and exchange its external ip (which is now
the destination address) with the correct internal ip and put the packet
on your LAN.

The reason you can't see pings from your internal ips to your external ip
on the external interface is simply because those packets are never
actually put on that interface physically. When those pings reach the
internal interface, the ip stack in the router realizes that the ping is
meant for itself and immediately responds on the internal interface.
tcpdump listens to what's actually put on the physical interface and won't
see those packets while listening on eth0. Everything you have shown me so
far is consistent with our suspicion that the Netgear router only provides
NAT for 192.168.1.0/24.

I have only rudimentary knowledge of iptables but I'm convinced your
problem will be solved if you can find a way to add a NAT rule for
10.8.0.0/24 or better yet, for any subnet existing on your LAN.
/Morgan
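The source NAT behaviour Morgan describes (rewrite the private source address, remember the mapping, reverse it on the reply) as a small Python model. This is an added example for the thread, not code from any of the participants or from the Netgear firmware; the class and function names are the example's own, and 203.0.113.1 is a constructed stand-in for the router's public address. It goes one step beyond the thread by comparing a NAT policy limited to 192.168.1.0/24 (the suspected router behaviour) with one covering all RFC 1918 space, and by showing what a real NAT does when two inside hosts collide on the same ICMP id.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# RFC 1918 space: the "any subnet existing on your LAN" policy suggested in the thread.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "icmp"
    ident: int = 0  # ICMP echo id, or the L4 source port for TCP/UDP


class SourceNat:
    """Minimal model of the source NAT a home router performs on its WAN port (example's own)."""

    def __init__(self, external_ip, nat_subnets):
        self.external_ip = external_ip
        self.nat_subnets = [ip_network(n) for n in nat_subnets]
        # (remote ip, outside ident) -> (inside ip, inside ident)
        self.table = {}

    def outbound(self, pkt):
        """Packet received on the LAN side and about to leave the WAN port."""
        if not any(ip_address(pkt.src) in net for net in self.nat_subnets):
            # Not covered by the NAT policy: the packet leaves with its private
            # source address intact, which is what tcpdump on eth0 showed for
            # 10.8.0.8 (the ISP then discards it, so no reply ever comes back).
            return pkt
        ident = pkt.ident
        # Two inside hosts may use the same id/port towards the same remote host;
        # a real NAT then allocates a fresh outside id so replies stay distinguishable.
        while (pkt.dst, ident) in self.table and self.table[(pkt.dst, ident)] != (pkt.src, pkt.ident):
            ident += 1
        self.table[(pkt.dst, ident)] = (pkt.src, pkt.ident)
        return replace(pkt, src=self.external_ip, ident=ident)

    def inbound(self, pkt):
        """Reply received on the WAN port; returns the packet for the LAN, or None if dropped."""
        if pkt.dst != self.external_ip:
            return None
        entry = self.table.get((pkt.src, pkt.ident))
        if entry is None:
            return None  # no state for it: unsolicited traffic is dropped
        inside_ip, inside_ident = entry
        return replace(pkt, dst=inside_ip, ident=inside_ident)


def tcpdump_line(pkt):
    """What `tcpdump -n icmp` on the capturing interface would print for pkt."""
    return f"{pkt.src} > {pkt.dst}: ICMP echo request, id {pkt.ident}"


def wan_view(router, pkt):
    """Source address seen on the WAN interface after the router has processed pkt."""
    return router.outbound(pkt).src


if __name__ == "__main__":
    public_ip = "203.0.113.1"  # constructed stand-in for the router's public address
    echo_from_vpn = Packet("10.8.0.8", "8.8.8.8", "icmp", 13)

    narrow = SourceNat(public_ip, ["192.168.1.0/24"])  # the suspected Netgear behaviour
    wide = SourceNat(public_ip, RFC1918)                # NAT for any LAN subnet

    print("narrow policy:", tcpdump_line(narrow.outbound(echo_from_vpn)))
    print("wide policy:  ", tcpdump_line(wide.outbound(echo_from_vpn)))
    print("reply to LAN: ", wide.inbound(Packet("8.8.8.8", public_ip, "icmp", 13)))
```

With the narrow policy the VPN client's echo request leaves as `10.8.0.8 > 8.8.8.8`, exactly the capture in the thread; with the wide policy it leaves from the public address and the reply is mapped back to 10.8.0.8. A reply for which no table entry exists is dropped, which is the same state-tracking that makes a NAT router reject unsolicited inbound packets.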
From: Phil Staub
Date: Wed, 13 Nov 2019 15:45:20 -0500
Subject: Re: NAT for use with OpenVPN
To: Morgan Wesström
Cc: freebsd-pf@freebsd.org
I believe I'm getting close.

I found a tutorial at

https://www.howtoforge.com/nat_iptables

... that identifies a couple of rules to enable IP Forwarding and Masquerading:

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT

This results in the following:

# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
GUSTER     tcp  --  anywhere             anywhere             tcp dpt:80
GUSTER     tcp  --  anywhere             anywhere             tcp dpt:443
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain GUSTER (2 references)
target     prot opt source               destination
#

I'm not sure about the ACCEPT rule. I think it might be too general, but
I'll do some more research on that.

I am now able to ping 8.8.8.8 from my phone, and I used 'whatismyip.com'
to verify that it sees my router's public IP address.

I also have a handle on where to put this so that it survives a router reboot.

One of the comments in another tutorial I was reading says that the
MASQUERADE rule is resource intensive, but if I understand it correctly,
the only alternative would be to put a specific rule in place for each
client.
I don't think I want to do that.

Comments?

Phil

On Wed, Nov 13, 2019 at 11:03 AM Morgan Wesström <freebsd-database@pp.dyndns.biz> wrote:
> > # tcpdump -nvvi eth0 icmp
> > tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
> > 65535 bytes
> > 15:22:29.614953 IP (tos 0x0, ttl 62, id 5638, offset 0, flags [DF],
> > proto ICMP (1), length 84)
> >     10.8.0.8 > 8.8.8.8: ICMP echo request, id 13, seq 1, length 64
> > Are you thinking that the ping should be coming from 192.168.1.200 (my
> > OpenVPN server machine)? If not, how else would you know whether the
> > address is being NATed?
>
> The packet is NATed when your Netgear router exchanges the source ip
> address 10.8.0.8 with its own public external ip address 67.175.144.37.
>
> If you ping from any machine on your 192.168.1.0/24 subnet you will see
> those packets as "67.175.144.37 > 8.8.8.8" on your external interface
> regardless of what ip is the source on the LAN. This is what should've
> been the case also from 10.8.0.0/24 if the router was doing its job
> properly.
>
> If you listen with tcpdump on the internal interface, before NAT takes
> place, you will still see the original private ip addresses as source
> addresses.
>
> Private ip addresses (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16)
> can't be routed on the Internet (RFC1918). NAT means that when your
> router receives a packet on its internal interface, destined for the
> Internet, with one of those private ip addresses in the source field, it
> exchanges it with its own external ip before forwarding it to your ISP.
> It then keeps a table of what internal ip communicates with what ip on
> the Internet. When a reply returns it's matched against this table and
> if the router finds that this packet is meant for a computer on your LAN
> it will now reverse the NAT procedure and exchange its external ip
> (which is now the destination address) with the correct internal ip and
> put the packet on your LAN.
>
> The reason you can't see pings from your internal ips to your external
> ip on the external interface is simply because those packets are never
> actually put on that interface physically. When those pings reach the
> internal interface, the ip stack in the router realizes that the ping is
> meant for itself and immediately responds on the internal interface.
> tcpdump listens to what's actually put on the physical interface and
> won't see those packets while listening on eth0. Everything you have
> shown me so far is consistent with our suspicion that the Netgear router
> only provides NAT for 192.168.1.0/24.
>
> I have only rudimentary knowledge of iptables but I'm convinced your
> problem will be solved if you can find a way to add a NAT rule for
> 10.8.0.0/24 or better yet, for any subnet existing on your LAN.
>
> /Morgan
From: Phil Staub
Date: Wed, 13 Nov 2019 16:11:50 -0500
Subject: Re: NAT for use with OpenVPN
To: Morgan Wesström
Cc: freebsd-pf@freebsd.org
header.d=staub-us.20150623.gappssmtp.com header.s=20150623 header.b=Qb7qYaNX; dmarc=none; spf=pass (mx1.freebsd.org: domain of pestaub@gmail.com designates 2607:f8b0:4864:20::a33 as permitted sender) smtp.mailfrom=pestaub@gmail.com X-Spamd-Result: default: False [-3.94 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; R_DKIM_ALLOW(-0.20)[staub-us.20150623.gappssmtp.com:s=20150623]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-pf@freebsd.org]; DMARC_NA(0.00)[staub.us]; URI_COUNT_ODD(1.00)[9]; TO_MATCH_ENVRCPT_SOME(0.00)[]; DKIM_TRACE(0.00)[staub-us.20150623.gappssmtp.com:+]; RCPT_COUNT_TWO(0.00)[2]; RCVD_IN_DNSWL_NONE(0.00)[3.3.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.b.8.f.7.0.6.2.list.dnswl.org : 127.0.5.0]; IP_SCORE(-2.74)[ip: (-9.34), ipnet: 2607:f8b0::/32(-2.33), asn: 15169(-1.99), country: US(-0.05)]; FORGED_SENDER(0.30)[phil@staub.us,pestaub@gmail.com]; MIME_TRACE(0.00)[0:+,1:+,2:~]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; FROM_NEQ_ENVFROM(0.00)[phil@staub.us,pestaub@gmail.com]; RCVD_TLS_ALL(0.00)[]; RCVD_COUNT_TWO(0.00)[2] Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.29 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Nov 2019 21:12:30 -0000 On Wed, Nov 13, 2019 at 3:45 PM Phil Staub wrote: > I believe I'm getting close. > > I found a tutorial at > > https://www.howtoforge.com/nat_iptables > > ... 
that gives identifies a couple rules to enable IP Forwarding and > Masquerading: > > iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE > iptables --append FORWARD --in-interface eth1 -j ACCEPT > > This results in the following: > > # iptables -t nat -L > Chain PREROUTING (policy ACCEPT) > target prot opt source destination > > Chain INPUT (policy ACCEPT) > target prot opt source destination > > Chain OUTPUT (policy ACCEPT) > target prot opt source destination > > Chain POSTROUTING (policy ACCEPT) > target prot opt source destination > MASQUERADE all -- anywhere anywhere > # iptables -L > Chain INPUT (policy ACCEPT) > target prot opt source destination > > Chain FORWARD (policy ACCEPT) > target prot opt source destination > GUSTER tcp -- anywhere anywhere tcp dpt:80 > GUSTER tcp -- anywhere anywhere tcp dpt:443 > ACCEPT all -- anywhere anywhere > > Chain OUTPUT (policy ACCEPT) > target prot opt source destination > > Chain GUSTER (2 references) > target prot opt source destination > # > > I'm not sure about the ACCEPT rule. I think it might be too general, but I'll do some more research on that. > > I am now able to ping 8.8.8.8 from my phone, and I used 'whatismyip.com' to verify that it sees my router's public IP address. > > I also have a handle on where to put this so that it survives a router reboot. > > One of the comments in another tutorial I was reading says that the MASQUERADE rule is resource intensive, but if I understand it correctly, the only alternative would be to put a specific rule in place for each client. I don't think I want to do that > > Comments? > > Phil > > > Update: I don't thnk the second rule (--append FORWARD) is necessary. I removed that rule and the client phone can still access the internet via my router's IP (as indicated by 'whatismyip.com"). Also, I re-read the part about MASQUERADE and found out that it can be replaced by SNAT if the public address is static. In my case, that's not true. 
It has changed several times as my ISP makes changes to the system, or
when we have an outage. So I'm going to see if I can add this rule to the
startup and get it to persist over a reboot.

Phil

From: Morgan Wesström
Date: Wed, 13 Nov 2019 22:13:23 +0100
Subject: Re: NAT for use with OpenVPN
To: freebsd-pf@freebsd.org

> iptables --table nat --append POSTROUTING --out-interface eth0 -j
> MASQUERADE

As I understand iptables, this is the normal/only way to provide NAT for
any subnet.

> One of the comments in another tutorial I was reading says that the
> MASQUERADE rule is resource intensive, but if I understand it correctly,
> the only alternative would be to put a specific rule in place for each
> client. I don't think I want to do that

I wonder what their reference was. When you're using iptables you only
have MASQUERADE to choose from. Even my 20 year old Netgear RT-314 did
NAT without problems...

> Comments?
Well, I am concerned we couldn't identify what mechanism was responsible
for the already working NAT for 192.168.1.0/24. We wouldn't want to end
up with two competing mechanisms activated at the same time and the rule
you added will provide NAT for 10.8.0.0/24 as well as 192.168.1.0/24 -
the latter which was already working.

There should be init scripts on that router to start all services. Maybe
they can give a clue on what's going on and how Netgear chooses to
activate their services.

Whatever you do, just verify that the router's admin interface is not
accessible from the Internet after you've added your rules!

/Morgan

From: Phil Staub
Date: Wed, 13 Nov 2019 16:31:00 -0500
Subject: Re: NAT for use with OpenVPN
To: Morgan Wesström
Cc: freebsd-pf@freebsd.org

On Wed, Nov 13, 2019 at 4:13 PM Morgan Wesström <freebsd-database@pp.dyndns.biz> wrote:

> > iptables --table nat --append POSTROUTING --out-interface eth0 -j
> > MASQUERADE
>
> As I understand iptables, this is the normal/only way to provide NAT for
> any subnet.
>
> > One of the comments in another tutorial I was reading says that the
> > MASQUERADE rule is resource intensive, but if I understand it correctly,
> > the only alternative would be to put a specific rule in place for each
> > client. I don't think I want to do that
>
> I wonder what their reference was. When you're using iptables you only
> have MASQUERADE to choose from. Even my 20 year old Netgear RT-314 did
> NAT without problems...

See my follow up message. It's the SNAT directive. The tutorial I was
looking at was

https://www.karlrupp.net/en/computer/nat_tutorial

> > Comments?
>
> Well, I am concerned we couldn't identify what mechanism was responsible
> for the already working NAT for 192.168.1.0/24. We wouldn't want to end
> up with two competing mechanisms activated at the same time and the rule
> you added will provide NAT for 10.8.0.0/24 as well as 192.168.1.0/24 -
> the latter which was already working.

True enough.

> There should be init scripts on that router to start all services. Maybe
> they can give a clue on what's going on and how Netgear chooses to
> activate their services.

This thing seems to have a very convoluted startup. Not at all like most
Linux systems I've seen. The file I found where they had added some rules
was definitely not where I expected it to be, and there are no MASQUERADE
commands in it.

> Whatever you do, just verify that the router's admin interface is not
> accessible from the Internet after you've added your rules!

Definitely. I assume the way to test that would be to attempt to access
my router from the outside the same way I would when I log in from the
inside.
Phil

> /Morgan

From: Morgan Wesström
Date: Wed, 13 Nov 2019 23:37:23 +0100
Subject: Re: NAT for use with OpenVPN
To: freebsd-pf@freebsd.org

> See my follow up message. It's the SNAT directive. The tutorial I was
> looking at was
>
> https://www.karlrupp.net/en/computer/nat_tutorial

Well, I'm too inexperienced with iptables to give you any advice here
unfortunately.

> Definitely. I assume the way to test that would be to attempt to access
> my router from the outside the same way I would when I log in from the
> inside.

Yes, connect your phone with mobile data only (no WiFi) and no VPN and
you can try to browse to the admin interface on your external ip. For a
more thorough test you could install Termux which will give you a Linux
terminal in your phone. It comes with a built-in package manager so you
can install your favourite Linux tools. You can use it to install nmap
which is the de facto port scanning tool to use. The man page will give
you some examples of the syntax and it will scan for open ports.
It should only find your 1194 port used by OpenVPN.

/Morgan

From: Phil Staub
Date: Wed, 13 Nov 2019 18:19:47 -0500
Subject: Re: NAT for use with OpenVPN
To: Morgan Wesström
Cc: freebsd-pf@freebsd.org

On Wed, Nov 13, 2019 at 5:37 PM Morgan Wesström <freebsd-database@pp.dyndns.biz> wrote:

> > See my follow up message. It's the SNAT directive. The tutorial I was
> > looking at was
> >
> > https://www.karlrupp.net/en/computer/nat_tutorial
>
> Well, I'm too inexperienced with iptables to give you any advice here
> unfortunately.
>
> > Definitely. I assume the way to test that would be to attempt to access
> > my router from the outside the same way I would when I log in from the
> > inside.
>
> Yes, connect your phone with mobile data only (no WiFi) and no VPN and
> you can try to browse to the admin interface on your external ip.

It never connects. The connection times out.

> For a more thorough test you could install Termux which will give you a
> Linux terminal in your phone. It comes with a built-in package manager so
> you can install your favourite Linux tools. You can use it to install
> nmap which is the de facto port scanning tool to use. The man page will
> give you some examples of the syntax and it will scan for open ports. It
> should only find your 1194 port used by OpenVPN.

I have been using a different terminal emulator, but I like Termux. I
couldn't figure out how to do ctrl characters with the one I was using.

nmap reports only one port open: 1720!
I don't know what that's all about, but another port scanner I have been
using didn't find that port open.

Anyway, I'm going to be taking my laptop outside my home WiFi this
evening and I'll see if I can get into my local network with the OpenVPN
client.

Phil

> /Morgan

From: Phil Staub
Date: Wed, 13 Nov 2019 18:53:39 -0500
Subject: Re: NAT for use with OpenVPN
To: Morgan Wesström
Cc: freebsd-pf@freebsd.org

On Wed, Nov 13, 2019 at 6:19 PM Phil Staub wrote:
> On Wed, Nov 13, 2019 at 5:37 PM Morgan Wesström <freebsd-database@pp.dyndns.biz> wrote:
>
>> > See my follow up message. It's the SNAT directive. The tutorial I was
>> > looking at was
>> >
>> > https://www.karlrupp.net/en/computer/nat_tutorial
>>
>> Well, I'm too inexperienced with iptables to give you any advice here
>> unfortunately.
>>
>> > Definitely. I assume the way to test that would be to attempt to access
>> > my router from the outside the same way I would when I log in from the
>> > inside.
>>
>> Yes, connect your phone with mobile data only (no WiFi) and no VPN and
>> you can try to browse to the admin interface on your external ip.
>
> It never connects. The connection times out.
>
>> For a more thorough test you could install Termux which will give you a
>> Linux terminal in your phone. It comes with a built-in package manager so
>> you can install your favourite Linux tools. You can use it to install
>> nmap which is the de facto port scanning tool to use. The man page will
>> give you some examples of the syntax and it will scan for open ports. It
>> should only find your 1194 port used by OpenVPN.
>
> I have been using a different terminal emulator, but I like Termux. I
> couldn't figure out how to do ctrl characters with the one I was using.
>
> nmap reports only one port open: 1720! I don't know what that's all about,
> but another port scanner I have been using didn't find that port open.
>
> Anyway, I'm going to be taking my laptop outside my home WiFi this evening
> and I'll see if I can get into my local network with the OpenVPN client.
>
> Phil

I have a suspicion that the "standard" NAT for this box is being performed
within a bitdefender package. I found a bitdefender.tar file, and within
that file is some code that initializes an iptables chain called GUSTER. I
haven't had time to study it much yet, but I'll probably be working on it
tomorrow. Just wanted to share this with you this evening in case you might
have some thoughts or maybe have heard what the bitdefender capabilities
are.

Phil

>> /Morgan
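Editor's added example, not part of the thread and not code from either participant: a small Python audit of an iptables-save dump that mechanically checks the three points raised above. Morgan's concern that `-j MASQUERADE` with no `-s` match translates 192.168.1.0/24 as well as 10.8.0.0/24 (and could overlap whatever mechanism already does NAT for the LAN); Phil's observation that removing the FORWARD rule changed nothing, which follows from the FORWARD chain's ACCEPT policy; and Morgan's warning about the admin interface, which the filter table as posted does nothing to address (INPUT policy ACCEPT, no rules). `POSTED_RULES` is constructed from the rules Phil posted, rendered in iptables-save form, which shows the `-i eth1` match that plain `iptables -L` hides (`iptables -L -v` would show it). `HARDENED_RULES`, the interface name `tun0`, `eth1` as the LAN side, and OpenVPN on 1194/udp are assumptions. The check is static: only the outside scan Morgan describes confirms what is actually reachable, and a port that one scanner reports and another does not (the 1720 seen here) is worth re-checking from a second network before drawing a conclusion.

```python
import ipaddress
import itertools
import shlex
from dataclasses import dataclass, field

WAN_IFACE = "eth0"  # assumption: eth0 faces the Internet, as in the thread

# Constructed sample in iptables-save form, built from the rules Phil posted
# (plain `iptables -L` hides the -i eth1 match; `iptables -L -v` shows it).
POSTED_RULES = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:GUSTER - [0:0]
-A FORWARD -p tcp -m tcp --dport 80 -j GUSTER
-A FORWARD -p tcp -m tcp --dport 443 -j GUSTER
-A FORWARD -i eth1 -j ACCEPT
COMMIT
"""

# Constructed hardened variant; tun0, eth1 as the LAN and 1194/udp are assumptions.
HARDENED_RULES = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i tun0 -s 10.8.0.0/24 -o eth0 -j ACCEPT
-A FORWARD -i eth1 -s 192.168.1.0/24 -o eth0 -j ACCEPT
COMMIT
"""

@dataclass
class Rule:
    table: str
    chain: str
    opts: dict = field(default_factory=dict)  # option -> value, e.g. {"-o": "eth0", "-j": "MASQUERADE"}

def parse_iptables_save(text):
    """Tables, chain policies and -A rules whose options each take one value."""
    policies, rules, table = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A "):
            toks = shlex.split(line)
            rules.append(Rule(table, toks[1], dict(zip(toks[2::2], toks[3::2]))))
    return policies, rules

def nets_overlap(a, b):
    """A rule without -s (None) matches every source, so it overlaps anything."""
    if a is None or b is None:
        return True
    return ipaddress.ip_network(a, strict=False).overlaps(ipaddress.ip_network(b, strict=False))

def nat_rule(subnet, out_iface, static_ip=None):
    """Scoped POSTROUTING rule: SNAT for a fixed public address, MASQUERADE for one that changes."""
    target = f"SNAT --to-source {static_ip}" if static_ip else "MASQUERADE"
    return f"-A POSTROUTING -s {subnet} -o {out_iface} -j {target}"

def audit(policies, rules, wan=WAN_IFACE):
    """Return (code, message) findings; an empty list means nothing was flagged."""
    found = []
    nat = [r for r in rules if (r.table, r.chain) == ("nat", "POSTROUTING")
           and r.opts.get("-j") in ("MASQUERADE", "SNAT")]
    for r in nat:  # Morgan's point: an unscoped rule also translates 192.168.1.0/24
        if "-s" not in r.opts:
            found.append(("NAT_UNSCOPED", f"{r.opts['-j']} via {r.opts.get('-o', 'any')} has no -s match"))
    for a, b in itertools.combinations(nat, 2):
        if a.opts.get("-o") == b.opts.get("-o") and nets_overlap(a.opts.get("-s"), b.opts.get("-s")):
            found.append(("NAT_OVERLAP", "two NAT rules on the same interface cover the same sources"))
    if policies.get(("filter", "FORWARD")) == "ACCEPT":  # why removing the eth1 rule changed nothing
        found.append(("FORWARD_POLICY_ACCEPT", "anything routable is forwarded without an explicit rule"))
    for r in rules:
        if ((r.table, r.chain) == ("filter", "FORWARD") and r.opts.get("-j") == "ACCEPT"
                and not any(k in r.opts for k in ("-i", "-o", "-s", "-d", "--ctstate"))):
            found.append(("FORWARD_ACCEPT_ALL", "FORWARD ACCEPT with no interface, address or state match"))
    wan_blocked = any((r.table, r.chain) == ("filter", "INPUT") and r.opts.get("-j") in ("DROP", "REJECT")
                      and r.opts.get("-i", wan) == wan for r in rules)
    if policies.get(("filter", "INPUT")) == "ACCEPT" and not wan_blocked:
        found.append(("ADMIN_UNFILTERED", f"INPUT policy ACCEPT and nothing drops on {wan}; filter table does not keep the admin UI off the Internet"))
    return found

if __name__ == "__main__":  # stand-alone run: findings for the posted rules, then the hardened set
    for name, dump in (("posted", POSTED_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit(*parse_iptables_save(dump)) or "no findings")
```

On the MASQUERADE versus SNAT question raised in the thread: both are source NAT in the POSTROUTING chain. SNAT needs the public address written into the rule (`--to-source`), so it only suits a static address; MASQUERADE looks up the outgoing interface's current address for each new connection and drops its conntrack entries when that interface goes down, which is the "resource intensive" part the tutorial refers to and is exactly the behaviour wanted when the ISP changes the address. Either way, adding `-s 10.8.0.0/24` keeps the new rule from also claiming the LAN subnet whose NAT the box was already doing by some other means.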