Date:      Wed, 13 Nov 2019 10:27:18 -0500
From:      Phil Staub <phil@staub.us>
To:        Morgan Wesström <freebsd-database@pp.dyndns.biz>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: NAT for use with OpenVPN
Message-ID:  <CAMnCm8hpTmww-pV%2BFbOcMJwk%2Bz1_bSs%2BcVJg5eu5zm84K8RPSA@mail.gmail.com>
In-Reply-To: <ef17181f-61b3-c2eb-9ebb-49e437ceea76@pp.dyndns.biz>
References:  <mailman.6.1573387200.62111.freebsd-pf@freebsd.org> <30f8da8a-de96-f737-fef8-820c6ae2ed16@pp.dyndns.biz> <CAMnCm8i-UOAZoyERUWM%2B38sPvWcwevqM6LBgRGeM8nXjgnbVtQ@mail.gmail.com> <CAMnCm8juj8uPuqfDXWu4rOPjbiK0xrsUUrQn002R639RepQOWg@mail.gmail.com> <7f1fcc2d-4833-7fda-c181-a3d15b16f9ee@pp.dyndns.biz> <CAMnCm8gn3y7ai95%2BtkwdZs2qYndzQaNdpHev4ZdNLyd-bOY4iQ@mail.gmail.com> <0b13ae53-b211-ad2c-1447-225860f73d3a@pp.dyndns.biz> <CAMnCm8jZQi-UKm_-hF8WS0cofq0OWWP_d5No1AbOP8_KgQE5ZA@mail.gmail.com> <baa548e5-7dc3-05cf-0275-902d0193fc21@pp.dyndns.biz> <CAMnCm8iZ4iLJYOUFFpoTpF_=9xpG2=MN77xi%2BtGaSqumHeeqkQ@mail.gmail.com> <8ba7182d-8c4e-e10e-467b-6cf447490151@pp.dyndns.biz> <CAMnCm8gA_V1trdZtpidms54cmf4TL=R2BZ2MP52fJKrjndxtzA@mail.gmail.com> <fa9054ac-b22f-b873-0749-742b73100dba@pp.dyndns.biz> <CAMnCm8gN9aYgsJQYCuppGQ1M-YPwe1y7kaQCeEcDChrogsXj0w@mail.gmail.com> <b574e8e2-a921-99b8-2d2f-b3dc70341ce3@pp.dyndns.biz> <CAMnCm8gS40S27uOHYiKPp5E2hZhg=FknxTKxSsuH6vgOBD5Z9g@mail.gmail.com> <ef17181f-61b3-c2eb-9ebb-49e437ceea76@pp.dyndns.biz>

On Wed, Nov 13, 2019 at 10:12 AM Morgan Wesström <freebsd-database@pp.dyndns.biz> wrote:

> >   # tcpdump -nvvi br0 icmp
>
> eth0 is your external interface so try:
>
> # tcpdump -ni eth0 icmp
>
> Then ping 8.8.8.8 from your VPN client and see what shows up.
>
> br0 is a virtual bridge interface. This is what they use to connect your
> internal interface and your wlan interface together (and maybe some
> more) so they look as a single entity and one physical network. This way
> they can have a single subnet spanning both those interfaces instead of
> multiple subnets which would probably confuse most regular users. :)
>

# tcpdump -nvvi eth0 icmp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:22:29.614953 IP (tos 0x0, ttl 62, id 5638, offset 0, flags [DF], proto ICMP (1), length 84)
    10.8.0.8 > 8.8.8.8: ICMP echo request, id 13, seq 1, length 64
15:22:31.059524 IP (tos 0x0, ttl 62, id 5808, offset 0, flags [DF], proto ICMP (1), length 84)
    10.8.0.8 > 8.8.8.8: ICMP echo request, id 13, seq 2, length 64
15:22:31.733821 IP (tos 0x0, ttl 62, id 6095, offset 0, flags [DF], proto ICMP (1), length 84)
    10.8.0.8 > 8.8.8.8: ICMP echo request, id 13, seq 3, length 64
15:22:32.725210 IP (tos 0x0, ttl 62, id 6162, offset 0, flags [DF], proto ICMP (1), length 84)
    10.8.0.8 > 8.8.8.8: ICMP echo request, id 13, seq 4, length 64
15:22:35.341540 IP (tos 0x0, ttl 62, id 6344, offset 0, flags [DF], proto ICMP (1), length 84)
    10.8.0.8 > 8.8.8.8: ICMP echo request, id 13, seq 5, length 64
^C
5 packets captured
7 packets received by filter
0 packets dropped by kernel

As (I think) you expected, the ping to my public ip (and all the other
devices pinging the router) didn't show up this time.

Are you thinking that the ping should be coming from 192.168.1.200 (my
OpenVPN server machine)? If not, how else would you know whether the
address is being NATed?

Phil


> /Morgan
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
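
Added example, not part of the original message or of either poster's setup: a small parser for `tcpdump -n` ICMP output that reports which echo requests left the captured interface with an RFC 1918 source (no source NAT applied at that point) and which got no echo reply. It assumes the capture was taken on the Internet-facing interface; the names `nat_report`, `parse`, `PAGE_CAPTURE` and `NATTED` are hypothetical, and the `NATTED` sample with 203.0.113.5 is constructed.

```python
import ipaddress
import re

# Address line of `tcpdump -n` ICMP output, with or without -v.
PKT = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply), id \d+, seq (?P<seq>\d+)"
)
# RFC 1918 ranges: not routable as a source address on the public Internet.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# First two packets of the eth0 capture quoted in the message above.
PAGE_CAPTURE = """\
15:22:29.614953 IP (tos 0x0, ttl 62, id 5638, offset 0, flags [DF], proto ICMP (1), length 84)
    10.8.0.8 > 8.8.8.8: ICMP echo request, id 13, seq 1, length 64
15:22:31.059524 IP (tos 0x0, ttl 62, id 5808, offset 0, flags [DF], proto ICMP (1), length 84)
    10.8.0.8 > 8.8.8.8: ICMP echo request, id 13, seq 2, length 64
"""
# Constructed sample: the same ping after source NAT to a documentation address.
NATTED = """\
15:22:29.614953 IP 203.0.113.5 > 8.8.8.8: ICMP echo request, id 13, seq 1, length 64
15:22:29.630112 IP 8.8.8.8 > 203.0.113.5: ICMP echo reply, id 13, seq 1, length 64
"""


def parse(capture):
    """Yield (src, dst, kind, seq) for every ICMP echo line in the text."""
    for m in PKT.finditer(capture):
        yield (ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]),
               m["kind"], int(m["seq"]))


def nat_report(capture):
    """Group echo-request seq numbers by source type and by missing reply."""
    report = {"untranslated": [], "translated": [], "unanswered": []}
    requests, replies = [], set()
    for src, dst, kind, seq in parse(capture):
        if kind == "reply":
            replies.add((src, seq))
        else:
            requests.append((src, dst, seq))
    for src, dst, seq in requests:
        private = any(src in net for net in PRIVATE)
        report["untranslated" if private else "translated"].append(seq)
        if (dst, seq) not in replies:  # no reply from the pinged host
            report["unanswered"].append(seq)
    return report
```

Run over the capture above, `nat_report(PAGE_CAPTURE)` lists both requests as untranslated and unanswered, while the constructed `NATTED` sample lists its request as translated with a matching reply.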