From: Polytropon
To: Luciano Mannucci
Cc: freebsd-questions@freebsd.org
Date: Mon, 26 Jan 2015 21:36:58 +0100
Subject: Re: Simple NAT
Message-Id: <20150126213658.48423c08.freebsd@edvax.de>
In-Reply-To: <3kWFlD70VnzRRrw@baobab.bilink.it>

On Mon, 26 Jan 2015 16:45:16 +0100, Luciano Mannucci wrote:
> I have a freebsd machine (FreeBSD troika 10.1-RELEASE FreeBSD 10.1-RELEASE #0
> r274401) with openvpn that works like a charm :-)...
> I wish to nat one and only one of my openvpn clients, possibly for a
> single destination. What's the better way to avoid disturbing the rest
> of the operations?
> Any clues?
> Is IPFW my friend?

Yes, that should work. In /etc/rc.conf, set

	natd_enable="YES"
	natd_interface="xl0"

where "xl0" is the "outer" interface.

In your custom /etc/ipfw.conf, add the rule

	add divert natd ip from any to any via xl0

and refine the "from any to any" part to reflect the IP addresses
(and maybe specific ports) for the connection you want to translate,
so the rule will only allow for that _one_ destination you want
to enable.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
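The refinement of the catch-all divert rule, as an added example that is not part of the original mail: a small sh script that builds the narrowed ipfw rules for one VPN client and one destination, covering both the outbound packet and its reply. The interface name xl0 comes from the mail; the client and destination addresses are constructed placeholders, and the rc.conf settings from the mail are assumed to be in place.

```shell
#!/bin/sh
# Added example, not from the original mail. Generates the refined ipfw
# divert rules for a single OpenVPN client and a single destination instead
# of "ip from any to any via xl0". Assumes natd_enable/natd_interface are
# already set in /etc/rc.conf as described in the mail.

OUTER_IF="xl0"          # "outer" interface natd listens on (from the mail)
VPN_CLIENT="10.8.0.6"   # constructed: tun address of the one client to NAT
NAT_DEST="203.0.113.10" # constructed: the single destination reached via NAT

# Dotted-quad check so a typo does not silently widen the rule back to "any".
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# natd must see the packet in both directions: outbound to rewrite the source,
# and the reply on its way in to undo the rewrite. The reply is addressed to
# the outer interface's own address, not to the client, so the inbound rule
# matches on the destination host and the "in" direction only.
nat_rules() {
    client="$1"; dest="$2"; ifc="$3"
    is_ipv4 "$client" && is_ipv4 "$dest" || return 1
    printf 'add 1000 divert natd ip from %s to %s out via %s\n' "$client" "$dest" "$ifc"
    printf 'add 1001 divert natd ip from %s to any in via %s\n' "$dest" "$ifc"
}

# Without arguments the script only prints the rules (dry run); pass "apply"
# on a FreeBSD host to load them with ipfw(8).
if [ "$1" = "apply" ]; then
    nat_rules "$VPN_CLIENT" "$NAT_DEST" "$OUTER_IF" | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting is intended here
        ipfw $rule
    done
else
    nat_rules "$VPN_CLIENT" "$NAT_DEST" "$OUTER_IF"
fi
```

The printed lines can also be pasted as-is into the custom /etc/ipfw.conf mentioned in the mail.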