Date: Wed, 13 Nov 2019 00:43:03 +0100
From: Morgan Wesström <freebsd-database@pp.dyndns.biz>
To: freebsd-pf@freebsd.org
Subject: Re: NAT for use with OpenVPN
Message-ID: <fa9054ac-b22f-b873-0749-742b73100dba@pp.dyndns.biz>
In-Reply-To: <CAMnCm8gA_V1trdZtpidms54cmf4TL=R2BZ2MP52fJKrjndxtzA@mail.gmail.com>
References: <mailman.6.1573387200.62111.freebsd-pf@freebsd.org> <CAMnCm8jZH8ZULq8CKeZF_t4eBEBH5QAsaPKBtxK0WCWGe_OXDA@mail.gmail.com> <ba536474-57b4-37b0-d076-a1c4561d181e@pp.dyndns.biz> <CAP9XWJm2gAC0VjTejP08X0T8ar_ZS1e7PqjAy8iOMRhfBU_3mA@mail.gmail.com> <6bc9b8ce-3ab3-2b57-510d-67ace0a90259@pp.dyndns.biz> <30f8da8a-de96-f737-fef8-820c6ae2ed16@pp.dyndns.biz> <CAMnCm8i-UOAZoyERUWM%2B38sPvWcwevqM6LBgRGeM8nXjgnbVtQ@mail.gmail.com> <CAMnCm8juj8uPuqfDXWu4rOPjbiK0xrsUUrQn002R639RepQOWg@mail.gmail.com> <7f1fcc2d-4833-7fda-c181-a3d15b16f9ee@pp.dyndns.biz> <CAMnCm8gn3y7ai95%2BtkwdZs2qYndzQaNdpHev4ZdNLyd-bOY4iQ@mail.gmail.com> <0b13ae53-b211-ad2c-1447-225860f73d3a@pp.dyndns.biz> <CAMnCm8jZQi-UKm_-hF8WS0cofq0OWWP_d5No1AbOP8_KgQE5ZA@mail.gmail.com> <baa548e5-7dc3-05cf-0275-902d0193fc21@pp.dyndns.biz> <CAMnCm8iZ4iLJYOUFFpoTpF_=9xpG2=MN77xi%2BtGaSqumHeeqkQ@mail.gmail.com> <8ba7182d-8c4e-e10e-467b-6cf447490151@pp.dyndns.biz> <CAMnCm8gA_V1trdZtpidms54cmf4TL=R2BZ2MP52fJKrjndxtzA@mail.gmail.com>
> Something else I just realized: You'll note the route from 10.8.0.0/24
> and 192.168.1.200. That's the static route I added from the web
> interface. Is that something you think would be needed?

Absolutely. When your VPN clients try to access the Internet, the router will see outgoing packets with a source address of 10.8.0.x (remember the tcpdump?). When the reply comes back it will have a destination address of 10.8.0.x and your router needs to know where to send that packet. Since that subnet isn't connected to any of its interfaces, the static route tells the router where to forward the packet, in this case to your FreeBSD machine. Your FreeBSD machine knows where that subnet is and will deliver the packet to the correct client. If the static route is missing in your router, it will try to forward the packet to its default gateway, which is your ISP's upstream router.

> # iptables -t nat -L
>
> The result is not exactly what I had expected:
>
> # iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> #
>
> Looks like there *are* no natting rules. I wonder if they are using
> something other than iptables?

With my limited knowledge of iptables I tend to agree with you on this. Just typical, it shouldn't be that easy. However, the iptables command was just picked by me from a Google search. It might not be the correct syntax.

Just out of curiosity - is tcpdump part of the Linux dist on that router? If it is we can see what happens to your VPN clients' pings and just confirm that the router doesn't do NAT on them.

/Morgan
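As an added illustration of the routing argument in the reply above (this is example code written for this page, not anything from the thread or from either poster's configuration), the following models the router's forwarding decision with a longest-prefix-match lookup over a constructed routing table, and follows a reply packet addressed to a VPN client hop by hop. The interface names (lan, em0, tun0), the "isp-upstream" label and the router address 192.168.1.1 are assumptions; 192.168.1.200 and 10.8.0.0/24 come from the thread. Removing the static route makes the same packet fall through to the default route, which is exactly the failure the reply describes.

```python
import ipaddress

# Constructed routing tables modelled on the thread's setup.
# Interface names, "isp-upstream" and 192.168.1.1 are assumptions;
# 192.168.1.200 is the FreeBSD/OpenVPN box the poster's static route
# points at, and 10.8.0.0/24 is the OpenVPN client subnet.
ROUTER = {
    "0.0.0.0/0": "isp-upstream",        # default route towards the ISP
    "192.168.1.0/24": "direct:lan",     # directly connected LAN
    "10.8.0.0/24": "192.168.1.200",     # static route added in the web UI
}
ROUTER_NO_STATIC = {k: v for k, v in ROUTER.items() if k != "10.8.0.0/24"}

FREEBSD = {
    "0.0.0.0/0": "192.168.1.1",         # assumed: the router is the LAN gateway
    "192.168.1.0/24": "direct:em0",     # assumed LAN interface name
    "10.8.0.0/24": "direct:tun0",       # OpenVPN server interface (assumed name)
}

# Hosts whose tables we can follow a packet through. "isp-upstream" is
# outside our control, so a packet sent there leaves the model.
HOSTS = {"router": ROUTER, "192.168.1.200": FREEBSD}
HOSTS_NO_STATIC = {"router": ROUTER_NO_STATIC, "192.168.1.200": FREEBSD}


def next_hop(table, dst):
    """Longest-prefix-match lookup: the most specific matching prefix wins.

    A /0 default route matches everything, so it only wins when nothing
    more specific covers the destination.
    """
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def trace(dst, start="router", tables=HOSTS, max_hops=16):
    """Follow a packet from `start` until it is delivered on a directly
    connected interface ("direct:...") or handed to a host we do not model.
    Returns the list of next hops taken, in order."""
    path = []
    where = start
    for _ in range(max_hops):
        hop = next_hop(tables[where], dst)
        path.append(hop)
        if hop is None or hop.startswith("direct:") or hop not in tables:
            return path
        where = hop
    raise RuntimeError("routing loop: %s" % path)


if __name__ == "__main__":
    # Reply from the Internet to a VPN client, with and without the static route.
    print("with static route:   ", trace("10.8.0.6"))
    print("without static route:", trace("10.8.0.6", tables=HOSTS_NO_STATIC))
```

With the static route the reply goes router -> 192.168.1.200 -> tun0, i.e. it reaches the OpenVPN server, which delivers it to the client. Without it the only matching prefix on the router is 0.0.0.0/0, so the packet is sent to the ISP and never comes back. The same lookup is what `route -n get 10.8.0.6` on FreeBSD or `ip route get 10.8.0.6` on Linux performs against the live kernel table.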