From owner-freebsd-pf@freebsd.org Wed Nov 13 21:12:30 2019
From: Phil Staub
Date: Wed, 13 Nov 2019 16:11:50 -0500
Subject: Re: NAT for use with OpenVPN
To: Morgan Wesström
Cc: freebsd-pf@freebsd.org
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Wed, Nov 13, 2019 at 3:45 PM Phil Staub wrote:

> I believe I'm getting close.
>
> I found a tutorial at
>
> https://www.howtoforge.com/nat_iptables
>
> ... that identifies a couple of rules to enable IP Forwarding and
> Masquerading:
>
> iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
> iptables --append FORWARD --in-interface eth1 -j ACCEPT
>
> This results in the following:
>
> # iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> MASQUERADE all  --  anywhere             anywhere
> # iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> GUSTER     tcp  --  anywhere             anywhere             tcp dpt:80
> GUSTER     tcp  --  anywhere             anywhere             tcp dpt:443
> ACCEPT     all  --  anywhere             anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain GUSTER (2 references)
> target     prot opt source               destination
> #
>
> I'm not sure about the ACCEPT rule. I think it might be too general, but
> I'll do some more research on that.
>
> I am now able to ping 8.8.8.8 from my phone, and I used 'whatismyip.com'
> to verify that it sees my router's public IP address.
>
> I also have a handle on where to put this so that it survives a router
> reboot.
>
> One of the comments in another tutorial I was reading says that the
> MASQUERADE rule is resource intensive, but if I understand it correctly,
> the only alternative would be to put a specific rule in place for each
> client. I don't think I want to do that.
>
> Comments?
>
> Phil
>

Update: I don't think the second rule (--append FORWARD) is necessary. I
removed that rule and the client phone can still access the internet via my
router's IP (as indicated by 'whatismyip.com'). Also, I re-read the part
about MASQUERADE and found out that it can be replaced by SNAT if the public
address is static. In my case, that's not true. It has changed several times
as my ISP makes changes to the system, or when we have an outage.

So I'm going to see if I can add this rule to the startup and get it to
persist over a reboot.

Phil

_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
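The rules discussed in the message above, worked through as an added example that is not part of the thread: a small POSIX sh script that prints an iptables-restore ruleset instead of applying rules directly, so it can be reviewed and loaded at boot with `iptables-restore` (for instance from the file a helper such as Debian's iptables-persistent reads, /etc/iptables/rules.v4). It shows the MASQUERADE/SNAT choice the update describes (SNAT only when a static public address is available), and replaces the catch-all `ACCEPT all -- anywhere anywhere` FORWARD rule from the listing with a DROP policy plus two explicit flows. The listing's `Chain FORWARD (policy ACCEPT)` is also why removing the explicit FORWARD rule changed nothing: the policy already forwarded everything. Assumed names: eth0 is the WAN interface as in the thread; tun0, the client subnet 10.8.0.0/24 and the static address 203.0.113.10 are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Emits an
# iptables-restore ruleset for routing OpenVPN clients out through the
# router's public interface. Assumed names: WAN interface eth0 (from the
# thread); tunnel interface tun0 and client subnet 10.8.0.0/24 (assumed,
# OpenVPN's usual defaults); 203.0.113.10 as a stand-in static public IP.
# Nothing here touches the live firewall: it only prints text for review.

# sysctl line the kernel needs before it forwards between interfaces.
forwarding_sysctl() {
    printf 'net.ipv4.ip_forward = 1\n'
}

# nat_rules WAN VPN_SUBNET [STATIC_IP]
# MASQUERADE looks up the outgoing interface's current address when each
# new connection is mapped and forgets its mappings when the interface goes
# down; that extra work is what "resource intensive" refers to, and it is
# also exactly what a changing public address requires. With a static
# address, SNAT --to-source writes the address once and skips the lookup.
nat_rules() {
    wan=$1; subnet=$2; static=${3:-}
    if [ -n "$static" ]; then
        target="SNAT --to-source $static"
    else
        target="MASQUERADE"
    fi
    printf '%s\n' '*nat' \
        ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    # Match only the VPN client subnet rather than "all -- anywhere", so
    # nothing else leaving the WAN interface is silently rewritten.
    printf '%s\n' "-A POSTROUTING -s $subnet -o $wan -j $target"
    printf '%s\n' 'COMMIT'
}

# filter_rules WAN VPN_IF VPN_SUBNET
# The thread's listing has FORWARD with policy ACCEPT, so every interface
# pair is forwarded whether or not an explicit rule exists. Here the policy
# is DROP and only two flows pass: VPN -> WAN for packets that really carry
# a VPN-subnet source, and WAN -> VPN for replies to connections that
# conntrack already knows about.
filter_rules() {
    wan=$1; vpn=$2; subnet=$3
    printf '%s\n' '*filter' \
        ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' "-A FORWARD -i $vpn -o $wan -s $subnet -j ACCEPT"
    printf '%s\n' "-A FORWARD -i $wan -o $vpn -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# vpn_ruleset WAN VPN_IF VPN_SUBNET [STATIC_IP]: the complete restore file.
vpn_ruleset() {
    nat_rules "$1" "$3" "${4:-}"
    filter_rules "$1" "$2" "$3"
}

# When run directly, print the dynamic-address (MASQUERADE) variant.
# To apply after review:  vpn_ruleset eth0 tun0 10.8.0.0/24 | iptables-restore
vpn_ruleset eth0 tun0 10.8.0.0/24
```

Run it with a fourth argument (`vpn_ruleset eth0 tun0 10.8.0.0/24 203.0.113.10`) to get the SNAT variant for a static address. Because the FORWARD policy is DROP, the explicit FORWARD rules are no longer optional the way they were in the thread's listing, which is the point: the forwarding decision becomes something the ruleset states rather than something the default quietly allows.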