Date: Wed, 5 Dec 2012 21:15:50 -0500
From: Peter McAlpine <peter@aoeu.ca>
To: Ermal Luçi <eri@freebsd.org>
Cc: fox@verio.net, "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: Re: Routing return NAT traffic based on interface
Message-ID: <CAEDV4ypCtz5cVKkJ=OQ-9heGZwM-mDPaZ1UBhvunCqN7GojGWA@mail.gmail.com>
In-Reply-To: <CAPBZQG1gfavmpUMQpHjX1ZUn_U0sB_3VEbpqtSsK_Z_8008XdQ@mail.gmail.com>
References: <CAEDV4ypAo21-4KYws0LTxC+XSNNtSmWvMpvFGro6BqNH2z==Wg@mail.gmail.com>
 <CAFpgnrO3o1==XtxDK__KmEhX1C947DHhj5N_NptKomFBba3fzQ@mail.gmail.com>
 <CAEDV4ypG9vA4iDVkHD2gSJ3J81DNSMjjoU2_98Jd-2V=nXHz7g@mail.gmail.com>
 <CAFpgnrO9r_L1syR4STqvNJHTQ2cCFo6U711JNc_Uu-_eEkTQfg@mail.gmail.com>
 <CAFpgnrN4UWHrkS1sGAqy6jf4vL+Xi9b+oCfbZEF_T=xWt-D6tQ@mail.gmail.com>
 <20121119235601.GK2692@verio.net>
 <CAFpgnrPo8Nx8AT8PujqNXsKk3UUTB5hZWyBATX-m9oZ1rWQY1A@mail.gmail.com>
 <CAEDV4yqZgbxhACTZtv6CpF8zFDhE7YSFJaw3FHvtirvnzJNvhA@mail.gmail.com>
 <CAPBZQG1gfavmpUMQpHjX1ZUn_U0sB_3VEbpqtSsK_Z_8008XdQ@mail.gmail.com>
Ermal this looks to be working perfectly. Thank you so much!

-Peter

On Wed, Dec 5, 2012 at 10:21 AM, Ermal Luçi <eri@freebsd.org> wrote:
>
>
> On Wed, Dec 5, 2012 at 3:51 PM, Peter McAlpine <peter@aoeu.ca> wrote:
>
>> First off, thanks for all the suggestions from both of you. My email
>> filters were messed up causing me to miss your replies.
>>
>> On 19 November 2012 18:56, David DeSimone <fox@verio.net> wrote:
>> > If I understand the poster's problem, it is that there could be whole
>> > worlds of other networks behind $int_if, and he is not able to predict
>> > what IP addresses should be used to match that traffic; in fact, it is
>> > merely the fact that the traffic is arriving on $int_if that indicates
>> > it should be NAT'd.
>> ^^ this is the problem exactly.
>>
>> Here's the config I have:
>> tun_if = "tap3"
>> ext_if = "xn0"
>> set skip on lo
>> nat on $ext_if from !$ext_if:network to any -> $ext_if
>> pass in on $tun_if from $tun_if:network to any keep state
>> pass out on $ext_if from any to any keep state
>>
>
> Maybe this can help, by writing the rules as follows.
>
> pass in on $tun_if from any to any tag TUNIFACE keep state
> pass in on $ext_if route-to ($tun_if $gateway_tun_if) from any to !self
> tag TUNIFACE keep state
>
> pass out on $tun_if reply-to ($ext_if $ext_if_gateway) from any to any
> tagged TUNIFACE keep state
> pass out on $ext_if reply-to ($tun_if $gateway_tun_if) from any to any
> tagged TUNIFACE keep state
>
> Then keep your other rules going...
>
>
>> I've attached a simple network diagram. If I ping google.com from a.b.c.d
>> the icmp traffic on 'server' goes out ext_if NAT'd, then comes back from
>> google.com, but then 'server' is trying to send it back out ext_if again
>> because 'server's default route is the Internet.
>>
>> I can get the return traffic to go down the tunnel by manually adding a
>> route on 'server' to send traffic for a.b.c.0/24 down the tunnel, but then
>> I need to be aware of what all the networks behind 'client' are, and I
>> don't want to have to do that.
>>
>> Thanks again for all the ideas/input!
>> -Peter
>>
>> On Mon, Nov 19, 2012 at 7:46 PM, Kevin Wilcox <kevin.wilcox@gmail.com> wrote:
>>
>> > On 19 November 2012 18:56, David DeSimone <fox@verio.net> wrote:
>> >
>> > > This doesn't seem right, because even traffic coming in via the external
>> > > interface will have its target IP changed to be the router, even if
>> > > it is destined for some other place. Previously you were using "from
>> > > $int_if:network" to prevent this from happening to other traffic, but
>> > > without that restriction, every packet would be subject to NAT.
>> >
>> > My assumption was that the traffic coming in on the external interface
>> > is already destined for the outside IP of the router, unless he's
>> > doing some really funky stuff on both sides ;)
>> >
>> > It sounded like he wanted to NAT anything coming from the inside
>> > interface and then anything on the outside that wasn't return NAT
>> > traffic was supposed to terminate on the router, but I've been known
>> > to have clogged ears and awfully poor eyesight.
>> >
>> > kmw
>> >
>>
>> _______________________________________________
>> freebsd-pf@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>>
>>
>
>
> --
> Ermal
>
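Editor's worked example (not code from Peter, Ermal or anyone else in the thread): a complete pf.conf that applies Ermal's tag/reply-to approach to Peter's two interfaces and annotates which state each rule creates, so that return NAT traffic is routed by the state that was built when the flow entered on the tunnel rather than by the routing table. The gateway addresses `ext_gw` and `tun_gw`, the default-deny policy, the antispoof line and the choice to leave Ermal's inbound route-to rule commented out are this example's own assumptions.

```pf
# Editor's example /etc/pf.conf for the setup discussed in this thread.
# It is not Peter's or Ermal's file. Interface names are the ones Peter
# posted; the two gateway addresses are assumed placeholders.

tun_if = "tap3"
ext_if = "xn0"
ext_gw = "192.0.2.1"   # assumed: next hop on xn0 (documentation prefix)
tun_gw = "10.8.0.2"    # assumed: the tunnel peer's address on tap3

set skip on lo

# Default deny, so the tagged rules below are the only forwarding path.
# Add your own "pass in on $ext_if proto tcp to ($ext_if) port ssh" etc.
block log all

# Drop packets that claim a source in xn0's network but arrive on another
# interface (for example through the tunnel).
antispoof quick for $ext_if

# Outbound masquerading, unchanged from Peter's config apart from the
# parentheses, which make pf re-read xn0's address if it changes.
nat on $ext_if from !$ext_if:network to any -> ($ext_if)

# Rule 1: whatever enters on the tunnel is accepted and tagged. The
# interface, not a list of source networks, is the policy key, so the
# networks behind 'client' never have to be enumerated here.
pass in on $tun_if from any to any tag TUNIFACE keep state

# Rule 2: tagged traffic leaving via xn0 creates a second state on xn0, the
# one that carries the NAT mapping. reply-to on that state sends replies
# arriving on xn0 straight out tap3 to the tunnel peer, instead of letting
# the default route bounce them back toward the Internet.
pass out on $ext_if reply-to ($tun_if $tun_gw) from any to any \
    tagged TUNIFACE keep state

# Rule 3: the replies pf pushes out tap3 already match the rule-1 state;
# this rule only keeps the intended path explicit under the default block.
pass out on $tun_if from any to any tagged TUNIFACE keep state

# Traffic the server itself originates keeps following the routing table.
pass out on $ext_if from ($ext_if) to any keep state

# Optional, from Ermal's suggestion: accept NEW connections arriving on xn0
# for non-local destinations and route them into the tunnel. This forwards
# anything that reaches xn0 for an address the server does not own, so it
# stays disabled unless tunnel-side networks must be reachable from outside.
# pass in on $ext_if route-to ($tun_if $tun_gw) from any to !self \
#     tag TUNIFACE keep state
# pass out on $tun_if reply-to ($ext_if $ext_gw) from any to any \
#     tagged TUNIFACE keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. After a ping from a.b.c.d, `pfctl -ss` should list two states for the flow: one created on tap3 and one on xn0 showing the NAT mapping in parentheses; the xn0 state is the one whose reply-to carries the echo reply back into the tunnel. Rule 1 trusts every source address the tunnel peer sends, which is exactly what Peter asked for; the antispoof line limits that trust so the peer cannot inject packets that appear to come from xn0's own network.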