From owner-freebsd-pf@freebsd.org Tue Mar 17 13:22:34 2020
From: Cristian Cardoso
Date: Tue, 17 Mar 2020 10:22:18 -0300
Subject: Re: PF + IPsec
To: Artem Viklenko
Cc: freebsd-pf@freebsd.org
In-Reply-To: <59961b63-a5b8-e0e6-55de-76ab9c43763c@viklenko.net>
References: <4c936163-f77b-3fe1-56be-8f6967add0ef@viklenko.net> <59961b63-a5b8-e0e6-55de-76ab9c43763c@viklenko.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

I tried it first the way you said, but it doesn't work: it returned the
"TTL expired in transit" message when I try to run ICMP from a host that
is on a network outside the FreeBSD box, in my test with the nat rule on
enc0 only.

Running tests from a host on another network, for example on the
10.7.8.0/24 network, the path is this:

  10.7.8.243 -> 172.0.10.11 -> 10.19.12.251 -> vpn tunnel

Without the nat rule on the xn0 interface, no echo reply occurs inside
the VPN tunnel. With the nat rule on the xn0 interface, the echo reply
occurs on the enc0 interface, but the packet is only returned to
10.19.12.251; it does not come back out to the networks outside the
FreeBSD /24.

In the FreeBSD route table, the tunnel is configured this way by
strongswan:

  10.31.32.67/32     10.19.12.251     UGS     xn0

Thanks for the help =)

On Tue, 17 Mar 2020 at 09:54, Artem Viklenko wrote:
>
> You don't need rdr
>
> nat on enc0 inet from 10.0.0.0/8 to 10.31.32.0/24 -> 10.19.12.251
>
>
> On 17.03.20 14:35, Cristian Cardoso wrote:
> > I tried as follows without success:
> >
> > rdr on xn0 inet proto icmp from 10.31.32.67 to 10.0.0.0/8 -> 10.19.12.251
> > nat on xn0 inet proto icmp from 10.0.0.0/8 to 10.31.32.67/32 -> 10.19.12.251
> > rdr on enc0 inet proto icmp from 10.31.32.67 to 10.0.0.0/8 -> 10.19.12.251
> > nat on enc0 inet proto icmp from 10.0.0.0/8 to 10.31.32.67 -> 10.19.12.251
> >
> > xn0 is my interface that goes to the internal network beyond the
> > FreeBSD box, and enc0 is the VPN one; I only put in the icmp protocol
> > for testing.
> > I checked with tcpdump on the enc0 interface: the echo request and
> > echo reply occur there, but it does not return to the PC that ran
> > ICMP on another network within 10.0.0.0/8.
> >
> > Any suggestion?
> >
> > On Tue, 17 Mar 2020 at 02:48, Artem Viklenko wrote:
> >>
> >> Hi!
> >>
> >> PF does NAT on outbound and RDR on inbound.
> >> You can try to do NAT on the enc0 interface instead of the LAN.
> >>
> >>
> >> On 17.03.20 04:28, Cristian Cardoso wrote:
> >>> Hello
> >>> I'm setting up a FreeBSD server for IPsec VPN communication with
> >>> strongswan and I'm having some difficulties in the operation.
> >>>
> >>> The FreeBSD server's local network is 10.19.12.0/24 and can connect
> >>> correctly to the network on the other side of the tunnel.
> >>>
> >>> I would like another network behind my server to connect to the
> >>> tunnel as well.
> >>>
> >>> In Linux I would NAT the network that is arriving as follows:
> >>> iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -d 10.31.32.0/24 -j SNAT --to-source 10.19.12.251
> >>>
> >>> In FreeBSD I tried to run the rule as follows, but to no avail:
> >>> nat on $LAN inet from 10.0.0.0/8 to 10.31.32.0/24 -> 10.19.12.251
> >>>
> >>> Is there any other way to generate the equivalent of POSTROUTING in
> >>> FreeBSD?
> >>>
> >>> Best Regards
> >>> _______________________________________________
> >>> freebsd-pf@freebsd.org mailing list
> >>> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> >>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
> >>>
> >>
> >> --
> >> Regards!
> >
> >
>
> --
> Regards!
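The suggestion made in the thread (source NAT applied on enc0, the enc(4) interface where pf sees IPsec traffic in cleartext, rather than on the LAN interface) collected into one pf.conf fragment. This is an added example; it is not the configuration of anyone in the thread and not strongSwan's or FreeBSD's own documentation. The addresses are the thread's (10.19.12.0/24 as the subnet negotiated in the IPsec policy, 10.19.12.251 as the gateway address inside it, 10.31.32.0/24 behind the peer, 10.0.0.0/8 as the summary of the other internal networks); the external interface name, the peer address (documentation range) and the default-deny filter rules are assumptions about the rest of the ruleset.

```pf
# Added example, not the thread's configuration: pf.conf fragment for a
# FreeBSD/strongSwan gateway that source-NATs other internal networks into
# the tunnel. Addresses come from the thread; the external interface, the
# peer address (documentation range) and the default deny are assumptions.

ext_if      = "xn1"             # assumption: interface facing the IPsec peer
lan_if      = "xn0"             # interface towards the internal networks (thread)
peer_ip     = "203.0.113.10"    # assumption: IPsec peer's public address
local_net   = "10.19.12.0/24"   # subnet negotiated in the IPsec policy (thread)
tunnel_gw   = "10.19.12.251"    # gateway's address inside that subnet (thread)
remote_net  = "10.31.32.0/24"   # subnet behind the peer (thread)
inside_nets = "10.0.0.0/8"      # all networks behind this gateway (thread)

set skip on lo0
# Do not "set skip on enc0": enc(4) is the only place pf can still filter
# the decrypted traffic, so skipping it would trust anything the peer sends.

# --- translation (pf.conf requires these before the filter rules) ---------
# Hosts in the negotiated subnet already match the IPsec policy; keep their
# real source addresses so the far side still sees per-host addresses.
no nat on enc0 inet from $local_net to $remote_net
# Everything else behind the gateway is hidden behind $tunnel_gw, an address
# the policy covers. nat acts on the outbound side of the interface; no rdr
# is needed for the replies, pf reverses the translation from its state.
nat on enc0 inet from $inside_nets to $remote_net -> $tunnel_gw

# --- filtering -------------------------------------------------------------
block log all                   # assumption: the ruleset is default deny

# IKE (UDP 500, and 4500 for NAT-T) and ESP, only to and from the one peer.
pass in  quick on $ext_if inet proto udp from $peer_ip to ($ext_if) port { 500, 4500 }
pass out quick on $ext_if inet proto udp from ($ext_if) to $peer_ip port { 500, 4500 }
pass in  quick on $ext_if inet proto esp from $peer_ip to ($ext_if)
pass out quick on $ext_if inet proto esp from ($ext_if) to $peer_ip

# Traffic from the internal networks heading for the tunnel. The state
# created here also carries the reply back out $lan_if.
pass in on $lan_if inet from $inside_nets to $remote_net keep state

# Cleartext on enc0. Filter rules see post-translation addresses, so the
# outbound source is a $local_net host or $tunnel_gw (which is inside it).
pass out on enc0 inet from $local_net to $remote_net keep state
# Peer-initiated traffic may reach only the negotiated subnet; the NATed
# networks are not addressable from the far side at all.
pass in  on enc0 inet from $remote_net to $local_net keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` and load it with `pfctl -f /etc/pf.conf`. Then, while a host in 10.7.8.0/24 pings 10.31.32.67, `pfctl -s state | grep 10.31.32.67` should show a state on enc0 with 10.19.12.251 as the translated source, and `tcpdump -ni enc0 icmp` should show the echo request leaving from 10.19.12.251 and the reply coming back to it. Two caveats a practitioner will want. First, policy-based IPsec encrypts only packets that match an installed SPD selector: with the thread's selectors a packet still sourced from 10.7.8.243 matches none and would be forwarded as plain IP instead of entering the tunnel, so the translation has to be in effect by the time the policy lookup happens. `setkey -DP` prints the installed selectors, and `sysctl net.enc.out.ipsec_filter_mask net.enc.in.ipsec_filter_mask` shows whether pf filters enc0 before or after IPsec processing (see enc(4)). Second, the NAT-free alternative is to widen the local traffic selector in strongSwan (`leftsubnet` in ipsec.conf, `local_ts` in swanctl.conf) to cover the extra networks; the peer must accept that selector, but then these nat rules are unnecessary and the far side sees real source addresses.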