From owner-freebsd-pf@freebsd.org Tue Mar 17 02:28:39 2020
From: Cristian Cardoso
Date: Mon, 16 Mar 2020 23:28:25 -0300
Subject: PF + IPsec
To: freebsd-pf@freebsd.org

Hello,

I'm setting up a FreeBSD server for IPsec VPN communication with strongSwan and I'm having some difficulties in the operation.

The FreeBSD server's local network is 10.19.12.0/24 and can connect correctly to the network on the other side of the tunnel.

I would like another network behind my server to connect to the tunnel as well.

In Linux I would NAT the network that is arriving as follows:

    iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -d 10.31.32.0/24 -j SNAT --to-source 10.19.12.251

In FreeBSD I tried to run the rule as follows, but to no avail:

    nat on $LAN inet from 10.0.0.0/8 to 10.31.32.0/24 -> 10.19.12.251

Is there any other way to generate the equivalent of POSTROUTING in FreeBSD?

Best Regards

From owner-freebsd-pf@freebsd.org Tue Mar 17 05:48:09 2020
Subject: Re: PF + IPsec
To: Cristian Cardoso, freebsd-pf@freebsd.org
From: Artem Viklenko
Organization: Art&Co.
Message-ID: <4c936163-f77b-3fe1-56be-8f6967add0ef@viklenko.net>
Date: Tue, 17 Mar 2020 07:47:54 +0200

Hi!

PF does NAT on outbound and RDR on inbound.
You can try to do NAT on the enc0 interface instead of the LAN.
-- 
Regards!
From owner-freebsd-pf@freebsd.org Tue Mar 17 12:35:54 2020
From: Cristian Cardoso
Date: Tue, 17 Mar 2020 09:35:40 -0300
Subject: Re: PF + IPsec
To: Artem Viklenko
Cc: freebsd-pf@freebsd.org
In-Reply-To: <4c936163-f77b-3fe1-56be-8f6967add0ef@viklenko.net>

I tried as follows without success:

    rdr on xn0 inet proto icmp from 10.31.32.67 to 10.0.0.0/8 -> 10.19.12.251
    nat on xn0 inet proto icmp from 10.0.0.0/8 to 10.31.32.67/32 -> 10.19.12.251
    rdr on enc0 inet proto icmp from 10.31.32.67 to 10.0.0.0/8 -> 10.19.12.251
    nat on enc0 inet proto icmp from 10.0.0.0/8 to 10.31.32.67 -> 10.19.12.251

xn0 is my interface that goes to the internal network beyond the FreeBSD box, and enc0 is the VPN's; I only put the ICMP protocol in for testing.

I checked with tcpdump on the enc0 interface: the echo request and echo reply both occur, but the reply does not return to the PC on another network within 10.0.0.0/8 that ran the ICMP test.

Any suggestion?

From owner-freebsd-pf@freebsd.org Tue Mar 17 12:54:03 2020
Subject: Re: PF + IPsec
To: Cristian Cardoso
Cc: freebsd-pf@freebsd.org
References: <4c936163-f77b-3fe1-56be-8f6967add0ef@viklenko.net>
From: Artem Viklenko
Organization: Art&Co.
Message-ID: <59961b63-a5b8-e0e6-55de-76ab9c43763c@viklenko.net>
Date: Tue, 17 Mar 2020 14:53:54 +0200

You don't need rdr:

    nat on enc0 inet from 10.0.0.0/8 to 10.31.32.0/24 -> 10.19.12.251

-- 
Regards!
From owner-freebsd-pf@freebsd.org Tue Mar 17 13:22:34 2020
From: Cristian Cardoso
Date: Tue, 17 Mar 2020 10:22:18 -0300
Subject: Re: PF + IPsec
To: Artem Viklenko
Cc: freebsd-pf@freebsd.org
References: <4c936163-f77b-3fe1-56be-8f6967add0ef@viklenko.net> <59961b63-a5b8-e0e6-55de-76ab9c43763c@viklenko.net>
In-Reply-To: <59961b63-a5b8-e0e6-55de-76ab9c43763c@viklenko.net>

I tried first the way you said, but it doesn't work: it returned the "TTL expired in transit" message when I try to run ICMP from some host that is on a network outside the FreeBSD box, in my test with only the nat rule on enc0.

Running tests from a host on another network, for example on the 10.7.8.0/24 network, the path is this:

    10.7.8.243 -> 172.0.10.11 -> 10.19.12.251 -> vpn tunnel

Without the nat rule on the xn0 interface, not even an echo reply occurs within the VPN tunnel.
With the nat rule on the xn0 interface, the echo reply occurs within the enc0 interface, but the packet is only returned as far as 10.19.12.251, which does not occur for networks outside the FreeBSD /24.

In the FreeBSD route table, the tunnel is configured this way via strongSwan:

    10.31.32.67/32 10.19.12.251 UGS xn0

Thanks for the help = )

From owner-freebsd-pf@freebsd.org Tue Mar 17 19:56:04 2020
From: Cristian Cardoso
Date: Tue, 17 Mar 2020 16:55:46 -0300
Subject: Re: PF + IPsec
To: Artem Viklenko
Cc: freebsd-pf@freebsd.org
References: <4c936163-f77b-3fe1-56be-8f6967add0ef@viklenko.net> <59961b63-a5b8-e0e6-55de-76ab9c43763c@viklenko.net>

After some more research, I discovered a few things. The nat on the enc0 interface that you told me about was correct. The part I did not understand and did not know until now is that when the tunnel is /24 to /24, external routes do not enter the route table of the setkey command.

After discovering this, I put this in rc.conf:

    ipsec_enable="YES"            # Set to YES to run setkey on ipsec_file
    ipsec_file="/etc/ipsec.conf"  # Name of config file for setkey

and in the /etc/ipsec.conf file I put the following:

    spdadd -4 10.0.0.0/8 10.31.32.67 any -P out ipsec esp/tunnel/<my valid ip>-<remote valid ip>/unique:1;
    spdadd -4 10.31.32.67 10.0.0.0/8 any -P in ipsec esp/tunnel/<my valid ip>-<remote valid ip>/unique:1;

With that, plus the nat rule that you indicated, everything worked correctly.
Referral link that might help someone else: https://unix.stackexchange.com/questions/457838/nat-outbound-ipsec-packets-= using-pf-on-freebsd-11-and-strongswan-x-fortigate https://www.freebsd.org/cgi/man.cgi?query=3Dsetkey&sektion=3D8&manpath=3Dfr= eebsd-release-ports http://www.freenix.no/arkiv/daemonnews/200101/ipsec-howto.html Thank you for your help Em ter., 17 de mar. de 2020 =C3=A0s 10:22, Cristian Cardoso escreveu: > > I tried first that way you said, but it doesn't work, returned the > expired ttl message in transit, when I try to run icmp from some host > that is on a network outside freebsd, in my test only with the nat > rule in enc0 > > Running tests from a host on another network, for example on the > 10.7.8.0/24 network > > The way is this > 10.7.8.243 -> 172.0.10.11 -> 10.19.12.251 -> vpn tunnel > > Without the nat rule on the xn0 interface, neither echo reply occurs > within the vpn tunnel > With the nat rule, on the xn0 interface, echo reply occurs within the > enc0 interface, only the packet is returned outside 10.19.12.251 which > does not occur for networks outside freebsd / 24 > > In the freebsd route table, the tunnel is configured in this way via stro= ngswan > 10.31.32.67/32 10.19.12.251 UGS xn0 > > Thanks for help =3D ) > > Em ter., 17 de mar. 
de 2020 =C3=A0s 09:54, Artem Viklenko > escreveu: > > > > You don't need rdr > > > > nat on enc0 inet from 10.0.0.0/8 to 10.31.32.0/24 -> 10.19.12.251 > > > > > > On 17.03.20 14:35, Cristian Cardoso wrote: > > > I tried as follows without success: > > > > > > rdr on xn0 inet proto icmp from 10.31.32.67 to 10.0.0.0/8 -> 10.19.12= .251 > > > nat on xn0 inet proto icmp from 10.0.0.0/8 to 10.31.32.67/32 -> 10.19= .12.251 > > > rdr on enc0 inet proto icmp from 10.31.32.67 to 10.0.0.0/8 -> 10.19.1= 2.251 > > > nat on enc0 inet proto icmp from 10.0.0.0/8 to 10.31.32.67 -> 10.19.1= 2.251 > > > > > > xn0 is my interface that goes to the internal network that is beyond > > > the freebsd and enc0 of the vpn, I just put the icmp protocol for > > > testing > > > I checked on tcpdump on the enc0 interface, which occurs echo request > > > and echo reply, but does not return to the PC that ran icmp on anothe= r > > > network within 10.0.0.0/8 > > > > > > Any suggestion? > > > > > > Em ter., 17 de mar. de 2020 =C3=A0s 02:48, Artem Viklenko > > > escreveu: > > >> > > >> Hi! > > >> > > >> PF do NAT on outbound and RDR on inbound. > > >> You can try to do NAT on enc0 interface instead of lan. > > >> > > >> > > >> On 17.03.20 04:28, Cristian Cardoso wrote: > > >>> Hello > > >>> I'm setting up a Freebsd server for ipsec vpn communication with > > >>> strongswan and I'm having some difficulties in the operation > > >>> > > >>> The freebsd server's local network is 10.19.12.0/24 and can connect > > >>> correctly to the network on the other side of the tunnel. > > >>> > > >>> I would like another network behind my server to connect to the tun= nel as well. 
> > >>> > > >>> In linux I would nat the network that is arriving as follows: > > >>> iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -d 10.31.32.0/24 -j > > >>> --SNAT --to 10.19.12.251 > > >>> > > >>> In FreeBSD I tried to run the rule as follows, but to no avail > > >>> nat on $ LAN inet from 10.0.0.0/8 to 10.31.32.0/24 -> 10.19.12.251 > > >>> > > >>> Is there any other way to generate the equivalent of FreeBSD postro= uting? > > >>> > > >>> Best Regards > > >>> _______________________________________________ > > >>> freebsd-pf@freebsd.org mailing list > > >>> https://lists.freebsd.org/mailman/listinfo/freebsd-pf > > >>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.or= g" > > >>> > > >> > > >> -- > > >> Regards! > > > > > > > -- > > Regards! From owner-freebsd-pf@freebsd.org Tue Mar 17 20:53:02 2020 Return-Path: Delivered-To: freebsd-pf@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 1CBA92721CB for ; Tue, 17 Mar 2020 20:53:02 +0000 (UTC) (envelope-from dave.mehler@gmail.com) Received: from mail-io1-xd30.google.com (mail-io1-xd30.google.com [IPv6:2607:f8b0:4864:20::d30]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 48hlk41BzKz47FJ for ; Tue, 17 Mar 2020 20:52:59 +0000 (UTC) (envelope-from dave.mehler@gmail.com) Received: by mail-io1-xd30.google.com with SMTP id q9so2667143iod.4 for ; Tue, 17 Mar 2020 13:52:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=p+dXMQiYtmgd3IsvjOgHVL4L7hSdqyXOzRUyqwZ1DxI=; b=efTSlioKN3UARfk4vASgDcZc5C22l0aXwKyn1cAqQ6+qCTlvGaZWc4LOkGXBAJhfEE 
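The working setup in the PF + IPsec thread above is spread over three messages: the nat rule from Artem Viklenko's reply, and the rc.conf and setkey entries from Cristian Cardoso's last message. The fragment below collects them into the three files as one added example; it is not a file anyone posted to the list. MY_PUBLIC_IP and REMOTE_PUBLIC_IP stand in for the tunnel endpoints the post calls "my valid ip" and "remote valid ip", the reqid of 1 behind `unique:1` is an assumption about the strongswan CHILD_SA, and the two pass rules are assumed, not from the thread.

```conf
# --- /etc/rc.conf ----------------------------------------------------------
# Load the extra policies at boot (what the final post enables).
ipsec_enable="YES"                 # run setkey(8) on ipsec_file at boot
ipsec_file="/etc/ipsec.conf"       # policies for the hosts behind the second LAN

# --- /etc/ipsec.conf (loaded with: setkey -f /etc/ipsec.conf) --------------
# strongswan installs policies only for 10.19.12.0/24 <-> 10.31.32.0/24.
# The SPD lookup in ip_output() is done on the untranslated packet, before
# pf runs on enc0, so a packet from 10.7.8.243 never matches that policy and
# never enters the tunnel; it just follows the 10.31.32.67/32 host route via
# 10.19.12.251, which is consistent with the "TTL expired" replies reported
# earlier in the thread.  These two entries add policies covering the whole
# 10.0.0.0/8.
#
# MY_PUBLIC_IP / REMOTE_PUBLIC_IP are placeholders.  setkey(8) takes the
# tunnel endpoints in packet direction, so the inbound policy is written
# remote-local here; the post wrote local-remote for both directions.
#
# "unique:1" binds each policy to the SA whose reqid is 1.  Assumption: the
# strongswan CHILD_SA for this tunnel has reqid 1.  Check with `setkey -D`,
# which prints reqid= for every SA; a mismatch means the policy never matches.
spdadd -4 10.0.0.0/8 10.31.32.67 any -P out ipsec esp/tunnel/MY_PUBLIC_IP-REMOTE_PUBLIC_IP/unique:1;
spdadd -4 10.31.32.67 10.0.0.0/8 any -P in  ipsec esp/tunnel/REMOTE_PUBLIC_IP-MY_PUBLIC_IP/unique:1;

# --- /etc/pf.conf ----------------------------------------------------------
# pf sees the cleartext packet on enc0 after the policy match and before ESP
# encapsulation.  Translating the source there means the peer only ever sees
# 10.19.12.251, an address inside the 10.19.12.0/24 selector it already
# accepts.  No rdr is needed: the nat state reverses the translation for the
# replies (Artem's rule from the thread).
nat on enc0 inet from 10.0.0.0/8 to 10.31.32.0/24 -> 10.19.12.251

# Filter rules apply on enc0 as well.  If the ruleset blocks by default the
# cleartext traffic has to be passed explicitly (assumed rules).  Narrow the
# source to the subnets that should really reach the remote network: every
# host matched by the nat rule above appears to the peer as 10.19.12.251, so
# the peer's own selector no longer limits who can use the tunnel.
pass on enc0 inet from 10.0.0.0/8 to 10.31.32.0/24 keep state
pass on enc0 inet from 10.31.32.0/24 to 10.0.0.0/8 keep state
```

To check the result: `setkey -DP` should list the two added policies alongside the ones strongswan installed, `setkey -D` shows each SA with its reqid, `pfctl -s nat` and `pfctl -s state` show the translation rule and the states it creates, and `tcpdump -ni enc0` shows the cleartext request and reply while `tcpdump -ni xn0 esp` shows only ESP on the wire.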
From: David Mehler
Date: Tue, 17 Mar 2020 16:52:57 -0400
Subject: working pf Asterisk configuration
To: freebsd-pf

Hello,

I've got a 12.1 system with a jail. In this jail I want to run an Asterisk server. Does anyone have a working pf firewall configuration for a similar setup? Last time I attempted this I got 5060 to work, but there was no audio at all.

Thanks.
Dave.