Date: Wed, 13 Nov 2019 16:11:50 -0500 From: Phil Staub <phil@staub.us> To: =?UTF-8?Q?Morgan_Wesstr=C3=B6m?= <freebsd-database@pp.dyndns.biz> Cc: freebsd-pf@freebsd.org Subject: Re: NAT for use with OpenVPN Message-ID: <CAMnCm8gDUhHABqNcjTyaWTwyccxv6OxjhQjRhEt5w4e3uKq%2B8w@mail.gmail.com> In-Reply-To: <CAMnCm8i46JOW-bGOutRyxUtJspeSkz4ZjfAQ=XGe_KtbeF387w@mail.gmail.com> References: <mailman.6.1573387200.62111.freebsd-pf@freebsd.org> <CAMnCm8juj8uPuqfDXWu4rOPjbiK0xrsUUrQn002R639RepQOWg@mail.gmail.com> <7f1fcc2d-4833-7fda-c181-a3d15b16f9ee@pp.dyndns.biz> <CAMnCm8gn3y7ai95%2BtkwdZs2qYndzQaNdpHev4ZdNLyd-bOY4iQ@mail.gmail.com> <0b13ae53-b211-ad2c-1447-225860f73d3a@pp.dyndns.biz> <CAMnCm8jZQi-UKm_-hF8WS0cofq0OWWP_d5No1AbOP8_KgQE5ZA@mail.gmail.com> <baa548e5-7dc3-05cf-0275-902d0193fc21@pp.dyndns.biz> <CAMnCm8iZ4iLJYOUFFpoTpF_=9xpG2=MN77xi%2BtGaSqumHeeqkQ@mail.gmail.com> <8ba7182d-8c4e-e10e-467b-6cf447490151@pp.dyndns.biz> <CAMnCm8gA_V1trdZtpidms54cmf4TL=R2BZ2MP52fJKrjndxtzA@mail.gmail.com> <fa9054ac-b22f-b873-0749-742b73100dba@pp.dyndns.biz> <CAMnCm8gN9aYgsJQYCuppGQ1M-YPwe1y7kaQCeEcDChrogsXj0w@mail.gmail.com> <b574e8e2-a921-99b8-2d2f-b3dc70341ce3@pp.dyndns.biz> <CAMnCm8gS40S27uOHYiKPp5E2hZhg=FknxTKxSsuH6vgOBD5Z9g@mail.gmail.com> <ef17181f-61b3-c2eb-9ebb-49e437ceea76@pp.dyndns.biz> <CAMnCm8hpTmww-pV%2BFbOcMJwk%2Bz1_bSs%2BcVJg5eu5zm84K8RPSA@mail.gmail.com> <cf52cc1b-c979-155c-604b-8918ac5fc2d6@pp.dyndns.biz> <CAMnCm8i46JOW-bGOutRyxUtJspeSkz4ZjfAQ=XGe_KtbeF387w@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Nov 13, 2019 at 3:45 PM Phil Staub <phil@staub.us> wrote: > I believe I'm getting close. > > I found a tutorial at > > https://www.howtoforge.com/nat_iptables > > ... that gives identifies a couple rules to enable IP Forwarding and > Masquerading: > > iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE > iptables --append FORWARD --in-interface eth1 -j ACCEPT > > This results in the following: > > # iptables -t nat -L > Chain PREROUTING (policy ACCEPT) > target prot opt source destination > > Chain INPUT (policy ACCEPT) > target prot opt source destination > > Chain OUTPUT (policy ACCEPT) > target prot opt source destination > > Chain POSTROUTING (policy ACCEPT) > target prot opt source destination > MASQUERADE all -- anywhere anywhere > # iptables -L > Chain INPUT (policy ACCEPT) > target prot opt source destination > > Chain FORWARD (policy ACCEPT) > target prot opt source destination > GUSTER tcp -- anywhere anywhere tcp dpt:80 > GUSTER tcp -- anywhere anywhere tcp dpt:443 > ACCEPT all -- anywhere anywhere > > Chain OUTPUT (policy ACCEPT) > target prot opt source destination > > Chain GUSTER (2 references) > target prot opt source destination > # > > I'm not sure about the ACCEPT rule. I think it might be too general, but I'll do some more research on that. > > I am now able to ping 8.8.8.8 from my phone, and I used 'whatismyip.com' to verify that it sees my router's public IP address. > > I also have a handle on where to put this so that it survives a router reboot. > > One of the comments in another tutorial I was reading says that the MASQUERADE rule is resource intensive, but if I understand it correctly, the only alternative would be to put a specific rule in place for each client. I don't think I want to do that > > Comments? > > Phil > > > Update: I don't thnk the second rule (--append FORWARD) is necessary. I removed that rule and the client phone can still access the internet via my router's IP (as indicated by 'whatismyip.com"). Also, I re-read the part about MASQUERADE and found out that it can be replaced by SNAT if the public address is static. In my case, that's not true. It has changed several times as my ISP makes changes to the system, or when we have an outage. So I'm going to see if I can add this rule to the startup and get it to persist over a reboot. Phil _______________________________________________ >> freebsd-pf@freebsd.org mailing list >> https://lists.freebsd.org/mailman/listinfo/freebsd-pf >> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" >> >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAMnCm8gDUhHABqNcjTyaWTwyccxv6OxjhQjRhEt5w4e3uKq%2B8w>